Doubts about zone firewall configuration.

Doubts about zone firewall configuration.

by Cyrus Lok on Tuesday, March 23, 2010 at 2:05am
My class maps:

Class Map type inspect match-any cls-insp-traffic (id 3)
Description: traffic that i want to inspect
Match protocol http
Match protocol https
Match protocol msnmsgr
Match protocol tcp
Match protocol udp

Class Map type inspect match-all cls-invalid-src (id 2)
Match access-group name invalid-address

My policy maps:

Policy Map type inspect pol-insp-traffic
Class cls-invalid-src
Drop log
Class cls-insp-traffic
Class class-default

Policy Map type inspect pol-drop
Class class-default

Here’s the question:

Before I add match protocol icmp, my ping and traceroute to looks like this

Tracing route to []
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms
2 * * * Request timed out.
3 ^C

Pinging [] with 32 bytes of data:
Request timed out.
Request timed out.

I have to add match protocol icmp to be able to ping and trace, after I added the line match protocol icmp into my class-map cls-insp-traffic:

Tracing route to []
over a maximum of 30 hops
1 <1 ms <1 ms <1 ms
2 7 ms 7 ms 8 ms []
3 10 ms 10 ms 7 ms
4 10 ms 11 ms 7 ms
5 10 ms 10 ms 11 ms
6 11 ms 11 ms 11 ms
7 13 ms 10 ms 11 ms
8 * 199 ms *
9 197 ms 199 ms 346 ms
10 198 ms 195 ms 199 ms
11 198 ms 196 ms 199 ms []

Trace complete.

Why is that so? From my policy map it has stated as long as traffic that matches cls-insp-traffic, the firewall will inspect otherwise let it pass.; why can’t firewall let icmp pass?

Answer: Pass is unidirectional, which means the firewall allows the icmp traffic to pass but not return. That is why when I insert a line match protocol icmp in cls-insp-traffic trace is possible, because cls-insp-traffic under pol-insp-traffic is an inspect action. Inspect will base on the state table to see if a connection from outside is to be allowed or not.

Answer from Scott Morris CCIE and JNCIE, he recently got his CCDE too.

Author : Scott Morris – CCIE/JNCIE
Profile :

Not so much that it’s unidirectional (I suppose the effect of it is… but…). But more specifically, the information does not get entered into the state table. So that any return traffic, when checked against the state table, will find no entry and will therefore be denied. Unless, of course, there is another corresponding “pass” entry.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s