topic Do you have NAT configured? in Network Security

CCP Firewall setup

carlo4511 — Tue, 26 Mar 2019 00:57:34 GMT

hello,

i'm trying to setup basic firewall using cisco configuration professional after configuring router using terminal.

After I run "create firewall wizard" and apply rules, inside clients cannot browse internet (from router I can ping outside).

Can anyone help me?

Config:

attached txt

Firewall configuration summary:

Inside(trusted) Interfaces:
FastEthernet0/1 (192.168.10.254)

Outside(untrusted) Interface:
Dialer1 {FastEthernet0/0} (Easy IP)

Service Policy Configuration:

In-zone -> Out-zone:
Inspect TCP,UDP,H323,SIP,SCCP and other protocols
Deny packets with invalid ip address as source

Self -> Out-zone:
Inspect router generated ICMP traffic

Out-zone -> Self:
Deny all other traffic.

Commands delivered after finishing wizard:

access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect match-all ccp-invalid-src
match access-group 101
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
no drop
inspect
exit
class class-default
no drop
pass
exit
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
exit
class type inspect ccp-protocol-http
no drop
inspect
exit
class type inspect ccp-insp-traffic
no drop
inspect
exit
class type inspect ccp-sip-inspect
no drop
inspect
exit
class type inspect ccp-h323-inspect
no drop
inspect
exit
class type inspect ccp-h323annexe-inspect
no drop
inspect
exit
class type inspect ccp-h225ras-inspect
no drop
inspect
exit
class type inspect ccp-h323nxg-inspect
no drop
inspect
exit
class type inspect ccp-skinny-inspect
no drop
inspect
exit
exit
policy-map type inspect ccp-permit
class class-default
exit
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit
interface Dialer1
description HT$FW_OUTSIDE$
zone-member security out-zone
exit
interface FastEthernet0/1
description LAN$FW_INSIDE$
zone-member security in-zone
exit

After finishing wizard I cannot browse internet from inside.

Thanks.

hi,

johnlloyd_13 — Thu, 03 Dec 2015 05:15:43 GMT

hi,

could you do below and try web browsing again?

class-map type inspect match-any ccp-cls-insp-traffic
match protocol http

zone-pair security ccp-zp-in-out source in-zone destination out-zone
no service-policy type inspect ccp-inspect
service-policy type inspect ccp-cls-insp-traffic

Thanks for your answer but I

carlo4511 — Thu, 03 Dec 2015 07:35:12 GMT

Thanks for your answer but I had no luck.

r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#zone-pair security ccp-zp-in-out source in-zone destination out-zone
r1(config-sec-zone-pair)#no service-policy type inspect ccp-inspect
Firewall service-policy detachment failed
r1(config-sec-zone-pair)#

hi,

johnlloyd_13 — Thu, 03 Dec 2015 08:43:27 GMT

hi,

try removing ZBF on the interfaces, do again the suggested above and re-apply the interface zone-member security command.

interface Dialer1
no zone-member security out-zone

interface FastEthernet0/1
no zone-member security in-zone

Thanks, now I get error:

carlo4511 — Thu, 03 Dec 2015 12:33:32 GMT

Thanks, now I get error:

r1(config)#zone-pair security ccp-zp-in-out source in-zone destination out-zone
r1(config-sec-zone-pair)#no service-policy type inspect ccp-inspect
r1(config-sec-zone-pair)#service-policy type inspect ccp-cls-insp-traffic
Firewall service-policy attachment failed, policy ccp-cls-insp-traffic does not exist

New config is attached

Try This

Andre Neethling — Thu, 03 Dec 2015 12:43:39 GMT

Try This

policy-map type inspect ccp-cls-insp-traffic
class type inspect ccp-cls-insp-traffic
inspect
class class-default
drop

Then add it to your Zone Pair Service Policy again. Make sure you added the command earlier from John

class-map type inspect match-any ccp-cls-insp-traffic
match protocol http

Still no internet for lan

carlo4511 — Thu, 03 Dec 2015 13:59:56 GMT

Still no internet for lan clients.

This is how it looks now

Thanks

Add https to your class map

Andre Neethling — Thu, 03 Dec 2015 14:14:30 GMT

Add https to your class map and remove your outside to self policy

Still nothing.

carlo4511 — Thu, 03 Dec 2015 14:39:33 GMT

Still nothing.

Do you have NAT configured?

Andre Neethling — Thu, 03 Dec 2015 14:43:58 GMT

Do you have NAT configured?

Yes. Before applying fw rules

carlo4511 — Thu, 03 Dec 2015 14:47:23 GMT

Yes. Before applying fw rules I can get to outside.

My configs are attached in previous messages.

I had to add

carlo4511 — Thu, 03 Dec 2015 14:56:38 GMT

I had to add

access-list 101 permit ip any any

Thanks