Problem: Connectivity with zone based firewalls enabled.
#########
class-map type inspect match-any CLASS_WAN_TRAFFIC
match protocol icmp
match protocol isakmp
match protocol echo
!
!
policy-map type inspect POLICY_WAN_TRAFFIC
class type inspect CLASS_WAN_TRAFFIC
inspect
class class-default
drop log
!
zone security inside
zone security outside
zone-pair security PAIR_WAN_TRAFFIC source inside destination outside
service-policy type inspect POLICY_WAN_TRAFFIC
!
!
!
!
interface FastEthernet0/1
ip address 172.16.0.1 255.255.255.0
zone-member security inside
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.0
zone-member security outside
#########
As you can see, I am trying to inspect pings. Based on what I have read about zone-based firewalls, a host pinging from the 10.0.0.0/24 subnet shouldn't be able to reach the 172.16.0.0/24 subnet, because the only zone-pair I have configured is inside to outside.
But when I ping the 172.16.0.0/24 subnet from the outside, the ping succeeds.
#########
PERTR01#ping 172.16.0.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
#########
Check the zone-pair statistics.
#########
CERTR01#sh policy-map type inspect zone-pair
Zone-pair: PAIR_WAN_TRAFFIC
Service-policy inspect : POLICY_WAN_TRAFFIC
Class-map: CLASS_WAN_TRAFFIC (match-any)
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol isakmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol echo
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
#########
Solution: So what's the problem? Traffic destined to or sourced from the router itself belongs to the special zone "self", and traffic between the self zone and any other zone is permitted by default unless a zone-pair with a policy is applied to it. Since 172.16.0.1 is the router's own interface address, the ping was router-destined traffic and never crossed the inside/outside zone-pair at all, which is why every counter above reads zero.
Here is my new code:
#########
class-map type inspect match-any CLASS_SELF_TRAFFIC
match protocol icmp
!
!
policy-map type inspect POLICY_OUTSIDE_SELF_TRAFFIC
class type inspect CLASS_SELF_TRAFFIC
drop
class class-default
!
policy-map type inspect POLICY_SELF_OUTSIDE_TRAFFIC
class type inspect CLASS_SELF_TRAFFIC
inspect
class class-default
!
!
zone-pair security PAIR_SELF_TRAFFIC source outside destination self
service-policy type inspect POLICY_OUTSIDE_SELF_TRAFFIC
!
zone-pair security PAIR_SELF_OUTSIDE_TRAFFIC source self destination outside
service-policy type inspect POLICY_SELF_OUTSIDE_TRAFFIC
#########
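To catch this class of mistake before a ping does, the following script (an added example written for this post, not part of the original configuration or of any Cisco tool) parses the zone and zone-pair lines of an IOS configuration and lists every direction between a declared zone and the implicit "self" zone that has no zone-pair, i.e. every direction in which router-destined or router-sourced traffic is still default-permitted. The two sample configurations are constructed copies of the before and after configurations from the post; the function and variable names are my own.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the original configuration from the post, which has a
# zone-pair for inside -> outside but nothing involving the "self" zone.
BEFORE_CONFIG = """\
zone security inside
zone security outside
zone-pair security PAIR_WAN_TRAFFIC source inside destination outside
 service-policy type inspect POLICY_WAN_TRAFFIC
!
interface FastEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 zone-member security inside
!
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.0
 zone-member security outside
"""

# Constructed sample: the same configuration after the post's fix added the
# outside <-> self zone-pairs.
AFTER_CONFIG = BEFORE_CONFIG + """\
!
zone-pair security PAIR_SELF_TRAFFIC source outside destination self
 service-policy type inspect POLICY_OUTSIDE_SELF_TRAFFIC
!
zone-pair security PAIR_SELF_OUTSIDE_TRAFFIC source self destination outside
 service-policy type inspect POLICY_SELF_OUTSIDE_TRAFFIC
"""

ZONE_RE = re.compile(r"^zone security (\S+)\s*$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)\s*$")
POLICY_RE = re.compile(r"^\s*service-policy type inspect (\S+)\s*$")


def parse_zones(config: str) -> Tuple[Set[str], Dict[str, Tuple[str, str, str]]]:
    """Return the declared zones and a map zone-pair name -> (source, destination, policy).

    "self" is never declared with "zone security"; IOS creates it implicitly,
    so it is deliberately excluded from the returned zone set.
    """
    zones: Set[str] = set()
    pairs: Dict[str, Tuple[str, str, str]] = {}
    current = None  # zone-pair whose service-policy line we expect next
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
            current = None
        elif m := PAIR_RE.match(line):
            name, src, dst = m.groups()
            pairs[name] = (src, dst, "")
            current = name
        elif (m := POLICY_RE.match(line)) and current:
            src, dst, _ = pairs[current]
            pairs[current] = (src, dst, m.group(1))
        elif line.strip() == "!":
            current = None
    zones.discard("self")
    return zones, pairs


def missing_self_pairs(config: str) -> List[Tuple[str, str]]:
    """Directions between a zone and "self" that have no zone-pair.

    Traffic to or from the router in these directions is permitted by default,
    which is exactly why the ping to 172.16.0.1 succeeded in the post.
    """
    zones, pairs = parse_zones(config)
    covered = {(src, dst) for src, dst, _ in pairs.values()}
    missing = []
    for zone in sorted(zones):
        for direction in ((zone, "self"), ("self", zone)):
            if direction not in covered:
                missing.append(direction)
    return missing


def pairs_without_policy(config: str) -> List[str]:
    """Zone-pairs declared without a service-policy: the policy you wrote is not applied there."""
    _, pairs = parse_zones(config)
    return sorted(name for name, (_, _, policy) in pairs.items() if not policy)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, "missing self pairs:", missing_self_pairs(cfg))
        print(label, "pairs without policy:", pairs_without_policy(cfg))
```

Run against the "after" configuration, the script still reports inside to self and self to inside as uncovered: the fix in the post only closes the outside side of the router, and traffic from the inside zone to the router's own addresses remains default-permitted until those two zone-pairs exist as well. Whether that is acceptable depends on what the inside zone is trusted to do.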
The ping is now unsuccessful.
#########
PERTR01#ping 172.16.0.1 source 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.....
Success rate is 0 percent (0/5)
#########
Verification: You can now see the zone-pair statistics registering the traffic.
#########
CERTR01#sh policy-map type inspect zone-pair PAIR_SELF_TRAFFIC
Zone-pair: PAIR_SELF_TRAFFIC
Service-policy inspect : POLICY_OUTSIDE_SELF_TRAFFIC
Class-map: CLASS_SELF_TRAFFIC (match-any)
Match: protocol icmp
10 packets, 800 bytes
30 second rate 0 bps
Drop
10 packets, 800 bytes
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
#########
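The verification step above relies on reading counters by eye. The following parser (an added example for this post, not IOS output handling from Cisco or from the original author) turns "show policy-map type inspect zone-pair" output into per-class match and action counters and flags any zone-pair whose classes have never matched a packet or created a session, which is the signature of a policy that is not on the path of the traffic you think it inspects. The two samples are constructed, trimmed copies of the two outputs shown in the post; the regexes assume the line formats visible there and the function names are my own.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the counters from the post before the fix (trimmed copy).
BEFORE_OUTPUT = """\
Zone-pair: PAIR_WAN_TRAFFIC
 Service-policy inspect : POLICY_WAN_TRAFFIC
  Class-map: CLASS_WAN_TRAFFIC (match-any)
   Match: protocol icmp
    0 packets, 0 bytes
    30 second rate 0 bps
   Match: protocol isakmp
    0 packets, 0 bytes
    30 second rate 0 bps
   Match: protocol echo
    0 packets, 0 bytes
    30 second rate 0 bps
   Inspect
    Session creations since subsystem startup or last reset 0
    Current session counts (estab/half-open/terminating) [0:0:0]
  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes
"""

# Constructed sample: the counters from the post after the fix.
AFTER_OUTPUT = """\
Zone-pair: PAIR_SELF_TRAFFIC
 Service-policy inspect : POLICY_OUTSIDE_SELF_TRAFFIC
  Class-map: CLASS_SELF_TRAFFIC (match-any)
   Match: protocol icmp
    10 packets, 800 bytes
    30 second rate 0 bps
   Drop
    10 packets, 800 bytes
  Class-map: class-default (match-any)
   Match: any
   Drop (default action)
    0 packets, 0 bytes
"""

PAIR_RE = re.compile(r"^Zone-pair:\s+(\S+)")
CLASS_RE = re.compile(r"^Class-map:\s+(\S+)\s+\((match-any|match-all)\)")
MATCH_RE = re.compile(r"^Match:\s+(.+?)\s*$")
PKTS_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
ACTION_RE = re.compile(r"^(Inspect|Drop|Pass)(?: \(default action\))?\s*$")
SESSIONS_RE = re.compile(r"^Session creations since subsystem startup or last reset (\d+)")


def parse_zone_pair_stats(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse show output into {zone-pair: {"policy": str, "classes": {name: counters}}}.

    A "N packets, M bytes" line belongs to whichever Match: or action line
    preceded it, so the parser remembers that target as it walks the text.
    """
    stats: Dict[str, Dict[str, Any]] = {}
    pair = cls = target = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PAIR_RE.match(line):
            pair = stats.setdefault(m.group(1), {"policy": None, "classes": {}})
            cls = None
        elif pair is None:
            continue
        elif line.startswith("Service-policy inspect :"):
            pair["policy"] = line.split(":", 1)[1].strip()
        elif m := CLASS_RE.match(line):
            cls = pair["classes"].setdefault(
                m.group(1), {"matches": {}, "action": None, "action_packets": 0, "sessions": 0})
            target = None
        elif cls is None:
            continue
        elif m := MATCH_RE.match(line):
            cls["matches"][m.group(1)] = 0
            target = ("match", m.group(1))
        elif m := ACTION_RE.match(line):
            cls["action"] = m.group(1).lower()
            target = ("action", None)
        elif m := PKTS_RE.match(line):
            if target and target[0] == "match":
                cls["matches"][target[1]] = int(m.group(1))
            elif target and target[0] == "action":
                cls["action_packets"] = int(m.group(1))
        elif m := SESSIONS_RE.match(line):
            cls["sessions"] = int(m.group(1))
    return stats


def pairs_without_hits(stats: Dict[str, Dict[str, Any]]) -> List[str]:
    """Zone-pairs where no class matched a packet, dropped a packet or built a session."""
    return sorted(
        name for name, p in stats.items()
        if all(sum(c["matches"].values()) == 0 and c["action_packets"] == 0 and c["sessions"] == 0
               for c in p["classes"].values()))


if __name__ == "__main__":
    print("before:", pairs_without_hits(parse_zone_pair_stats(BEFORE_OUTPUT)))
    print("after:", pairs_without_hits(parse_zone_pair_stats(AFTER_OUTPUT)))
```

On the "before" output the script reports PAIR_WAN_TRAFFIC as never hit, which is the clue that the ping was being handled somewhere else (the self zone); on the "after" output the ICMP class shows ten matched and ten dropped packets and nothing is reported. A zone-pair that stays at zero while the traffic it is meant to control demonstrably flows is worth the same investigation every time.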