https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005519#M439890 <HTML><HEAD></HEAD><BODY><P>Do not understand what you are trying to say... zone is a zone (how would a router know it is internal zone? no nat? maybe I am not using nat at all?), why doesn't 'inspect' work between internal zones?</P><P></P><P>On another board someone suggested it was because I tested it with icmp which is stateless.. </P></BODY></HTML> Sat, 14 Jul 2012 12:09:00 GMT Mariusz00001 2012-07-14T12:09:00Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005517#M439888 <PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>Zone: Outside</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; Dialer0</P><P></P><P>Zone: Inside</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; Virtual-Template1</P><P>&nbsp;&nbsp;&nbsp; Vlan1102</P><P></P><P>Zone: Guest</P><P>&nbsp; Member Interfaces:</P><P>&nbsp;&nbsp;&nbsp; Vlan1104</P><BR /><BR /><P>Zone-pair&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Inside-to-Guest</P><P>Source Zone&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Inside</P><P>Destination Zone&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Guest</P><P>Service-policy inspect : Zone-Inside-to-Guest</P><P>&nbsp; Class-map : Default-Inspection(match-any)</P><P>&nbsp; Action : inspect</P><BR /><BR /><BR /><P>Class Map type inspect match-any Default-Inspection (id 10)</P><P>&nbsp; Description: Default protocol Inspection class</P><P>&nbsp;&nbsp; Match protocol tcp</P><P>&nbsp;&nbsp; Match protocol udp</P><P>&nbsp;&nbsp; Match protocol icmp</P><BR /><BR /><BR /></PRE><P></P><P>My question is: I cannot make it work the ZBF between my internal zones. As you can see above, I've got Zone-Pair: Inside-to-Guest with 'inspect'. Unfortunately, when I tried to ping for the first time, i received:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>%FW-6-DROP_PKT: Dropping icmp session GUEST:0&nbsp;&nbsp;&nbsp; INSIDE:0&nbsp; due to&nbsp; policy match failure with ip ident 0</P></PRE><P></P><P>It indicated that the traffic going BACK was blocked... WHY? There is 'inspect'</P><P></P><P>So I created a new pair: Guest-to-Inside and I changed everything to pass. It DID work. But that is not what I wanted! I wanted INSIDE to access GUEST but Guest should not access Inside. I assumed I could do it with 'inspect' but it did now work.</P><P></P><P>Let me add that I have an exactly the same zone-pair and classes/policies for Inside-to-Outside and it does work with inspect.</P><P></P><P>Why can I not 'inspect'&nbsp; between my internal zones? Is it because there is no NAT?</P> Mon, 11 Mar 2019 23:27:12 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005517#M439888 Mariusz00001 2019-03-11T23:27:12Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005518#M439889 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Well there is a problem with the communication the host are trying to make, the router with the ZBFW enable will perform a deep packet inspection in order to investigate and confirm if a session will need to be allowed or not.</P><P>In this particular traffic you are seeing here the inspection was not succesfull ( I mean it is being inspected just that the traffic did not pass the test ( Inspection). That is why with a pass/pass on the right zones it works like a charm.</P><P></P><P>As you know that this traffic is between internal zones the pass/pass it's okay ( It keeps being secure as this is between internal host, and you can restricted by using an ACL.</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P>CSC it's a free support community, take your time to rate all the engineer's responses that helps you resolving your problems.</P></BODY></HTML> Sat, 14 Jul 2012 05:47:47 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005518#M439889 Julio Carvajal 2012-07-14T05:47:47Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005519#M439890 <HTML><HEAD></HEAD><BODY><P>Do not understand what you are trying to say... zone is a zone (how would a router know it is internal zone? no nat? maybe I am not using nat at all?), why doesn't 'inspect' work between internal zones?</P><P></P><P>On another board someone suggested it was because I tested it with icmp which is stateless.. </P></BODY></HTML> Sat, 14 Jul 2012 12:09:00 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005519#M439890 Mariusz00001 2012-07-14T12:09:00Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005520#M439891 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>First of all the router can be able to inspect ICMP sessions, he can perform a deep packet inspection and work with the echo and echo-replies.</P><P></P><P>Now let me explain my self again, I was way too tired yesterday <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Traffic between inside to Guest is being inspected but the traffic is not passing the inspection engine ( this could be because of Asymetric routing, invalid payload,etc,etc)</P><P>So that being the case that is why the traffic is being allowed with a pass/pass this because the router does not become as specific as with the inspection engine.</P><P></P><P>Do you see what I mean?</P><P></P><P>Julio</P></BODY></HTML> Sat, 14 Jul 2012 18:10:19 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005520#M439891 Julio Carvajal 2012-07-14T18:10:19Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005521#M439892 <HTML><HEAD></HEAD><BODY><P>Ok... any reason why it was happening???</P><P></P><P>What is so special about inside-to-guest (does not work) vs inside-to-outside (works great). Rules, policies etc are the same!</P></BODY></HTML> Sat, 14 Jul 2012 18:56:41 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005521#M439892 Mariusz00001 2012-07-14T18:56:41Z https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005522#M439893 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Again this could be because of invalid flags, invalid tcp headers or payloads,etc.</P><P></P><P>Now in order o check what is happening you should take captures on both devices ( run wireshark ) and check if you see anything that is not normal on the packets.</P><P></P><P>Does this happens with all the data exchanged between the servers ( UDP,ICMP,TCP)</P><P></P><P>What is in between the two subnets besides the router?</P><P></P><P>Julio</P></BODY></HTML> Sat, 14 Jul 2012 19:16:09 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-inspect-does-not-work/m-p/2005522#M439893 Julio Carvajal 2012-07-14T19:16:09Z