topic that not seem to work i added in Network Security

Zone based FW blocking some eigrp routes

Mike Buyarski — Tue, 12 Mar 2019 06:09:10 GMT

with the new ZBFW now getting setup on a couple of our new routers i am finding a new issue. It appears with the ZBFW setup i have, the FW is only allowing EIGRP to build the routing table to a certain point and is missing a large number of routes this is what i have for the FW

class-map type inspect match-any SECURITY
match access-group name SECURITY
class-map type inspect match-any self-map
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any FIREOUT
match protocol http
match protocol https
match protocol ftp
match protocol tftp
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all from-self
match class-map self-map
class-map type inspect match-all to-self
match class-map self-map
match access-group name ACCESS
!
policy-map type inspect INTERNET-POLICY
class type inspect FIREOUT
inspect
class class-default
drop
policy-map type inspect to-self-pmap
class type inspect to-self
inspect
class class-default
drop
policy-map type inspect SEC-Policy
class type inspect SECURITY
pass
class class-default
drop
policy-map type inspect from-self-pmap
class type inspect from-self
inspect
class class-default
drop
!
zone security inside
description Bay Network
zone security outside
description Internet
zone-pair security BAY source inside destination outside
service-policy type inspect INTERNET-POLICY
zone-pair security SEC-Zone source outside destination inside
service-policy type inspect SEC-Policy

zone-pair security self-out source self destination outside
service-policy type inspect from-self-pmap
zone-pair security out-self source outside destination self
service-policy type inspect to-self-pmap
!

ip access-list extended ACCESS
permit udp any eq bootps any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp "xxx.xxx.xxx.xxx 0.0.0.0.xxx any eq 22
permit tcp "yyy.yyy.yyy.yyy 0.0.0.yyy any eq 22
deny ip any any
ip access-list extended SECURITY
permit gre any any
permit tcp any any eq 443
permit tcp any any eq 1723
permit tcp any eq 1723 any
permit esp any any
permit ahp any any
permit udp any eq isakmp any eq isakmp
permit udp any any eq 1701
permit udp any eq 1701 any eq 1701
permit udp any any eq isakmp
permit udp any eq non500-isakmp any
permit udp any any eq non500-isakmp
deny ip any any
!

If i remove the lines"

i will get all the eigrp routers but i open the router up to any one in the work being able to try and SSH into it.

What am i missing to make sure i get all the eigrp routes?

the routes i get are all the routes from the corp office but no routes from the other remote location subnets

HiI'm pretty sure you need to

Henrik Grankvist — Thu, 18 Jun 2015 16:14:59 GMT

I'm pretty sure you need to "pass" the traffic instead of using "inspect" to and from the self zone. At least you had to do that before.

Edit:

You haven't allowed EIGRP to the self zone. EIGRP is neither UDP or TCP.

acess-list EIGRP extended permit eigrp any any

that not seem to work i added

Mike Buyarski — Thu, 18 Jun 2015 16:46:55 GMT

that not seem to work i added the permit to the acl

ip access-list extended ACCESS
permit eigrp any any
permit udp any eq bootps any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp xxx.xxx.xxx.xxx 0.0.0.xxx any eq 22
permit tcp yyy.yyy.yyy 0.0.0.yyy any eq 22

but had no change in behavior even after i clear eigrp and it rebuilt. i then set the policy map to pass

policy-map type inspect to-self-pmap
class type inspect to-self
pass
class class-default
drop

that did not affect eigrp routing table but did block me from accessing the router from the external IP good thing i could still get to it via the inside IP and the VPN did not drop.

EDIT:

Ignore everything below this i tried copying parts and its did not work, and when i try to edit i see nothing below this line.

policy-map type inspect to-self-pmap
class type inspect to-self
inspect
class class-default
drop - See more at: https://supportforums.cisco.com/discussion/12537016/zone-based-fw-blocking-some-eigrp-routes#sthash.qD6nVnxe.dpuf