I'm trying to run ZBFW on a 2811 with IOS version 15.3(T4) and I'm running into a strange issue I'm not quite sure how to troubleshoot.
I have 3 zones, internet, local, and ssl-vpn.
The rules I'm trying to enforce are: all traffic from SSL-VPN can go to anywhere, anywhere can go to SSL-VPN. Anything originating from local can go out. Certain ports can come in for DMZ services (http, https, imap/s, pop3/s, submission).
After rebooting the router and applying f0/0 and tun0 to internet, f0/1 to local, and virtual-template 1 to ssl-vpn things work fine. But after a while I stop being able to connect to servers at the high end of the subnet. (I have .20 to .26 configured with the services, .20, .21 work fine always, .22 and up stop responding). Remove interfaces from the ZBFW, no problem at all. Apply ZBFW, traffic stops.
I'm seeing dropped sessions in the log on zone-pair local-to-internet, invalid flags with ip ident 0, which I think is outbound traffic attempted for no inbound inspect entry, but everything should be allowed out, and the traffic is to port 80 which is allowed by 'match protocol http' on the inbound policy.
Edited config attached (removed passwords and stuff). Last few log lines are at the bottom.
I'm more R&S myself but I see ZBFW is on the CCIE blueprint so figured I'd jump in now.
The router is not able to inspect those sessions, so the only way to make this work right now would be, instead of inspecting that particular traffic, to just do a pass in both directions (put those at the top of the class-map in the policy-map configuration).
Julio Carvajal Senior Network Security and Core Specialist CCIE #42930, 2xCCNP, JNCIP-SEC
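An added configuration example (not the poster's attached config) of the workaround described in this answer: a pass class placed ahead of the inspect class in both zone-pairs. Zone names follow the thread; the host address, ACL names, class-map and policy-map names are assumptions.

```ios
! Added example, not the original poster's configuration.
! Assumption: only .22 is shown; repeat the ACL entries for .23 - .26.
! pass creates no session entry, so the return direction must be passed
! explicitly as well, and the ACLs must list only the services actually exposed.
zone security internet
zone security local
zone security ssl-vpn
!
ip access-list extended DMZ-PUBLIC-SERVICES
 permit tcp any host 192.168.168.22 eq 80 443 110 143 587 993 995
ip access-list extended DMZ-PUBLIC-RETURN
 permit tcp host 192.168.168.22 eq 80 443 110 143 587 993 995 any
!
class-map type inspect match-all CM-DMZ-PASS-IN
 match access-group name DMZ-PUBLIC-SERVICES
class-map type inspect match-all CM-DMZ-PASS-OUT
 match access-group name DMZ-PUBLIC-RETURN
class-map type inspect match-any CM-INSPECT-IN
 match protocol http
 match protocol https
 match protocol imap
 match protocol pop3
 match protocol smtp
class-map type inspect match-any CM-INSPECT-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Classes are evaluated top-down, first match wins: the pass class goes first
! so these flows never reach the inspect action that was dropping them.
policy-map type inspect PM-INTERNET-TO-LOCAL
 class type inspect CM-DMZ-PASS-IN
  pass
 class type inspect CM-INSPECT-IN
  inspect
 class class-default
  drop log
policy-map type inspect PM-LOCAL-TO-INTERNET
 class type inspect CM-DMZ-PASS-OUT
  pass
 class type inspect CM-INSPECT-OUT
  inspect
 class class-default
  drop log
!
zone-pair security internet-to-local source internet destination local
 service-policy type inspect PM-INTERNET-TO-LOCAL
zone-pair security local-to-internet source local destination internet
 service-policy type inspect PM-LOCAL-TO-INTERNET
```

Passed flows will not appear in `show policy-map type inspect zone-pair sessions`, since no state is kept for them; the class counters in `show policy-map type inspect zone-pair` confirm the pass class is being hit.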
I have the 2811 with a layer 3 port (f0/1) fronting a 3560 that had 2 VLANs on it, internal and servers. The server in question is a Linux box with 2 NICs. I had one NIC on VLAN 1 and one NIC on VLAN 2 (192.168.168/24 and 192.168.1/24 respectively). Each NIC had multiple aliases (.20-26 on each subnet). I set up 'ip' rules to make all traffic exit out the same interface/IP it came in on.
I renumbered all the servers so that they were all collapsed onto the 192.168.168/24 interface and disabled the now unused 'public' facing NIC and everything works fine with the exact same firewall configuration. There seems to be something that the server is doing when it's returning traffic that is confusing the inspection rules.
If I ended up having to just 'pass' any inbound traffic I'd also have to 'pass' any outbound traffic from those hosts as well, right? At that point I might as well just go back to straight CBAC access-list filtering. Although I'm probably going to just forget about dual NICs on the server and leave it as-is since it seems to work if it's all on the same subnet.