[c-nsp] Zone Based Firewall default-class

Steve McCrory SteveMc at netservicesplc.com
Mon Jul 12 09:01:01 EDT 2010


Hi Jay,

The action 'pass' on the class-default is different from 'inspect' as it
does not perform stateful inspection and, therefore, there is no state
table for return traffic to be compared against.

As such, even though traffic was initiated from inside, the router
thinks the return traffic is the initiator and drops the traffic.

Can you configure your class-default with an 'inspect' action instead?

Steven
 
Steven McCrory
 
Senior Network Engineer
 
Netservices PLC
Waters Edge Business Park
Modwen Road
Manchester, M5 3EZ
 
www.netservicesplc.com

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Nakamura
Sent: 09 July 2010 21:08
To: cisco-nsp
Subject: [c-nsp] Zone Based Firewall default-class

I have a strange problem with ZBFW or I am just missing something
obvious.

3845 running 12.4(24)T advipservices

I am trying to apply a firewall rule between two entities.  Since I am
not 100% sure what all traffic is passing through the two, I wanted to
write rules for what I know and pass anything I don't know but log it
so I can find out if that's supposed to be there or not.


policy-map type inspect InPMAP
 class type inspect GeneralInCMAP
  inspect
 class class-default
  pass log

policy-map type inspect OutPMAP
 class type inspect GeneralOutCMAP
  inspect
 class class-default
  pass log


zone security Inside
zone security Other

zone-pair security Other-to-Inside source Other destination Inside
 service-policy type inspect InPMAP
zone-pair security Inside-to-Other source Inside destination Other
 service-policy type inspect OutPMAP

However, once I apply the zone, I get this

Jul  9 15:04:51 192.168.1.253 266: Jul  9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 =>
172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)
Jul  9 15:04:51 192.168.1.253 267: Jul  9 15:04:50 EDT:
%FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 =>
192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)

So, in one direction it's passing traffic as intended, but in the other
direction it's dropping it on "class-default".

What am I doing wrong?  Or do I need to create a class-map that allows
everything and pass it in that class?

Is this a bug?
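As an added example (not part of either post), a small Python parser for the %FW-6-LOG_SUMMARY lines quoted above: it totals packet counts per zone-pair, class and action, and flags dropped flows that are the exact reverse of a flow passed on the opposite zone-pair, the stateless-'pass' symptom described in the reply. The third sample line is constructed to show that pairing; the syslog relay prefix is assumed stripped.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the %FW-6-LOG_SUMMARY messages quoted in the
# post. The third line is constructed as the return half of the second (passed) flow.
SAMPLE_LOGS = [
    "Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were dropped from 192.168.1.143:1888 => "
    "172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)",
    "Jul  9 15:04:50 EDT: %FW-6-LOG_SUMMARY: 5 packets were passed from 172.16.20.24:1433 => "
    "192.168.1.102:2583 (target:class)-(Other-to-Inside:class-default)",
    "Jul  9 15:04:52 EDT: %FW-6-LOG_SUMMARY: 3 packets were dropped from 192.168.1.102:2583 => "
    "172.16.20.24:1433 (target:class)-(Inside-to-Other:class-default)",
]

# Field layout taken from the quoted log lines: "(target:class)-(<zone-pair>:<class>)".
LOG_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were (?P<action>dropped|passed) from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)


def parse_fw_logs(lines):
    """Return one dict per %FW-6-LOG_SUMMARY line; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def summarize(events):
    """Packet counts keyed by (zone_pair, class, action); drops in class-default stand out here."""
    totals = Counter()
    for ev in events:
        totals[(ev["zone_pair"], ev["cls"], ev["action"])] += ev["count"]
    return totals


def drops_mirroring_passes(events):
    """Dropped flows whose endpoints are the reverse of a flow 'passed' elsewhere.

    A stateless 'pass' creates no session entry, so the return half of a passed
    connection is evaluated as a new flow on the reverse zone-pair and may be dropped.
    """
    returns = {(e["dst"], e["dport"], e["src"], e["sport"]) for e in events if e["action"] == "passed"}
    return [e for e in events
            if e["action"] == "dropped" and (e["src"], e["sport"], e["dst"], e["dport"]) in returns]
```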