ZBF problem or IOS bug

Krasnoperov · ‎03-22-2012

Hi , I have simple rules in ZBF

class-map type inspect match-all DMZ310_TO_INTERNET_PASS

match access-group name DMZ310_TO_INTERNET_PASS

!

class-map type inspect match-all DMZ310->INTERNET_INSP_COMB

match access-group name DMZ310_TO_INTERNET_INSPECT

match class-map DMZ310->INT_INSPECTION_PROTOCOLS

!

class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS

description ---=============

match protocol tcp

match protocol icmp

match protocol dns

match protocol user-nashssh

match protocol http

match protocol udp

!

policy-map type inspect DMZ310->INTERNET_POLICY

class type inspect DMZ310_TO_INTERNET_PASS

pass

class type inspect DMZ310->INTERNET_INSP_COMB

inspect

class class-default

drop

!

zone security INTERNET

!

zone security DMZ310

!

zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET

service-policy type inspect DMZ310->INTERNET_POLICY

!

interface GigabitEthernet0/1.310

encapsulation dot1Q 310

ip address 1.1.1.2 255.255.255.128

ip nat outside

ip virtual-reassembly in

zone-member security DMZ310

standby 3 ip 1.1.1.1

standby 3 priority 15

standby 3 preempt

ip policy route-map BGP-DEFAULT-ROUTE

service-policy input POLICE_DMZ310_IN

service-policy output POLICE_DMZ310_OUT

!

interface GigabitEthernet0/1.301

description -=ISP=-

encapsulation dot1Q 301

ip address 2.2.2.2 255.255.255.252

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security INTERNET

!

ip access-list extended DMZ310_TO_INTERNET_INSPECT

permit icmp host 1.1.1.5 any

permit ip host 1.1.1.5 any

deny ip any any

1)From host 1.1.1.5 I can ping any host to INTERNET, and I see my session, but when I try ant TCP connection it's faild, no session I can see.

2)If I add this host to my passing ACL DMZ310_TO_INTERNET_PASS and backpassACL INTERNET_TO_DMZ310_PASS

permit icmp host 1.1.1.5 any

permit ip host 1.1.1.5 any

it works, TCP works

why so?

thanks

Henrik Grankvist · ‎03-22-2012

Don't know if this is just been left since you did your "pass-test", but:

policy-map type inspect DMZ310->INTERNET_POLICY

class type inspect DMZ310_TO_INTERNET_PASS <----------------- Is treated before the inspect statement at the row after it

pass

class type inspect DMZ310->INTERNET_INSP_COMB

inspect

class class-default

drop

And that class-map I'm pointing at matches a access-list that doesn't exist atm.

Krasnoperov · ‎03-22-2012

If you mean that I should just change PASS and put it after INSPECT, I did this, but nothing change

policy-map type inspect DMZ310->INTERNET_POLICY

class type inspect DMZ310->INTERNET_INSP_COMB

inspect

class type inspect DMZ310_TO_INTERNET_PASS

pass

class class-default

drop

In fact in my acl in this rule

class type inspect DMZ310_TO_INTERNET_PASS

exist

I just forget to paste in my config in this discussion

access list DMZ310_TO_INTERNET_PASS

permit ip host 1.1.1.10 any

deny ip any any

Henrik Grankvist · ‎03-22-2012

And I would remove the "permit icmp host 1.1.1.5 any from the "DMZ310_TO_INTERNET_INSPECT" access-list:

ip access-list extended DMZ310_TO_INTERNET_INSPECT

permit ip host 1.1.1.5 any

Because you already have ICMP in the "DMZ310->INT_INSPECTION_PROTOCOLS" class-map and maybe that is doing something weird, I don't know, worth a try!

Krasnoperov · ‎03-22-2012

And this I try to do, but nothing change

Krasnoperov · ‎03-22-2012

Well I think it's just a bug, because I just copy all my rules (policy-map,class-maps,ACLs), change they names(add 1 at the end)(router change their ID's I suppose), and point this to my zone-pair security and it works fine!

class-map type inspect match-all DMZ310_TO_INTERNET_PASS1

match access-group name DMZ310_TO_INTERNET_PASS1

!

class-map type inspect match-all DMZ310->INTERNET_INSP_COMB1

match access-group name DMZ310_TO_INTERNET_INSPECT1

match class-map DMZ310->INT_INSPECTION_PROTOCOLS1

!

class-map type inspect match-any DMZ310->INT_INSPECTION_PROTOCOLS1

description ---=============

match protocol tcp

match protocol icmp

match protocol dns

match protocol user-nashssh

match protocol http

match protocol udp

!

policy-map type inspect DMZ310->INTERNET_POLICY1

class type inspect DMZ310_TO_INTERNET_PASS1

pass

class type inspect DMZ310->INTERNET_INSP_COMB1

inspect

class class-default

drop

!

zone security INTERNET

!

zone security DMZ310

!

zone-pair security DMZ310->INTERNET source DMZ310 destination INTERNET

service-policy type inspect DMZ310->INTERNET_POLICY1

!

interface GigabitEthernet0/1.310

encapsulation dot1Q 310

ip address 1.1.1.2 255.255.255.128

ip nat outside

ip virtual-reassembly in

zone-member security DMZ310

standby 3 ip 1.1.1.1

standby 3 priority 15

standby 3 preempt

ip policy route-map BGP-DEFAULT-ROUTE

service-policy input POLICE_DMZ310_IN

service-policy output POLICE_DMZ310_OUT

!

interface GigabitEthernet0/1.301

description -=ISP=-

encapsulation dot1Q 301

ip address 2.2.2.2 255.255.255.252

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security INTERNET

!

ip access-list extended DMZ310_TO_INTERNET_INSPECT1

permit icmp host 1.1.1.5 any

permit ip host 1.1.1.5 any

deny ip any any

Henrik Grankvist · ‎03-23-2012

Ok, good! Thats good to know