ZFW question

endpoint
Level 1

Hi,

Here is an example of a ZFW setup on an IOS 2800 router. Below are the error messages I am getting and the router config.

I am wondering why I am getting the "...due to Invalid Segment with ip ident 0" error message. Should it just be dropping the session because of the ZFW configuration?

IOS version is advipservicesk9-m, 15.1(1)T

Thanks

R2-IPX#
*Jan  6 23:19:43: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.7.7.20)
R2-IPX#
*Jan  6 23:19:49: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Segment with ip ident 0
R2-IPX#
*Jan  6 23:20:38: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0
R2-IPX#
*Jan  6 23:21:31: %FW-6-DROP_PKT: Dropping tcp session 10.7.7.30:4167 10.34.34.250:9001 on zone-pair INSIDE-DC class CM-TCPUDP due to  Invalid Flags with ip ident 0
R2-IPX#
R2-IPX#
R2-IPX#
R2-IPX#sh run
Building configuration...

Current configuration : 5400 bytes
!
! Last configuration change at 23:19:43 UTC Fri Jan 6 2012 by admin
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname R2-IPX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096
!
aaa new-model
!
!
aaa group server tacacs+ AAA
 server 10.7.7.30
!
aaa authentication login AAA group tacacs+ local
aaa authentication login AAA-LOCAL local
aaa authentication enable default group AAA enable
aaa authorization commands 1 default group AAA if-authenticated
aaa authorization commands 15 default group AAA if-authenticated
aaa accounting exec default
 action-type start-stop
 group AAA
!
aaa accounting commands 1 default
 action-type start-stop
 group AAA
!
aaa accounting commands 15 default
 action-type start-stop
 group AAA
!
aaa accounting network default
 action-type start-stop
 group AAA
!
aaa accounting connection default
 action-type start-stop
 group AAA
!
aaa accounting system default
 action-type start-stop
 group AAA
aaa session-id common
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name ip.net
ip port-map user-PORT9001 port tcp 9001
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 log dropped-packets enable
!
voice-card 0
!
!
!
username admin privilege 15 password 0 password
!
redundancy
!
!
!
class-map type inspect match-any CM-TCPUDP
 description **Inspect tcp OR udp**
 match protocol tcp
 match protocol udp
class-map type inspect match-all user-PORT9001
 match protocol user-PORT9001
class-map type inspect match-all CM-ICMP
 description **to match prot icmp and types defined in ICMP**
 match protocol icmp
 match access-group name ICMP
!
!
policy-map type inspect PM-INSIDE->DC
 description ** from INSIDE to DC **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-EXEC->DC
 description **port mapping from EXEC to DC **
 class type inspect user-PORT9001
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->EXEC
 class type inspect CM-ICMP
 class class-default
  drop
policy-map type inspect PM-EXEC->OUTSIDE
 description **from EXEC to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-IN->OUTSIDE
 description **from INSIDE to OUTSIDE**
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
policy-map type inspect PM-DC->OUTSIDE
 description ** from DC to OUTSIDE **
 class type inspect CM-TCPUDP
  inspect
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
zone security OUTSIDE
zone security INSIDE
zone security EXEC
zone security DC
zone-pair security IN-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN->OUTSIDE
zone-pair security EXEC-OUTSIDE source EXEC destination OUTSIDE
 service-policy type inspect PM-EXEC->OUTSIDE
zone-pair security DC-OUTSIDE source DC destination OUTSIDE
 service-policy type inspect PM-DC->OUTSIDE
zone-pair security INSIDE-DC source INSIDE destination DC
 service-policy type inspect PM-INSIDE->DC
zone-pair security EXEC-DC source EXEC destination DC
 service-policy type inspect PM-EXEC->DC
zone-pair security DC-EXEC source DC destination EXEC
 service-policy type inspect PM-DC->EXEC
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 2.2.2.2 255.0.0.0
!
interface FastEthernet0/0
 ip address 192.1.24.102 255.255.255.0
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface FastEthernet0/0.8
 shutdown
!
interface FastEthernet0/0.9
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.7
 encapsulation dot1Q 7
 ip address 10.7.7.102 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0/1.34
 encapsulation dot1Q 34
 ip address 10.34.34.102 255.255.255.0
 zone-member security DC
!
interface FastEthernet0/1.44
 encapsulation dot1Q 44
 ip address 10.44.44.102 255.255.255.0
 zone-member security EXEC
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
router ospf 1
 log-adjacency-changes
 network 10.7.7.0 0.0.0.255 area 100
 network 10.34.34.0 0.0.0.255 area 100
 network 10.44.44.0 0.0.0.255 area 100
 network 10.100.100.0 0.0.0.255 area 100
 network 192.1.24.0 0.0.0.255 area 100
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static 10.7.7.20 192.1.24.20
ip route 1.0.0.0 255.0.0.0 FastEthernet0/0
ip route 3.0.0.0 255.0.0.0 FastEthernet0/0
ip route 7.7.7.7 255.255.255.255 192.1.24.108
ip route 10.88.88.0 255.255.255.0 192.1.24.108
ip route 10.100.100.0 255.255.255.0 192.1.24.103
!
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
!
control-plane
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 60 0
 privilege level 15
 logging synchronous
 login authentication AAA-LOCAL
line aux 0
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login authentication AAA
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

3 Replies

Julio Carvajal
VIP Alumni

Hello,

Are you getting these logs just for traffic going to port 9001?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Not just for port 9001;

for traffic in the INSIDE->OUTSIDE direction I got a dropped TCP session due to "stray segment with ip ident 0".

Hello,

Okay, so all traffic gets dropped; can you be a little more specific, please?

Then I will look for an answer on this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC