PAUL TRIVINO
Participant

Zone-based Firewall - Allow "established" flag?

We are implementing the ZBFW on our edge routers, connected to two ISPs with BGP routing.  I have copied the basic policy from another site, but that site has very few if any outbound connections.  What I think is happening is, the traffic goes out to site 'X' on RouterA but the return traffic comes in via the other ISP to RouterB.  So the connection has never been seen by the INSIDE>OUTSIDE policy on the RouterB ZBFW, and the rejection messages are saying the OUTSIDE>INSIDE policy on RouterB is blocking it.

What I cannot find out is this:  Can I add something like

permit ip any a.b.c.d 0.0.0.255 established

(syntax might not be right)

to the appropriate ACL used in the OUTSIDE>INSIDE policy to allow these connections back in on either router?  We have more security beyond the ZBFW, but I can easily see where this kind of asymmetric routing could occur.

Thanks - Paul

Julio Carvajal
Advisor

Hello Paul,

What you are seeing here is asymmetric routing (not good for any firewall).

You will need to do a pass-pass policy for that traffic (which would allow asymmetric traffic).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I realize it is asymetric routing.

What I was asking was, is allowing 'established' valid in a ZBFW config.  Thanks.

Hello,

I did understand the question.

There is no such thing as an 'established' keyword (you must use pass/pass to let the firewall know "do not care about asymmetric routing").

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


I'm sorry, I wasn't clear - I meant using the 'established' keyword in an ACL invoked by the ZBFW class(es).  My bad.

Hello Paul,

The 'established' keyword in an ACL would again require ZBFW to have the connection table entry, and since the initial packet never left through Router B, even if you put such an ACL in place, it won't help (it will work only if the connection is sent through Router B, but in your case it was opened through Router B). What 'established' in an ACL can do, ZBFW does in a more sophisticated manner.

https://supportforums.cisco.com/docs/DOC-1870

So, either set the action to pass in both directions as Julio mentioned (but keep in mind that is like having no firewall in the traffic path). But if you can't fix the asymmetric routing, maybe consider doing pass only for the affected flow.

-

Sourav

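One way to express Sourav's "pass only for the affected flow" advice as an IOS ZBFW configuration; this is an added example, not configuration from the thread or from Cisco. The inside network 192.0.2.0/24 and the site 'X' network 198.51.100.0/24 are constructed placeholders, and the ACL, class-map and policy-map names are assumptions.

```cisco
! Constructed placeholders: 192.0.2.0/24 = inside network, 198.51.100.0/24 = site 'X'
! Return traffic from site X to inside (the flow that arrives on the "wrong" router)
ip access-list extended ACL-SITEX-RETURN
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
! Outbound traffic from inside to site X
ip access-list extended ACL-SITEX-OUT
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
class-map type inspect match-all CM-SITEX-RETURN
 match access-group name ACL-SITEX-RETURN
class-map type inspect match-all CM-SITEX-OUT
 match access-group name ACL-SITEX-OUT
class-map type inspect match-any CM-INSPECT-ALL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! INSIDE>OUTSIDE: site X is passed statelessly, everything else is inspected
policy-map type inspect PM-IN-OUT
 class type inspect CM-SITEX-OUT
  pass
 class type inspect CM-INSPECT-ALL
  inspect
 class class-default
  drop log
!
! OUTSIDE>INSIDE: only site X return traffic is passed; no session is
! required because pass is stateless, so it works on either router
policy-map type inspect PM-OUT-IN
 class type inspect CM-SITEX-RETURN
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Because pass does no state tracking, the same pass classes must be applied on both RouterA and RouterB, and the passed flow relies entirely on the other controls the poster mentions beyond the ZBFW.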

Thanks Sourav, good call - you are right, of course. 

I will need to make this 'pass' in both directions until I get my 2nd ASR in place and can set up Configuring Firewall Stateful Interchassis Redundancy which *should* fix the whole thing.

Thanks all!

Sure Paul. :-)

Feel free to post in case you've any additional questions.

-

Sourav
