I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input. Our main issue right now is that the router is having performance issues once we hit certain throughput thresholds.
Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP (I know, it's a bit redundant) traffic and do inspection on it, then pass all other traffic. From a company policy standpoint, we are not filtering ANY traffic of any kind going outbound. (I know this isn't best practice, but that's another battle for another day.)
Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure, but it's what we have). Then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.
Here's what I'm wondering: could I, should I, and why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection?
If I were to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease on the 2911?
What are the security ramifications related to simply passing traffic instead of doing the inspection?
1] Inspection inspects the packet, i.e. it checks and maintains state information like sequence numbers, port numbers, IP addresses, connection time, idle time, etc.
2] The Pass option simply passes the traffic without maintaining any records.
3] So when you have your policy set to "Inspect" the traffic, all the return traffic is allowed by default to Inside.
4] When you have a Pass policy from Inside to Outside, you will have to allow the return traffic explicitly. That would be fine for configuration, but it would create a big security hole, as now traffic originating outside of your device will also be allowed to come Inside. It will be as good as no ZBF.
There are a few whitepapers/Technotes on cisco.com for tweaking the policies to enhance performance.
Let me know if this helped. Thanks.
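The inspect-versus-pass difference described in the answer, laid out as an added IOS ZBF configuration sketch (this is illustrative, not the poster's running config or Cisco's documentation); the zone, interface, class-map, policy-map and ACL names are assumed placeholders:

```cisco
! Assumed: zone INSIDE on Gi0/0, zone OUTSIDE on Gi0/1 (placeholder names).
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! --- Option A: inspect (stateful, what the poster runs today) ---
! "match protocol tcp/udp/icmp" already matches HTTP, DNS and SIP packets;
! listing ftp/http/dns/sip on top of them turns on application-layer
! inspection for those protocols, which is extra work per packet.
class-map type inspect match-any CM-IN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
! No OUTSIDE->INSIDE policy is needed for replies: inspect records each
! session and admits only return packets that match an existing entry.
!
! --- Option B: pass (stateless) for the same flows ---
! Pass creates no session, so replies from OUTSIDE are dropped unless an
! OUTSIDE->INSIDE zone-pair passes them explicitly (apply this policy-map
! to IN-OUT in place of PM-IN-OUT to try it).
policy-map type inspect PM-IN-OUT-PASS
 class type inspect CM-IN-OUT
  pass
! The ACL below is the minimum that lets replies through. "established"
! only tests ACK/RST flags, and UDP/ICMP have no reply marker at all, so
! the same lines admit connections that originate OUTSIDE: the router
! now behaves like a stateless packet filter, not a firewall.
ip access-list extended ACL-RETURN
 permit tcp any any established
 permit udp any any
 permit icmp any any
class-map type inspect match-all CM-OUT-IN-RETURN
 match access-group name ACL-RETURN
policy-map type inspect PM-OUT-IN
 class type inspect CM-OUT-IN-RETURN
  pass
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

The CPU saved in Option B is exactly the session table that Option A uses to tell a reply apart from an unsolicited inbound connection, which is the trade-off point 4] above is describing.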