[Config] ACL and Zone based firewall config

I need assistance with figuring something out. I upgraded my IOS last night and for some reason I am now unable to connect to Steam.
Tried to set up an ACL to properly punch through my zone-based firewall. I probably botched the application. So here is my config below.
MyRouter#show run all
Building configuration...
Current configuration with default configurations exposed : 14957 bytes
!
version 12.4
parser cache
no service log backtrace
no service config
no service exec-callback
no service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service exec-wait
no service linenumber
no service internal
no service compress-config
service prompt config
no service old-slip-prompts
no service pt-vty-logging
no service disable-ip-fast-frag
service sequence-numbers
!
hostname MyRouter
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-15.T14.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000
enable secret X
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
no ip source-route
no ip gratuitous-arps
ip spd queue threshold minimum 73 maximum 74
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.20 192.168.1.254
!
ip dhcp pool Lan
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server Comcast's
lease 5
!
!
no ip bootp server
ip port-map user-protocol--2 port udp 20800
ip port-map user-protocol--3 port udp 20810
ip port-map user-protocol--1 port udp 28960
ip port-map user-defined port udp from 27000 to 27015
no ip ips notify log
login block-for 300 attempts 3 within 30
login on-failure log
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]
!
!
no memory validate-checksum
!
!
archive
log config
no record rc
no logging enable
logging size 100
no notify syslog contenttype plaintext
no notify syslog contenttype xml
hidekeys
no path
no rollback filter adaptive
rollback retry timeout 0
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 104
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 103
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any Steam
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class class-default
policy-map type inspect Steam
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
bridge irb
!
!
!
interface Null0
no ip unreachables
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key change 3600
!
broadcast-key vlan 1 change 3600 membership-termination capability-change
!
!
ssid
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
no cdp enable
spanning-tree portfast
!
interface FastEthernet3
no cdp enable
spanning-tree portfast
!
interface FastEthernet4
no cdp enable
spanning-tree portfast
!
interface FastEthernet5
no cdp enable
spanning-tree portfast
!
interface FastEthernet6
no cdp enable
spanning-tree portfast
!
interface FastEthernet7
no cdp enable
spanning-tree portfast
!
interface FastEthernet8
no cdp enable
spanning-tree portfast
!
interface FastEthernet9
no cdp enable
spanning-tree portfast
!
interface Vlan1
no ip address
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
shutdown
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip nat inside source list 3 interface FastEthernet0 overload
ip nat inside source static udp 192.168.1.1 28960 interface BVI1 28960
ip nat inside source static udp 192.168.1.1 20800 interface BVI1 20800
ip nat inside source static udp 192.168.1.1 20810 interface BVI1 20810
!
ip access-list extended OutboundBlock
deny ip 0.0.0.0 0.255.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 169.254.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 224.0.0.0 15.255.255.255 any log-input
deny ip any 0.0.0.0 0.255.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
deny ip any 127.0.0.0 0.255.255.255 log-input
deny ip any 169.254.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 224.0.0.0 15.255.255.255 log-input
deny udp any any eq netbios-ns log-input
deny udp any any eq netbios-dgm log-input
deny udp any any eq netbios-ss log-input
permit ip any any
ip access-list extended Steam
remark ports required for steam games
permit udp any range 27000 27015 any
permit udp any range 27015 27030 any
permit udp any eq 4380 any
permit tcp any range 27014 27050 any
permit udp any eq 28960 any
permit udp any any eq 3478
permit udp any any eq 4379
permit udp any any eq 4380
permit udp any any eq 1500
permit udp any any eq 3005
permit udp any any eq 3101
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark INSIDE_IF=BVI1
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny any
access-list 5 remark HTTP Access-class list
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny any
access-list 6 remark HTTP Access-class list
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 deny any
access-list 10 permit 192.168.5.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.1
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.1
access-list 110 remark SDM_ACL Category=17
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit udp host comcastdns eq domain any
access-list 110 permit udp host comcastdns eq domain any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 224.0.0.0 31.255.255.255 any log
access-list 110 deny ip host 0.0.0.0 any log
access-list 110 deny ip host 255.255.255.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 172.16.0.0 0.0.255.255 any log
access-list 110 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CC NOTICE TO USERS
NOTICE TO USERS
THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign. By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use. LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning. ^C
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
session-timeout 3 output
access-class 1 in
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice

Steam KB articles for required ports:
support.steampowered.com/kb_arti···LVN-8711

reply to Bigzizzzle
May want to check line 149, as you have a class-map for Steam traffic, but nothing telling it what to match on. Try adding 'match access-group Steam' and see if that fixes the problem.
I'm no expert in ZBFW configs, but I see default TCP / UDP inspecting so I'd've thought that would pick up any unmatched traffic. Any more experienced ZBFW'ers want to comment?
Regards

said by HELLFIRE: May want to check line 149, as you have a class-map for Steam traffic, but nothing telling it what to match on. Try adding 'match access-group Steam' and see if that fixes the problem.
I'm no expert in ZBFW configs, but I see default TCP / UDP inspecting so I'd've thought that would pick up any unmatched traffic. Any more experienced ZBFW'ers want to comment?
Regards

^^ This, plus,
you don't have the class-map defined under your in to out policy (sdm-inspect) or your out to in policy (sdm-pol-NATOutsideToInside-1). Personally we just do inspect all on class-default for our in to out policies, where you currently have a pass on your class-default, and with a pass there is no "hole" made in the firewall as with inspect, so the responding traffic is not allowed back through the firewall. Some IOS versions do not support this, and if not then you can just make a class of something like cls-any, and match an access-list that has permit ip any any, for example.
You could try this,
policy-map type inspect sdm-inspect
class class-default
no pass
inspect
If that doesn't go,
access-list 105 permit ip any any
class-map type inspect cls-any
match access-group 105
policy-map type inspect sdm-inspect
class cls-any
inspect
Unless you have a reason to limit your outbound traffic, I see no reason not to do an inspect all on outbound; it should let pretty much anything work.

did a little housekeeping.
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any Steam
match access-group name Steam
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 101
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class type inspect Steam
pass
class class-default
inspect
policy-map type inspect sdm-permit
class class-default
policy-map type inspect Steam
class type inspect Steam
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
Reminder of the ACL portion for "Steam"
ip access-list extended Steam
remark ports required for steam games
permit udp any range 27000 27015 any
permit udp any range 27015 27030 any
permit udp any eq 4380 any
permit tcp any range 27014 27050 any
permit udp any eq 28960 any
permit udp any any eq 3478
permit udp any any eq 4379
permit udp any any eq 4380
permit udp any any eq 1500
permit udp any any eq 3005
permit udp any any eq 3101
permit ip any any

Is it working?
Typically you want to either pass or inspect both ways for a given class. You didn't post your updated out to in policy, but you would want to do the same and have a Steam class pass back in. Having pass one way and inspect the other will break things.
Given that, as I said you really shouldn't need any of this and I think you are making things more complicated than you need to. I have Steam on my work laptop, and we use ZBFW at work and just have inspect on class-default on our "in to out" policy and Steam works fine. No ports allowed on out to in, and no passing of anything on in to out.
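A small checker, added here as an example and not code from anyone in this thread, that parses the class-map, policy-map and zone-pair sections of an IOS ZBFW config and flags the problems raised in the two posts above: a class-map with no match statements, a policy-map never bound to a zone-pair, 'pass' on the in-to-out class-default (so replies have no session to come back through), and a class passed one way but inspected the other. SAMPLE is a constructed config with those shapes, not Bigzizzzle's full config.

```python
"""Lint an IOS zone-based firewall config for the mistakes raised in this thread."""
import re

# Constructed sample (not the poster's full config) with the same shapes: an empty
# Steam class-map, a Steam policy-map never bound to a zone-pair, "pass" on the
# in-to-out class-default, and Steam passed one way but inspected the other.
SAMPLE = """\
class-map type inspect match-any Steam
policy-map type inspect sdm-inspect
 class type inspect Steam
  pass
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect Steam
  inspect
 class class-default
policy-map type inspect Steam
 class class-default
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
"""

def parse(config):
    """Return {class-map: [match lines]}, {policy-map: {class: action}}, {zone-pair: [src, dst, policy]}."""
    cmaps, pmaps, zps = {}, {}, {}
    block = cur = cls = None
    for raw in config.splitlines():
        line = raw.strip()  # indentation ignored, so an unindented paste parses like 'show run'
        if m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", line):
            block, cur, cmaps[m[1]] = "cmap", m[1], []
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            block, cur, cls, pmaps[m[1]] = "pmap", m[1], None, {}
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            block, cur, zps[m[1]] = "zp", m[1], [m[2], m[3], None]
        elif block == "cmap" and line.startswith("match "):
            cmaps[cur].append(line)
        elif block == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            cls = m[1]
            pmaps[cur][cls] = None  # no action line yet: IOS silently drops the class
        elif block == "pmap" and cls and line.split(" ")[0] in ("inspect", "pass", "drop"):
            pmaps[cur][cls] = line.split(" ")[0]
        elif block == "zp" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zps[cur][2] = m[1]
        elif line == "!":  # section terminator
            block = None
    return cmaps, pmaps, zps

def lint(config):
    """Return (severity, message) findings for the failure modes in the thread."""
    cmaps, pmaps, zps = parse(config)
    out = []
    bound = {p for _, _, p in zps.values() if p}
    for name, matches in cmaps.items():
        if not matches:
            out.append(("error", f"class-map {name} has no match statements, so it matches nothing"))
    for pname in pmaps:
        if pname not in bound:
            out.append(("warn", f"policy-map {pname} is not applied to any zone-pair"))
    by_dir = {}
    for zname, (src, dst, pol) in zps.items():
        by_dir[(src, dst)] = pol
        if pmaps.get(pol, {}).get("class-default") == "pass":
            out.append(("warn", f"{zname}: class-default in {pol} is 'pass'; pass keeps no session state, so replies from {dst} are not let back in"))
    for (src, dst), pol in by_dir.items():  # same class passed one way, inspected the other
        rev = by_dir.get((dst, src))
        if rev is None or (dst, src) < (src, dst):  # report each zone pair once
            continue
        for cname, action in pmaps.get(pol, {}).items():
            other = pmaps.get(rev, {}).get(cname)
            if {action, other} == {"pass", "inspect"}:
                out.append(("warn", f"class {cname} is '{action}' {src}->{dst} but '{other}' {dst}->{src}; use one action both ways"))
    return out
```

Run `lint(open("show-run.txt").read())` on a saved `show run` to get the same findings for a real config; a class-default with no action at all is left alone because IOS drops that traffic, which is the intended default.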

reply to Bigzizzzle
@cooldude Thanks for the second set of eyes... I'm still a long way from being an expert on ZBFW
...and I'll definitely have to do some more reading about inspect vs. pass. Where I'm getting stuck is why you'd pass traffic from one zone to another with no expectation of any return traffic. Cisco mentions it's useful for IPsec, ESP, IPsec AH and ISAKMP, but surely you'd need return traffic for that?
Regards

said by HELLFIRE: @cooldude Thanks for the second set of eyes... I'm still a long way from being an expert on ZBFW
...and I'll definitely have to do some more reading about inspect vs. pass. Where I'm getting stuck is why you'd pass traffic from one zone to another with no expectation of any return traffic. Cisco mentions it's useful for IPsec, ESP, IPsec AH and ISAKMP, but surely you'd need return traffic for that?
Regards

Yeah, I'm not sure in what case that would work either. For example we had to set up a pass class for BGP between us and our ISP. With inspect, our BGP session would randomly reset, so pass does have its place.

By pass back and forth you mean construct the statement like
in zone-pair security saying traffic from in goes out and then set up the same return for outer to come in?
I will update my config tonight when I get off work.

reply to Bigzizzzle
I would just try having inspect on class-default for your in to out policy (sdm-inspect) first and let's see what that does.
policy-map type inspect sdm-inspect
no class sdm-insp-traffic
no class sdm-protocol-http
no class SDM-Voice-permit
no class Steam
Looking at your out to in policy more (sdm-pol-NATOutsideToInside-1)
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class class-default
Those 3 classes don't even do anything; plus all 3 do the same thing, which is allow full access to 192.168.1.1, which is on the router and would be in the self zone, but you have this policy-map applied on the out to in zone, so I would clean that up as well.
policy-map type inspect sdm-pol-NATOutsideToInside-1
no class sdm-nat-user-protocol--1-1
no class sdm-nat-user-protocol--2-1
no class sdm-nat-user-protocol--3-1
At this point everything should work fine.

reply to Bigzizzzle
For grins I just connected to Steam at work, and it works fine. Here is what I see.
Our in to out policy,
FCAP0002#show zone-pair sec source zone-corp dest zone-inet
Zone-pair name zp-corp-inet
Source-Zone zone-corp Destination-Zone zone-inet
service-policy pol-corp-inet
using service-policy pol-corp-inet
FCAP0002#show policy-map type inspect pol-corp-inet
Policy Map type inspect pol-corp-inet
Class cls-block-web
Drop
Class class-default
Inspect
inspect on class-default
FCAP0002#show policy-map type inspect zone-pair ses
This shows all active inspect sessions for all your policy-maps, so i dig through it for my ip.
Session 746F413C (10.xx.xx.19:27921)=>(72.165.61.143:27039) tcp SIS_OPEN
Created 00:07:26, Last heard 00:07:26
Bytes sent (initiator:responder) [490:1964]
Session 7475296C (10.xx.xx.19:27924)=>(68.142.116.179:27017) udp SIS_OPEN
Created 00:07:25, Last heard 00:00:03
Bytes sent (initiator:responder) [15228:45776]
So there are my sessions open to Steam working fine.

So far still not working. I think I am going to rebuild my zone-based firewall from scratch.
Just a reminder not to let SDM set up your stuff; it causes a lot more hassle than it's worth.
Always been hardcoding this.

I want to make sure I properly formatted my "Steam" ACL. Working on the class-map setups and the policy map.
Question
Which ports do I need to open on my router or firewall for Steam?
Answer
Your network must be configured to allow Steam access to the following ports (in order from highest to lowest priority for QoS users):
Steam Client
UDP 27000 to 27015 inclusive (Game client traffic)
UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
TCP 27014 to 27050 inclusive (Steam downloads)
UDP 4380
Dedicated or Listen Servers
TCP 27015 (SRCDS Rcon port)
Steamworks P2P Networking and Steam Voice Chat
UDP 3478 (Outbound)
UDP 4379 (Outbound)
UDP 4380 (Outbound)
Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer
UDP 1500 (outbound)
UDP 3005 (outbound)
UDP 3101 (outbound)
UDP 28960

For what it's worth, I downgraded my IOS image to c181x-advipservicesk9-mz.124-15.T9 and my problem went away. I guess T15 has a bug up its ass somewhere. I'll probably open a TAC ticket this weekend when I can work on it more with them.

reply to Bigzizzzle
Dumb question, but any particular reason why you went with ZBFW, Bigzizzzle?
Never done it in a PROD environment myself, and I don't hate it, but having seen some other vendors' implementation of it I think Cisco's behind the curve on it. Plus, I know Cisco's got a few unresolved bugs in ZBFW they're still ironing out; key one in my mind is its handling of out-of-order packets -- ooops!
Just my 00000010 bits
Regards

reply to Bigzizzzle
said by Bigzizzzle: For what it's worth, I downgraded my IOS image to c181x-advipservicesk9-mz.124-15.T9 and my problem went away. I guess T15 has a bug up its ass somewhere. I'll probably open a TAC ticket this weekend when I can work on it more with them.
What version were you on? We are on 15 T12, including a few 181x T12 with no issues.

reply to HELLFIRE
said by HELLFIRE: Dumb question, but any particular reason why you went with ZBFW, Bigzizzzle?
Never done it in a PROD environment myself, and I don't hate it, but having seen some other vendors' implementation of it I think Cisco's behind the curve on it. Plus, I know Cisco's got a few unresolved bugs in ZBFW they're still ironing out; key one in my mind is its handling of out-of-order packets -- ooops!
Just my 00000010 bits
Regards

Frankly, past a certain IOS revision you're forced to use Zone Based Firewall.
My thoughts so far: it's an easy, flexible concept; however, it is by no means an easy solution to work with or modify / tweak. You're much better off working with Juniper devices / SonicWalls for security.
Yes, Cisco is light years behind in this area since the market seems to be merging lots of products together for these branch level routers.

reply to cooldude9919
said by cooldude9919: said by Bigzizzzle: For what it's worth, I downgraded my IOS image to c181x-advipservicesk9-mz.124-15.T9 and my problem went away. I guess T15 has a bug up its ass somewhere. I'll probably open a TAC ticket this weekend when I can work on it more with them. What version were you on? We are on 15 T12, including a few 181x T12 with no issues.
This is the IOS rev that seems to be bitchy with Steam packets.
c181x-advipservicesk9-mz.124-15.T14.bin

reply to Bigzizzzle
Far as I know, CBAC is still in 15.x code, and configuring reflexive ACLs isn't IOS-dependent.
Zone-security isn't bad in concept, but try and imagine something like 24 or 48 individual interfaces on a single device that you have to configure for zone-security. There's always tradeoffs to everything...
Regards