05-24-2013 08:37 AM - edited 03-11-2019 06:48 PM
We are implementing the ZBFW on our edge routers, connected to two ISPs with BGP routing. I have copied the basic policy from another site, but that site has very few, if any, outbound connections. What I think is happening is that the traffic goes out to site 'X' on RouterA but the return traffic comes in via the other ISP to RouterB. So the connection has never been seen by the INSIDE>OUTSIDE policy on the RouterB ZBFW, and the rejection messages are saying the OUTSIDE>INSIDE policy on RouterB is blocking it.
What I cannot find out is this: Can I add something like
permit tcp any a.b.c.d 0.0.0.255 established
(syntax might not be right)
to the appropriate ACL used in the OUTSIDE>INSIDE policy to allow these connections back in on either router? We have more security beyond the ZBFW, but I can easily see where this kind of asymmetric routing could occur.
Thanks - Paul
05-24-2013 12:57 PM
Hello,
I did understand the question.
There is no such thing as an 'established' keyword (you must use pass/pass to let the firewall know "do not care about asymmetric routing").
05-24-2013 01:03 PM
Hello Paul,
The 'established' keyword in an ACL would again require the ZBFW to have the connection table entry, and since the initial packet never left through Router B, even if you put in such an ACL it won't help (it will work only if the connection is sent through Router B, but in your case it was opened through Router B). What 'established' in an ACL can do, the ZBFW does in a more sophisticated manner.
https://supportforums.cisco.com/docs/DOC-1870
So, either set the action to pass in both directions as Julio mentioned (but keep in mind that is like having no firewall in the traffic path). But if you can't fix the asymmetric routing, maybe consider doing pass only for the affected flow.
-
Sourav
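The per-flow pass/pass approach suggested above, written out as an added IOS ZBFW example (not configuration from the thread or from Cisco). The zone names, class/policy names, the inside prefix 192.0.2.0/24 and the remote host 198.51.100.10 are placeholders; the same fragment would go on both edge routers, since either one may see only one leg of the flow.

```cisco
! Added example: pass only the one asymmetric flow in both directions,
! keep everything else under stateful inspect.
! 192.0.2.0/24 = inside subnet, 198.51.100.10 = remote site 'X' (placeholders).
ip access-list extended ACL-ASYM-OUT
 remark forward leg of the affected flow only (keep this as narrow as possible)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 443
ip access-list extended ACL-ASYM-IN
 remark return leg of the same flow, mirror of the line above
 permit tcp host 198.51.100.10 eq 443 192.0.2.0 0.0.0.255
!
class-map type inspect match-all CM-ASYM-OUT
 match access-group name ACL-ASYM-OUT
class-map type inspect match-all CM-ASYM-IN
 match access-group name ACL-ASYM-IN
class-map type inspect match-any CM-GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! INSIDE > OUTSIDE: the asymmetric flow is passed (no session entry is built),
! all other outbound traffic is inspected and its return traffic allowed statefully.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-ASYM-OUT
  pass
 class type inspect CM-GENERAL
  inspect
 class class-default
  drop log
!
! OUTSIDE > INSIDE: the return leg is passed even on the router that never
! saw the SYN; any other unsolicited inbound traffic is still dropped and logged.
policy-map type inspect PM-OUTSIDE-TO-INSIDE
 class type inspect CM-ASYM-IN
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-TO-INSIDE
```

Because pass is stateless, the passed flow gets no TCP state checking, so the ACLs should stay as tight as the application allows and can be removed once stateful interchassis redundancy is in place.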
05-24-2013 10:38 AM
Hello Paul,
What you are seeing here is asymmetric routing (not good for any firewall).
You will need to do a pass-pass policy for that traffic (it would allow asymmetric traffic).
Regards
05-24-2013 11:02 AM
Yes, I realize it is asymmetric routing.
What I was asking was, is allowing 'established' valid in a ZBFW config. Thanks.
05-24-2013 01:35 PM
I'm sorry, I wasn't clear - I meant using the 'established' keyword in an ACL invoked by the ZBFW class(es). My bad.
05-24-2013 01:38 PM
Thanks Sourav, good call - you are right, of course.
I will need to make this 'pass' in both directions until I get my 2nd ASR in place and can set up Configuring Firewall Stateful Interchassis Redundancy which *should* fix the whole thing.
Thanks all!
05-24-2013 01:40 PM
Sure Paul. :-)
Feel free to post in case you've any additional questions.
-
Sourav