Doubts about zone firewall configuration.

by Cyrus Lok on Tuesday, March 23, 2010 at 2:05am
My class maps:

Class Map type inspect match-any cls-insp-traffic (id 3)
Description: traffic that i want to inspect
Match protocol http
Match protocol https
Match protocol msnmsgr
Match protocol tcp
Match protocol udp

Class Map type inspect match-all cls-invalid-src (id 2)
Match access-group name invalid-address

My policy maps:

Policy Map type inspect pol-insp-traffic
Class cls-invalid-src
Drop log
Class cls-insp-traffic
Inspect
Class class-default
Pass

Policy Map type inspect pol-drop
Class class-default

Here’s the question:

Before I add match protocol icmp, my ping and traceroute to www.google.com look like this:

Tracing route to www.l.google.com [216.239.61.104]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.10.10.1
2 * * * Request timed out.
3 ^C

Pinging www.l.google.com [216.239.61.104] with 32 bytes of data:
Request timed out.
Request timed out.

I have to add match protocol icmp to be able to ping and trace. After I added the line match protocol icmp to my class-map cls-insp-traffic:

Tracing route to www.l.google.com [216.239.61.104]
over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.10.10.1
2 7 ms 7 ms 8 ms cm1.eta114.maxonline.com.sg [116.88.114.1]
3 10 ms 10 ms 7 ms 172.20.52.97
4 10 ms 11 ms 7 ms 172.26.52.1
5 10 ms 10 ms 11 ms 172.20.7.30
6 11 ms 11 ms 11 ms 203.117.35.41
7 13 ms 10 ms 11 ms 203.117.34.1
8 * 199 ms * 72.14.196.189
9 197 ms 199 ms 346 ms 209.85.254.166
10 198 ms 195 ms 199 ms 209.85.254.179
11 198 ms 196 ms 199 ms sin01s01-in-f104.1e100.net [216.239.61.104]

Trace complete.

Why is that so? My policy map states that traffic matching cls-insp-traffic is inspected and everything else is passed; why can’t the firewall let ICMP pass?

Answer: Pass is unidirectional, which means the firewall allows the ICMP traffic to pass but not to return. That is why the trace works once I insert the line match protocol icmp in cls-insp-traffic: cls-insp-traffic under pol-insp-traffic has the inspect action, and inspect consults the state table to decide whether a connection from outside is allowed or not.

Answer from Scott Morris, CCIE and JNCIE; he recently got his CCDE too.

Author : Scott Morris – CCIE/JNCIE
Profile : https://learningnetwork.cisco.com/people/swmorris

Message:
————————————————————–
Not so much that it’s unidirectional (I suppose the effect of it is… but…). More specifically, the information does not get entered into the state table, so any return traffic, when checked against the state table, will find no entry and will therefore be denied. Unless, of course, there is another corresponding “pass” entry.

HTH,

Scott
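To make the pass/inspect difference concrete, here is an added toy model (not Cisco code and not from the post or from Scott) of how the in-to-out policy and the state table decide the fate of an echo request and its reply. The zone names, the inside host 10.10.10.20 and the contents of the invalid-address ACL are assumptions; the class and policy names follow the post's configuration.

```python
# Added toy model of Cisco ZBF "pass" vs "inspect" semantics (not Cisco code).
# Class names mirror the post's config; zone names, the inside host and the
# contents of the invalid-address ACL are constructed assumptions.

INSIDE, OUTSIDE = "in-zone", "out-zone"          # assumed zone names

# class-map type inspect match-any cls-insp-traffic (protocols from the post)
CLS_INSP_TRAFFIC = {"http", "https", "msnmsgr", "tcp", "udp"}

def build_in_to_out_policy(inspect_icmp):
    """Ordered (class, action, matcher) list modelling pol-insp-traffic."""
    protos = set(CLS_INSP_TRAFFIC) | ({"icmp"} if inspect_icmp else set())
    return [
        # match-all cls-invalid-src: ACL contents assumed (drop loopback-sourced packets)
        ("cls-invalid-src", "drop", lambda p: p["src"].startswith("127.")),
        ("cls-insp-traffic", "inspect", lambda p: p["proto"] in protos),
        ("class-default", "pass", lambda p: True),
    ]

class ZoneFirewall:
    def __init__(self, inspect_icmp):
        self.state = set()                          # sessions created by inspect
        self.in_to_out = build_in_to_out_policy(inspect_icmp)

    def forward(self, pkt):
        """Return the action applied to pkt (dict: src_zone, dst_zone, proto, src, dst)."""
        flow = (pkt["proto"], pkt["src"], pkt["dst"])
        reverse = (pkt["proto"], pkt["dst"], pkt["src"])
        # Return traffic is checked against the state table before any policy
        if reverse in self.state:
            return "allowed-by-state"
        if pkt["src_zone"] == INSIDE and pkt["dst_zone"] == OUTSIDE:
            for _name, action, matches in self.in_to_out:
                if matches(pkt):
                    if action == "inspect":
                        self.state.add(flow)       # inspect records the session; pass does not
                    return action
        # out-zone -> in-zone is pol-drop: nothing in the state table means drop
        return "drop"

def ping(inspect_icmp, proto="icmp"):
    """Send one request out and its reply back; return both actions."""
    fw = ZoneFirewall(inspect_icmp)
    host, google = "10.10.10.20", "216.239.61.104"  # host is constructed; google is from the post
    req = {"src_zone": INSIDE, "dst_zone": OUTSIDE, "proto": proto, "src": host, "dst": google}
    rep = {"src_zone": OUTSIDE, "dst_zone": INSIDE, "proto": proto, "src": google, "dst": host}
    return fw.forward(req), fw.forward(rep)
```

With class-default pass, `ping(False)` returns `('pass', 'drop')`: the echo leaves but no session is recorded, so the reply hits pol-drop; with ICMP inspected, `ping(True)` returns `('inspect', 'allowed-by-state')`.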

This entry was posted in Security.