Doubts about zone firewall configuration.
My class maps:
 Class Map type inspect match-any cls-insp-traffic (id 3)
   Description: traffic that i want to inspect
   Match protocol http
   Match protocol https
   Match protocol msnmsgr
   Match protocol tcp
   Match protocol udp
 Class Map type inspect match-all cls-invalid-src (id 2)
   Match access-group name invalid-address
My policy maps:
 Policy Map type inspect pol-insp-traffic
   Class cls-invalid-src
     Drop log
   Class cls-insp-traffic
     Inspect
   Class class-default
     Pass
 Policy Map type inspect pol-drop
   Class class-default
Here’s the question:
Before I add match protocol icmp, my ping and traceroute to www.google.com look like this:

Tracing route to www.l.google.com [216.239.61.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.10.1
  2     *        *        *     Request timed out.
  3 ^C

Pinging www.l.google.com [216.239.61.104] with 32 bytes of data:
Request timed out.
Request timed out.
I have to add match protocol icmp to be able to ping and trace. After I added the line match protocol icmp to my class-map cls-insp-traffic:

Tracing route to www.l.google.com [216.239.61.104]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.10.1
  2     7 ms     7 ms     8 ms  cm1.eta114.maxonline.com.sg [116.88.114.1]
  3    10 ms    10 ms     7 ms  172.20.52.97
  4    10 ms    11 ms     7 ms  172.26.52.1
  5    10 ms    10 ms    11 ms  172.20.7.30
  6    11 ms    11 ms    11 ms  203.117.35.41
  7    13 ms    10 ms    11 ms  203.117.34.1
  8     *      199 ms     *     72.14.196.189
  9   197 ms   199 ms   346 ms  209.85.254.166
 10   198 ms   195 ms   199 ms  209.85.254.179
 11   198 ms   196 ms   199 ms  sin01s01-in-f104.1e100.net [216.239.61.104]

Trace complete.
Why is that so? My policy map states that traffic matching cls-insp-traffic is inspected and everything else is passed, so why can't the firewall let ICMP pass?
Answer: Pass is unidirectional, which means the firewall lets the ICMP request out but does not let the reply back in. That is why the trace works once I add match protocol icmp to cls-insp-traffic: cls-insp-traffic under pol-insp-traffic has the inspect action, and inspect consults the state table to decide whether a connection from outside is allowed or not.
Answer from Scott Morris, CCIE and JNCIE (he recently got his CCDE too):
Author : Scott Morris – CCIE/JNCIE
Profile : https://learningnetwork.cisco.com/people/swmorris
Message:
————————————————————–
Not so much that it’s unidirectional (I suppose the effect of it is… but…). But more specifically, the information does not get entered into the state table. So that any return traffic, when checked against the state table, will find no entry and will therefore be denied. Unless, of course, there is another corresponding “pass” entry.
HTH,
Scott
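To make the state-table point above concrete, here is a small Python model, added here and not part of the original post or of any Cisco code: the inspect action records the outgoing flow in a state table and pass does not, so the ICMP echo reply on the return zone pair is admitted only when the echo went out under inspect. The inside host address, the direction-neutral session key and the assumption that the return zone pair has no policy of its own are constructed simplifications.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "icmp", "tcp", "http", ...
    src: str
    dst: str
    ident: int   # ICMP identifier or client port, pairs a reply with its request


class ZoneFirewall:
    """Model of pol-insp-traffic on the in->out zone pair plus its return path.

    Constructed simplification: the out->in zone pair has no policy of its own,
    so return traffic is admitted only if the state table already knows the flow.
    """

    def __init__(self, inspected_protocols):
        self.inspected = set(inspected_protocols)  # members of cls-insp-traffic
        self.sessions = set()                      # the firewall's state table

    @staticmethod
    def _session_key(pkt):
        # Direction-neutral key so the reply from dst back to src matches.
        return (pkt.proto, frozenset((pkt.src, pkt.dst)), pkt.ident)

    def outbound(self, pkt):
        """Apply pol-insp-traffic to traffic leaving the inside zone."""
        if pkt.proto in self.inspected:
            self.sessions.add(self._session_key(pkt))  # Inspect: record state
            return "inspect"
        return "pass"  # class-default Pass: forwarded, nothing recorded

    def inbound(self, pkt):
        """Return traffic is checked against the state table only."""
        if self._session_key(pkt) in self.sessions:
            return "allow"
        return "drop"  # no state entry and no "pass" entry on the return zone pair


def ping_google(inspected_protocols):
    """Send one ICMP echo out and report what happens to its echo reply."""
    fw = ZoneFirewall(inspected_protocols)
    echo = Packet("icmp", "10.10.10.2", "216.239.61.104", 1)   # 10.10.10.2 is a constructed inside host
    reply = Packet("icmp", "216.239.61.104", "10.10.10.2", 1)
    return fw.outbound(echo), fw.inbound(reply)
```

Running ping_google without "icmp" in the inspected list returns ('pass', 'drop'), which is the first traceroute above; adding "icmp" returns ('inspect', 'allow').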