09-29-2016 01:36 AM - edited 03-12-2019 01:20 AM
OK Guys, I am new to firewalling but need to get one up and running, I actually have a pair, but am trying to just get it working on one to then copy.
I am using three zones - inside, outside and self. Self seems to be OK.
I need to permit some access in through the firewall, and some out. As a consequence I have two zone pairs.
When I try to do it I see return traffic being dropped, so obviously I need to somehow permit that.
Is it simply a case of reversing the ACLs (I have a worry about that) and adding them to the opposite zone pair? Is there some easy option I have missed in my hurry?
I mentioned the concern. One outbound rule is from a server on any port to the internet on any port. Obviously that reversed is going to open the server up to everything.
Thanks,
Paul.
09-29-2016 02:26 PM
Paul-
It sounds like you are permitting traffic, not inspecting it. When it is inspected, the traffic is put into a state table and return traffic is allowed through. If you simply permit traffic, then you would have to permit that traffic and that defeats the purpose of using the firewall. Here's an example-
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
HTH
09-30-2016 01:30 AM
I have:
policy-map type inspect PolInsideOut
 class type inspect ClassManagementOutDNS
  inspect
 class type inspect ClassManagementOutWebproxies
  inspect
 class type inspect ClassReturnTrafficOut
  inspect
 class class-default
  drop log
policy-map type inspect PolOutsideIn
 class type inspect ClassMediaAgentBackupCommcell
  inspect
 class type inspect ClassWebConsoleManagementCommcell
  inspect
 class type inspect ClassWebConsoleManagementReport
  inspect
 class type inspect ClassWebConsoleManagementProxy
  inspect
 class type inspect ClassReturnTrafficIn
  inspect
 class class-default
  drop log
where the classes define traffic, for example:
ip access-list extended WebConsoleManagementCommcell
 permit tcp any host 172.16.45.4 eq www
 permit tcp any host 172.16.45.4 eq 443
class-map type inspect match-any ClassWebConsoleManagementCommcell
 match access-group name WebConsoleManagementCommcell
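As an added example, not from any poster in this thread: a small Python lint that parses IOS extended ACLs out of a ZBF config and flags an ACL whose entries are just another ACL's entries with source and destination swapped, the "reversed ACL" pattern the question asks about. Under an inspect action the state table already admits return traffic, so such a mirror only adds permits for new connections in the reverse direction. The config text, ACL names and addresses below are constructed for the example.

```python
import re
from itertools import combinations

# Constructed sample config (not the thread's own): an outbound ACL, its
# hand-reversed "return traffic" mirror, and a port-scoped inbound ACL that
# is a legitimate inbound rule rather than a mirror.
SAMPLE_CONFIG = """\
ip access-list extended ServerOut
 permit tcp host 172.16.45.4 any
ip access-list extended ReturnTrafficIn
 permit tcp any host 172.16.45.4
ip access-list extended WebIn
 permit tcp any host 172.16.45.4 eq 443
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)")
# action, protocol, source, destination, optional port qualifier (e.g. "eq 443")
ACE = re.compile(r"^\s*permit\s+(\S+)\s+(any|host \S+)\s+(any|host \S+)\s*(.*)$")


def parse_acls(config):
    """Return {acl_name: [(proto, src, dst, port_qualifier), ...]}."""
    acls, current = {}, None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            proto, src, dst, qual = ace.groups()
            current.append((proto, src, dst, qual.strip()))
    return acls


def find_mirrored_acls(config):
    """Return (acl, other) pairs where every entry of acl is an entry of other
    with src/dst swapped and no port qualifier on either side.

    With inspect on the zone-pair, the mirror is redundant for return traffic
    and only permits NEW sessions from "any" toward the host, on every port.
    """
    acls, findings = parse_acls(config), []
    for name, other in combinations(sorted(acls), 2):
        mirror = {(p, d, s) for p, s, d, q in acls[other] if not q}
        entries = acls[name]
        if entries and all(not q and (p, s, d) in mirror for p, s, d, q in entries):
            findings.append((name, other))
    return findings
```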
09-30-2016 11:19 AM
And you have that applied to an interface, correct?
Can you post the results of the following commands:
show zone-pair security
show policy-map type inspect