zone-based FW: "pass" means one-way or two?

From: Gavin Schokman <g_schokman_at_yahoo.com.au>
Date: Fri, 6 Nov 2009 20:20:23 -0000

Hi GS'ers,
 
Doing a lab exercise and hitting some unexpected behaviour here with
zone-based firewall.
I've got the following config defined on my firewall router:
 
!! traffic def's

class-map type inspect match-all HTTP
 match protocol http
 
class-map type inspect FTP
 match protocol ftp
 
class-map type inspect DNS
 match protocol dns
 
class-map type inspect H323
 match protocol h323
 
class-map type inspect TELNET
 match protocol telnet
 
! policies
 
policy-map type inspect INSIDE->OUTSIDE
 class type inspect HTTP
  pass
 class type inspect FTP
  pass
 class type inspect DNS
  pass
 class type inspect H323
  pass
 class type inspect TELNET
  inspect
 class class-default
  drop
 
policy-map type inspect OUTSIDE->INSIDE
 class class-default
  no drop
 
zone security INSIDE
 
zone sec OUTSIDE
 
zone-pair sec OUTSIDE->INSIDE sou OUTSIDE dest INSIDE
 service-p type inspect OUTSIDE->INSIDE
 
zone-pair sec INSIDE->OUTSIDE sou INSIDE dest OUTSIDE
 service-p type inspect INSIDE->OUTSIDE
 
 
!! bind interfaces
 
int se1/0
 zone-m sec OUTSIDE
 
int fa0/0
 zone-m sec INSIDE
 
 
R5 ----- R6 ----- BB1
R5 is inside, R6 is the firewall router & BB1 on the outside
 
BB1 has telnet & http server enabled.
 
Trying to telnet to BB1 from R5 works with the "inspect" option configured.
The forward traffic is allowed through, as is the return traffic.
However, http connections (which have the "pass" option) are not working.
Traffic in the forward direction, i.e. R5 -> BB1 works (witnessed via "deb
ip packet" on BB1), but it seems the return traffic is being blocked by R6.
 
My understanding of the "pass" & "inspect" options in zone-based FW is that
they both allow forward traffic out and dynamically create a rule to allow
the return traffic. Also, DocCD states:
-- quote
If a policy is not configured between a pair of zones, traffic is dropped.
However, it is not necessary to configure a zone-pair and a service policy
solely for return traffic. Return traffic is allowed, by default, if a
service policy permits the traffic in the forward direction. In the above
example, it is not mandatory that you configure a zone-pair source Z2
destination Z1 solely for allowing return traffic from Z2 to Z1. The service
policy on the Z1-Z2 zone-pair takes care of it.
-- end quote
 
 
Can someone help shed some light on what is expected behaviour for the
"pass" option?
 
Thanks
 
Kind regards,
Gavin
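As an added illustration (my own Python model, not Cisco IOS code and not part of the original post), here is a small simulation of the zone-pair evaluation for the policies in Gavin's config. It assumes the documented ZBFW semantics that `inspect` installs a session entry which permits the return traffic, while `pass` forwards the packet statelessly and installs nothing, so the reply has to be matched by the reverse zone-pair's own policy. Hosts, packets and protocol names are constructed from the topology above.

```python
# Added example (not Cisco code, not from the thread): a minimal model of
# zone-based firewall evaluation for the policies in Gavin's config.
# Assumption modelled: "inspect" installs a session so return traffic is
# permitted; "pass" forwards the packet statelessly and installs nothing.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    protocol: str   # application protocol as a class-map would match it

# policy-map type inspect per zone-pair: ordered (class, action) list;
# anything not matched falls into class-default, modelled as drop.
POLICIES = {
    ("INSIDE", "OUTSIDE"): [("http", "pass"), ("ftp", "pass"), ("dns", "pass"),
                            ("h323", "pass"), ("telnet", "inspect")],
    ("OUTSIDE", "INSIDE"): [],          # class-default only -> drop
}

class ZoneFirewall:
    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()   # (src, dst, protocol) tuples created by "inspect"

    def forward(self, pkt):
        """Return the action taken: 'pass', 'inspect', 'session' or 'drop'."""
        # Return traffic of an inspected flow is matched against the session
        # table before any zone-pair policy is consulted.
        if (pkt.dst, pkt.src, pkt.protocol) in self.sessions:
            return "session"
        for proto, action in self.policies.get((pkt.src_zone, pkt.dst_zone), []):
            if proto == pkt.protocol:
                if action == "inspect":
                    self.sessions.add((pkt.src, pkt.dst, pkt.protocol))
                return action
        return "drop"     # class-default, and also "no policy between zones"

def simulate(protocol):
    """Forward R5 -> BB1, then the BB1 -> R5 reply; return both actions."""
    fw = ZoneFirewall(POLICIES)
    out = fw.forward(Packet("INSIDE", "OUTSIDE", "R5", "BB1", protocol))
    back = fw.forward(Packet("OUTSIDE", "INSIDE", "BB1", "R5", protocol))
    return out, back

if __name__ == "__main__":
    for p in ("telnet", "http"):
        print(p, simulate(p))   # telnet ('inspect', 'session'); http ('pass', 'drop')
```

The model reproduces what the post observes: the telnet reply is admitted by the session created on the way out, while the http reply hits the OUTSIDE->INSIDE policy, whose only class is class-default, and is dropped.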

Received on Fri Nov 06 2009 - 20:20:23 ART
