Zone based firewall - inspect does not work?

Zone: Outside
  Member Interfaces:
    Dialer0
Zone: Inside
  Member Interfaces:
    Virtual-Template1
    Vlan1102
Zone: Guest
  Member Interfaces:
    Vlan1104

Zone-pair              : Inside-to-Guest
Source Zone            : Inside
Destination Zone       : Guest
Service-policy inspect : Zone-Inside-to-Guest
  Class-map : Default-Inspection(match-any)
  Action : inspect

Class Map type inspect match-any Default-Inspection (id 10)
  Description: Default protocol Inspection class
   Match protocol tcp
   Match protocol udp
   Match protocol icmp




My question is: I cannot make the ZBF work between my internal zones. As you can see above, I've got Zone-Pair: Inside-to-Guest with 'inspect'. Unfortunately, when I tried to ping for the first time, I received:

%FW-6-DROP_PKT: Dropping icmp session GUEST:0    INSIDE:0  due to  policy match failure with ip ident 0

It indicated that the traffic going BACK was blocked... WHY? There is 'inspect'

So I created a new pair: Guest-to-Inside and I changed everything to pass. It DID work. But that is not what I wanted! I wanted INSIDE to access GUEST but Guest should not access Inside. I assumed I could do it with 'inspect' but it did not work.

Let me add that I have exactly the same zone-pair and classes/policies for Inside-to-Outside and it does work with inspect.

Why can I not 'inspect' between my internal zones? Is it because there is no NAT?

5 REPLIES

Zone based firewall - inspect does not work?

Hello,

Well, there is a problem with the communication the hosts are trying to make. The router with the ZBFW enabled will perform a deep packet inspection in order to investigate and confirm whether a session needs to be allowed or not.

In this particular traffic you are seeing here, the inspection was not successful (I mean it is being inspected, just that the traffic did not pass the test (inspection)). That is why with a pass/pass on the right zones it works like a charm.

As you know that this traffic is between internal zones, the pass/pass is okay (it keeps being secure as this is between internal hosts, and you can restrict it by using an ACL).

Regards,

Julio

CSC is a free support community; take your time to rate all the engineers' responses that help you resolve your problems.

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Zone based firewall - inspect does not work?

I do not understand what you are trying to say... a zone is a zone (how would a router know it is an internal zone? No NAT? Maybe I am not using NAT at all?), so why doesn't 'inspect' work between internal zones?

On another board someone suggested it was because I tested it with icmp which is stateless..

Zone based firewall - inspect does not work?

Hello,

First of all, the router is able to inspect ICMP sessions; it can perform a deep packet inspection and work with the echoes and echo-replies.

Now let me explain myself again, I was way too tired yesterday.

Traffic from Inside to Guest is being inspected, but the traffic is not passing the inspection engine (this could be because of asymmetric routing, invalid payload, etc., etc.).

So that being the case, that is why the traffic is being allowed with pass/pass: the router does not become as specific as with the inspection engine.

Do you see what I mean?

Julio

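The distinction Julio draws between 'inspect' and 'pass', as an added example that is not part of this thread and not Cisco code: a toy Python model of zone-pair evaluation. The zone names follow the poster's configuration; the host addresses, echo identifiers and the "reply arrives through a different zone" case are constructed. The model reproduces only the behaviour under discussion: 'inspect' records a session on the initiating packet and admits the reply by matching that session, 'pass' forwards statelessly in one direction with no session, and a packet for which no zone-pair policy exists is dropped, which is the 'policy match failure' outcome the poster saw when the echo-reply did not match a session.

```python
"""Toy model of IOS zone-based firewall zone-pair actions (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_zone: str   # zone of the interface the packet arrived on
    out_zone: str  # zone of the interface the route points out of
    proto: str     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int     # for icmp: the echo identifier
    dport: int     # for icmp: 0


FlowKey = Tuple[str, str, str, str, str, int, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.in_zone, p.out_zone, p.proto, p.src, p.dst, p.sport, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    """Key the reply is expected to carry: zones and addresses swapped.
    TCP/UDP swap the ports; an ICMP echo-reply keeps the same identifier."""
    if p.proto == "icmp":
        return (p.out_zone, p.in_zone, p.proto, p.dst, p.src, p.sport, p.dport)
    return (p.out_zone, p.in_zone, p.proto, p.dst, p.src, p.dport, p.sport)


class ZoneFirewall:
    def __init__(self, policies: Dict[Tuple[str, str], str]) -> None:
        # (source zone, destination zone) -> "inspect" | "pass" | "drop"
        self.policies = policies
        self.sessions: Set[FlowKey] = set()

    def forward(self, p: Packet) -> Tuple[str, str]:
        # Interfaces in the same zone talk freely; no zone-pair is consulted.
        if p.in_zone == p.out_zone:
            return ("permit", "intra-zone")
        # Return traffic of an inspected session is matched before any policy lookup.
        if flow_key(p) in self.sessions:
            return ("permit", "matched inspected session")
        action = self.policies.get((p.in_zone, p.out_zone), "drop")
        if action == "inspect":
            self.sessions.add(flow_key(p))      # forward direction
            self.sessions.add(reverse_key(p))   # expected reply
            return ("permit", "inspect: session created")
        if action == "pass":
            return ("permit", "pass: stateless, no session")
        # No zone-pair for this direction (or explicit drop): the packet is dropped.
        return ("drop", f"policy match failure {p.in_zone}->{p.out_zone}")


# Constructed hosts (RFC 5737 documentation ranges) and echo identifiers.
INSIDE_HOST, GUEST_HOST = "192.0.2.10", "198.51.100.20"
ECHO = Packet("Inside", "Guest", "icmp", INSIDE_HOST, GUEST_HOST, 0x1234, 0)
REPLY = Packet("Guest", "Inside", "icmp", GUEST_HOST, INSIDE_HOST, 0x1234, 0)
GUEST_INITIATED = Packet("Guest", "Inside", "icmp", GUEST_HOST, INSIDE_HOST, 0x9999, 0)
# Constructed asymmetric case: the reply comes back through an Outside-zone interface.
ASYMMETRIC_REPLY = Packet("Outside", "Inside", "icmp", GUEST_HOST, INSIDE_HOST, 0x1234, 0)


def scenario_inspect_only() -> Tuple[str, str, str]:
    """Inside->Guest inspect and no Guest->Inside pair: what the poster wanted."""
    fw = ZoneFirewall({("Inside", "Guest"): "inspect"})
    return (fw.forward(ECHO)[0], fw.forward(REPLY)[0], fw.forward(GUEST_INITIATED)[0])


def scenario_pass_both_ways() -> Tuple[str, str, str]:
    """pass/pass on both pairs: replies work, but Guest may now initiate too."""
    fw = ZoneFirewall({("Inside", "Guest"): "pass", ("Guest", "Inside"): "pass"})
    return (fw.forward(ECHO)[0], fw.forward(REPLY)[0], fw.forward(GUEST_INITIATED)[0])


def scenario_asymmetric_reply() -> Tuple[str, str]:
    """The reply enters through a zone the session does not expect, so it fails policy."""
    fw = ZoneFirewall({("Inside", "Guest"): "inspect"})
    fw.forward(ECHO)
    return fw.forward(ASYMMETRIC_REPLY)


if __name__ == "__main__":
    print("inspect only     :", scenario_inspect_only())
    print("pass both ways   :", scenario_pass_both_ways())
    print("asymmetric reply :", scenario_asymmetric_reply())
```

Run it and compare the three scenarios: with 'inspect' alone the echo and its reply are permitted while a Guest-initiated echo is dropped, which is the policy the poster was after; with pass/pass everything is permitted in both directions; and a reply that enters through a zone the session did not predict is dropped for lack of a matching zone-pair, the same class of failure Julio attributes to asymmetric routing.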

Zone based firewall - inspect does not work?

Ok... any reason why it was happening???

What is so special about inside-to-guest (does not work) vs inside-to-outside (works great). Rules, policies etc are the same!

Zone based firewall - inspect does not work?

Hello,

Again, this could be because of invalid flags, invalid TCP headers or payloads, etc.

Now, in order to check what is happening you should take captures on both devices (run Wireshark) and check if you see anything that is not normal in the packets.

Does this happen with all the data exchanged between the servers (UDP, ICMP, TCP)?

What is in between the two subnets besides the router?

Julio
