https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948769#M149590 <P>Paul-</P> <P>It sounds like you are permitting traffic, not inspecting it. When it is inspected, the traffic is put into a state table and return traffic is allowed through. If you simply permit traffic, then you would have to permit that traffic and that defeats the purpose of using the firewall. Here's an example-</P> <P><BR />class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS <BR />&nbsp;match protocol ftp <BR />&nbsp;match protocol tcp <BR />&nbsp;match protocol udp <BR />&nbsp;match protocol icmp <BR /><BR />policy-map type inspect INSIDE-TO-OUTSIDE-POLICY <BR />&nbsp;class type inspect INSIDE-TO-OUTSIDE-CLASS <BR />&nbsp; inspect <BR />&nbsp;class class-default <BR />&nbsp; drop <BR /><BR />zone-pair security IN_OUT source INSIDE destination OUTSIDE <BR />&nbsp;service-policy type inspect INSIDE-TO-OUTSIDE-POLICY </P> <P>HTH</P> <P></P> <P></P> Thu, 29 Sep 2016 21:26:26 GMT Collin Clark 2016-09-29T21:26:26Z https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948768#M149589 <P>OK Guys, I am new to firewalling but need to get one up and running, I actually have a pair, but am trying to just get it working on one to then copy.<BR /><BR />I am using three zones - inside, outside and self. Self seems to be OK.</P> <P></P> <P>I need to permit some access in through the firewall, and some out. As a consequence I have two zone pairs.</P> <P></P> <P>When I try to do it I see return traffic being dropped, so obviously I need to somehow permit that.<BR /><BR />Is it simply a case of reversing the ACLs (I have a worry about that) and adding them to the opposite zone pair? is there some easy option I have missed in my hurry?<BR /><BR />I mentioned the concern. One outbound rule is from a server on any port to the internet on any port. Obviously that reversed is going to open the server up to everything.</P> <P></P> <P>Thanks,</P> <P>Paul.</P> Tue, 12 Mar 2019 08:20:15 GMT https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948768#M149589 paul.matthews 2019-03-12T08:20:15Z https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948769#M149590 <P>Paul-</P> <P>It sounds like you are permitting traffic, not inspecting it. When it is inspected, the traffic is put into a state table and return traffic is allowed through. If you simply permit traffic, then you would have to permit that traffic and that defeats the purpose of using the firewall. Here's an example-</P> <P><BR />class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS <BR />&nbsp;match protocol ftp <BR />&nbsp;match protocol tcp <BR />&nbsp;match protocol udp <BR />&nbsp;match protocol icmp <BR /><BR />policy-map type inspect INSIDE-TO-OUTSIDE-POLICY <BR />&nbsp;class type inspect INSIDE-TO-OUTSIDE-CLASS <BR />&nbsp; inspect <BR />&nbsp;class class-default <BR />&nbsp; drop <BR /><BR />zone-pair security IN_OUT source INSIDE destination OUTSIDE <BR />&nbsp;service-policy type inspect INSIDE-TO-OUTSIDE-POLICY </P> <P>HTH</P> <P></P> <P></P> Thu, 29 Sep 2016 21:26:26 GMT https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948769#M149590 Collin Clark 2016-09-29T21:26:26Z https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948770#M149591 <P>I have</P> <P><BR />policy-map type inspect PolInsideOut<BR />&nbsp;class type inspect ClassManagementOutDNS<BR />&nbsp; inspect<BR />&nbsp;class type inspect ClassManagementOutWebproxies<BR />&nbsp; inspect<BR />&nbsp;class type inspect ClassReturnTrafficOut<BR />&nbsp; inspect<BR />&nbsp;class class-default<BR />&nbsp; drop log</P> <P><BR />policy-map type inspect PolOutsideIn<BR />&nbsp;class type inspect ClassMediaAgentBackupCommcell<BR />&nbsp; inspect<BR />&nbsp;class type inspect ClassWebConsoleManagementCommcell<BR />&nbsp; inspect<BR />&nbsp;class type inspect ClassWebConsoleManagementReport<BR />&nbsp; inspect<BR />&nbsp;class type inspect ClassWebConsoleManagementProxy<BR />&nbsp; inspect<BR />class type inspect ClassReturnTrafficIn<BR />&nbsp; inspect</P> <P>&nbsp;class class-default<BR />&nbsp; drop log</P> <P></P> <P>where the classes define traffic, for example:</P> <P>ip access-list extended WebConsoleManagementCommcell<BR />&nbsp;permit tcp any host 172.16.45.4 eq www<BR />&nbsp;permit tcp any host 172.16.45.4 eq 443</P> <P>class-map type inspect match-any ClassWebConsoleManagementCommcell<BR />&nbsp;match access-group name WebConsoleManagementCommcell</P> Fri, 30 Sep 2016 08:30:44 GMT https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948770#M149591 paul.matthews 2016-09-30T08:30:44Z https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948771#M149592 <P>Add you have that applied to an interface correct?</P> <P>Can you post the results of the following commands:</P> <P>show zone-pair security<BR />show policy-map type inspect</P> Fri, 30 Sep 2016 18:19:54 GMT https://community.cisco.com/t5/network-security/asr-zone-based-firewall-and-return-traffic/m-p/2948771#M149592 Collin Clark 2016-09-30T18:19:54Z