ZFW question

Hi,

Here is an example of a ZFW setup on an IOS 2800 router. Below are the error messages I am getting and the router config.

Wondering why I am getting the "...due to  Invalid Segment with ip ident 0" error message? Should it just be a session being dropped because of the ZFW configuration?

IOS version is advipservicesk9-m, 15.1(1)T

Thanks

R2-IPX#
*Jan  6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)
R2-IPX#
*Jan  6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Segment with ip ident 0
R2-IPX#
*Jan  6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0
R2-IPX#
*Jan  6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0
R2-IPX#
R2-IPX#
R2-IPX#
R2-IPX#sh run
Building configuration...

Current configuration : 5400 bytes
!
! Last configuration change at 23:19:43 UTC Fri Jan 6 2012 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R2-IPX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096
!
aaa new-model
!
!
aaa group server tacacs+ AAA
 server 10.7.7.30
!
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
 action-type start-stop
 group AAA
!
aaa accounting commands 1 default
 action-type start-stop
 group AAA
!
aaa accounting commands 15 default
 action-type start-stop
 group AAA
!
aaa accounting network default
 action-type start-stop
 group AAA
!
aaa accounting connection default
 action-type start-stop
 group AAA
!
aaa accounting system default
 action-type start-stop
 group AAA
aaa session-id common
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name ip.net
ip port-map user-PORT9001 port tcp 9001
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 log dropped-packets enable
!
voice-card 0
!
!
!
username admin privilege 15 password 0 password
!
redundancy
!
!
!
class-map type inspect match-any CM-TCPUDP
 description **Inspect tcp OR udp**
 match protocol tcp
 match protocol udp
class-map type inspect match-all user-PORT9001
 match protocol user-PORT9001
class-map type inspect match-all CM-ICMP
 description **to match prot icmp and types defined in ICMP**
 match protocol icmp
 match access-group name ICMP
!
!
policy-map type inspect PM-INSIDE->DC
 description ** from INSIDE to DC **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-EXEC->DC
 description **port mapping from EXEC to DC **
 class type inspect user-PORT9001
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->EXEC
 class type inspect CM-ICMP
 class class-default
  drop
policy-map type inspect PM-EXEC->OUTSIDE
 description **from EXEC to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-IN->OUTSIDE
 description **from INSIDE to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->OUTSIDE
 description ** from DC to OUTSIDE **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone security EXEC
zone security DC
zone-pair security IN-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN->OUTSIDE
zone-pair security EXEC-OUTSIDE source EXEC destination OUTSIDE
 service-policy type inspect PM-EXEC->OUTSIDE
zone-pair security DC-OUTSIDE source DC destination OUTSIDE
 service-policy type inspect PM-DC->OUTSIDE
zone-pair security INSIDE-DC source INSIDE destination DC
 service-policy type inspect PM-INSIDE->DC
zone-pair security EXEC-DC source EXEC destination DC
 service-policy type inspect PM-EXEC->DC
zone-pair security DC-EXEC source DC destination EXEC
 service-policy type inspect PM-DC->EXEC
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.1.24.102 255.255.255.0
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface FastEthernet0/0.8
 shutdown
!
interface FastEthernet0/0.9
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.7
 encapsulation dot1Q 7
 ip address 10.7.7.102 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0/1.34
 encapsulation dot1Q 34
 ip address 10.34.34.102 255.255.255.0
 zone-member security DC
!
interface FastEthernet0/1.44
 encapsulation dot1Q 44
 ip address 10.44.44.102 255.255.255.0
 zone-member security EXEC
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
router ospf 1
 log-adjacency-changes
 network 10.7.7.0 0.0.0.255 area 100
 network 10.34.34.0 0.0.0.255 area 100
 network 10.44.44.0 0.0.0.255 area 100
 network 10.100.100.0 0.0.0.255 area 100
 network 192.1.24.0 0.0.0.255 area 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 10.7.7.20 192.1.24.20
ip route 1.0.0.0 255.0.0.0 FastEthernet0/0
ip route 3.0.0.0 255.0.0.0 FastEthernet0/0
ip route 7.7.7.7 255.255.255.255 192.1.24.108
ip route 10.88.88.0 255.255.255.0 192.1.24.108
ip route 10.100.100.0 255.255.255.0 192.1.24.103
!
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 login authentication AAA-LOCAL
line aux 0
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login authentication AAA
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

3 REPLIES

ZFW question

Hello,

Are you getting these logs just for traffic going to port 9001?

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

ZFW question

Not just for port 9001;

for traffic in the direction INSIDE->OUTSIDE I got a dropped tcp session due to "stray segment with ip ident 0".
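A tally of the %FW-6-DROP_PKT lines answers the "is it only port 9001?" question faster than reading them one by one. The script below is an added example, not code from this thread: it parses the IOS ZFW drop message format shown in the post and counts drops per zone-pair, class, destination port and reason. Its sample input is constructed from the three lines in the post plus one IN-OUTSIDE "Stray Segment" line of the kind just mentioned, with an assumed timestamp, source port and destination.

```python
import re
from collections import Counter

# Pattern for the IOS ZFW drop message shown in the post:
# "... Dropping tcp session A:p B:q on zone-pair ZP class CM due to  R with ip ident N"
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) with ip ident (?P<ident>\d+)"
)

# Constructed sample: the three drops from the post, the CONFIG_I line that must
# be ignored, and one IN-OUTSIDE "Stray Segment" drop with an assumed timestamp,
# source port and destination (the thread quotes no such line verbatim).
SAMPLE_LOG = [
    "*Jan  6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)",
    "*Jan  6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Segment with ip ident 0",
    "*Jan  6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0",
    "*Jan  6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 "
    "on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0",
    "*Jan  6 23:25:02: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.20:51000 7.7.7.7:80 "
    "on zone-pair IN-OUTSIDE class CM-TCPUDP due to  Stray Segment with ip ident 0",
]

def parse_drop(line):
    """Return the fields of one %FW-6-DROP_PKT line as a dict, or None."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "ident"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Count drops per (zone-pair, class, destination port, drop reason)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is not None:
            counts[(rec["pair"], rec["cls"], rec["dport"], rec["reason"])] += 1
    return counts

def ports_seen(counts):
    """Sorted destination ports with drops: answers 'is it only port 9001?'."""
    return sorted({key[2] for key in counts})
```

Feed `summarize()` the output of `show logging` (one line per element) and a non-zero count for a reason on a zone-pair other than INSIDE-DC shows the drops are not confined to the 9001 traffic.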

ZFW question

Hello,

Okay, so all traffic gets dropped; can you be a little more specific, please?

Then I will look for an answer on this.

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com