
HELLFIRE

join:2009-11-25
kudos:7

reply to Bigzizzzle

Re: [Config] Working on Home Network and Zone-Pair FW

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets it's passing on those ports are entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

cooldude9919

join:2000-05-29
Cape Girardeau, MO
kudos:5

said by HELLFIRE:

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets it's passing on those ports are entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

Pretty much yes. Inspect works great with things that are fairly simple, or stick to a single or small number of ports. It all has to do with what Cisco calls the "initiator" and the "responder". You can see below it breaks it down to the source/dest port level per IP address. So if the remote end tries to talk back on a different port or something else weird it will get dropped by the drop on the class-default on the out to in policy.

show policy-map type inspect zone-pair ses
Number of Established Sessions = 5
Established Sessions
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:10
Bytes sent (initiator:responder) [1642:15714]
Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
Created 00:05:17, Last heard 00:05:16
Bytes sent (initiator:responder) [651:1774]
Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
Created 00:05:05, Last heard 00:04:54
Bytes sent (initiator:responder) [2205:1269]
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]

A few more things inspect breaks.

TLS encryption for email
Causes problems with DHCP
You must pass isakmp and ESP for cisco dmvpn to work
The last two used to work fine on inspect with 12.4.15T, but don't on 15.0.1 M.whatever.

My new project is to convert 2 configs with a LOT of ZBFW from working on 12.4.15T12 to 15.0.1.M7 and there's many changes along the way. We got a NME-IPS-K9 and it doesn't work on 12.4 :(.
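A small model of the initiator/responder bookkeeping cooldude9919 describes, added here as an illustration (it is not from the thread or from Cisco): it parses session lines in the format of the show output above into a table, then shows why a reply arriving on a port other than the one the initiator used falls through to the class-default drop, while a stateless pass class lets it in regardless. The `pass_ports` set, the `Flow` type and the verdict labels are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Constructed sample: two session entries in the format of
# "show policy-map type inspect zone-pair sessions" from the thread.
SHOW_OUTPUT = """\
Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
Created 00:30:14, Last heard 00:30:13
Bytes sent (initiator:responder) [508:500]
Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
Created 00:05:05, Last heard 00:05:03
Bytes sent (initiator:responder) [2265:4169]
"""

# session-id (initiator ip:port)=>(responder ip:port) proto state
SESSION_RE = re.compile(
    r"Session (\w+) \((\S+):(\d+)\)=>\((\S+):(\d+)\) (\w+) (\w+)")

class Flow(NamedTuple):        # hypothetical 5-tuple used by this model
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_sessions(text):
    """Build the inspect session table: initiator->responder 5-tuple -> (id, state)."""
    table = {}
    for m in SESSION_RE.finditer(text):
        sid, src, sport, dst, dport, proto, state = m.groups()
        table[Flow(proto, src, int(sport), dst, int(dport))] = (sid, state)
    return table

def out_to_in_verdict(table, pkt, pass_ports=frozenset()):
    """Model the out->in policy for one inbound packet.

    pass_ports: destination ports matched by a stateless 'pass' class (assumed).
    Otherwise only the exact reverse of an open inspect session is admitted as
    return traffic; anything else lands in class-default and is dropped.
    """
    if pkt.dport in pass_ports:
        return "pass"
    reverse = Flow(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if table.get(reverse, (None, None))[1] == "SIS_OPEN":
        return "inspect-return"
    return "drop-class-default"
```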

HELLFIRE

join:2009-11-25
kudos:7

Wonder if Cisco'd ever let us in on what does and doesn't need PASS or not in ZBFW.

Thanks for the hints cooldude9919

Regards


© 1999-2013 dslreports.com.