Hey, everyone. I'm wondering if I'm hitting some obscure bug here or I've just flatly configured something incorrectly causing one-way tcp and udp sessions. L7 traffic inspection just is not working properly with this configuration. I'm using ZBFW, NAT NVI, and VRF for a 2921 running 15.2(4)M1 - the latest downloadable stable IOS.
With the configuration below, all return traffic from the "LAB" zone to the "Outside" zone is dropped by the OUTSIDE->SELF policy. This seems like session state is breaking somewhere. As soon as I remove the OUTSIDE->SELF policy, the return traffic works. The expected behavior is for ZBFW to punch a hole from the LAB->OUTSIDE network and permit all reply traffic regardless of the policy configured on OUTSIDE->SELF. Without the outside->self policy the router is exposed with basically a permit ip any any from the internet. CoPP is not a desired solution to get around this problem due to configuration complexity and supportability. Using access-lists on the inbound interface fails as well because ZBFW cannot punch holes through ACLs like CBAC can. Using another policy to permit tcp any eq 80 host 203.0.113.1 type access-lists could work, but this is not the intent of using ZBFW in the first place. All the return traffic is being dropped by ZBFW.

[Snip from show log | i 4.2.2.3]

%FW-6-DROP_PKT: Dropping udp session 4.2.2.3:53 203.0.113.1:21423 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 4.2.2.3:80 203.0.113.1:19448 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0

[Snip from show policy-firewall session zone-pair LAB->OUTSIDE]

Session 313B30C0 (192.168.1.15:60133)=>(4.2.2.3:53) dns:udp SIS_OPENING
  Created 00:00:00, Last heard 00:00:00
  Bytes sent (initiator:responder) [55:0]
Session 313B61C0 (192.168.1.15:29502)=>(4.2.2.3:80) http:tcp SIS_OPENING/TCP_SYNSENT
  Created 00:00:00, Last heard 00:00:00
  Bytes sent (initiator:responder) [0:0]

No sessions from show policy-firewall session zone-pair OUTSIDE->SELF - everything blank. An icmp ping or whatever else I explicitly permit (SIP, for example) works fine if it has been configured.
As soon as the zone-pair OUTSIDE->SELF is removed everything works as expected: tcp flows great, dns responses work as expected.

[Snip from show policy-firewall session zone-pair LAB->OUTSIDE after "no zone-pair security OUTSIDE->SELF source OUTSIDE destination self" is configured]

Session 313BD540 (192.168.1.15:62059)=>(4.2.2.3:53) dns:udp SIS_OPEN
  Created 00:00:00, Last heard 00:00:00
  Bytes sent (initiator:responder) [44:234]
Session 313B99C0 (92.168.1.15:34318)=>(4.2.2.3:80) http:tcp SIS_OPEN/TCP_ESTAB
  Created 00:00:06, Last heard 00:00:03
  Bytes sent (initiator:responder) [350:0]

A simplified, stripped-down configuration:

!Deny nat loopback issues
ip access-list extended LAB_NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!Define the VRF - this lab network should not be in the global routing table
ip vrf LAB
 rd 100:1
zone security LAB
zone security OUTSIDE
interface GigabitEthernet0/0
 ip nat enable
 ip vrf forwarding LAB
 ip address 192.168.1.1 255.255.255.0
 zone-member security LAB
!
!RFC5735 - 203.0.113.0/24 TEST-NET-3 assists in clear documentation of what we consider 'inside' and 'outside' :)
interface GigabitEthernet0/1
 ip nat enable
 ip vrf forwarding LAB
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!Simple NAT within the VRF.
ip nat source list LAB_NAT interface GigabitEthernet0/1 vrf LAB overload
!Simple internet access - dns, http, icmp.
class-map type inspect LAB->OUTSIDE-PROTOCOLS
 match protocol dns
 match protocol http
 match protocol icmp
!Only allow ping traffic sent to the router
class-map type inspect OUTSIDE->SELF-PROTOCOLS
 match protocol icmp
policy-map type inspect LAB->OUTSIDE
 class LAB->OUTSIDE-PROTOCOLS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE->SELF
 class type inspect OUTSIDE->SELF-PROTOCOLS
  inspect
 class class-default
  drop log
zone-pair security LAB->OUTSIDE source LAB destination OUTSIDE
 service-policy type inspect LAB->OUTSIDE
zone-pair security OUTSIDE->SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF

Thanks for your time, everyone!

-JP
Senior CCIE #24838 (R&S)

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
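To sort the drops the way JP did by hand, here is a small Python triage script, added here as an example and not part of the post or of IOS: it parses constructed copies of the %FW-6-DROP_PKT lines and of the LAB->OUTSIDE session table, and flags a drop on OUTSIDE->SELF as a stranded reply when its source matches the responder of an inspected session (the third drop line is a constructed unsolicited SYN for contrast).

```python
import re

# Constructed samples in the shape of the two IOS outputs quoted in the post:
# the %FW-6-DROP_PKT log lines and "show policy-firewall session zone-pair LAB->OUTSIDE".
# The third drop is an unsolicited inbound SYN added for contrast.
DROP_LOG = """\
%FW-6-DROP_PKT: Dropping udp session 4.2.2.3:53 203.0.113.1:21423 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 4.2.2.3:80 203.0.113.1:19448 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:40001 203.0.113.1:22 on zone-pair OUTSIDE->SELF class class-default due to DROP action found in policy-map with ip ident 0
"""

SESSION_TABLE = """\
Session 313B30C0 (192.168.1.15:60133)=>(4.2.2.3:53) dns:udp SIS_OPENING
Session 313B61C0 (192.168.1.15:29502)=>(4.2.2.3:80) http:tcp SIS_OPENING/TCP_SYNSENT
"""

DROP_RE = re.compile(
    r"Dropping (\w+) session ([\d.]+):(\d+) ([\d.]+):(\d+) on zone-pair (\S+)")
SESS_RE = re.compile(
    r"Session \w+ \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\w+):(\w+) (\S+)")


def parse_drops(log):
    """Return one dict per %FW-6-DROP_PKT line: proto, src, sport, dst, dport, zone pair."""
    return [dict(zip(("proto", "src", "sport", "dst", "dport", "pair"),
                     (m[1], m[2], int(m[3]), m[4], int(m[5]), m[6])))
            for m in DROP_RE.finditer(log)]


def parse_sessions(table):
    """Return the set of (proto, responder_ip, responder_port) for inspected sessions."""
    return {(m[6], m[3], int(m[4])) for m in SESS_RE.finditer(table)}


def classify_drops(log, table, pair="OUTSIDE->SELF"):
    """Tag each drop on `pair` as 'stranded-reply' when its source is the responder of
    a LAB->OUTSIDE session, else 'unsolicited'.  Only the responder side is matched:
    the PAT'd port on 203.0.113.1 (e.g. 21423) differs from the inside initiator port
    (60133), so the initiator side cannot be correlated without the NAT table."""
    responders = parse_sessions(table)
    result = []
    for d in parse_drops(log):
        if d["pair"] != pair:
            continue
        verdict = ("stranded-reply" if (d["proto"], d["src"], d["sport"]) in responders
                   else "unsolicited")
        result.append((verdict, d["proto"], f"{d['src']}:{d['sport']}", f"{d['dst']}:{d['dport']}"))
    return result


if __name__ == "__main__":
    for row in classify_drops(DROP_LOG, SESSION_TABLE):
        print(*row)
```

Because the match keys only on responder ip:port, any other packet from that same responder would be tagged the same way; a lookup against "show ip nat nvi translations" would tighten it to the exact flow.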