ZBF: Required to 'pass' icmp errors in the reverse direction?

Hi,

I've noticed something when having some traffic inspected.

Imagine you have a zone A and a zone B and a policy allowing all connection from A to B:

class-map type inspect match-any cm_all
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect pm_all
 class cm_all
  inspect
!
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all

Now, it turns out that for everything to work as intended, you also need to add a reverse policy B to A that allows icmp errors to pass through.

ip access-list extended acl_icmp_err
 permit icmp any any unreachable
 permit icmp any any ttl-exceeded
!
ipv6 access-list acl_icmp6_err
 permit icmp any any unreachable
 permit icmp any any hop-limit
 permit icmp any any packet-too-big
!
class-map type inspect match-all cm_icmp_err
 match protocol icmp
 match access-group name acl_icmp_err
!
class-map type inspect match-all cm_icmp6_err
 match protocol icmp
 match access-group name acl_icmp6_err
!
policy-map type inspect pm_icmp_err
 class cm_icmp_err
  pass
 class cm_icmp6_err
  pass
!
! Reverse zone-pair (B to A); it must not reuse zp_A_to_B, or this
! service-policy would replace pm_all on the A-to-B pair.
zone-pair security zp_B_to_A source zone_B destination zone_A
 service-policy type inspect pm_icmp_err

Without this, things like PMTU, traceroute, ... won't work.

I would have expected that icmp errors "related" to a currently inspected session would be accepted in the return traffic, but that's apparently not the case.

Can anyone comment on this?

Cheers,

Sylvain
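An added check, not part of the thread and not Cisco's tooling, that audits an IOS running-config for exactly the gap described above: every zone-pair whose policy inspects must have a reverse zone-pair whose policy passes ICMP error types (the same types the ACLs above list, plus time-exceeded). The sample config is constructed from the thread's policy and trimmed; the function names are hypothetical, and it assumes the error class-maps use match-all and standard one-space IOS indentation.

```python
# Constructed sample (trimmed): the A->B inspect policy plus the B->A pass policy.
CONFIG = """ip access-list extended acl_icmp_err
 permit icmp any any unreachable
class-map type inspect match-all cm_icmp_err
 match protocol icmp
 match access-group name acl_icmp_err
policy-map type inspect pm_all
 class cm_all
  inspect
policy-map type inspect pm_icmp_err
 class cm_icmp_err
  pass
zone-pair security zp_A_to_B source zone_A destination zone_B
 service-policy type inspect pm_all
zone-pair security zp_B_to_A source zone_B destination zone_A
 service-policy type inspect pm_icmp_err"""
ICMP_ERRORS = {"unreachable", "ttl-exceeded", "time-exceeded", "hop-limit", "packet-too-big"}

def parse(config):
    """Nest an IOS config by indentation: {top line: {child line: [grandchild lines]}}."""
    tree, top, child = {}, None, None
    for raw in filter(str.strip, config.splitlines()):
        line, depth = raw.strip(), len(raw) - len(raw.lstrip())
        if depth == 0: top, tree[line] = line, {}
        elif depth == 1: child, tree[top][line] = line, []
        else: tree[top][child].append(line)
    return tree

def classes_with(tree, policy, action):
    """Class names given `action` (inspect/pass/drop) in one inspect policy-map."""
    pm = tree.get(f"policy-map type inspect {policy}", {})
    return [c.split()[-1] for c, acts in pm.items() if action in acts]

def matches_icmp_errors(tree, cls):
    """True if the class-map matches protocol icmp plus an ACL permitting ICMP error types."""
    body = tree.get(f"class-map type inspect match-all {cls}", {})
    acls = [m.split()[-1] for m in body if m.startswith("match access-group name ")]
    aces = [a for n in acls for p in ("ip access-list extended ", "ipv6 access-list ")
            for a in tree.get(p + n, {})]
    return "match protocol icmp" in body and any(
        a.startswith("permit icmp") and a.split()[-1] in ICMP_ERRORS for a in aces)

def missing_reverse_icmp_pass(config):
    """(src, dst) zone pairs that inspect but whose reverse pair passes no ICMP errors."""
    tree = parse(config)
    pairs = {(h.split()[4], h.split()[6]): next(iter(b)).split()[-1]
             for h, b in tree.items() if h.startswith("zone-pair security ") and b}
    return [(s, d) for (s, d), p in pairs.items() if classes_with(tree, p, "inspect")
            and not any(matches_icmp_errors(tree, c)
                        for c in classes_with(tree, pairs.get((d, s), ""), "pass"))]
```

Feed it the text of `show running-config`; any pair it returns is one whose return path will drop the unreachable and TTL-exceeded messages that PMTU discovery and traceroute depend on.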

1 REPLY
ZBF: Required to 'pass' icmp errors in the reverse direction ?

WTF ??? The whole thread is gone ???
