RE: Viewing IOS ZBF inspect drops

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sun, 5 Feb 2012 23:27:48 +0000

Great post guys - thank you.

Very good thread here - best in a while. I think we're all doing Security these days :)

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Piotr Matusiak
Sent: Sunday, February 05, 2012 3:05 PM
To: Bogdan Sass
Cc: Cisco certification
Subject: Re: Viewing IOS ZBF inspect drops

Hi,

It looks fine. I even used your exact config in GNS3 and it works. Are you sure you don't have some strange L2 issue?

Here's log:

R3#pi 10.0.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/55/184 ms
R3#

R2#
*Feb 5 21:01:03.047: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_DMZ:CM_OUTSIDE_DMZ):Start icmp session: initiator (136.1.23.2:0) -- responder (10.0.0.4:0)
R2#
*Feb 5 21:01:15.283: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_DMZ:CM_OUTSIDE_DMZ):Stop icmp session: initiator (136.1.23.2:0) sent 720 bytes -- responder (10.0.0.4:0) sent 720 bytes
R2#sh policy-map type inspect zone-pair OUTSIDE_DMZ ses
 policy exists on zp OUTSIDE_DMZ
 Zone-pair: OUTSIDE_DMZ
  Service-policy inspect : PM_OUTSIDE_DMZ
    Class-map: CM_OUTSIDE_DMZ (match-all)
      Match: access-group name TO_DMZ
      Match: class-map match-any DMZ_PROTO
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol tacacs
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: access-group name ICMP
          0 packets, 0 bytes
          30 second rate 0 bps
   Inspect
       Police
        rate 512000 bps,6400 limit
        conformed 25 packets, 2950 bytes; actions: transmit
        exceeded 0 packets, 0 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
R2#

Regards,

--
Piotr Matusiak
CCIE #19860 (R&S, Security), CCSI #33705
Technical Instructor
website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
blog: www.ccie1.com
If you can't explain it simply, you don't understand it well enough - Albert Einstein
2012/2/5 Bogdan Sass <bogd.no.spam_at_gmail.com>
>  On 05/02/2012 15:51, Piotr Matusiak wrote:
>
> Hi,
>
> It should work with that config. Must be something wrong elsewhere.
>
>
>     I keep getting mixed results with ZBF - sometimes the inspect 
> policies simply FAIL to get a correct match. This happened to me again 
> and again during testing - sometimes a regex or protocol match 
> simply... doesn't match.
>
>     I have since downgraded the IOS version from 12.4(24)T2 to 
> 12.4(15)T17. (The reason? The "class-map type inspect http 
> *match-all* " keyword has... disappeared somewhere on the way between 12.4(15)T and 12.4(20)T.
> Which means there are some application filtering scenarios that have 
> just become impossible). However, the problem persists on the "new" IOS.
>
>     The original config is attached (there might be some minor 
> differences from the one I posted, due to my attempts at troubleshooting).
>
>     I am also attaching a config (same router) from a transparent mode 
> ZBF configuration. The problem with this is a similar one - it fails 
> to match on the ICMP protocol, and the packets get dropped by the default class.
>
> Rack1R3#sh policy-map type in zone-pair INSIDE_DMZ
>  Zone-pair: INSIDE_DMZ
>
>   Service-policy inspect : PM_INSIDE_DMZ
>
>     Class-map: INSIDE_PROTO (match-all)
>       Match: protocol http
>       Match: protocol ftp
>       Match: protocol icmp
>       Match: protocol dns
>       Match: protocol ssh
>       Inspect
>         Session creations since subsystem startup or last reset 0
>         Current session counts (estab/half-open/terminating) [0:0:0]
>         Maxever session counts (estab/half-open/terminating) [0:0:0]
>         Last session created never
>         Last statistic reset never
>         Last session creation rate 0
>         Maxever session creation rate 0
>         Last half-open session total 0
>
>
>     Class-map: class-default (match-any)
>       Match: any
>       Drop
>         10 packets, 800 bytes
>
> Rack1R3#sh run policy-map
> <snip>
> policy-map type inspect PM_INSIDE_DMZ
>  class type inspect INSIDE_PROTO
>   inspect
>  class class-default
>   drop log
>
> Rack1R3#sh run class-map
> Building configuration...
>
> Current configuration : 262 bytes
> !
> class-map type inspect match-all INSIDE_PROTO
>  match protocol http
>  match protocol ftp
>  match protocol icmp
>  match protocol dns
>  match protocol ssh
>
> Rack1R1#p 10.0.0.100
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
> ....
> Success rate is 0 percent (0/5)
>
> Rack1R3#
> *Feb  5 17:23:37.759: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.1:0 10.0.0.100:0 on zone-pair INSIDE_DMZ class class-default due to policy match failure with ip ident 25
>
> <snip>
>
>
> --
> Bogdan Sass
> CCSP,LPIC-1,VCP5,CCIE #22221 (RS)
> Information Systems Security Professional
> "Curiosity was framed - ignorance killed the cat"
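The thread's diagnosis hinges on reading the %FW-6 syslog messages the inspect policy emits: SESS_AUDIT_TRAIL_START/SESS_AUDIT_TRAIL when a class with `inspect` opens and closes a session, and DROP_PKT when a packet falls through to a class with `drop log`. The script below is an added example, not code from the list posts or from Cisco: it parses those three message formats exactly as they appear above and tallies drops and sessions per zone-pair and class, so a flood of class-default drops (the symptom Bogdan describes) stands out instead of having to be spotted by eye. The sample log lines are constructed from the formats quoted in the thread; the timestamp prefix, field names and regexes are this example's assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Optional IOS timestamp prefix such as "*Feb  5 17:23:37.759: " (assumption:
# default "service timestamps log datetime msec" style; ignored after matching).
_TS = r"^(?:\*?\w{3}\s+\d+\s+[\d:.]+:\s+)?"

# %FW-6-DROP_PKT as seen in the thread (drop log in a class).
DROP_RE = re.compile(
    _TS + r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+) due to (?P<reason>.+?)"
    r"(?: with ip ident (?P<ident>\d+))?$"
)

# %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL (inspect audit trail).
SESSION_RE = re.compile(
    _TS + r"%FW-6-SESS_AUDIT_TRAIL(?P<start>_START)?: "
    r"\(target:class\)-\((?P<zp>[^:]+):(?P<cls>[^)]+)\):"
    r"(?P<event>Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\)(?: sent (?P<ibytes>\d+) bytes)? "
    r"-- responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)(?: sent (?P<rbytes>\d+) bytes)?$"
)

# Constructed sample log, built from the message formats quoted in the thread.
SAMPLE_LOG = """\
*Feb  5 21:01:03.047: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(OUTSIDE_DMZ:CM_OUTSIDE_DMZ):Start icmp session: initiator (136.1.23.2:0) -- responder (10.0.0.4:0)
*Feb  5 21:01:15.283: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(OUTSIDE_DMZ:CM_OUTSIDE_DMZ):Stop icmp session: initiator (136.1.23.2:0) sent 720 bytes -- responder (10.0.0.4:0) sent 720 bytes
*Feb  5 17:23:37.759: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.1:0 10.0.0.100:0 on zone-pair INSIDE_DMZ class class-default due to policy match failure with ip ident 25
*Feb  5 17:23:39.761: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.1:0 10.0.0.100:0 on zone-pair INSIDE_DMZ class class-default due to policy match failure with ip ident 26
*Feb  5 17:24:01.001: %SYS-5-CONFIG_I: Configured from console by console
"""

Key = Tuple[str, str]  # (zone-pair, class-map)


def parse_fw_line(line: str) -> Optional[dict]:
    """Parse one %FW-6 line into a dict with an 'event' of drop/start/stop.

    Returns None for any line that is not one of the three inspect messages.
    """
    line = line.strip()
    m = DROP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "drop"
        return rec
    m = SESSION_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = rec["event"].lower()  # "start" or "stop"
        rec.pop("start", None)               # only used to tolerate the _START suffix
        return rec
    return None


def summarize(lines: List[str]) -> Tuple[Counter, Counter]:
    """Count DROP_PKT messages and opened sessions per (zone-pair, class)."""
    drops: Counter = Counter()
    sessions: Counter = Counter()
    for raw in lines:
        rec = parse_fw_line(raw)
        if rec is None:
            continue
        key: Key = (rec["zp"], rec["cls"])
        if rec["event"] == "drop":
            drops[key] += 1
        elif rec["event"] == "start":
            sessions[key] += 1
    return drops, sessions


def default_class_drops(drops: Counter) -> List[str]:
    """Zone-pairs whose class-default dropped traffic: the 'nothing matched' symptom."""
    return sorted(zp for (zp, cls), n in drops.items() if cls == "class-default" and n > 0)


if __name__ == "__main__":
    drops, sessions = summarize(SAMPLE_LOG.splitlines())
    for (zp, cls), n in sorted(drops.items()):
        print(f"DROP  zone-pair {zp:<12} class {cls:<18} {n} packet(s)")
    for (zp, cls), n in sorted(sessions.items()):
        print(f"SESS  zone-pair {zp:<12} class {cls:<18} {n} session(s) opened")
    for zp in default_class_drops(drops):
        print(f"check zone-pair {zp}: traffic is falling through to class-default")
```

Run it against `show logging` output or a syslog file to get the same per-class view as `show policy-map type inspect zone-pair`, but with the initiator/responder and `ip ident` preserved so a drop can be tied to the exact ping or flow that was sent. A zone-pair that shows sessions opening in its inspect class and no class-default drops is behaving like R2 in Piotr's test; one that shows only class-default drops is the situation in Bogdan's INSIDE_DMZ output.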
Received on Sun Feb 05 2012 - 23:27:48 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART