ICMP PING works fine, but TCP ping being dropped by 2900

Nitin Nayar
Level 1

Hi Guys,

I am trying to do a TCP ping to 8.8.8.8, but it looks like my 2900 is dropping any ICMP responses coming back from the INET transit routers.

When I do an ICMP ping to 8.8.8.8, it works fine and I am getting the ICMP responses back from each transit router.

I have a Layer 2 switch with a SPAN session capturing a PCAP, and in the PCAP I can see the responses, but they don't arrive on the other side of the 2900. See attached PPT.

Any ideas on what I need to enable / allow on my IOS ZBFW to let these ICMP responses through? Can I enable any logging to see what is breaking it?

Thanks,

4 Replies

Hello,

Are you initiating these pings from the router itself? If so, the self zone might be the problem.

Can you post the configuration of your 2900? A TCP-specific parameter map might help. Not sure what you have configured so far, so seeing your configuration is useful.

Thanks Georg. I am running the tests from a Linux machine, not from the router.

Here is the IOS ZBFW config:

! Policy maps: each class gets inspect (stateful), pass (stateless, one direction) or drop
policy-map type inspect ROUTER-OUTBOUND-POLICY
 description Router Outbound and IPSec
 class type inspect ROUTER-INSPECT-OUTBOUND-CLASS
  inspect
 class type inspect ROUTER-PASS-OUTBOUND-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INTERNAL-TO-WEB-GATEWAY-POLICY
 description ZS
 class type inspect INTERNAL-TO-WEB-GATEWAY-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect GUEST-INTERNET-POLICY
 description Guest Wi-Fi
 class type inspect GUEST-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect CORPORATE-DIA-POLICY
 description Corporate to DIA
 class type inspect CORPORATE-DIA-CLASS
  inspect
 class type inspect TRACEROUTE-CLASS
  pass
 class class-default
  drop log
!
! Zones and zone-pairs (the class-maps and ROUTER-INBOUND-POLICY are not included in the post)
zone security default
 description default zone used for INTERNAL Network
zone security OUTSIDE
 description default zone used for INTERNET
zone security WEB-GATEWAY
 description default zone used for ZS Network
zone security GUEST
 description default zone used for GUEST Network
zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ROUTER-OUTBOUND-POLICY
zone-pair security GUEST-INTERNET source GUEST destination OUTSIDE
 service-policy type inspect GUEST-INTERNET-POLICY
zone-pair security INTERNAL-WEB-GATEWAY source default destination WEB-GATEWAY
 service-policy type inspect INTERNAL-TO-WEB-GATEWAY-POLICY
zone-pair security INTERNAL-OUTSIDE source default destination OUTSIDE
 service-policy type inspect CORPORATE-DIA-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ROUTER-INBOUND-POLICY
!

Hello,

From the Wireshark output, it looks like your TCP ping goes between ports 55126 and 443. You could try to configure an additional class matching that traffic:

access-list 101 permit tcp any any eq 55126
access-list 101 permit tcp any any eq 443

class-map type inspect match-all TCP_PING
 match access-group 101

and add this to the relevant policy map (I would assume INTERNAL-TO-WEB-GATEWAY-POLICY)...

Hi Georg,

The port 55126 is chosen by the 2900 (dynamic NAT), so this will not work, as I will have to open the whole ephemeral port range.

Is there no way to create a stateful firewall rule allowing ICMP traffic back for a TCP ping going out?

Any other ideas?
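The question above is really about how a stateful firewall can tie an incoming ICMP error (TTL exceeded or destination unreachable) to an outbound TCP probe it has already inspected. The following Python model is an added example written for this thread; it is not code from the poster, from Georg, or from Cisco IOS, and it does not claim to reproduce the 2900's processing order. It builds a constructed TCP SYN probe and a constructed ICMP time-exceeded reply, then shows that the reply is matched by parsing the offending datagram quoted inside the ICMP error, not by its outer ports. The addresses 203.0.113.5 and 198.51.100.1 are documentation-range placeholders; 8.8.8.8 and ports 55126/443 are the values from the thread.

```python
"""Toy model of stateful correlation between inspected TCP sessions and the
ICMP error messages that quote them. Constructed packets only; not IOS ZBFW."""
import socket
import struct

PROTO_ICMP, PROTO_TCP = 1, 6
ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED = 3, 11


def ipv4_header(src, dst, proto, ttl, payload_len):
    """Minimal 20-byte IPv4 header; the checksum is left at zero (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_syn(sport, dport):
    """20-byte TCP header carrying only the SYN flag (what a TCP ping sends)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)


def icmp_error(icmp_type, code, offending_datagram):
    """ICMP error body per RFC 792: type, code, checksum(0), 4 unused bytes,
    then the offending IP header plus the first 8 bytes of its payload."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending_datagram[:28]


def parse_ipv4(datagram):
    """Return (proto, src, dst, l4_payload) from a raw IPv4 datagram."""
    ihl = (datagram[0] & 0x0F) * 4
    proto = datagram[9]
    src = socket.inet_ntoa(datagram[12:16])
    dst = socket.inet_ntoa(datagram[16:20])
    return proto, src, dst, datagram[ihl:]


def flow_key(datagram):
    """5-tuple in the direction the datagram travels; only TCP ports are parsed."""
    proto, src, dst, l4 = parse_ipv4(datagram)
    sport, dport = struct.unpack("!HH", l4[:4]) if proto == PROTO_TCP else (0, 0)
    return (proto, src, sport, dst, dport)


class StatefulFirewall:
    """Sessions are recorded from inspected outbound traffic and used to judge
    returning packets, including ICMP errors that quote an inspected packet."""

    def __init__(self):
        self.sessions = set()

    def inspect_outbound(self, datagram):
        self.sessions.add(flow_key(datagram))

    def inbound_verdict(self, datagram):
        proto, src, dst, l4 = parse_ipv4(datagram)
        if proto == PROTO_ICMP:
            if l4[0] in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED):
                # The quoted datagram is the packet we sent, so its 5-tuple
                # matches a recorded session in the outbound direction.
                if flow_key(l4[8:]) in self.sessions:
                    return "pass: ICMP error for inspected session"
                return "drop: ICMP error quotes no known session"
            return "drop: unsolicited ICMP"
        # Plain return traffic: reverse the tuple and look it up.
        sport, dport = struct.unpack("!HH", l4[:4]) if proto == PROTO_TCP else (0, 0)
        if (proto, dst, dport, src, sport) in self.sessions:
            return "pass: return traffic of inspected session"
        return "drop: no session"


def demo():
    """Constructed scenario: 203.0.113.5 is the firewall's outside address,
    198.51.100.1 a transit hop, 8.8.8.8 the TCP ping target from the thread."""
    fw = StatefulFirewall()
    syn = tcp_syn(55126, 443)
    probe = ipv4_header("203.0.113.5", "8.8.8.8", PROTO_TCP, 3, len(syn)) + syn
    fw.inspect_outbound(probe)

    # A transit router's TTL-exceeded reply quoting the probe: matched via the quote.
    body = icmp_error(ICMP_TIME_EXCEEDED, 0, probe)
    reply = ipv4_header("198.51.100.1", "203.0.113.5", PROTO_ICMP, 61, len(body)) + body

    # The same error quoting a probe the firewall never inspected (other source port).
    other_syn = tcp_syn(40000, 443)
    other = ipv4_header("203.0.113.5", "8.8.8.8", PROTO_TCP, 3, len(other_syn)) + other_syn
    bogus_body = icmp_error(ICMP_TIME_EXCEEDED, 0, other)
    bogus = ipv4_header("198.51.100.1", "203.0.113.5", PROTO_ICMP, 61, len(bogus_body)) + bogus_body

    return fw.inbound_verdict(reply), fw.inbound_verdict(bogus)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The practical consequence for troubleshooting: the match only succeeds if the addresses and ports quoted inside the ICMP error are the same ones the firewall recorded for the session. When NAT sits on the same path, the quoted inner header has to be translated as well (RFC 5508 requires this of NAT devices for ICMP errors); a capture taken on each side of the router, comparing the inner header of the ICMP error against the translated SYN, is the quickest way to see at which stage the correlation is lost.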
