Strange IOS ZBFW issue

paclark01
Level 1

Hi,

I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.

I have 3 zones, internet, local, and ssl-vpn.

The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).

After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.

I'm seeing dropped sessions in the log on zone-pair local-to-internet, invalid flags with ip ident 0, which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.

Edited config attached (removed passwords and stuff). Last few log lines are at the bottom.

I'm more R&S myself but I see ZBFW is on the CCIE blueprint so figured I'd jump in now.

Thanks in advance for where to look next.

Peter

3 Replies

Julio Carvajal
VIP Alumni

Hello Peter,

It's definitely an inspection issue, as you said.

The router is not able to inspect those sessions, so the only way to make this work right now would be, instead of inspecting that particular traffic, to just do a pass in both directions (put those at the top of the class-map in the policy-map configuration).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Actually, it's even weirder than that.

I have the 2811 with a layer 3 port (f0/1) fronting a 3560 that had 2 VLANs on it, internal and servers. The server in question is a Linux box with 2 NICs. I had one NIC on VLAN 1 and one NIC on VLAN 2 (192.168.168/24 and 192.168.1/24 respectively). Each NIC had multiple aliases (.20-26 on each subnet). I set up 'ip' rules to make all traffic exit out the same interface/IP it came in on.

I renumbered all the servers so that they were all collapsed onto the 192.168.168/24 interface and disabled the now unused 'public' facing NIC and everything works fine with the exact same firewall configuration. There seems to be something that the server is doing when it's returning traffic that is confusing the inspection rules.

If I ended up having to just 'pass' any inbound traffic I'd also have to 'pass' any outbound traffic from those hosts as well, right? At that point I might as well just go back to straight CBAC access-list filtering. Although I'm probably going to just forget about dual NICs on the server and leave it as-is since it seems to work if it's all on the same subnet.
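Julio's suggestion of a non-inspected "pass" class at the top of each policy-map, and Peter's follow-up that the return direction then also needs an explicit pass, look like this in IOS ZBFW syntax. This is an added example, not the thread's attached config: the zone names, interface assignments, the 192.168.168.0/24 subnet and the DMZ service ports come from the thread, while the ACL, class-map and policy-map names, the host range in the ACLs and the ssl-vpn zone-pairs being left out are assumptions.

```cisco
! Added example (not from the thread). Zones and interface membership as described
! in the original post.
zone security internet
zone security local
zone security ssl-vpn
!
interface FastEthernet0/0
 zone-member security internet
interface Tunnel0
 zone-member security internet
interface FastEthernet0/1
 zone-member security local
interface Virtual-Template1
 zone-member security ssl-vpn
!
! Constructed ACLs for the DMZ hosts 192.168.168.20-.26 (names and the /29-style
! wildcard are assumptions; the thread only says ".20 to .26"). One ACL matches
! Internet-to-server traffic, the other the server's return traffic, because a
! "pass" class creates no session entry and the reverse zone-pair must match it too.
ip access-list extended DMZ-SERVER-INBOUND
 permit tcp any 192.168.168.16 0.0.0.15 eq www
 permit tcp any 192.168.168.16 0.0.0.15 eq 443
 permit tcp any 192.168.168.16 0.0.0.15 eq 143
 permit tcp any 192.168.168.16 0.0.0.15 eq 993
 permit tcp any 192.168.168.16 0.0.0.15 eq pop3
 permit tcp any 192.168.168.16 0.0.0.15 eq 995
 permit tcp any 192.168.168.16 0.0.0.15 eq 587
!
ip access-list extended DMZ-SERVER-RETURN
 permit tcp 192.168.168.16 0.0.0.15 eq www any
 permit tcp 192.168.168.16 0.0.0.15 eq 443 any
 permit tcp 192.168.168.16 0.0.0.15 eq 143 any
 permit tcp 192.168.168.16 0.0.0.15 eq 993 any
 permit tcp 192.168.168.16 0.0.0.15 eq pop3 any
 permit tcp 192.168.168.16 0.0.0.15 eq 995 any
 permit tcp 192.168.168.16 0.0.0.15 eq 587 any
!
class-map type inspect match-all DMZ-IN
 match access-group name DMZ-SERVER-INBOUND
class-map type inspect match-all DMZ-RETURN
 match access-group name DMZ-SERVER-RETURN
! Everything else from the local zone is still stateful-inspected.
class-map type inspect match-any LOCAL-OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! The pass classes go first so the DMZ flows never reach the inspect engine
! (that is the ordering Julio describes). Unmatched traffic is dropped and logged.
policy-map type inspect INTERNET-TO-LOCAL
 class type inspect DMZ-IN
  pass
 class class-default
  drop log
!
policy-map type inspect LOCAL-TO-INTERNET
 class type inspect DMZ-RETURN
  pass
 class type inspect LOCAL-OUTBOUND
  inspect
 class class-default
  drop log
!
zone-pair security internet-to-local source internet destination local
 service-policy type inspect INTERNET-TO-LOCAL
zone-pair security local-to-internet source local destination internet
 service-policy type inspect LOCAL-TO-INTERNET
!
! Verification after applying (show commands exist on this platform):
!   show zone-pair security
!   show policy-map type inspect zone-pair local-to-internet sessions
! A pass class shows no session entries; only the inspect class does.
```

The trade-off is what Peter guessed: a pass class is stateless, so the firewall no longer validates TCP flags or sequence numbers on those flows, and a matching pass is needed on the reverse zone-pair or the server's SYN-ACKs are dropped. Keeping the pass ACLs narrow (only the published ports, only the DMZ hosts) limits how much traffic bypasses inspection, and the `drop log` class-default keeps the stray drops visible in the log while the dual-NIC return-path behaviour is being investigated.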

Hello Peter,

That is definitely the issue; at least you now know what is going on and how to remediate it.

Let me know if there is something else I can do for you; if not, please mark the question as answered.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC