cooldude9919 (Member, join:2000-05-29) to HELLFIRE
Re: [Config] Working on Home Network and Zone-Pair FW

said by HELLFIRE:

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that the packets it's passing on those ports are entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

Pretty much yes. Inspect works great with things that are fairly simple, or stick to a single or small number of ports. It all has to do with what Cisco calls the "initiator" and the "responder". You can see below it breaks it down to the source/dest port level per IP address. So if the remote end tries to talk back on a different port or something else weird, it will get dropped by the drop on the class-default on the out-to-in policy.

show policy-map type inspect zone-pair ses
Number of Established Sessions = 5
Established Sessions
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
Created 00:05:17, Last heard 00:05:16
Bytes sent (initiator:responder) [651:1774]
Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]

A few more things inspect breaks.

TLS encryption for email
Causes problems with DHCP
You must pass ISAKMP and ESP for Cisco DMVPN to work
The last two used to work fine on inspect with 12.4.15T, but don't on 15.0.1 M.whatever.

My new project is to convert 2 configs with a LOT of ZBFW from working on 12.4.15T12 to 15.0.1.M7 and there's many changes along the way. We got a NME-IPS-K9 and it doesn't work on 12.4 :(.
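As an added illustration (not from the thread, and not Cisco code), a small Python model of the session table quoted above: it parses the `Session` lines and shows how an out-to-in packet is judged under a stateful inspect action versus a stateless pass action. The return traffic from port 8080 is a constructed example of a responder answering from a port the session table does not know.

```python
import re
from dataclasses import dataclass

# Session lines copied from the show output quoted above (Created/Bytes lines omitted).
SHOW_OUTPUT = """\
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
"""

SESSION_RE = re.compile(
    r"Session (?P<sid>[0-9A-F]+) "
    r"\((?P<iaddr>[\d.]+):(?P<iport>\d+)\)=>\((?P<raddr>[\d.]+):(?P<rport>\d+)\) "
    r"(?P<proto>\w+) (?P<state>\w+)"
)

@dataclass(frozen=True)
class Session:
    sid: str
    initiator: tuple   # (addr, port) on the inside zone, the side that opened the flow
    responder: tuple   # (addr, port) on the outside zone
    proto: str
    state: str

def parse_sessions(text):
    return [Session(m["sid"], (m["iaddr"], int(m["iport"])),
                    (m["raddr"], int(m["rport"])), m["proto"], m["state"])
            for m in SESSION_RE.finditer(text)]

def inspect_verdict(sessions, src, dst, proto="tcp"):
    """Out->in under INSPECT: only the responder side of an open session is
    accepted; anything else falls through to class-default and is dropped."""
    for s in sessions:
        if (s.proto, s.state) == (proto, "SIS_OPEN") and s.responder == src and s.initiator == dst:
            return "inspect", s.sid
    return "drop", None

def pass_verdict(allowed, src, dst, proto="tcp"):
    """Out->in under PASS on a port-based class-map: stateless, so any packet
    whose port is in the class is forwarded whether or not a session exists."""
    return "pass" if (proto, src[1]) in allowed or (proto, dst[1]) in allowed else "drop"

if __name__ == "__main__":
    table = parse_sessions(SHOW_OUTPUT)
    print(inspect_verdict(table, ("64.4.11.160", 80), ("10.3.130.102", 49732)))    # ('inspect', '85BF4520')
    print(inspect_verdict(table, ("64.4.11.160", 8080), ("10.3.130.102", 49732)))  # ('drop', None): unknown port
```

The second call is the case described in the post: the same remote host answering from a different port matches no initiator/responder pair, so inspect drops it, while a pass class for that port would forward it with no session check at all.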
HELLFIRE (MVM, join:2009-11-25)
Wonder if Cisco'd ever let us in on what does and doesn't need PASS or not in ZBFW.

Thanks for the hints, cooldude9919.

Regards