Cisco Support Community
Zone Based Firewall Denials

I am having trouble with Sun Unix NFS and NIS between two servers, one that is outside the firewall (192.168.20.1) and the NFS/NIS server (192.168.10.1) that is inside. Even though I have NFS selected as an allowed protocol, it appears that we get frequent denials from the inside zone to the outside zone between these two servers on high port numbers. So rather than fight this, I added a rule as follows using SDM. My question is... Is this the proper way to specify a zone-based rule where I want to allow ALL protocols? SDM says if you do not specifically ADD a protocol, it allows ALL protocols; however, if you look further below at my syslog, it is obvious that this is not working. I have also noticed that the cause of this is due to a Stray Segment with ip ident 0. Can anyone tell me if this is due to my rule, or what could cause a "stray segment" if that is the cause? Thanks in advance.

-------------------------------------------------------------------

class-map type inspect match-all cls-sum-gc3_server_in_out
 match access-group name acl-gc3_server_in_out

policy-map type inspect pm-inspect-in-out
 class type inspect cls-sum-gc3_in_out
  inspect pm-increase_tcp_idle_timeout
 class type inspect cls-sum-gc3_server_in_out
  inspect
 class class-default
  drop

zone-pair security zp-in-out source GC3-zone destination ULA-Corp-zone
 service-policy type inspect pm-inspect-in-out

ip access-list extended acl-gc3_server_in_out
 remark SDM_ACL Category=128
 permit ip host 192.168.10.1 192.168.0.0 0.0.255.255

-------------------------------------------------------------------

syslog denial examples

Jul 21 13:22:40 silrt0g1 19060: Jul 21 13:22:39.547: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61395  due to  Stray Segment with ip ident 0
Jul 21 13:37:25 silrt0g1 19061: Jul 21 13:37:24.551: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61505  due to  Stray Segment with ip ident 0
Jul 21 13:43:19 silrt0g1 19064: Jul 21 13:43:18.330: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61515 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:20:59 silrt0g1 19075: Jul 21 14:20:58.692: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61742 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:25:44 silrt0g1 19076: Jul 21 14:25:43.470: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61770 192.168.10.1:908  due to  Stray Segment with ip ident 0
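To get a quick read on what these drops have in common, here is an added Python helper (not from the post or from Cisco) that parses %FW-6-DROP_PKT lines, counts the drop reasons, and for each host pair reports the drops seen in each direction together with the port that stays fixed across all of them, which is the server-side port. The sample input is the five lines quoted above.

```python
import re
from collections import Counter

# The five %FW-6-DROP_PKT lines quoted in the post, embedded here as sample input.
SAMPLE_LOG = """\
Jul 21 13:22:40 silrt0g1 19060: Jul 21 13:22:39.547: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61395  due to  Stray Segment with ip ident 0
Jul 21 13:37:25 silrt0g1 19061: Jul 21 13:37:24.551: %FW-6-DROP_PKT: Dropping tcp session 192.168.10.1:908 192.168.20.1:61505  due to  Stray Segment with ip ident 0
Jul 21 13:43:19 silrt0g1 19064: Jul 21 13:43:18.330: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61515 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:20:59 silrt0g1 19075: Jul 21 14:20:58.692: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61742 192.168.10.1:908  due to  Stray Segment with ip ident 0
Jul 21 14:25:44 silrt0g1 19076: Jul 21 14:25:43.470: %FW-6-DROP_PKT: Dropping tcp session 192.168.20.1:61770 192.168.10.1:908  due to  Stray Segment with ip ident 0
"""

# Matches the message body only; the syslog and IOS timestamp prefixes are skipped by search().
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+due to\s+(?P<reason>.+?)\s*$"
)


def parse_drop(line):
    """Return the fields of one %FW-6-DROP_PKT line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def summarize(log_text):
    """Count drop reasons and, per unordered host pair, the drops in each direction
    plus the port(s) present in every drop for that pair (the server side)."""
    drops = [d for d in map(parse_drop, log_text.splitlines()) if d]
    reasons = Counter(d["reason"] for d in drops)
    pairs = {}
    for d in drops:
        key = tuple(sorted((d["src"], d["dst"])))
        entry = pairs.setdefault(key, {"count": 0, "directions": Counter(), "ports": None})
        entry["count"] += 1
        entry["directions"][f'{d["src"]}->{d["dst"]}'] += 1
        ports = {d["sport"], d["dport"]}
        entry["ports"] = ports if entry["ports"] is None else entry["ports"] & ports
    for entry in pairs.values():
        entry["stable_ports"] = sorted(entry.pop("ports"))  # port common to every drop
    return {"reasons": reasons, "pairs": pairs}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(dict(report["reasons"]))
    for pair, info in report["pairs"].items():
        print(pair, info["count"], info["stable_ports"], dict(info["directions"]))
```

On the quoted lines this shows one reason for every drop, a single host pair, and port 908 on the NFS server side with ephemeral ports on the client side, logged in both directions.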
