ZBF woes

Darren Hunter — Tue, 12 Mar 2019 05:01:55 GMT

Hi I’m having some difficulty in understanding the behaviour of zone based firewalls on a 887va router, I do not understand the implications of including the self zone in a zone-pair. It seems that if you include the self zone in a pair with any other zone, the self zone becomes restrictive between all zones whether paired or not. For example if I include the self zone in a pair with the OUTSIDE zone, pinging the router from a host from the INSIDE zone no longer works…..

Secondly we operate a DMVPN (this is a spoke router) and the tunnel will successfully establish with the following traffic configured to PASS

Tcp 4500

Tcp 500

ESP

GRE

However traffic through the tunnel will fail (including rip).

If however I modify the firewall policy to permit all traffic to and from the Self and OUTSIDE zones, tunnel traffic seems to work successfully between the SELF and VPN zones and the VPN and internal zones.

However given that all traffic destined for the tunnel would be encapsulated in a GRE header and GRE is permitted between the SELF and OUTSIDE Zones, I cannot see what other ports would need opening?

I’ve included some config below, any help would be greatly appreciated.

Access Lists

Extended IP access list OUTSIDE>INSIDE

10 permit ip any any

Extended IP access list OUTSIDE>SELF

( if this entry is included tunnel traffic works permit ip object-group DMVPNIPGROUP object-group SELF (818 matches))

10 permit gre object-group DMVPNIPGROUP object-group SELF

20 permit tcp object-group DMVPNIPGROUP object-group SELF eq 4500

30 permit tcp host HO host SELF eq 22 (18589 matches)

40 permit tcp object-group DMVPNIPGROUP object-group SELF eq 500

50 permit esp object-group DMVPNIPGROUP object-group SELF (424 matches)

70 deny ip any any (7570 matches)

Extended IP access list SELF>OUTSIDE

( if this entry is included tunnel traffic works 8 permit ip object-group SELF object-group DMVPNIPGROUP (1013 matches))

10 permit gre object-group SELF any

20 permit tcp object-group SELF any eq 4500

30 permit tcp object-group SELF eq 22 host HO (12899 matches)

40 permit tcp object-group SELF any eq 500

50 permit esp object-group SELF any

Extended IP access list SELF>OUTSIDE_Insp

10 permit tcp any any eq domain

20 permit udp any any eq domain (86 matches)

Extended IP access list SELF>VPN

10 permit ip any any (31 matches)

Extended IP access list SSH_Allow

20 permit tcp network_obj HO any eq 22 log (22 matches)

70 permit tcp LocalSubnet any eq 22

80 deny ip any any log (8 matches)

Extended IP access list VPN>INSIDE

10 permit ip any any (568 matches)

Extended IP access list VPN>SELF

10 permit ip any any (15 matches)

Zone: self

Description: System defined zone

Zone: OUTSIDE

Member Interfaces:

Dialer1

Zone: INSIDE

Member Interfaces:

Vlan1

Zone: VPN

Member Interfaces:

Tunnel0

Zone-pair : OUTSIDE>SELF

Source Zone : OUTSIDE

Destination Zone : self

Service-policy inspect : PM-OUTSIDE>SELF

Class-map : CM-OUTSIDE>SELF(match-any)

Action : pass log

Class-map : class-default(match-any)

Action : drop log

Zone-pair : INSIDE>OUTSIDE

Source Zone : INSIDE

Destination Zone : OUTSIDE

Service-policy inspect : PM-INSIDE>OUTSIDE

Class-map : CM-INSIDE>OUTSIDE(match-any)

Action : inspect

Service Policy: http PM-DPI_HTTP_OUT

Class-map : CM-INSIDE>OUTSIDE2(match-any)

Action : inspect

Class-map : class-default(match-any)

Action : drop log

Zone-pair : SELF>OUTSIDE

Source Zone : self

Destination Zone : OUTSIDE

Service-policy inspect : PM-SELF>OUTSIDE

Class-map : CM-SELF>OUTSIDE(match-any)

Action : pass log

Class-map : CM-SELF>OUTSIDE_Insp(match-any)

Action : inspect

Class-map : class-default(match-any)

Action : drop log

Zone-pair : VPN>INSIDE

Source Zone : VPN

Destination Zone : INSIDE

Service-policy inspect : PM-VPN>INSIDE

Class-map : CM-VPN>INSIDE(match-any)

Action : pass log

Class-map : class-default(match-any)

Action : drop log

Zone-pair : INSIDE>VPN

Source Zone : INSIDE

Destination Zone : VPN

Service-policy inspect : PM-INSIDE>VPN

Class-map : CM-INSIDE>VPN(match-any)

Action : pass log

Class-map : class-default(match-any)

Action : drop log

Zone-pair : SELF>VPN

Source Zone : self

Destination Zone : VPN

Service-policy inspect : PM-SELF>VPN

Class-map : CM-SELF>VPN(match-any)

Action : pass log

Class-map : class-default(match-any)

Action : drop log

Zone-pair : VPN>SELF

Source Zone : VPN

Destination Zone : self

Service-policy inspect : PM-VPN>SELF

Class-map : CM-VPN>SELF(match-any)

Action : pass log

Class-map : class-default(match-any)

Action : drop log

Class Map type inspect match-any CM-SELF>OUTSIDE_Insp (id 33)

Match access-group name SELF>OUTSIDE_Insp

Class Map type inspect match-any CM-VPN>INSIDE (id 29)

Match access-group name VPN>INSIDE

Class Map type inspect match-any CM-INSIDE>VPN (id 30)

Match access-group name INSIDE>VPN

Class Map type inspect match-any CM-SELF>VPN (id 47)

Match access-group name SELF>VPN

Class Map type inspect match-any CM-VPN>SELF (id 48)

Match access-group name VPN>SELF

Class Map type inspect match-any CM-OUTSIDE>SELF (id 4)

Match access-group name OUTSIDE>SELF

Class Map type inspect match-any CM-OUTSIDE>INSIDE (id 5)

Match access-group name OUTSIDE>INSIDE

Class Map type inspect match-any CM-INSIDE>OUTSIDE (id 6)

Match protocol http

Class Map type inspect match-any CM-SELF>OUTSIDE (id 7)

Match access-group name SELF>OUTSIDE

Class Map type inspect match-any CM-INSIDE>OUTSIDE2 (id 10)

Match protocol https

Match protocol smtp

HiSounds like you are having

Henrik Grankvist — Wed, 05 Nov 2014 22:33:30 GMT

Sounds like you are having some problems 🙂

It would be easier to see what has been done if you posted your running-config, instead of show commands, they are harder to follow than the running-config.

And its UDP port 500 and 4500 you want to open, not TCP.

Cannot believe I didn't see

Darren Hunter — Thu, 06 Nov 2014 16:17:49 GMT

Cannot believe I didn't see that, i'm gonna test a little more but I think that's it.

thanks for your help

topic HiSounds like you are having in Network Security

ZBF woes

HiSounds like you are having

Cannot believe I didn't see