ICMP PING works fine, but TCP ping being dropped by 2900

Nitin Nayar
Level 1

Hi Guys,

I am trying to do a TCP ping to 8.8.8.8, but it looks like my 2900 is dropping any ICMP responses coming back from the INET transit routers.

When I do an ICMP ping to 8.8.8.8, it works fine and I am getting the ICMP responses back from each transit router.

I have a Layer 2 switch with SPAN doing PCAP. And in the PCAP, I can see the responses, but don't get these on the other side of the 2900. See attached PPT.

Any ideas on what I need to enable / allow on my IOS ZBFW to enable these ICMP responses? Can I enable any logging to see what is breaking it?

Thanks,

4 Replies

Hello,

Are you initiating these pings from the router itself? If so, the self zone might be the problem.

Can you post the configuration of your 2900? A TCP-specific parameter map might help; not sure what you have configured so far, so seeing your configuration is useful.

Thanks Georg. I am running the tests from a Linux machine, not from the router.

Here is the IOS ZBFW config:

policy-map type inspect ROUTER-OUTBOUND-POLICY
 description Router Outbound and IPSec
 class type inspect ROUTER-INSPECT-OUTBOUND-CLASS
  inspect
 class type inspect ROUTER-PASS-OUTBOUND-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INTERNAL-TO-WEB-GATEWAY-POLICY
 description ZS
 class type inspect INTERNAL-TO-WEB-GATEWAY-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect GUEST-INTERNET-POLICY
 description Guest Wi-Fi
 class type inspect GUEST-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect CORPORATE-DIA-POLICY
 description Corporate to DIA
 class type inspect CORPORATE-DIA-CLASS
  inspect
 class type inspect TRACEROUTE-CLASS
  pass
 class class-default
  drop log
!

!
zone security default
 description default zone used for INTERNAL Network
zone security OUTSIDE
 description default zone used for INTERNET
zone security WEB-GATEWAY
 description default zone used for ZS Network
zone security GUEST
 description default zone used for GUEST Network
zone-pair security FROM-ROUTER source self destination OUTSIDE
 service-policy type inspect ROUTER-OUTBOUND-POLICY
zone-pair security GUEST-INTERNET source GUEST destination OUTSIDE
 service-policy type inspect GUEST-INTERNET-POLICY
zone-pair security INTERNAL-WEB-GATEWAY source default destination WEB-GATEWAY
 service-policy type inspect INTERNAL-TO-WEB-GATEWAY-POLICY
zone-pair security INTERNAL-OUTSIDE source default destination OUTSIDE
 service-policy type inspect CORPORATE-DIA-POLICY
zone-pair security TO-ROUTER source OUTSIDE destination self
 service-policy type inspect ROUTER-INBOUND-POLICY
!

Hello,

From the Wireshark output, it looks like your TCP ping goes between ports 55126 and 443. You could try to configure an additional class matching that traffic:

access-list 101 permit tcp any any eq 55126
access-list 101 permit tcp any any eq 443

class-map type inspect match-all TCP_PING
match access-group 101

and add this to the relevant policy map (I would assume INTERNAL-TO-WEB-GATEWAY-POLICY)...

Hi Georg,

The port 55126 is chosen by the 2900 (dynamic NAT), so this will not work, as I would have to open the whole ephemeral port range.

Is there no way to create a stateful firewall rule allowing the ICMP traffic back for the TCP ping going out?

Any other ideas?
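The stateful match Nitin is asking about, shown as an added Python example that is not part of this thread or of IOS: an ICMP error (time-exceeded or unreachable) quotes the IP header and the first 8 bytes of the TCP header of the datagram it answers, which is what lets an inspector tie the reply back to the NATed session 55126 -> 443 instead of opening the ephemeral port range by ACL. The 203.0.113.10 address, the session table and the packets are constructed test data.

```python
import struct
from typing import Optional, Set, Tuple

# Session key as a stateful inspector would record it once the TCP SYN
# left the outside interface: (src_ip, src_port, dst_ip, dst_port).
Session = Tuple[str, int, str, int]

def ip_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed test data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def icmp_error(kind: int, code: int, orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP error (type 11 time-exceeded or type 3 unreachable) quoting the
    offending datagram: its IP header plus the first 8 bytes of its TCP header."""
    inner_tcp8 = struct.pack("!HHI", sport, dport, 0)          # ports + sequence number
    inner = ip_header(orig_src, orig_dst, 6, 20) + inner_tcp8
    return struct.pack("!BBHI", kind, code, 0, 0) + inner       # 8-byte ICMP header + quote

def quoted_session(icmp: bytes) -> Optional[Session]:
    """Pull the original TCP 4-tuple out of an ICMP error; None for anything else."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] not in (3, 11):
        return None
    ihl = (icmp[8] & 0x0F) * 4                 # quoted IP header starts at offset 8
    proto = icmp[8 + 9]
    src = ".".join(map(str, icmp[8 + 12:8 + 16]))
    dst = ".".join(map(str, icmp[8 + 16:8 + 20]))
    if proto != 6 or len(icmp) < 8 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    return (src, sport, dst, dport)

def allow_icmp_error(icmp: bytes, sessions: Set[Session]) -> bool:
    """Stateful decision: pass the ICMP error only if it quotes an open session."""
    key = quoted_session(icmp)
    return key is not None and key in sessions

# Constructed scenario: the NATed SYN 203.0.113.10:55126 -> 8.8.8.8:443 is in the
# table, and a transit router answers it with TTL exceeded quoting that SYN.
SESSIONS: Set[Session] = {("203.0.113.10", 55126, "8.8.8.8", 443)}
RELATED = icmp_error(11, 0, "203.0.113.10", "8.8.8.8", 55126, 443)
UNRELATED = icmp_error(11, 0, "203.0.113.10", "8.8.8.8", 40000, 443)
```

A port-based ACL such as "eq 55126" cannot make this distinction, since the quoted session lives inside the ICMP payload rather than in the outer header.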
