ASR Zone based firewall and return traffic

paul.matthews
Level 5

OK guys, I am new to firewalling but need to get one up and running. I actually have a pair, but am trying to just get it working on one and then copy the config.

I am using three zones - inside, outside and self. Self seems to be OK.

I need to permit some access in through the firewall, and some out. As a consequence I have two zone pairs.

When I try to do it I see return traffic being dropped, so obviously I need to somehow permit that.

Is it simply a case of reversing the ACLs (I have a worry about that) and adding them to the opposite zone pair? Is there some easy option I have missed in my hurry?

I mentioned the concern. One outbound rule is from a server on any port to the internet on any port. Obviously that reversed is going to open the server up to everything.

Thanks,

Paul.

3 Replies

Collin Clark
VIP Alumni

Paul-

It sounds like you are permitting traffic, not inspecting it. When it is inspected, the traffic is put into a state table and the return traffic is allowed through. If you simply permit traffic, then you would have to permit the return traffic as well, and that defeats the purpose of using the firewall. Here's an example:


! match-any: a packet is classified by the first protocol it matches,
! so ftp is listed before the generic tcp entry to get FTP inspection
! (and its data channel) rather than plain TCP inspection
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! inspect creates a session entry; replies are matched against it
! and never need a rule on the OUTSIDE->INSIDE zone pair
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

HTH
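The point in the reply above, that `inspect` builds a session entry and a stateless permit does not, can be seen in a small model. The following Python is an added illustration and is not Cisco code nor either poster's configuration. It models a zone-based firewall with first-match policy per zone pair and an implicit class-default drop, and drives three constructed packets through it: the server's outbound connection, the reply to it, and an unsolicited probe from the internet to another port on the server. The address 172.16.45.4 is taken from the thread; 203.0.113.10, 198.51.100.7, the ports and the zone-pair layout are assumptions.

```python
"""Toy model of a zone-based firewall's `pass` versus `inspect` actions.

Added illustration for the thread above, not Cisco code and not either
poster's config. It models only the point the reply makes: `pass`
evaluates each packet statelessly against the zone pair it arrives on,
while `inspect` records the session so the reply is accepted on the
reverse zone pair without a mirrored ACL. Addresses and ports are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Action = str                  # "pass" | "inspect" | "drop"
ZonePair = Tuple[str, str]    # (source zone, destination zone)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self) -> "Packet":
        """The packet the far end sends back: zones and endpoints swapped."""
        return Packet(self.dst_zone, self.src_zone, self.proto,
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)

    @property
    def flow(self) -> Tuple[str, str, int, str, int]:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)


# One "class type inspect": a match predicate and its action. A policy-map is
# an ordered list; first match wins and the implicit class-default drops.
Rule = Tuple[Callable[[Packet], bool], Action]


class ZoneFirewall:
    def __init__(self, policies: Dict[ZonePair, List[Rule]]) -> None:
        self.policies = policies
        self.sessions: set = set()   # flows created by `inspect`

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        # Reply to an inspected session: accepted before any policy lookup,
        # which is why no reverse ACL is needed on the opposite zone pair.
        if pkt.reply().flow in self.sessions:
            return True
        policy = self.policies.get((pkt.src_zone, pkt.dst_zone))
        if policy is None:           # no zone pair defined: dropped by default
            return False
        for matches, action in policy:
            if matches(pkt):
                if action == "inspect":
                    self.sessions.add(pkt.flow)
                return action in ("pass", "inspect")
        return False                 # class-default drop


SERVER = "172.16.45.4"  # the host from the thread's ACL


def server_to_internet(p: Packet) -> bool:
    return p.src_ip == SERVER and p.proto in ("tcp", "udp")


def published_web(p: Packet) -> bool:
    return p.proto == "tcp" and p.dst_ip == SERVER and p.dst_port in (80, 443)


def anything_to_server(p: Packet) -> bool:
    return p.dst_ip == SERVER


def run(outbound_action: Action, reverse_acl: bool = False) -> Tuple[bool, bool, bool]:
    """Drive three packets through the firewall and report what got through:
    (server's outbound SYN, the reply to it, an unsolicited probe to tcp/3389)."""
    inbound: List[Rule] = [(published_web, "inspect")]
    if reverse_acl:                  # the worry in the question: mirror the outbound ACL inbound
        inbound.append((anything_to_server, "pass"))
    fw = ZoneFirewall({
        ("INSIDE", "OUTSIDE"): [(server_to_internet, outbound_action)],
        ("OUTSIDE", "INSIDE"): inbound,
    })
    syn = Packet("INSIDE", "OUTSIDE", "tcp", SERVER, 51000, "203.0.113.10", 443)
    probe = Packet("OUTSIDE", "INSIDE", "tcp", "198.51.100.7", 40000, SERVER, 3389)
    return fw.forward(syn), fw.forward(syn.reply()), fw.forward(probe)


if __name__ == "__main__":
    print("pass only      :", run("pass"))          # (True, False, False)
    print("pass + reverse :", run("pass", True))    # (True, True, True)
    print("inspect        :", run("inspect"))       # (True, True, False)
```

The three runs line up with the three options discussed in the thread: a plain permit lets the server out but drops the reply; adding the reversed ACL fixes the reply but also lets the unsolicited probe reach tcp/3389 on the server; `inspect` lets the reply back in on the strength of the session entry and still drops the probe.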

I have

policy-map type inspect PolInsideOut
 class type inspect ClassManagementOutDNS
  inspect
 class type inspect ClassManagementOutWebproxies
  inspect
 class type inspect ClassReturnTrafficOut
  inspect
 class class-default
  drop log

policy-map type inspect PolOutsideIn
 class type inspect ClassMediaAgentBackupCommcell
  inspect
 class type inspect ClassWebConsoleManagementCommcell
  inspect
 class type inspect ClassWebConsoleManagementReport
  inspect
 class type inspect ClassWebConsoleManagementProxy
  inspect
 class type inspect ClassReturnTrafficIn
  inspect
 class class-default
  drop log

where the classes define traffic, for example:

ip access-list extended WebConsoleManagementCommcell
 permit tcp any host 172.16.45.4 eq www
 permit tcp any host 172.16.45.4 eq 443

class-map type inspect match-any ClassWebConsoleManagementCommcell
 match access-group name WebConsoleManagementCommcell

And you have that applied to an interface, correct?

Can you post the results of the following commands:

show zone-pair security
show policy-map type inspect
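For reference, here is what the two zone pairs look like once the policy relies on `inspect` for return traffic instead of separate return-traffic classes. This is an added example, not the configuration of either poster: the only elements taken from the thread are the zone names, the policy-map and class names and the 172.16.45.4 web ACL; the interface names, the ServerOut ACL and the zone-pair names are assumptions.

```text
! Added example, not the configuration from the thread. Interface names,
! the ServerOut ACL and the zone-pair names are assumptions.
zone security INSIDE
zone security OUTSIDE
!
! Inbound: only the published services. No ClassReturnTrafficIn is needed,
! because replies to inspected outbound sessions are matched by state.
ip access-list extended WebConsoleManagementCommcell
 permit tcp any host 172.16.45.4 eq www
 permit tcp any host 172.16.45.4 eq 443
!
class-map type inspect match-any ClassWebConsoleManagementCommcell
 match access-group name WebConsoleManagementCommcell
!
! Outbound: the server may open sessions to anywhere; inspect records each one.
! Mirroring this ACL inbound is NOT required and would expose every port.
ip access-list extended ServerOut
 permit ip host 172.16.45.4 any
!
class-map type inspect match-all ClassServerOut
 match access-group name ServerOut
!
policy-map type inspect PolOutsideIn
 class type inspect ClassWebConsoleManagementCommcell
  inspect
 class class-default
  drop log
!
policy-map type inspect PolInsideOut
 class type inspect ClassServerOut
  inspect
 class class-default
  drop log
!
zone-pair security OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect PolOutsideIn
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PolInsideOut
!
! The zone pairs do nothing until each interface is a member of a zone;
! an interface in no zone cannot exchange traffic with a zoned interface.
interface GigabitEthernet0/0/0
 description to internet
 zone-member security OUTSIDE
!
interface GigabitEthernet0/0/1
 description to servers
 zone-member security INSIDE
```

Two checks after applying it: `show zone-pair security` confirms which policy is attached to which pair, and `show policy-map type inspect zone-pair IN_OUT sessions` lists the session entries created by `inspect`; a server connection that appears there is the one whose reply will be accepted on OUT_IN. One caveat: `inspect` on an ACL-only class tracks TCP, UDP and ICMP; an IP protocol it cannot track (GRE, for example) would need its own class with `pass` on both zone pairs rather than `inspect`.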
