I’ve been using the Cisco Zone Based Firewall features in IOS for a little while now, mostly at home and in a lab environment. One of the things that was kind of frustrating was the lack of outbound traceroute support from the trusted network to the untrusted network. I only use Linux and Mac OS X at work and at home, so I never tried it out with a Microsoft based computer, and I also haven’t really been able to spend a lot of time debugging the issue. Recently, I did some digging through the documentation on Cisco’s website and it hit me: it was such a simple answer. Linux/UNIX based operating systems use a UDP method for sending traceroute probes, while Windows based operating systems use an ICMP based method. As UDP is a connectionless protocol and there isn’t any method for keeping a state table for the UDP probes in the firewall, you have to allow ICMP host-unreachable and time-exceeded packets IN on the untrusted interface, destined for the trusted network. Here is a sample configuration.
jtdub-rtr#sh run | s ^ip access-list extended udp-icmp|^class-map|^policy-map|^zone|^interface Vlan[1,2]|^interface FastEthernet0
class-map type inspect match-any UDP_ICMP
 match access-group name udp-icmp
class-map type inspect match-any All_Protocols
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect Traceroute
 class type inspect UDP_ICMP
  pass
 class class-default
  drop
policy-map type inspect All_Protocols
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect UnTrusted
 class class-default
  drop
!
zone security Trusted
zone security Internet
zone-pair security Trusted source Trusted destination Internet
 service-policy type inspect All_Protocols
zone-pair security Internet source Internet destination Trusted
 service-policy type inspect Traceroute
!
interface FastEthernet0
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security Internet
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security Trusted
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security Trusted
!
ip access-list extended udp-icmp
 permit icmp any any time-exceeded
 permit icmp any any host-unreachable
As you can see, an extended IP access-list called udp-icmp permits the time-exceeded and host-unreachable ICMP types. A class-map called UDP_ICMP matches that access-list, and a policy-map called Traceroute passes that class-map and drops everything else. That policy-map is then applied to the zone-pair whose source is the Internet zone and whose destination is the Trusted zone, which is the inbound direction on the untrusted interface. Note that pass, unlike inspect, forwards matching packets without creating any session state, which is why only these two ICMP error types are allowed in unsolicited.
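To make the zone-pair behaviour concrete, here is a small Python model of the policy above. It is an added example, not part of the original post or Cisco's code: it records outbound inspected sessions and applies the Traceroute policy to inbound packets, so you can see why a UDP traceroute fails without it. The host, destination and hop-router addresses are made-up sample values, and NAT is left out of the model.

```python
from dataclasses import dataclass

# Constructed model of the post's zone-based firewall policy (assumed, simplified).
ZONE_OF = {"Vlan1": "Trusted", "Vlan2": "Trusted", "FastEthernet0": "Internet"}
INSPECTED = {"icmp", "tcp", "udp"}                    # class-map All_Protocols
UDP_ICMP_ACL = {"time-exceeded", "host-unreachable"}  # access-list udp-icmp

@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""   # IOS ACL keyword, e.g. "time-exceeded"

class ZoneFirewall:
    def __init__(self, traceroute_policy: bool = True):
        self.traceroute_policy = traceroute_policy   # Traceroute policy-map applied?
        self.sessions = set()                        # 5-tuples created by 'inspect'

    def forward(self, pkt: Packet, egress: str) -> str:
        src_zone, dst_zone = ZONE_OF[pkt.iface], ZONE_OF[egress]
        if src_zone == dst_zone:                     # intra-zone (Vlan1 <-> Vlan2)
            return "permit"
        if (src_zone, dst_zone) == ("Trusted", "Internet"):
            if pkt.proto in INSPECTED:               # policy-map All_Protocols
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "inspect"
            return "drop"                            # class-default
        # Internet -> Trusted: return traffic of a known session is admitted first
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "inspect"
        # otherwise the zone-pair policy applies; 'pass' creates no state
        if self.traceroute_policy and pkt.proto == "icmp" and pkt.icmp_type in UDP_ICMP_ACL:
            return "pass"
        return "drop"                                # class-default (or UnTrusted)

def linux_traceroute_exchange(traceroute_policy: bool) -> list:
    # Constructed UDP traceroute: probe out, then ICMP time-exceeded back from an
    # intermediate hop whose address never appears in any outbound session.
    fw = ZoneFirewall(traceroute_policy)
    probe = Packet("Vlan1", "udp", "172.16.1.10", "203.0.113.9", 33434, 33434)
    reply = Packet("FastEthernet0", "icmp", "198.51.100.1", "172.16.1.10", icmp_type="time-exceeded")
    return [fw.forward(probe, "FastEthernet0"), fw.forward(reply, "Vlan1")]

def unsolicited_inbound() -> list:
    # Constructed unsolicited traffic from the Internet: a TCP SYN and an ICMP echo.
    fw = ZoneFirewall()
    syn = Packet("FastEthernet0", "tcp", "198.51.100.7", "172.16.1.10", 40000, 22)
    echo = Packet("FastEthernet0", "icmp", "198.51.100.7", "172.16.1.10", icmp_type="echo")
    return [fw.forward(syn, "Vlan1"), fw.forward(echo, "Vlan1")]
```

With the Traceroute policy in place the hop's time-exceeded reply is passed, without it the reply is dropped and the hop shows as `* * *`, while unsolicited TCP and ICMP echo from the Internet are still dropped.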