zone based firewall one way access to a zone

jeffreymertz — Tue, 12 Mar 2019 04:14:21 GMT

I am trying to create a PCI zone inside a network. I am using a 1941 with security and ZFW to restrict traffic. PCI can go out to ASA and across to LAN. LAN can go to ASA but not to PCI, finally ASA can go back to both PCI and LAN to send natted traffic inside to servers respectively. Important config info below. In testing I can't ping from PCI to a LAN machine, but I can ping the LAN interface IP on the router. From LAN I can ping LAN interface IP of router, but can't ping PCI interface of router (this is desired). But I need to be able to ping LAN from PCI, think a nofoward dmz in an ASA. Initiated traffic from PCI is god traffic and can go anywhere. LAN zone can only go to other LAN zone or ASA zone.

interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PCI Interface
ip address 192.168.201.1 255.255.255.0
zone-member security PCI
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN Interface
ip address 192.168.200.1 255.255.255.0
ip access-group PCItest in
zone-member security LAN
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 3
no ip address
!
interface GigabitEthernet0/0/1
switchport access vlan 2
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.0.0.1 255.255.255.0
zone-member security LAN
ip tcp adjust-mss 1452
!
interface Vlan3
description ASA INTERFACE
ip address 172.16.20.1 255.255.255.0
zone-member security ASA

ip access-list extended ASA-INBOUND-ACL
permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended LAN2any-ACL
permit ip 192.168.200.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended PCI2any-ACL
permit ip 192.168.201.0 0.0.0.255 any

class-map type inspect match-all PCI-ASA-CLASS
match access-group name PCI2any-ACL
class-map type inspect match-all ASA-PCI-CLASS
match access-group name ASA-INBOUND-ACL
class-map type inspect match-all PCI-LAN-CLASS
match access-group name PCI2any-ACL
class-map type inspect match-all LAN-ASA-CLASS
match access-group name LAN2any-ACL
class-map type inspect match-all ASA-LAN-CLASS
match access-group name ASA-INBOUND-ACL
!
policy-map type inspect LAN-ASA-POLICY
class type inspect LAN-ASA-CLASS
inspect
class class-default
drop
policy-map type inspect ASA-LAN-POLICY
class type inspect ASA-LAN-CLASS
inspect
class class-default
drop
policy-map type inspect ASA-PCI-POLICY
class type inspect ASA-PCI-CLASS
inspect
class class-default
drop
policy-map type inspect PCI-LAN-POLICY
class type inspect PCI-LAN-CLASS
inspect
class class-default
drop
policy-map type inspect PCI-ASA-POLICY
class type inspect PCI-ASA-CLASS
inspect
class class-default
drop
!
zone security PCI
zone security LAN
zone security ASA
zone-pair security PCI-to-LAN source PCI destination LAN
service-policy type inspect PCI-LAN-POLICY
zone-pair security PCI-to-ASA source PCI destination ASA
service-policy type inspect PCI-ASA-POLICY
zone-pair security LAN-to-ASA source LAN destination ASA
service-policy type inspect LAN-ASA-POLICY
zone-pair security ASA-to-PCI source ASA destination PCI
service-policy type inspect ASA-PCI-POLICY
zone-pair security ASA-to-LAN source ASA destination LAN
service-policy type inspect ASA-LAN-POLICY

First of all, this ACL is

Marius Gunnerud — Tue, 09 Sep 2014 12:00:47 GMT

First of all, this ACL is wrongly configured or you have just placed it on the wrong interface:

interface GigabitEthernet0/1
description LAN Interface
ip address 192.168.200.1 255.255.255.0
ip access-group PCItest in

ip access-list extended PCI2any-ACL
permit ip 192.168.201.0 0.0.0.255 any

This is saying that a source IP of 192.168.201.0/24 will be entering the LAN interface and this is not the case. in any case I suggest removing this ACL from the interface.

As you are have not included a zone pair for LAN to the PCI interface IP you will not be able to ping from LAN to the PCI interface (from my understanding of your post this is what you are trying to achieve?)

You would need to explicitly permit this traffic since you have the interfaces placed in security zones.

ip access-list extended LAN-to-PCI-ACL
permit ip any host 192.168.201.1

class-map type inspect match-all LAN-PCI-CLASS
match access-group name LAN-to-PCI-ACL

policy-map type inspect LAN-PCI-POLICY
class type inspect LAN-PCI-CLASS
inspect
class class-default
drop

zone-pair security LAN-to.PCI source LAN destination PCI
service-policy type inspect LAN-PCI-POLICY

Please remember to select a correct answer and rate helpful posts

i had forgotten about this

jeffreymertz — Tue, 09 Sep 2014 12:17:57 GMT

i had forgotten about this post!

PCI to LAN is allowed, LAN to PCI is not.

I played with the ACL's and have had it working. I'm marking your answer correct, as it does correct the one ACL issue I was having with assignment of the directions. Thanks for taking the time to respond!

topic i had forgotten about this in Network Security

zone based firewall one way access to a zone

First of all, this ACL is

i had forgotten about this