topic Re: ZBF Issue in Network Security

ZBF Issue

andypowernet — Tue, 13 Jun 2023 08:06:32 GMT

Morning,

Im having an issue with ZBF. It needs to allow the guest zone to the inside zone to allow the guest zone to redirect to Cisco ISE webauthentication, which doesn't seem to work. Anyone any ideas? Config below:

Guest Interface:

interface GigabitEthernet0/0/1.40
description LAN Guest
encapsulation dot1Q 40
vrf forwarding internet
ip address 10.192.203.254 255.255.255.0
ip nat inside
zone-member security GUEST

Inside Interface:

interface Tunnel196
vrf forwarding customer
ip address 10.248.196.242 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication customer
ip nhrp map 10.248.196.254 185.34.234.250
ip nhrp map multicast 185.34.234.250
ip nhrp map 10.248.196.253 195.88.236.250
ip nhrp map multicast 195.88.236.250
ip nhrp network-id 196
ip nhrp holdtime 60
ip nhrp nhs 10.248.196.253
ip nhrp nhs 10.248.196.254
zone-member security INSIDE
ip tcp adjust-mss 1360
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 196
tunnel vrf internet
tunnel protection ipsec profile dmvpn-ipsec-profile
endinterface Tunnel196
vrf forwarding customer
ip address 10.248.196.242 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication customer
ip nhrp map 10.248.196.254 185.34.234.250
ip nhrp map multicast 185.34.234.250
ip nhrp map 10.248.196.253 195.88.236.250
ip nhrp map multicast 195.88.236.250
ip nhrp network-id 196
ip nhrp holdtime 60
ip nhrp nhs 10.248.196.253
ip nhrp nhs 10.248.196.254
zone-member security INSIDE
ip tcp adjust-mss 1360
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 196
tunnel vrf internet
tunnel protection ipsec profile dmvpn-ipsec-profile
end

Zone Pairs:

zone-pair security GUEST-TO-INSIDE source GUEST destination INSIDE
service-policy type inspect GUEST-TO-INSIDE

zone-pair security INSIDE-TO-GUEST source INSIDE destination GUEST
service-policy type inspect INSIDE-TO-GUEST

Policy Maps:

policy-map type inspect GUEST-TO-INSIDE
class type inspect GUEST-TO-INSIDE
inspect
class class-default
drop log

policy-map type inspect INSIDE-TO-GUEST
class type inspect INSIDE-TO-GUEST
inspect
class class-default
drop

Class Maps:

class-map type inspect match-any GUEST-TO-INSIDE
match access-group name ZBF-GUEST-TO-INSIDE

class-map type inspect match-any INSIDE-TO-GUEST
match access-group name ZBF-INSIDE-TO-GUEST

ACL:

Extended IP access list ZBF-INSIDE-TO-GUEST
10 permit tcp host 10.248.196.39 eq 8443 any
20 permit icmp host 10.248.196.39 any echo

Extended IP access list ZBF-GUEST-TO-INSIDE
10 permit tcp any host 10.248.196.39 eq 8443
20 permit icmp host 10.248.196.39 any echo

Re: ZBF Issue

MHM Cisco World — Tue, 13 Jun 2023 09:41:12 GMT

only TCP, what about DNS ? I think you need to include the DNS in ACL of policy map

Re: ZBF Issue

Marius Gunnerud — Tue, 13 Jun 2023 10:19:42 GMT

Adding to what MHM has mentioned, you would probably need to add entries for DNS and DHCP depending on where your DNS and DHCP servers are located and how the guest network accesses them.

Extended IP access list ZBF-INSIDE-TO-GUEST
10 permit tcp host 10.248.196.39 eq 8443 any
20 permit icmp host 10.248.196.39 any echo

Extended IP access list ZBF-GUEST-TO-INSIDE
10 permit tcp any host 10.248.196.39 eq 8443
20 permit icmp host 10.248.196.39 any echo. <-- need to swap the source and destination networks for ICMP to work

Re: ZBF Issue

andypowernet — Tue, 13 Jun 2023 10:34:57 GMT

ICMP is actually working (if i source from gi0/0/1.40 in the guest zone)
It's telnet on tcp 8443 that is failing. All dhcp services are working correctly....

Re: ZBF Issue

MHM Cisco World — Tue, 13 Jun 2023 10:38:11 GMT

only one thing then, the using of real or mapped IP,
if you use real change it to mapped IP.

Re: ZBF Issue

andypowernet — Tue, 13 Jun 2023 10:45:28 GMT

Hi,

Thanks for your replies.

Where are you referring to a mapped IP?

Regards,
Andy.

Re: ZBF Issue

MHM Cisco World — Tue, 13 Jun 2023 10:56:11 GMT

10.248.196.39 <<- this IP the and GUEST is config with IP NAT INSIDE

Re: ZBF Issue

andypowernet — Tue, 13 Jun 2023 11:01:07 GMT

Hi,

The nat is only applicable to traffic leaving the ouside interface, not Guest to Inside as in this case:

ip nat inside source route-map NAT interface GigabitEthernet0/0/0 vrf internet overload

Re: ZBF Issue

MHM Cisco World — Tue, 13 Jun 2023 20:10:14 GMT

show policy-map type inspect zone-pair sessions <<- for both Zone-pair

NOTE:- please confirm that the packet initiate from interface 0.0.1.40 to tunnel to Server
NOTE:- why the VRF in interface 0.0.1.40 is INTERENT and the tunnel is costumer ?

Re: ZBF Issue

andypowernet — Wed, 14 Jun 2023 08:19:34 GMT

Hey.

Yes, the customers packet who is trying to access the ISE guest portal arrives on the 0/0/1.40 interface. That is also where i'm testing telnet from (sourcing it from that interface)

The reason it sits on a different VRF is that 0/0/1.40 is in the guest vrf so just local internet breakout, however the route to ISE is leaked from the corporate vrf in to the internet vrf. And that route's next hop is via a tunnel. ICMP sourced from 0/0/1.40 is working so to the ISE server so quite a strange scenario, (especially given that the maps don't seem be getting matched - info requested by yourself below)

Zone-pair: GUEST-TO-INSIDE
Service-policy inspect : GUEST-TO-INSIDE

Class-map: GUEST-TO-INSIDE (match-any)
Match: access-group name ZBF-GUEST-TO-INSIDE
Inspect

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

Zone-pair: INSIDE-TO-GUEST
Service-policy inspect : INSIDE-TO-GUEST

Class-map: INSIDE-TO-GUEST (match-any)
Match: access-group name ZBF-INSIDE-TO-GUEST
Inspect

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

Re: ZBF Issue

MHM Cisco World — Wed, 14 Jun 2023 12:24:36 GMT

OK,
interface GigabitEthernet0/0/1.40
vrf forwarding customer
zone-member security GUEST
!
interface GigabitEthernet0/0/0
vrf forwarding internet
!
interface Tunnel196
vrf forwarding customer
zone-member security INSIDE
tunnel source GigabitEthernet0/0/0
tunnel vrf internet
tunnel protection ipsec profile dmvpn-ipsec-profile shared <<- this need since you use same interface for both tunnel

this must be the config of tunnel and interface

Re: ZBF Issue

andypowernet — Wed, 14 Jun 2023 13:30:35 GMT

Hey.

There is only a single tunnel configured on this router, hence no shared keyword when referencing the ipsec protection.

Regards,
Andy.

Re: ZBF Issue

MHM Cisco World — Wed, 14 Jun 2023 13:38:22 GMT

your post show two, then I check the tunnel number is same, so no need shared
interface Tunnel196 <<
vrf forwarding customer
ip address 10.248.196.242 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication customer
ip nhrp map 10.248.196.254 185.34.234.250
ip nhrp map multicast 185.34.234.250
ip nhrp map 10.248.196.253 195.88.236.250
ip nhrp map multicast 195.88.236.250
ip nhrp network-id 196
ip nhrp holdtime 60
ip nhrp nhs 10.248.196.253
ip nhrp nhs 10.248.196.254
zone-member security INSIDE
ip tcp adjust-mss 1360
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 196
tunnel vrf internet
tunnel protection ipsec profile dmvpn-ipsec-profile
endinterface Tunnel196 <<
vrf forwarding customer
ip address 10.248.196.242 255.255.255.224
no ip redirects
ip mtu 1400
ip nhrp authentication customer
ip nhrp map 10.248.196.254 185.34.234.250
ip nhrp map multicast 185.34.234.250
ip nhrp map 10.248.196.253 195.88.236.250
ip nhrp map multicast 195.88.236.250
ip nhrp network-id 196
ip nhrp holdtime 60
ip nhrp nhs 10.248.196.253
ip nhrp nhs 10.248.196.254
zone-member security INSIDE
ip tcp adjust-mss 1360
qos pre-classify
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 196
tunnel vrf internet
tunnel protection ipsec profile dmvpn-ipsec-profile

Re: ZBF Issue

andypowernet — Fri, 23 Jun 2023 08:35:02 GMT

Interestingly, I did some further debugging on this, and it shows packets being dropped arriving on the tunnel interface (inside zone) destined for the guest zone. However it's showing the source as the remote tunnel endpoint rather than the original source.

That would suggest to me that it is processing the ZBF prior to decapsulation of the DMVPN headers, however Cisco documentation states otherwise....

%IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00031902468136318644 %FW-6-DROP_PKT: Dropping udp pkt from Tunnel196 195.88.236.250:4500 => 10.192.203.1:33446(target:class)-(INSIDE-TO-GUEST:class-default) due to Policy drop:classify result with ip ident 18807

Re: ZBF Issue

MHM Cisco World — Fri, 23 Jun 2023 10:45:17 GMT

Did you try config I suggest before ?

interface GigabitEthernet0/0/1.40
vrf forwarding customer
zone-member security GUEST
!
interface GigabitEthernet0/0/0
vrf forwarding internet
!
interface Tunnel196
vrf forwarding customer
zone-member security INSIDE
tunnel source GigabitEthernet0/0/0
tunnel vrf internet
tunnel protection ipsec profile

Re: ZBF Issue

andypowernet — Fri, 23 Jun 2023 10:54:21 GMT

Hi

This isn't really practice as the whole idea is that customer and guest are
on separate vrf. And guest traffic locally breaks out for internet on the
router. Where as the customer vrf internet goes via the data center.

Re: ZBF Issue

MHM Cisco World — Fri, 23 Jun 2023 12:17:16 GMT

I dont get your last comment
there are two VRF
there are four Zone
self
OUT
LOCAL
REMOTE

self+OUT in one VRF
LOCAL REMOTE in ONE VRF

where is issue here, I dont see any security issue with above

Re: ZBF Issue

andypowernet — Mon, 26 Jun 2023 08:28:21 GMT

Hi,

The issue is that the customer and guest vrf have to be kept seperate.

Re: ZBF Issue

Aref Alsouqi — Mon, 26 Jun 2023 09:35:22 GMT

Could you please try to swap ISE IP address with any on the ZBF ACLs and see if that makes any difference? this would help us ruling out any NAT'ing issue, if that doesn't make a difference, could you please remove temporarily the guest and customer interfaces from the ZBF? this would help confirming if routing is working as expected in the first place. You mentioned ping is working from the guest interface, however, ping is stateless so if the echo packets go one way and the replies come on another ping doesn't bother. In other words if you have asymmetric routing ping would still work, but the traffic destined to ISE portal won't as it uses TCP.

Re: ZBF Issue

MHM Cisco World — Sat, 01 Jul 2023 10:48:07 GMT

R1#wr

hostname R1
!
ip vrf Cos
rd 1:200
!
ip vrf ISP
rd 1:100
!
class-map type inspect match-all L-R-Licmp
match protocol icmp
match access-group 100
class-map type inspect match-all R-L-Rtelnet
match access-group 110
match protocol telnet
class-map type inspect match-all L-R-Ltelnet
match protocol telnet
match access-group 100
~~class-map type inspect match-all L-R-L~~
~~match protocol icmp~~
~~match protocol telnet~~
~~match protocol ssh~~
~~match access-group 100~~
class-map type inspect match-all R-L-Ricmp
match access-group 110
match protocol icmp
~~class-map type inspect match-all L-R-L2~~
~~match access-group 100~~
!
!
policy-map type inspect R-L-R
class type inspect R-L-Ricmp
inspect
class type inspect R-L-Rtelnet
inspect
class class-default
policy-map type inspect L-R-L
class type inspect L-R-Licmp
inspect
class type inspect L-R-Ltelnet
inspect
class class-default
!
zone security OUT
zone security LOCAL
zone security REMOTE
zone-pair security L-R-L source LOCAL destination REMOTE
service-policy type inspect L-R-L
zone-pair security R-L-R source REMOTE destination LOCAL
service-policy type inspect R-L-R
!
!
!
!
interface Tunnel0
ip vrf forwarding Cos
ip address 5.0.0.1 255.255.255.0
zone-member security REMOTE
tunnel source FastEthernet0/1
tunnel destination 200.0.0.2
tunnel vrf ISP
!
interface FastEthernet0/0
ip vrf forwarding Cos
ip address 10.0.0.1 255.255.255.0
zone-member security LOCAL
duplex auto
speed auto
!
interface FastEthernet0/1
ip vrf forwarding ISP
ip address 100.0.0.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
ip route vrf ISP 0.0.0.0 0.0.0.0 100.0.0.5
ip route vrf Cos 20.0.0.0 255.255.255.0 Tunnel0
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
access-list 110 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

this LAB for you GRE with VRF and multi security Zone

NO issue I can ping from both side of tunnel