ZBF and loopback interfaces

fsebera — Tue, 12 Mar 2019 05:46:49 GMT

In my ZBF setup, I assign the physical and logical interface (tunnel) to different zones.

I.E. G0/0 is Trusted zone and Tunnel1 is assigned to a Tunnel zone.

Dynamic NAT is tied to the Loopback1 interface but this interface is not assigned to a zone.

My setup is fully function but am now wondering if I missed something BIG. My understanding is ALL interfaces MUST be assigned to a zone to enable INTER-zone and INTRA-zone communications. Perhaps this rule does not apply to traffic originating from the router itself.

My questions is, do loopback interfaces need to be assigned to a zone to communicate with other zones on the same router?

Thanks

Frank

Nope..if self zone is not

Pranay Prasoon — Wed, 15 Apr 2015 18:28:55 GMT

Nope..if self zone is not configured on router, then loopback belongs to router and you don't need it in a zone to communicate to other zone.

Sorry, I should have

fsebera — Wed, 15 Apr 2015 18:38:29 GMT

Sorry, I should have indicated I have a self zone configured (albeit perhaps incorrectly :()

I don't want to impose but I could provide my config for review!!!

Thanks

Frank

okay...but do change your IP

Pranay Prasoon — Wed, 15 Apr 2015 18:40:56 GMT

okay...but do change your IP scheme

Already SANITIZED due to

fsebera — Wed, 15 Apr 2015 20:14:32 GMT

Already SANITIZED due to backend private connections!!!!

R10# sh run
! Last configuration change at 16:48:12 EST Tue Apr 14 2015 by ?
! NVRAM config last updated at 16:48:15 EST Tue Apr 14 2015 by ?
! NVRAM config last updated at 16:48:15 EST Tue Apr 14 2015 by ?
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname R10
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M10.bin
boot-end-marker
!
logging userinfo
logging buffered 32768
!
clock timezone EST -5 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1637678459
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1637678459
revocation-check none
rsakeypair TP-self-signed-1637678459
!
crypto pki certificate chain TP-self-signed-1637678459
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
--snip--
        quit
dot11 syslog
no ip source-route
no ip gratuitous-arps
ip dhcp bootp ignore
!
ip cef
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
vtp version 2
username ? privilege 15 password --gone--
!
redundancy
!
ip tcp selective-ack
ip tcp synwait-time 10
ip ssh time-out 20
ip ssh version 2
!
class-map type inspect match-all TELNET
match access-group name TELNET
match protocol telnet
class-map type inspect match-all OSPF
match access-group name OSPF
class-map type inspect match-all ISAKMP
match access-group name ISAKMP
class-map type inspect match-all OUTBOUND
match protocol icmp
class-map type inspect match-all SSH
match access-group name SSH
match protocol ssh
class-map type inspect match-all IPSEC
match access-group name IPSEC
class-map type inspect match-any WEB
match protocol http
match protocol https
class-map type inspect match-all BGP
match access-group name BGP
class-map type inspect match-any ALLOWED
match protocol ssh
match protocol https
match protocol telnet
match protocol icmp
match access-group name HTTP-REDIR
!
policy-map type inspect OUTBOUND
class type inspect OUTBOUND
inspect
class class-default
pass
policy-map type inspect TO-AWS2
class type inspect ALLOWED
inspect
class class-default
drop
policy-map type inspect TO-AWS1
class type inspect ALLOWED
inspect
class class-default
drop
policy-map type inspect INBOUND
class type inspect IPSEC
pass
class type inspect ISAKMP
pass
class type inspect OSPF
pass
class type inspect BGP
pass
class type inspect TELNET
pass
class type inspect SSH
pass
class type inspect WEB
pass
class class-default
drop
!
zone security TUN1
zone security TUN2
zone security TRUSTED
zone-pair security F0/0->TUN1 source TRUSTED destination TUN1
service-policy type inspect TO-AWS1
zone-pair security F0/0->TUN2 source TRUSTED destination TUN2
service-policy type inspect TO-AWS2
zone-pair security INBOUND source TRUSTED destination self
service-policy type inspect INBOUND
zone-pair security OUTBOUND source self destination TRUSTED
service-policy type inspect OUTBOUND
!
crypto keyring KEYRING-VPN-344BFC4B-0
local-address 192.168.90.1
pre-shared-key address 192.168.0.34 key --gone--
crypto keyring KEYRING-VPN-344BFC4B-1
local-address 192.168.90.1
pre-shared-key address 192.168.0.50 key --gone--
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile ISAKMP-VPN-344BFC4B-0
   keyring KEYRING-VPN-344BFC4B-0
   match identity address 192.168.0.34 255.255.255.255
   local-address 192.168.90.1
crypto isakmp profile ISAKMP-VPN-344BFC4B-1
   keyring KEYRING-VPN-344BFC4B-1
   match identity address 192.168.0.50 255.255.255.255
   local-address 192.168.90.1
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set IPSEC-PROP-VPN-344BFC4B-0 esp-aes esp-sha-hmac
crypto ipsec transform-set IPSEC-PROP-VPN-344BFC4B-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile IPSEC-VPN-344BFC4B-0
set transform-set IPSEC-PROP-VPN-344BFC4B-0
set pfs group2
!
crypto ipsec profile IPSEC-VPN-344BFC4B-1
set transform-set IPSEC-PROP-VPN-344BFC4B-1
set pfs group2
!
interface Loopback1
ip address 172.16.6.1 255.255.255.0
!
interface Tunnel1
description BORDER1
ip address xxx.yyy.zzz.22 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security TUN1
ip tcp adjust-mss 1387
tunnel source 192.168.90.1
tunnel mode ipsec ipv4
tunnel destination 192.168.0.34
tunnel protection ipsec profile IPSEC-VPN-344BFC4B-0
!
interface Tunnel2
description BORDER2
ip address xxx.yyy.zzz.18 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security TUN2
ip tcp adjust-mss 1387
tunnel source 192.168.90.1
tunnel mode ipsec ipv4
tunnel destination 192.168.0.50
tunnel protection ipsec profile IPSEC-VPN-344BFC4B-1
!
interface FastEthernet0/0
ip address 192.168.90.1 255.255.255.240
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security TRUSTED
load-interval 30
!
router ospf 110
router-id 172.16.6.1
redistribute bgp 6 subnets route-map AWS-NETS
passive-interface default
no passive-interface FastEthernet0/0
network xxx.yyy.zzz.16 0.0.0.3 area 64
network xxx.yyy.zzz.20 0.0.0.3 area 64
network 172.16.6.0 0.0.0.255 area 64
network 192.168.90.0 0.0.0.15 area 64
!
router bgp 6
bgp router-id 172.16.6.1
bgp log-neighbor-changes
redistribute ospf 110 route-map OSPF-NETS
neighbor xxx.yyy.zzz.17 remote-as 10
neighbor xxx.yyy.zzz.17 description AWS2-Tun2
neighbor xxx.yyy.zzz.17 soft-reconfiguration inbound
neighbor xxx.yyy.zzz.17 prefix-list AWS-BORDER2 out
neighbor xxx.yyy.zzz.21 remote-as 10
neighbor xxx.yyy.zzz.21 description AWS1-Tun1
neighbor xxx.yyy.zzz.21 soft-reconfiguration inbound
neighbor xxx.yyy.zzz.21 prefix-list AWS-BORDER1 out
maximum-paths 2
!
no ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool LOOP1 172.16.6.1 172.16.6.1 netmask 255.255.255.0
ip nat inside source list HQ-AWS1-AWS2 pool LOOP1 overload
!
ip access-list standard AWS-NETS
permit 172.16.3.0 0.0.0.255
permit 172.16.4.0 0.0.0.255
permit 172.16.5.0 0.0.0.255
!
ip access-list extended HQ-AWS1-AWS2
deny   tcp host xxx.yyy.zzz.18 eq bgp host xxx.yyy.zzz.17
deny   tcp host xxx.yyy.zzz.18 host xxx.yyy.zzz.17 eq bgp
deny   tcp host xxx.yyy.zzz.22 eq bgp host xxx.yyy.zzz.21
deny   tcp host xxx.yyy.zzz.22 host xxx.yyy.zzz.21 eq bgp
permit ip any any
!
ip access-list extended HTTP-REDIR
permit tcp 192.168.2.0 0.0.0.255 host 172.16.5.2 eq 9999
permit tcp 192.168.2.0 0.0.0.255 host 172.16.5.1 eq 8888
permit tcp 192.168.1.0 0.0.0.255 host 172.16.5.2 eq 9999
permit tcp 192.168.1.0 0.0.0.255 host 172.16.5.1 eq 8888
!
ip access-list extended IPSEC
permit esp any any
!
ip access-list extended ISAKMP
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
!
ip access-list extended OSPF
permit ospf any any
!
ip access-list extended SSH
permit tcp 192.168.1.0 0.0.0.255 any eq 22
permit tcp 192.168.2.0 0.0.0.255 any eq 22
!
ip access-list extended TELNET
permit tcp 192.168.1.0 0.0.0.255 any eq telnet
permit tcp 192.168.2.0 0.0.0.255 any eq telnet
!
ip prefix-list AWS-BORDER1 seq 10 permit 172.16.4.0/24
ip prefix-list AWS-BORDER1 seq 30 permit 172.16.6.0/24
!
ip prefix-list AWS-BORDER2 seq 10 permit 172.16.3.0/24
ip prefix-list AWS-BORDER2 seq 30 permit 172.16.6.0/24
!
logging history size 100
logging history debugging
!
access-list 1 permit 2.0.0.0 0.0.0.15
access-list 1 permit 192.168.90.0 0.0.0.255
access-list 1 permit 172.16.6.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
route-map OSPF-NETS permit 10
match ip address 1
!
route-map AWS-NETS permit 10
match ip address AWS-NETS
set tag 10
!
line con 0
exec-timeout 3 0
privilege level 15
password --gone--
session-limit 2
logging synchronous
no vacant-message
login
transport preferred telnet
transport output telnet
speed 4800
line aux 0
exec-timeout 0 1
login
line vty 0 15
exec-timeout 5 0
privilege level 15
password --gone--
absolute-timeout 15
session-limit 2
no vacant-message
login local
transport preferred telnet
transport input telnet ssh
transport output telnet

okay so just that i

Pranay Prasoon — Wed, 15 Apr 2015 20:14:33 GMT

okay so just that I am understanding your requirement correctly,

Is the traffic going to come from trusted zone, get NATed with the loop back IP address and go through tunnel interface?

YES!!

fsebera — Wed, 15 Apr 2015 21:12:46 GMT

YES!!

...... but also traffic ingresses the TRUSTED interface to the router itself.

Thanks

Frank

you don't need to have loop

Pranay Prasoon — Wed, 15 Apr 2015 22:11:13 GMT

you don't need to have loop back into any zone.

When traffic will come from trusted to tunnel, it will represent source from trusted and destination tunnel, even if the traffic changes its source IP address to NAT IP.

You just need to make sure that your traffic is allowed from trusted to tunnel and tunnel to trusted if traffic is coming back tunneled.

Thanks Pranay, Thanks for

fsebera — Thu, 16 Apr 2015 12:01:57 GMT

Thanks Pranay,

Thanks for your assistance!

Frank

topic okay...but do change your IP in Network Security

ZBF and loopback interfaces

Nope..if self zone is not

Sorry, I should have

okay...but do change your IP

Already SANITIZED due to

okay so just that i

YES!!

you don't need to have loop

Thanks Pranay, Thanks for