
Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

[Config] Working on Home Network and Zone-Pair FW

Problem: Currently it is with some Steam games.

On select Steam games (MW2) I'm having issues with finding servers or server browsing. Per the Steam site, here are the required ports.

Your network must be configured to allow Steam access to the following ports (in order from highest to lowest priority for QoS users):

Steam Client
UDP 27000 to 27015 inclusive (Game client traffic)
UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
TCP 27014 to 27050 inclusive (Steam downloads)
UDP 4380

Dedicated or Listen Servers
TCP 27015 (SRCDS Rcon port)

Steamworks P2P Networking and Steam Voice Chat
UDP 3478 (Outbound)
UDP 4379 (Outbound)
UDP 4380 (Outbound)

Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer
UDP 1500 (outbound)
UDP 3005 (outbound)
UDP 3101 (outbound)
UDP 28960

Below is a Steam ACL I created; not sure if it's correct.

 
ip access-list extended Steam
 remark ports required for steam games
 permit udp any range 27000 27015 any
 permit udp any range 27015 27030 any
 permit udp any eq 4380 any
 permit tcp any range 27014 27050 any
 permit udp any eq 28960 any
 permit udp any any eq 3478
 permit udp any any eq 4379
 permit udp any any eq 4380
 permit udp any any eq 1500
 permit udp any any eq 3005
 permit udp any any eq 3101
 permit ip any any
 
 

Below is my current overall Zone-Pair Firewall setup.

 
!
class-map type inspect match-any CM_Voice_Traffic
 match protocol h323
 match protocol sip
 match protocol skinny
 match protocol sip-tls
class-map type inspect match-any Email_Client
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Web_Traffic
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM_IMCP
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Steam-MW2
class-map type inspect match-all CM_ICMP_INSPECT
 match class-map CM_IMCP
class-map type inspect match-any Server-Lab(WebTraffic)
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-any CM_Internet_Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol tftp
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol imap
 match protocol imap3
 match protocol imaps
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol http
 match protocol https
 match protocol aol
 match access-group name Steam
 match protocol dns
 match protocol cuseeme
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol streamworks
 match protocol vdolive
!
!
policy-map type inspect Web-Traffic
 class type inspect Server-Lab(WebTraffic)
  inspect
 class class-default
policy-map type inspect PM_01
 class type inspect CM_Internet_Traffic
  inspect
 class type inspect CM_Voice_Traffic
  pass
 class class-default
policy-map type inspect CM_IMCP
 description ICMP_Control
policy-map type inspect PM_ICMP_REPLY
 class type inspect CM_ICMP_INSPECT
  inspect
 class class-default
  pass
policy-map type inspect Email_Client_Processing
 class type inspect Email_Client
!
zone security out-zone
zone security in-zone
zone security Server-Lab
zone-pair security CM_Internet_Traffic source in-zone destination out-zone
 service-policy type inspect PM_01
zone-pair security CM_ICMP_INSPECT source self destination out-zone
 service-policy type inspect PM_ICMP_REPLY
zone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone
 description Allowed Web Traffic from Server Lab Lan to Outside
 service-policy type inspect Web-Traffic
 
 

nosx

join:2004-12-27
kudos:5

"permit ip any any " is mildly suspicious.
It means that the line "match access-group name Steam" will match all packets, negating any lines below it, and if you are permitting all traffic, why bother having a firewall at all?
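nosx's point can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a minimal first-match evaluator for the IOS extended ACL posted above (copied inline; the hosts are `any` throughout, so only protocol and ports decide a match). It also makes a second property of that ACL visible that matters when troubleshooting: the first five permit entries put their `eq`/`range` after the source address, so they constrain the source port, which for a client-initiated flow is the ephemeral port rather than the Steam port.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copy of the Steam ACL posted above (hosts are "any" throughout, so only
# protocol and ports decide a match).
STEAM_ACL = """\
ip access-list extended Steam
 remark ports required for steam games
 permit udp any range 27000 27015 any
 permit udp any range 27015 27030 any
 permit udp any eq 4380 any
 permit tcp any range 27014 27050 any
 permit udp any eq 28960 any
 permit udp any any eq 3478
 permit udp any any eq 4379
 permit udp any any eq 4380
 permit udp any any eq 1500
 permit udp any any eq 3005
 permit udp any any eq 3101
 permit ip any any
"""

PortSpec = Optional[Tuple[int, int]]   # (low, high) inclusive, or None for "any port"


@dataclass(frozen=True)
class Flow:
    proto: str     # "tcp", "udp" or "icmp"
    sport: int     # use 0 for protocols without ports
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every transport
    sport: PortSpec
    dport: PortSpec


def _port_spec(tokens: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional 'eq N' or 'range A B' at tokens[i]; return (spec, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = int(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit/deny <proto> <src> [ports] <dst> [ports]' lines; hosts are assumed to be 'any'."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark"):   # header line and remarks carry no match logic
            continue
        action, proto = t[0], t[1]
        sport, i = _port_spec(t, 3)             # t[2] is the source address
        dport, i = _port_spec(t, i + 1)         # t[i] is the destination address
        aces.append(Ace(action, proto, sport, dport))
    return aces


def _in(spec: PortSpec, port: int) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def evaluate(aces: List[Ace], flow: Flow) -> Optional[Tuple[int, Ace]]:
    """First matching entry as (index, ace), or None for the implicit deny at the end of the list."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", flow.proto):
            continue
        if _in(ace.sport, flow.sport) and _in(ace.dport, flow.dport):
            return idx, ace
    return None


def source_port_entries(aces: List[Ace]) -> List[int]:
    """Indexes of entries that constrain only the source port (easy to write by accident)."""
    return [i for i, a in enumerate(aces) if a.sport is not None and a.dport is None]


if __name__ == "__main__":
    acl = parse_acl(STEAM_ACL)
    without_catch_all = acl[:-1]                    # the list after "permit ip any any" is removed
    client_to_server = Flow("udp", 51000, 27015)    # constructed: PC on an ephemeral port -> game server
    print("entries matching source port only:", source_port_entries(acl))
    print("with catch-all, tcp/443 outbound:", evaluate(acl, Flow("tcp", 51000, 443)))
    print("w/o  catch-all, udp/27015 outbound:", evaluate(without_catch_all, client_to_server))
    print("w/o  catch-all, udp/3478 outbound:", evaluate(without_catch_all, Flow("udp", 51000, 3478)))
```

With the last entry present every flow matches, which is what nosx describes; with it removed, an outbound flow to UDP 27015 from an ephemeral source port matches nothing, while a flow to UDP 3478 still matches, because only the last six entries look at the destination port.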



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

Removed the permit ip any any.

What next?



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

Still doesn't look like it's passing/inspecting packets with that ACL I created. Or is it how I formatted my class maps that's not helping find / classify the traffic?

 
Router#show policy-map type inspect zone-pair
 Zone-pair: CM_Internet_Traffic
 
  Service-policy inspect : PM_01
 
    Class-map: CM_Internet_Traffic (match-any)
      Match: protocol tcp
        1792646 packets, 62807815 bytes
        30 second rate 0 bps
      Match: protocol udp
        1754929 packets, 120657222 bytes
        30 second rate 0 bps
      Match: protocol icmp
        7761 packets, 168813 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol tftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol sql-net
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol sqlserv
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol sqlsrv
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imaps
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3s
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol aol
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name Steam
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol cuseeme
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol netshow
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol shell
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol realmedia
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol rtsp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol streamworks
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol vdolive
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [755839:513276469]
        udp packets: [1110195:29053783]
        icmp packets: [3991:3120]
 
        Session creations since subsystem startup or last reset 1433730
        Current session counts (estab/half-open/terminating) [30:0:0]
        Maxever session counts (estab/half-open/terminating) [6612:340:83]
        Last session created 00:00:29
        Last statistic reset never
        Last session creation rate 10
        Maxever session creation rate 2168
        Last half-open session total 0
 

HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to Bigzizzzle

Do a "show ip access-list Steam" and see if you're getting any hits on any of
the lines, as a thought.

Regards



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

Shows no hits. Keep in mind I don't have this access list applied to any interfaces.

Let me post my full config.

 
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MyHappyRouter
!
boot-start-marker
boot system flash c181x-advipservicesk9-mz.124-15.T9.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000
enable secret 5 Sanitized
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
###removed the Crypto Self-Signed stuff###
  quit
dot11 syslog
!
dot11 ssid Sanitized
   vlan 1
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 Sanitized
!
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.20 192.168.1.254
!
ip dhcp pool Lan
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server 75.75.75.75 75.75.76.76 
   domain-name home.net
   lease 5
!
!
no ip bootp server
no ip ips notify log
login block-for 300 attempts 3 within 30
login on-failure log
!
multilink bundle-name authenticated
parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]
 
!
!
no memory validate-checksum
username Sanitized privilege 15 password 7 Sanitized
! 
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-any CM_Voice_Traffic
 match protocol h323
 match protocol sip
 match protocol skinny
 match protocol sip-tls
class-map type inspect match-any Email_Client
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Web_Traffic
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM_IMCP
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Steam-MW2
class-map type inspect match-all CM_ICMP_INSPECT
 match class-map CM_IMCP
class-map type inspect match-any Server-Lab(WebTraffic)
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 101
class-map type inspect match-any CM_Internet_Traffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
 match protocol tftp
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol imap
 match protocol imap3
 match protocol imaps
 match protocol smtp
 match protocol pop3
 match protocol pop3s
 match protocol http
 match protocol https
 match protocol aol
 match access-group name Steam
 match protocol dns
 match protocol cuseeme
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol streamworks
 match protocol vdolive
!
!
policy-map type inspect Web-Traffic
 class type inspect Server-Lab(WebTraffic)
  inspect
 class class-default
policy-map type inspect PM_01
 class type inspect CM_Internet_Traffic
  inspect
 class type inspect CM_Voice_Traffic
  pass
 class class-default
policy-map type inspect CM_IMCP
 description ICMP_Control
policy-map type inspect PM_ICMP_REPLY
 class type inspect CM_ICMP_INSPECT
  inspect
 class class-default
  pass
policy-map type inspect Email_Client_Processing
 class type inspect Email_Client
!
zone security out-zone
zone security in-zone
zone security Server-Lab
zone-pair security CM_Internet_Traffic source in-zone destination out-zone
 service-policy type inspect PM_01
zone-pair security CM_ICMP_INSPECT source self destination out-zone
 service-policy type inspect PM_ICMP_REPLY
zone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone
 description Allowed Web Traffic from Server Lab Lan to Outside
 service-policy type inspect Web-Traffic
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description WAN_Comcast
 ip address dhcp client-id FastEthernet0
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no cdp enable
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 50
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet3
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet5
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet6
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet7
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet8
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet9
 switchport access vlan 50
 no cdp enable
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 !
 encryption mode ciphers aes-ccm 
 !
 encryption vlan 1 mode ciphers aes-ccm 
 !
 broadcast-key change 3600
 !
 broadcast-key vlan 1 change 3600 membership-termination capability-change
 !
 !
 ssid Sanitized
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2452
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan50
 description Server_Lab
 ip address 10.10.50.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security Server-Lab
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
!
ip forward-protocol nd
!
!
no ip http server
ip http access-class 6
ip http authentication local
no ip http secure-server
ip nat inside source list 3 interface FastEthernet0 overload
ip nat inside source list 50 interface FastEthernet0 overload
!
ip access-list extended Steam
 remark ports required for steam games
 permit udp any range 27000 27015 any
 permit udp any range 27015 27030 any
 permit udp any eq 4380 any
 permit tcp any range 27014 27050 any
 permit udp any eq 28960 any
 permit udp any any eq 3478
 permit udp any any eq 4379
 permit udp any any eq 4380
 permit udp any any eq 1500
 permit udp any any eq 3005
 permit udp any any eq 3101
 permit ip any any
ip access-list extended Steam-MW2
 permit udp any eq 1500 any log-input
 permit udp any eq 3005 any log-input
 permit udp any eq 3101 any log-input
 permit udp any eq 28960 any log-input
 permit ip any any
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark NAT_Statement_VLAN1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny   any
access-list 5 remark HTTP Access-class list
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 5 deny   any
access-list 6 remark HTTP Access-class list
access-list 6 remark SDM_ACL Category=1
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 deny   any
access-list 50 permit 10.10.50.0 0.0.0.255
access-list 100 remark SDM_ACL Category=1
access-list 100 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.1
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.1
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.1
access-list 110 remark Inbound_NAT_Permit
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit udp host 75.75.75.75 eq domain any
access-list 110 permit udp host 75.75.76.76 eq domain any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 110 deny   ip host 0.0.0.0 any log
access-list 110 deny   ip host 255.255.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.0.255.255 any log
access-list 110 permit ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login C  NOTICE TO USERS
NOTICE TO USERS
 
THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
 
Any or all uses of this system and all files on this system may
be intercepted, monitored, recorded, copied, audited, inspected,
and disclosed to authorized site and law enforcement personnel,
as well as authorized officials of other agencies, both domestic
and foreign.  By using this system, the user consents to such
interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site personnel.
 
Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.
By continuing to use this system you indicate your awareness of and
consent to these terms and conditions of use.   LOG OFF IMMEDIATELY
if you do not agree to the conditions stated in this warning. 
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 session-timeout 3  output
 access-class 1 in
 transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
 


Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

For what it's worth, the only time I got hits for Steam traffic was when I introduced / removed my ACL list 110 from the WAN interface - FA0.

Doing this killed all my other non-destined traffic.

I thought, from what I read about how zone-based firewalls work, they didn't really use ACLs to determine traffic flow.

Got any ideas to rework my config?


HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to Bigzizzzle

Even if the ACL isn't applied to an interface, it's being used to match / classify traffic,
so I would think it'd match something...

Also curious if you're using this class-map for something

class-map type inspect match-any Steam-MW2
 

as you have ACL Steam-MW2, but the above class-map isn't using any match criteria.

said by Bigzizzzle:

I thought, from what I read about how zone-based firewalls work, they didn't really use ACLs to determine traffic flow.

IIRC, ZBFW config doesn't need ACLs applied on the interfaces at all.

At which point I defer to other board members more versed in ZBFW configs to give a hand.

Regards


Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

At this point I kind of abandoned use of the ACL Steam-MW2. It has since been removed from the configuration file.



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

Also, this just in: I also removed the extended 110 access list. Apparently I do not need it; traffic still flows through at this point.

So it appears with ZBFW you don't absolutely have to use ACLs.



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

Any ideas? Still having issues primarily with MW2 server browsing / matchmaking.

Based on another site, I did solid port mapping, then created a class-map based on that.


ladino

join:2001-02-24
USA
reply to Bigzizzzle

Would it be too much to switch to extended ACLs or even object groups?



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

I would prefer staying with zone based firewalls. If you see any ACL misconfigurations let me know.



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

BUMP



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1

Anyone see any problems in my class maps, policy maps, or even how I have written my zone-pair statements? Still been having issues specifically with multiplayer game traffic / server finding with MW2. Other items work fine: Bad Company 2, TF2, CS: Source with their server browsing. I'll have to confirm Left 4 Dead.

MW2 Specific Ports per Steam KB

Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer

UDP 1500 (outbound)
UDP 3005 (outbound)
UDP 3101 (outbound)
UDP 28960

The only odd thing I notice is that I never see any NAT translations for the outbound UDP 1500, 3005, 3101.


cooldude9919

join:2000-05-29
kudos:5
reply to Bigzizzzle

OK, I've looked things over a bit; here is my understanding of your setup and the parts of the config that matter.

Inside interface: BVI1
Outside Interface: FA0

zone-pair security CM_Internet_Traffic source in-zone destination out-zone
 service-policy type inspect PM_01

policy-map type inspect PM_01
class type inspect CM_Internet_Traffic
inspect
class type inspect CM_Voice_Traffic
pass
class class-default

class-map type inspect match-any CM_Internet_Traffic
*stuff*

ip access-list extended Steam
 remark ports required for steam games
*stuff*

Now, is there a reason you just aren't inspecting ALL traffic outbound? We use ZBFW and this is how we do it; otherwise you have to put in any and every port you want to allow out, and if you miss something it simply won't work. So unless you have a GOOD reason to do it the way you are, you may want to change things around.
You were somewhat on track with the permit ip any any on the Steam ACL. There is no security issue with this, as this policy is applied from your inside zone to your outside zone. You have no zone-pair defined for your outside zone to inside zone, so by default all of this traffic is dropped. The "inspect" portion of the ZBFW opens up a session in the firewall that allows bidirectional traffic to be transmitted between the two parties. This is pretty much how any home router works as well.
BUT given that you did have that in place and it still didn't work right is a little odd, but possibly it was getting hit earlier up the chain or something and causing other issues?
To rule out ZBFW being an issue or not, I suggest you simplify your config and see if it helps. If not, you may need to pass the Steam traffic instead of inspect, but you have to pass in both directions, so you WILL have to create an outside to inside zone-pair and pass the class there as well as in your inside to outside zone-pair; I can help with this if we get to that point. The way you have your voice traffic class in place right now seems like it wouldn't work right without also passing from out to in. Is it even getting any hits under the show policy-map type inspect zone-pair command?

For now I suggest the following (or similar).
config t
access-list 105 permit ip any any
class-map type inspect cls-any
 match access-group 105

policy-map type inspect PM_01
 no class type inspect CM_Internet_Traffic
 class type inspect cls-any
  inspect

Also FYI, the order of your class-maps does matter under the policy-map. You always want your pass classes to be first, before any inspect classes, because if any traffic accidentally gets caught in an inspect when you really want to pass it, that will obviously cause you problems.



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

Cooldude9919, I appreciate your reply. Prior to your feedback I tweaked my zone-based firewall a little and am still having issues. I will try your method of the "pass" statement. If you wouldn't mind, I could use some help making a proper reflexive statement, or traffic inbound statement.

Question: would adding "permit ip any any" be too broad a statement for the existing ACL?

 
class-map type inspect match-any CM_Voice_Traffic
 match protocol h323
 match protocol sip
 match protocol skinny
 match protocol sip-tls
class-map type inspect match-any Email_Client
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
class-map type inspect match-any Steam-Firewall-Traffic
 description Steam Protocols
 match access-group name Steam
 match protocol udp
 match protocol tcp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Web_Traffic
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM_IMCP
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CM_ICMP_INSPECT
 match class-map CM_IMCP
class-map type inspect match-any Server-Lab(WebTraffic)
 match protocol http
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any CM_Internet_Traffic
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol tftp
!
!
policy-map type inspect Web-Traffic
 class type inspect Server-Lab(WebTraffic)
  inspect
 class class-default
policy-map type inspect PM_01
 class type inspect CM_Internet_Traffic
  inspect
 class type inspect Steam-Firewall-Traffic
  inspect
 class type inspect Email_Client
  inspect
 class class-default
policy-map type inspect CM_IMCP
 description ICMP_Control
 class type inspect CM_ICMP_INSPECT
  drop
 class class-default
policy-map type inspect PM_ICMP_REPLY
 class type inspect CM_ICMP_INSPECT
  inspect
 class class-default
  pass
policy-map type inspect Email_Client_Processing
 class type inspect Email_Client
!
zone security out-zone
zone security in-zone
zone security Server-Lab
zone-pair security CM_Internet_Traffic source in-zone destination out-zone
 service-policy type inspect PM_01
zone-pair security CM_ICMP_INSPECT source self destination out-zone
 service-policy type inspect PM_ICMP_REPLY
zone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone
 description Allowed Web Traffic from Server Lab Lan to Outside
 service-policy type inspect Web-Traffic
zone-pair security CM_IMCP source out-zone destination self
 service-policy type inspect CM_IMCP
 
 

cooldude9919

join:2000-05-29
kudos:5

I guess I'm a little confused on your question. The commands I gave would inspect all outbound traffic in a single line of an access-list, but not affect the ability to block all unsolicited inbound traffic. In my opinion this would be worth trying first.

If you would like to go ahead and define an out to in pair, that's easy enough.
For example, this would define the out to in pair and also pass your Steam traffic both ways. To just define in, make your new policy-map and obviously don't add the Steam-Firewall-Traffic class.

config t
policy-map type inspect PM_02
 class type inspect Steam-Firewall-Traffic
  pass
 class class-default
  drop log
^
*note*
Doing a drop log will log any dropped packets; due to random bots/scanning etc. it can be a lot, but it will allow you to look back and see if you can spot any legitimate packets getting dropped that you don't want to.

zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect PM_02

You would want class Steam-Firewall-Traffic to be at the top in your PM_02; the only way I know of to rearrange it is to remove the current classes and re-add them.

policy-map type inspect PM_01
 no class type inspect CM_Internet_Traffic
 no class type inspect Steam-Firewall-Traffic
 no class type inspect Email_Client

 class type inspect Steam-Firewall-Traffic
  pass
 class type inspect CM_Internet_Traffic
  inspect
 class type inspect Email_Client
  inspect
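cooldude9919's ordering rule and the reorder above can be checked with a small model. The following is an added example, not code from the thread or from Cisco: it models `match-any` class-maps and an ordered `policy-map type inspect` as first-match lists, using the class-maps from Bigzizzzle's post above (`Steam-Firewall-Traffic`, `Email_Client`, `CM_Internet_Traffic`) and PM_01 in both orders. The `match access-group name Steam` criterion is simplified to the destination-port entries of that ACL, and the `app` label on each flow stands in for what `match protocol <name>` would classify; both are assumptions of the model. One thing it makes visible: because `Steam-Firewall-Traffic` also contains `match protocol udp` and `match protocol tcp`, in a match-any class every TCP or UDP flow qualifies, so putting that class first with `pass` makes PM_01 pass all TCP/UDP without inspection, and the same class in an out-to-in policy passes any TCP/UDP that reaches the inside zone (with the PAT overload on FastEthernet0, unsolicited packets still need a translation to reach an inside host, but the zone-pair itself no longer filters by port).

```python
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str    # transport: "tcp", "udp" or "icmp"
    app: str      # what "match protocol <name>" would classify it as ("http", "smtp", "steam", ...)
    dport: int    # destination port, used by the simplified access-group check


Criterion = Tuple[str, Callable[[Flow], bool]]   # (text as it appears in the config, predicate)

TRANSPORTS = ("tcp", "udp", "icmp")


def match_protocol(name: str) -> Criterion:
    """'match protocol tcp/udp/icmp' matches every flow of that transport; other names match the application."""
    if name in TRANSPORTS:
        return f"match protocol {name}", lambda f: f.proto == name
    return f"match protocol {name}", lambda f: f.app == name


# Simplification (assumption) of "match access-group name Steam": only the destination-port entries of that ACL.
STEAM_DST_PORTS = {3478, 4379, 4380, 1500, 3005, 3101}
MATCH_STEAM_ACL: Criterion = ("match access-group name Steam",
                              lambda f: f.proto == "udp" and f.dport in STEAM_DST_PORTS)


@dataclass
class ClassMap:
    name: str
    mode: str                     # "match-any" or "match-all"
    criteria: List[Criterion]

    def matches(self, f: Flow) -> bool:
        hits = [pred(f) for _, pred in self.criteria]
        return any(hits) if self.mode == "match-any" else all(hits)

    def transports_fully_matched(self) -> Set[str]:
        """Transports for which a bare 'match protocol <transport>' makes every flow match (match-any only)."""
        if self.mode != "match-any":
            return set()
        return {text.split()[-1] for text, _ in self.criteria
                if text in {f"match protocol {t}" for t in TRANSPORTS}}


@dataclass
class PolicyMap:
    name: str
    classes: List[Tuple[ClassMap, str]]   # ordered (class, action); action is "inspect", "pass" or "drop"

    def action_for(self, f: Flow) -> Tuple[str, str]:
        """First class that matches wins; class-default with no action drops in a zone-pair policy."""
        for cm, action in self.classes:
            if cm.matches(f):
                return cm.name, action
        return "class-default", "drop"


# Class-maps as in Bigzizzzle's post above.
STEAM = ClassMap("Steam-Firewall-Traffic", "match-any",
                 [MATCH_STEAM_ACL, match_protocol("udp"), match_protocol("tcp")])
EMAIL = ClassMap("Email_Client", "match-any",
                 [match_protocol(p) for p in ("pop3", "pop3s", "imap", "imaps", "smtp")])
INTERNET = ClassMap("CM_Internet_Traffic", "match-any",
                    [match_protocol(p) for p in ("tcp", "udp", "http", "https", "dns", "ftp", "tftp")])

# PM_01 as first posted (inspect classes first) and after the reorder (pass class first); PM_02 for out-to-in.
PM_01_ORIGINAL = PolicyMap("PM_01 original", [(INTERNET, "inspect"), (STEAM, "inspect"), (EMAIL, "inspect")])
PM_01_REORDERED = PolicyMap("PM_01 reordered", [(STEAM, "pass"), (EMAIL, "inspect"), (INTERNET, "inspect")])
PM_02_OUT_IN = PolicyMap("PM_02", [(STEAM, "pass")])

# Constructed sample flows.
SAMPLE_FLOWS = [Flow("udp", "steam", 27015), Flow("udp", "steam", 3478), Flow("tcp", "smtp", 25),
                Flow("tcp", "http", 80), Flow("icmp", "icmp", 0)]


def classify(pm: PolicyMap, flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[Flow, str, str]]:
    return [(f, *pm.action_for(f)) for f in flows]


if __name__ == "__main__":
    for pm in (PM_01_ORIGINAL, PM_01_REORDERED, PM_02_OUT_IN):
        print(pm.name)
        for f, cls, action in classify(pm):
            print(f"  {f.proto}/{f.app}:{f.dport:<5} -> {cls} ({action})")
    print("Steam class fully matches transports:", sorted(STEAM.transports_fully_matched()))
```

In the original order the Steam flows never reach their own class because `CM_Internet_Traffic` already matches all TCP/UDP; after the reorder they are passed, but so is SMTP, which never reaches the `Email_Client` inspect class. `transports_fully_matched` is the check to run on any class that is given `pass`: if it returns a transport, the pass applies to that whole transport, not to the named application or ACL.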



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN
kudos:1
reply to Bigzizzzle

Good news: your method worked as well as previously doing a permit ip any any. I have since removed the ip any any and strictly use the following.

 
class-map type inspect match-any CM_Voice_Traffic
 match protocol h323
 match protocol sip
 match protocol skinny
 match protocol sip-tls
class-map type inspect match-any Email_Client
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
class-map type inspect match-any Steam-Firewall-Traffic
 description Steam Protocols
 match access-group name Steam
 match protocol udp
 match protocol tcp
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Web_Traffic
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM_IMCP
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all CM_ICMP_INSPECT
 match class-map CM_IMCP
class-map type inspect match-any Server-Lab(WebTraffic)
 match protocol http
 match protocol https
 match protocol dns
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any CM_Internet_Traffic
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol dns
 match protocol ftp
 match protocol tftp
!
!
policy-map type inspect Web-Traffic
 class type inspect Server-Lab(WebTraffic)
  inspect
 class class-default
policy-map type inspect PM_02
 class type inspect Steam-Firewall-Traffic
  pass
 class class-default
policy-map type inspect PM_01
 class type inspect Steam-Firewall-Traffic
  pass
 class type inspect Email_Client
  inspect
 class type inspect CM_Internet_Traffic
  inspect
 class class-default
policy-map type inspect CM_IMCP
 description ICMP_Control
 class type inspect CM_ICMP_INSPECT
  drop
 class class-default
policy-map type inspect PM_ICMP_REPLY
 class type inspect CM_ICMP_INSPECT
  inspect
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone security Server-Lab
zone-pair security CM_Internet_Traffic source in-zone destination out-zone
 service-policy type inspect PM_01
zone-pair security CM_ICMP_INSPECT source self destination out-zone
 service-policy type inspect PM_ICMP_REPLY
zone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone
 description Allowed Web Traffic from Server Lab Lan to Outside
 service-policy type inspect Web-Traffic
zone-pair security CM_IMCP source out-zone destination self
 service-policy type inspect CM_IMCP
zone-pair security ZP_IN_OUT source out-zone destination in-zone
 service-policy type inspect PM_02
 

HELLFIRE
Premium
join:2009-11-25
kudos:13
reply to Bigzizzzle

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets it's passing on those ports are entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards


cooldude9919

join:2000-05-29
kudos:5

said by HELLFIRE:

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets it's passing on those ports are entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

Pretty much yes. Inspect works great with things that are fairly simple, or stick to a single or small number of ports. It all has to do with what Cisco calls the "initiator" and the "responder". You can see below it breaks it down to the source/dest port level per IP address. So if the remote end tries to talk back on a different port or something else weird, it will get dropped by the drop on the class-default on the out to in policy.

show policy-map type inspect zone-pair ses
Number of Established Sessions = 5
Established Sessions
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
Created 00:05:17, Last heard 00:05:16
Bytes sent (initiator:responder) [651:1774]
Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]

A few more things inspect breaks.

TLS encryption for email
Causes problems with DHCP
You must pass isakmp and ESP for cisco dmvpn to work
The last two used to work fine on inspect with 12.4.15T, but don't on 15.0.1 M.whatever.

My new project is to convert 2 configs with a LOT of ZBFW from working on 12.4.15T12 to 15.0.1.M7 and there's many changes along the way. We got a NME-IPS-K9 and it doesn't work on 12.4 :(.
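The session table cooldude9919 shows can be turned into the check he describes. The following is an added example, not code from the thread or from Cisco: it parses the `show policy-map type inspect zone-pair sessions` output quoted above (the addresses are from his post) into initiator/responder records, then decides for a packet arriving out-to-in whether it belongs to an open session (let through by the inspect state) or falls through to the `class-default` drop of the out-to-in policy. The two inbound packets at the end are constructed: a genuine reply, then the same server answering from a different port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Output as quoted in cooldude9919's post above.
SESSION_OUTPUT = """\
Number of Established Sessions = 5
Established Sessions
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
Created 00:05:17, Last heard 00:05:16
Bytes sent (initiator:responder) [651:1774]
Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]
"""

SESSION_RE = re.compile(r"Session\s+(\w+)\s+\((\S+):(\d+)\)=>\((\S+):(\d+)\)\s+(\w+)\s+(\w+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")


@dataclass
class Session:
    sid: str
    initiator: str
    iport: int
    responder: str
    rport: int
    proto: str
    state: str
    bytes_initiator: int = 0
    bytes_responder: int = 0


def parse_sessions(text: str) -> List[Session]:
    """Build one Session per 'Session ...' line; the byte counters that follow belong to it."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append(Session(m[1], m[2], int(m[3]), m[4], int(m[5]), m[6], m[7]))
            continue
        b = BYTES_RE.search(line)
        if b and sessions:
            sessions[-1].bytes_initiator, sessions[-1].bytes_responder = int(b[1]), int(b[2])
    return sessions


def matching_session(sessions: List[Session], proto: str, src: str, sport: int,
                     dst: str, dport: int) -> Optional[Session]:
    """Open session this packet belongs to, checked in both directions, or None."""
    for s in sessions:
        if s.proto != proto or s.state != "SIS_OPEN":
            continue
        forward = (src, sport, dst, dport) == (s.initiator, s.iport, s.responder, s.rport)
        reverse = (src, sport, dst, dport) == (s.responder, s.rport, s.initiator, s.iport)
        if forward or reverse:
            return s
    return None


def out_to_in_verdict(sessions: List[Session], proto: str, src: str, sport: int,
                      dst: str, dport: int) -> str:
    """Model of the out-to-in decision: a session hit is let through by the inspect state;
    everything else reaches class-default, which drops in the out-to-in policy."""
    s = matching_session(sessions, proto, src, sport, dst, dport)
    return f"allow (session {s.sid})" if s else "drop (class-default)"


if __name__ == "__main__":
    table = parse_sessions(SESSION_OUTPUT)
    for s in table:
        print(f"{s.initiator}:{s.iport} -> {s.responder}:{s.rport} {s.proto} {s.state} "
              f"[{s.bytes_initiator}:{s.bytes_responder}]")
    # Constructed inbound packets: a real reply, then the same server answering from another port.
    print(out_to_in_verdict(table, "tcp", "64.4.11.160", 80, "10.3.130.102", 49732))
    print(out_to_in_verdict(table, "tcp", "64.4.11.160", 8080, "10.3.130.102", 49732))
```

The second verdict is the failure mode the thread ran into: a game server that answers from a port other than the one the client contacted is not the responder of any session, so nothing in the inspect state lets it back in, and only an explicit `pass` in both directions (with the loss of state that implies) does.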

HELLFIRE
Premium
join:2009-11-25
kudos:13

Wonder if Cisco'd ever let us in on what does and doesn't need PASS or not in ZBFW.

Thanks for the hints cooldude9919

Regards