[c-nsp] Cisco IOS 15.2(4)M1 - ZBFW, NAT NVI, VRF = Broken TCP state?
JP Senior
SeniorJ at bennettjones.com
Wed Sep 12 22:59:47 EDT 2012
Hey, everyone.
I'm wondering if I'm hitting some obscure bug here or I've just flatly configured something incorrectly, causing one-way TCP and UDP sessions. L7 traffic inspection is just not working properly with this configuration. I'm using ZBFW, NAT NVI, and VRF for a 2921 running 15.2(4)M1 - the latest downloadable stable IOS.
With the configuration below, all return traffic from the "LAB" zone to the "Outside" zone is dropped by the OUTSIDE->SELF policy. This seems like session state is breaking somewhere. As soon as I remove the OUTSIDE->SELF policy, the return traffic works. The expected behavior is for ZBFW to punch a hole from the LAB->OUTSIDE network and permit all reply traffic regardless of the policy configured on OUTSIDE->SELF. Without the OUTSIDE->SELF policy the router is exposed with basically a permit ip any any from the internet.
COPP is not a desired solution to get around this problem due to configuration complexity and supportability. Using access-lists on the inbound interface fails as well, because ZBFW cannot punch holes through ACLs like CBAC can. Using another policy to permit tcp any eq 80 host 203.0.113.1 type access-lists could work, but this is not the intent of using ZBFW in the first place.
All the return traffic is being dropped by ZBFW.
[Snip from show log | i 4.2.2.3]
%FW-6-DROP_PKT: Dropping udp session 4.2.2.3:53 203.0.113.1:21423 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 4.2.2.3:80 203.0.113.1:19448 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
[Snip from show policy-firewall session zone-pair LAB->OUTSIDE]
Session 313B30C0 (192.168.1.15:60133)=>(4.2.2.2:53) dns:udp SIS_OPENING
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [55:0]
Session 313B61C0 (192.168.1.15:29502)=>(4.2.2.3:80) http:tcp SIS_OPENING/TCP_SYNSENT
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [0:0]
No sessions from show policy-firewall session zone-pair OUTSIDE->SELF - everything blank. An ICMP ping, or whatever else I explicitly permit (SIP, for example), works fine if it has been configured.
As soon as the zone-pair OUTSIDE->SELF is removed, everything works as expected: TCP flows great, DNS responses work as expected.
[Snip from show policy-firewall session zone-pair LAB->OUTSIDE after no zone-pair security OUTSIDE->SELF source OUTSIDE destination self is configured]
Session 313BD540 (192.168.1.15:62059)=>(4.2.2.3:53) dns:udp SIS_OPEN
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [44:234]
Session 313B99C0 (192.168.1.15:34318)=>(4.2.2.3:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:06, Last heard 00:00:03
Bytes sent (initiator:responder) [350:0]
A simplified, stripped-down configuration:
!Deny nat loopback issues
ip access-list extended LAB_NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
!Define the VRF - this lab network should not be in the global routing table
ip vrf LAB
 rd 100:1
!
zone security LAB
zone security OUTSIDE
!
interface GigabitEthernet0/0
 ip nat enable
 ip vrf forwarding LAB
 ip address 192.168.1.1 255.255.255.0
 zone-member security LAB
!
!RFC5735 - 203.0.113.0/24 TEST-NET-3 assists in clear documentation of what we consider 'inside' and 'outside' :)
interface GigabitEthernet0/1
 ip nat enable
 ip vrf forwarding LAB
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!
!Simple NAT within the VRF.
ip nat source list LAB_NAT interface GigabitEthernet0/1 vrf LAB overload
!
!Simple internet access - dns, http, icmp.
class-map type inspect LAB->OUTSIDE-PROTOCOLS
 match protocol dns
 match protocol http
 match protocol icmp
!
!Only allow ping traffic sent to the router
class-map type inspect OUTSIDE->SELF-PROTOCOLS
 match protocol icmp
!
policy-map type inspect LAB->OUTSIDE
 class LAB->OUTSIDE-PROTOCOLS
  inspect
 class class-default
  drop log
!
policy-map type inspect OUTSIDE->SELF
 class type inspect OUTSIDE->SELF-PROTOCOLS
  inspect
 class class-default
  drop log
!
zone-pair security LAB->OUTSIDE source LAB destination OUTSIDE
 service-policy type inspect LAB->OUTSIDE
zone-pair security OUTSIDE->SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF
Thanks for your time, everyone!
-JP Senior
CCIE #24838 (R&S)
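A small triage helper for the symptom described in the post above, added here as an example and not part of the original message or of any Cisco tooling. It parses the two outputs in the formats pasted (the %FW-6-DROP_PKT lines from `show log` and the `show policy-firewall session` table) and flags every drop on the self zone-pair whose source is the responder of a half-open (SIS_OPENING) inspected session and whose destination is the NAT interface address. Such a drop is reply traffic that the router classified as destined to itself instead of matching the existing LAB->OUTSIDE session; drops that cannot be tied to a half-open session (an unsolicited scan, say) are reported separately. The sample log and session lines are constructed to mirror the post; the 198.51.100.x addresses, the ports and the zone-pair name "OUTSIDE->SELF" are assumptions for illustration.

```python
"""Correlate ZBFW %FW-6-DROP_PKT drops with the inspect session table.

Added example, not code from the original post. Sample inputs below are
constructed in the format of the outputs pasted in the post.
"""
import re
from collections import namedtuple
from typing import List, Tuple

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)
# Parentheses are optional so the regex tolerates the stray/missing ')' that
# shows up in pasted session output.
SESSION_RE = re.compile(
    r"Session\s+\w+\s+\(?(?P<iip>[\d.]+):(?P<iport>\d+)\)?\s*=>\s*"
    r"\(?(?P<rip>[\d.]+):(?P<rport>\d+)\)?\s+(?P<app>\w+):(?P<proto>\w+)\s+(?P<state>\S+)"
)

Drop = namedtuple("Drop", "proto src sport dst dport zone_pair cls")
Session = namedtuple("Session", "initiator iport responder rport app proto state")


def parse_drops(log: str) -> List[Drop]:
    """Extract one Drop per %FW-6-DROP_PKT line; other log lines are ignored."""
    out = []
    for line in log.splitlines():
        m = DROP_RE.search(line)
        if m:
            out.append(Drop(m["proto"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), m["zp"], m["cls"]))
    return out


def parse_sessions(text: str) -> List[Session]:
    """Extract one Session per 'Session ...' line; Created/Bytes lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            out.append(Session(m["iip"], int(m["iport"]), m["rip"], int(m["rport"]),
                               m["app"], m["proto"], m["state"]))
    return out


def correlate(drops: List[Drop], sessions: List[Session], nat_addr: str,
              self_zone_pair: str = "OUTSIDE->SELF"
              ) -> Tuple[List[Tuple[Drop, Session]], List[Drop]]:
    """Split drops into (reply of a half-open inspected session, everything else).

    With PAT ('overload') the initiator's port is rewritten on the way out, so a
    reply is matched on protocol plus responder address:port only, never on the
    inside host's port. The self_zone_pair name is an assumption taken from the post.
    """
    explained, unexplained = [], []
    for d in drops:
        hit = None
        if d.zone_pair == self_zone_pair and d.dst == nat_addr:
            for s in sessions:
                if (s.proto == d.proto and s.responder == d.src
                        and s.rport == d.sport and s.state.startswith("SIS_OPENING")):
                    hit = s
                    break
        (unexplained.append(d) if hit is None else explained.append((d, hit)))
    return explained, unexplained


# Constructed sample input modelled on the post (third drop is an unrelated,
# legitimately blocked inbound connection attempt; 198.51.100.x is assumed).
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping udp session 4.2.2.3:53 203.0.113.1:21423 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 4.2.2.3:80 203.0.113.1:19448 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 198.51.100.9:445 203.0.113.1:445 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
"""
SAMPLE_SESSIONS = """\
Session 313B30C0 (192.168.1.15:60133)=>(4.2.2.3:53) dns:udp SIS_OPENING
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [55:0]
Session 313B61C0 (192.168.1.15:29502)=>4.2.2.3:80) http:tcp SIS_OPENING/TCP_SYNSENT
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [0:0]
Session 313BD540 (192.168.1.15:40112)=>(198.51.100.7:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:06, Last heard 00:00:03
Bytes sent (initiator:responder) [350:1200]
"""


def analyze(log: str = SAMPLE_LOG, sessions: str = SAMPLE_SESSIONS,
            nat_addr: str = "203.0.113.1"):
    """Run the correlation over the two outputs; nat_addr is the NVI interface IP."""
    return correlate(parse_drops(log), parse_sessions(sessions), nat_addr)


if __name__ == "__main__":
    explained, unexplained = analyze()
    for d, s in explained:
        print(f"reply for half-open {s.app} session {s.initiator}:{s.iport}->"
              f"{s.responder}:{s.rport} dropped on {d.zone_pair} "
              f"({d.src}:{d.sport} -> {d.dst}:{d.dport})")
    for d in unexplained:
        print(f"unrelated drop on {d.zone_pair}: {d.src}:{d.sport} -> {d.dst}:{d.dport}")
```

Feed it the real `show log | i FW-6-DROP_PKT` and `show policy-firewall session` captures taken within the same few seconds; if nearly every self-zone drop lands in the "explained" list while the matching sessions sit in SIS_OPENING, the self zone-pair is eating inspected return traffic, which is the behavior the post describes, whereas a list of unexplained drops is just the policy doing its job.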