Re: [Config] Working on Home Network and Zone-Pair FW
said by HELLFIRE:
Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit trust from users that those packets it's passing on those ports is entirely trusted.
Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material in the future again.

Pretty much yes. Inspect works great with things that are fairly simple, or stick to a single or small number of ports. It all has to do with what Cisco calls the "initiator" and the "responder". You can see below it breaks it down to the source/dest port level per IP address. So if the remote end tries to talk back on a different port or something else weird it will get dropped by the drop on the class-default on the out-to-in policy.
show policy-map type inspect zone-pair ses
Number of Established Sessions = 5
Session 85BF4520 (10.3.130.102:49732)=>(22.214.171.124:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(126.96.36.199:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF86C0 (10.3.130.122:2747)=>(188.8.131.52:80) tcp SIS_OPEN
Created 00:05:17, Last heard 00:05:16
Bytes sent (initiator:responder) [651:1774]
Session 85BF22C0 (10.3.130.122:2751)=>(184.108.40.206:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
Session 85BF9980 (10.3.130.122:2752)=>(220.127.116.11:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]
A few more things inspect breaks.
TLS encryption for email
Causes problems with DHCP
You must pass ISAKMP and ESP for Cisco DMVPN to work
The last two used to work fine on inspect with 12.4.15T, but don't on 15.0.1 M.whatever.
My new project is to convert 2 configs with a LOT of zbfw from working on 12.4.15T12 to 15.0.1.M7 and there are many changes along the way. We got a NME-IPS-K9 and it doesn't work on 12.4 :(.
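Since inspect keys every flow on the initiator/responder 5-tuple shown in that session table, it helps to be able to read the table programmatically when auditing a zone-pair. The parser below is an added example, not code from the post or from Cisco; it reproduces the first three session entries from the output above as its sample input (header count adjusted to match), turns each into a record, checks the firewall's own session count against what was parsed, and then pulls out stale flows and the number of open flows per inside host.

```python
import re
from collections import Counter

# Session table reproduced from the post above (first three entries; header count adjusted to match)
SAMPLE = """\
Number of Established Sessions = 3
Session 85BF4520 (10.3.130.102:49732)=>(22.214.171.124:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(126.96.36.199:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF22C0 (10.3.130.122:2751)=>(184.108.40.206:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
"""

COUNT_RE = re.compile(r"Number of Established Sessions = (\d+)")
SESSION_RE = re.compile(r"Session (\w+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\w+) (\S+)")
HEARD_RE = re.compile(r"Last heard (\d+):(\d+):(\d+)")
BYTES_RE = re.compile(r"\(initiator:responder\) \[(\d+):(\d+)\]")

def parse_sessions(text):
    """One dict per session: the 5-tuple inspect keyed on, state, idle seconds and byte counts.
    Raises if the firewall's own session count in the header disagrees with what was parsed."""
    sessions, expected = [], None
    for line in text.splitlines():
        if m := COUNT_RE.search(line):
            expected = int(m.group(1))
        elif m := SESSION_RE.search(line):
            sid, ini, ip, res, rp, proto, state = m.groups()
            sessions.append({"id": sid, "initiator": ini, "iport": int(ip), "responder": res,
                             "rport": int(rp), "proto": proto, "state": state})
        elif (m := HEARD_RE.search(line)) and sessions:
            h, mi, s = map(int, m.groups())
            sessions[-1]["idle_secs"] = h * 3600 + mi * 60 + s
        elif (m := BYTES_RE.search(line)) and sessions:
            sessions[-1]["bytes_in"], sessions[-1]["bytes_out"] = map(int, m.groups())
    if expected is not None and expected != len(sessions):
        raise ValueError(f"header says {expected} sessions, parsed {len(sessions)}")
    return sessions

def stale(sessions, max_idle):
    """Ids of sessions not heard from for more than max_idle seconds."""
    return [s["id"] for s in sessions if s["idle_secs"] > max_idle]

def flows_per_initiator(sessions):
    """Open flows per inside host; a sudden jump here is what exhausts the session table."""
    return Counter(s["initiator"] for s in sessions)
```

Feed it the raw text of `show policy-map type inspect zone-pair sessions` captured from the router; a count mismatch usually means the capture was truncated by paging.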