Cisco Zone Based Firewall and UDP based Traceroute
I've been using the Cisco Zone Based Firewall features in IOS for a little while now, mostly at home and in a lab environment. One of the things that was kind of frustrating was the lack of outbound traceroute support from the trusted network to the untrusted network. I only use Linux and Mac OS X at work and at home, so I never tried it out with a Microsoft based computer, and I hadn't really been able to spend a lot of time debugging the issue. Recently I did some digging through the documentation on Cisco's website and it hit me; it was such a simple answer. Linux/UNIX traceroute sends UDP probes (to high, unused destination ports) with an increasing TTL, while Windows tracert sends ICMP echo requests. The firewall inspects the outbound UDP probe, but what comes back is not a UDP reply from the probe's destination: each intermediate hop answers with an ICMP time-exceeded message from its own address, and the destination answers with an ICMP unreachable. The firewall does not treat those ICMP errors as return traffic for the inspected UDP session, so they hit the class-default drop on the Internet to Trusted zone pair and the trace shows nothing but * * *. The fix is to explicitly allow ICMP time-exceeded and host-unreachable packets IN on the untrusted interface, destined for the trusted network. Here is a sample configuration.
jtdub-rtr#sh run | s ^ip access-list extended udp-icmp|^class-map|^policy-map|^zone|^interface Vlan[1,2]|^interface FastEthernet0
class-map type inspect match-any UDP_ICMP
 match access-group name udp-icmp
class-map type inspect match-any All_Protocols
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect Traceroute
 class type inspect UDP_ICMP
  pass
 class class-default
  drop
policy-map type inspect All_Protocols
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect UnTrusted
 class class-default
  drop
zone security Trusted
zone security Internet
zone-pair security Trusted source Trusted destination Internet
 service-policy type inspect All_Protocols
zone-pair security Internet source Internet destination Trusted
 service-policy type inspect Traceroute
interface FastEthernet0
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default 101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 zone-member security Internet
 duplex auto
 speed auto
 no cdp enable
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security Trusted
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security Trusted
ip access-list extended udp-icmp
 permit icmp any any time-exceeded
 permit icmp any any host-unreachable
As you can see, the extended IP access-list udp-icmp permits the time-exceeded and host-unreachable ICMP types. The class-map UDP_ICMP matches that access-list, the policy-map Traceroute passes that class and drops everything else, and the policy-map is attached with service-policy to the zone pair whose source is the Internet zone and whose destination is the Trusted zone. FastEthernet0 is a member of the Internet zone and Vlan1 and Vlan2 are members of the Trusted zone, so the policy governs exactly the traffic entering on the untrusted interface and heading for the trusted networks. (The UnTrusted policy-map is defined but not attached to any zone pair, so it has no effect as shown.) A few things worth keeping in mind: pass is stateless, so the firewall keeps no session for these packets and the ACL should be as tight as you can make it; the any any here could be narrowed so that only the trusted subnets are valid destinations. The no ip unreachables on the interfaces only stops this router from generating its own unreachables; it has no effect on the transit ICMP that the ACL is permitting. Finally, a UDP traceroute ends when the destination host answers with an ICMP port-unreachable (type 3, code 3), and the IOS host-unreachable keyword only matches type 3, code 1 (time-exceeded matches all of type 11). If every intermediate hop shows up but the final hop is still * * *, check whether port-unreachable (or the broader unreachable keyword) also needs to be permitted.
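To make the mechanism from the two paragraphs above concrete, here is an added Python example (my own illustration, not code from the original post and not anything a Cisco router runs). It constructs a UDP traceroute probe and the ICMP replies it provokes, shows that a state table keyed only on the outbound UDP 5-tuple cannot match the hop's reply (the reply is ICMP, from a different source) unless it correlates on the quoted inner header, and encodes the udp-icmp ACL's keyword semantics to show which replies it admits. All addresses and ports are made-up sample values; NAT and checksums are ignored.

```python
import socket
import struct

# --- constructed sample packets (made-up addresses, no real traffic) ---------

def ipv4_header(src, dst, proto, total_len, ttl):
    # Minimal 20-byte IPv4 header; checksum left at 0 since nothing verifies it here.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, dst, sport, dport, ttl):
    # A UNIX traceroute probe: UDP to an unused high port, small TTL.
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ipv4_header(src, dst, 17, 20 + 8, ttl) + udp

def icmp_error(sender, dst, icmp_type, code, offending_pkt):
    # RFC 792 error format: type, code, checksum, unused, then the offending
    # packet's IP header plus the first 8 bytes of its payload (the UDP header).
    quoted = offending_pkt[:28]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_header(sender, dst, 1, 20 + len(icmp), 64) + icmp

# --- minimal parsing ---------------------------------------------------------

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])

def udp_tuple(pkt):
    ihl, _, src, dst = parse_ipv4(pkt)
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, sport, dst, dport)

def icmp_type_code(pkt):
    ihl, _, _, _ = parse_ipv4(pkt)
    return pkt[ihl], pkt[ihl + 1]

# --- a toy state table, to show what does and does not match ------------------

class UdpSessionTable:
    def __init__(self):
        self.sessions = set()

    def add_outbound(self, pkt):
        self.sessions.add(udp_tuple(pkt))

    def match_reverse(self, pkt):
        # Plain 5-tuple matching: only a UDP packet from the probe's destination
        # back to the probe's source port counts as return traffic.
        _, proto, _, _ = parse_ipv4(pkt)
        if proto != 17:
            return False
        s, sp, d, dp = udp_tuple(pkt)
        return (d, dp, s, sp) in self.sessions

    def match_icmp_error(self, pkt):
        # Correlate on the quoted inner header instead of the outer source address.
        ihl, proto, _, _ = parse_ipv4(pkt)
        if proto != 1:
            return False
        return udp_tuple(pkt[ihl + 8:]) in self.sessions

# IOS ACL keyword semantics (RFC 792 type/code): 'time-exceeded' is type 11 (any
# code), 'host-unreachable' is type 3 code 1, 'port-unreachable' is type 3 code 3.
def acl_udp_icmp_permits(icmp_type, code):
    return icmp_type == 11 or (icmp_type == 3 and code == 1)

def demo():
    table = UdpSessionTable()
    # Trusted host (sample address in the page's Vlan1 subnet) probes a remote host.
    probe = udp_probe("172.16.1.10", "198.51.100.7", 45000, 33434, ttl=1)
    table.add_outbound(probe)
    # First hop expires the TTL and answers from its own address.
    hop_reply = icmp_error("203.0.113.1", "172.16.1.10", 11, 0, probe)
    # The destination finally answers port-unreachable, which ends the trace.
    final_reply = icmp_error("198.51.100.7", "172.16.1.10", 3, 3, probe)
    return {
        "hop_matches_5tuple": table.match_reverse(hop_reply),
        "hop_matches_quoted": table.match_icmp_error(hop_reply),
        "hop_permitted_by_acl": acl_udp_icmp_permits(*icmp_type_code(hop_reply)),
        "final_permitted_by_acl": acl_udp_icmp_permits(*icmp_type_code(final_reply)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The hop's time-exceeded is rejected by 5-tuple matching and accepted once the quoted header is examined, which is why an explicit pass rule is needed when the firewall does not do that correlation for you. The final port-unreachable is not covered by the page's two ACL entries, which is the case to check if a trace reaches every hop except the last one.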