01-26-2017 08:13 PM - edited 03-12-2019 01:50 AM
Hi Guys,
I have an odd issue, and I have a TAC case open on this, and the response from the TAC engineer doesn't make me feel like zone-based firewall works how I would expect it to.
So I have Zone A and Zone B. I set up a class map to match protocol ssh. I then set up policies to 'pass' SSH traffic between the two sites (which requires 2 zone pairs). Then I do a default deny all.
When the packet traverses from Zone A to Zone B, it matches the traffic and allows the traffic to flow to Zone B. However, when that packet attempts to return from Zone B to Zone A, the packet is dropped by the policy because it doesn't match the protocol ssh, even though it is a response to the original packet.
What the TAC engineer indicates is that everyone should only use inspect (the exception is VPN traffic from outside to self) for everything from zone to zone. My response back was that pass (since it is not inspecting the data) is less CPU intensive and it should work. Apparently the only fix to this, if I want to use pass, is to utilize ACLs.
Is it just me, or does this seem somewhat wrong? Especially since the original packet from Zone A to Zone B matches using the match protocol and passes the packet fine.
Apparently there is a document that Cisco has related to this, and describes that I am doing things wrong.
Does anyone else use the 'pass' for their zone to zone traffic?
01-26-2017 10:15 PM
Hi,
You can use 'pass' to allow SSH from zone A to B and B to A.
You should have a zone pair security policy on the reverse or return flow, i.e. zone B to A.
Could you post your ZBF policy?
01-27-2017 12:02 AM
Let me see if I understand your setup correctly:
So you have a zone pair from A to B matching SSH with the pass function. You also have a zone pair from B to A matching SSH with a pass function.
Do you have any ACLs configured on the interfaces? If not, then I suspect that the match protocol command matches on SSH as the destination port and, since the return traffic will have SSH as the source port, it will not match the class-map rule.
If you set up Netflow on the router and capture the traffic in question I am sure we will see that this is what is happening.
--
Please remember to select a correct answer and rate helpful posts
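The two replies above describe the same fix from two angles: a 'pass' action is stateless, so the B-to-A zone pair has to match the return flow itself, and 'match protocol ssh' only matches the client-to-server direction (destination port 22). The configuration below is an added example written for this thread; it is not the poster's configuration, not TAC's guidance, and not taken from Cisco documentation. Zone names, interface names, and the class-map, ACL, policy-map and zone-pair names are all assumed. It shows the stateless 'pass' design with an ACL-based return class beside the stateful 'inspect' design so the difference in behaviour is visible in the policy itself.

```ios
! Added example for this thread (zone, interface and policy names are assumed).
zone security A
zone security B
interface GigabitEthernet0/0
 zone-member security A
interface GigabitEthernet0/1
 zone-member security B
!
! Forward direction: 'match protocol ssh' matches the client -> server flow,
! i.e. TCP with destination port 22. It does not match the replies.
class-map type inspect match-all CM-SSH
 match protocol ssh
!
! --- Option 1 (stateless): 'pass' in both directions.
! The B -> A zone pair must match the RETURN flow, which has TCP SOURCE port 22,
! so it needs an ACL-based class rather than 'match protocol ssh'.
ip access-list extended ACL-SSH-RETURN
 permit tcp any eq 22 any
class-map type inspect match-all CM-SSH-RETURN
 match access-group name ACL-SSH-RETURN
!
policy-map type inspect PM-A-TO-B-PASS
 class type inspect CM-SSH
  pass
 class class-default
  drop log
policy-map type inspect PM-B-TO-A-PASS
 class type inspect CM-SSH-RETURN
  pass
 class class-default
  drop log
!
! --- Option 2 (stateful): 'inspect' on the forward pair only.
! The session table created by 'inspect' admits the replies, so no B -> A
! zone pair is required for them; B -> A traffic that matches no session is dropped.
policy-map type inspect PM-A-TO-B-INSPECT
 class type inspect CM-SSH
  inspect
 class class-default
  drop log
!
! Apply one option. Shown active here: Option 1 (two zone pairs, both 'pass').
zone-pair security A-TO-B source A destination B
 service-policy type inspect PM-A-TO-B-PASS
zone-pair security B-TO-A source B destination A
 service-policy type inspect PM-B-TO-A-PASS
!
! Option 2 would instead be:
! zone-pair security A-TO-B source A destination B
!  service-policy type inspect PM-A-TO-B-INSPECT
! (no B-TO-A zone pair; with Option 2 the sessions can be checked with
!  'show policy-map type inspect zone-pair A-TO-B sessions')
```

The practical difference between the two options is what the B-to-A policy admits. With Option 1 the router is not tracking sessions, so any TCP packet from zone B whose source port is 22 matches ACL-SSH-RETURN and is passed, whether or not a host in zone A ever opened that connection; that is the trade for the lower CPU cost of 'pass'. With Option 2 only packets belonging to a session that zone A initiated are forwarded back, and the 'drop log' on class-default gives a log line for anything else, which is the easier design to audit.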