Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1086
Views
0
Helpful
0
Replies

Zone Based Firewall Denials

sdniel
Level 1
Level 1

‎07-21-2010 12:10 PM - edited ‎03-11-2019 11:14 AM

I am having trouble with Sun Unix NFS and NIS between two servers, one that is outside the firewall (192.168.20.1) and the NFS/NIS server (192.168.10.1) that is inside.  Even though I have NFS selected as an allowed protocol, it appears that we get frequent denials from the inside zone to the outside zone between these two servers an high port numbers.  So rather than fight this, I added a rule as follows using SDM.  My question is... Is this the proper way to specify a zone based rule where I want to allow ALL protocols?  SDM says if you do not specifically ADD a protocol, it allows ALL protocols; however, if you look further below at my syslog, it is obvious this this is not working.  I have also noticed that the cause of this is due to a Stray Segment with ip ident 0.  Can anyone tell me if this is due to my rule or what could cause a "stray segment" if that is the cause?  Thanks in advance.

-------------------------------------------------------------------

class-map type inspect match-all cls-sum-gc3_server_in_out
 match access-group name acl-gc3_server_in_out

policy-map type inspect pm-inspect-in-out
 class type inspect cls-sum-gc3_in_out
  inspect pm-increase_tcp_idle_timeout
 class type inspect cls-sum-gc3_server_in_out
  inspect

class class-default
  drop

zone-pair security zp-in-out source GC3-zone destination ULA-Corp-zone
service-policy type inspect pm-inspect-in-out

ip access-list extended acl-gc3_server_in_out
remark SDM_ACL Category=128
permit ip host 192.168.10.1 192.168.0.0 0.0.255.255

-------------------------------------------------------------------

syslog denial examples

Jul 21 13:22:40 silrt0g1 19060: Jul 21 13:22:39.547: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61395  due to  Stray Segment with ip ident 0
Jul 21 13:37:25 silrt0g1 19061: Jul 21 13:37:24.551: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61505  due to  Stray Segment with ip ident 0
Jul 21 13:43:19 silrt0g1 19064: Jul 21 13:43:18.330: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61515 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:20:59 silrt0g1 19075: Jul 21 14:20:58.692: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61742 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:25:44 silrt0g1 19076: Jul 21 14:25:43.470: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61770 192.168.10.1:908  due to  Stray Segment with ip ident 0

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card