topic I have no idea what is going in Network Security

zone Based Firewall on 881W

DavidDemland — Tue, 12 Mar 2019 04:02:46 GMT

I have an 881W that I am trying to setup a zoned based firewall. Here is what an excerpt of it looks like:

----------------------------------------------------------------
Current Config:
----------------------------------------------------------------

ip dhcp excluded-address 192.168.42.1 192.168.42.149
ip dhcp excluded-address 192.168.42.171 192.168.42.254
ip dhcp excluded-address 10.0.42.1 10.0.42.149
ip dhcp excluded-address 10.0.42.171 10.0.42.254
ip dhcp excluded-address 172.16.42.1 172.16.42.149
ip dhcp excluded-address 172.16.42.171 172.16.42.254
ip dhcp excluded-address 10.42.0.1
ip dhcp excluded-address 10.42.0.253
!
ip dhcp pool ccp-pool
import all
network 10.42.0.0 255.255.255.0
default-router 10.42.0.1
!
ip dhcp pool GuessData
import all
network 172.16.42.0 255.255.255.0
dns-server 68.105.28.12 68.105.29.12 68.105.28.11
default-router 172.16.42.254
!
ip dhcp pool DMZData
import all
network 10.0.42.0 255.255.255.0
default-router 10.0.42.254
dns-server 68.105.28.12 68.105.29.12 68.105.28.11
!
ip dhcp pool InternalData
import all
network 192.168.42.0 255.255.255.0
dns-server 192.168.42.1 68.105.28.12 68.105.29.12 68.105.28.11
default-router 192.168.42.254
lease 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX1702852X
!
!
username daved privilege 15 secret 4 qe8J3v.JBWtcOXpekg566rrPI0ITGNFB/9NQecxoOLU
!
!
!
!
!
class-map match-any CLASS_COX_OUT
match any
class-map type inspect match-any INTERNET-CLASS
match protocol icmp
match protocol udp
match protocol tcp
!
!
policy-map POLICY_COX_OUT
class CLASS_COX_OUT
policy-map type inspect INTERNET-POLICY
class type inspect INTERNET-CLASS
inspect
class class-default
drop
!
zone security INTERNAL
description Firewall Zone for Internal Users
zone security DMZ
description Firewall Zone for DMZ Systems
zone security GUEST
description Firewall Zone for Guest Wireless Users
zone security INTERNET
description Firewall Zone for ISP
zone-pair security INTERNET-INTERNAL source INTERNAL destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNAL-INTERNET source INTERNET destination INTERNAL
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNET-DMZ source DMZ destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security DMZ-INTERNET source INTERNET destination DMZ
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNET-GUEST source GUEST destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security GUEST-INTERNET source INTERNET destination GUEST
service-policy type inspect INTERNET-POLICY
!
!
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
description Cox ISP Interface for all data
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
duplex auto
speed auto
no cdp enable
service-policy output POLICY_COX_OUT
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan30
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.42.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan10
description Internal Users Network Vlan
ip address 192.168.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INTERNAL
!
interface Vlan20
description DMZ Network Vlan
ip address 10.0.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
interface Vlan30
description Guest Wireless Network Vlan
ip address 172.16.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map COX_NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 23 permit 10.42.0.0
access-list 110 permit ip 192.168.42.0 0.0.0.255 any
access-list 110 permit ip 172.16.42.0 0.0.0.255 any
access-list 110 permit ip 10.0.42.0 0.0.0.255 any
access-list 110 permit ip 10.42.0.0 0.0.0.255 any
access-list 110 deny ip any any
no cdp run
!
!
!
!
route-map COX_NAT permit 10
match ip address 110
match interface FastEthernet4

My problem is that traffic is not being passed from the INTERNAL Zone to the DMZ zone. I have tried everything I can think of. What do I have to do to allow this traffic to pass through?

Thank You,

David Demland

Hello David,I cannot see any

Bilal Nawaz — Mon, 21 Apr 2014 12:39:05 GMT

Hello David,

I cannot see any zone-pair configuration from internal to DMZ. If you create this with the correct policy then this should work.

Hope this helps.

After re-looking at the

DavidDemland — Thu, 24 Apr 2014 03:08:33 GMT

After re-looking at the configuration, I have corrected everything I think was wrong and here is the configuration of the ZBW I have:

lass-map type inspect match-any CLASS-INTERNET-DMZ
match protocol icmp
match protocol udp
match protocol tcp
class-map type inspect match-any CLASS-INTERNAL-DMZ
match protocol icmp
match protocol udp
match protocol tcp
class-map match-any CLASS_COX_OUT
match any
class-map type inspect match-any INTERNET-CLASS
match protocol icmp
match protocol udp
match protocol tcp
!
!
policy-map POLICY_COX_OUT
class CLASS_COX_OUT
policy-map type inspect INTERNET-POLICY
class type inspect INTERNET-CLASS
inspect
class class-default
drop
policy-map type inspect POLICY-INTERNET-DMZ
class type inspect CLASS-INTERNET-DMZ
inspect
class class-default
drop
policy-map type inspect POLICY-INTERNAL-DMZ
class type inspect CLASS-INTERNAL-DMZ
inspect
class class-default
drop
!
zone security INTERNAL
description Firewall Zone for Internal Users
zone security DMZ
description Firewall Zone for DMZ Systems
zone security GUEST
description Firewall Zone for Guest Wireless Users
zone security INTERNET
description Firewall Zone for ISP
zone-pair security INTERNAL-INTERNET source INTERNAL destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security DMZ-INTERNET source DMZ destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security GUEST-INTERNET source GUEST destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNAL-DMZ source INTERNAL destination DMZ
service-policy type inspect POLICY-INTERNAL-DMZ
zone-pair security INTERNET-DMZ source INTERNET destination DMZ
service-policy type inspect POLICY-INTERNET-DMZ

The problem still exists, the internet host cannot ping the DMZ host. What am I missing?

Thank You,

David

I have no idea what is going

DavidDemland — Thu, 24 Apr 2014 21:06:24 GMT

I have no idea what is going on but I have done some more testing with WireShark running. The system on the internal network sends out pings to the system in the DMZ. The system in the DMZ seems to see the ping since WireShark on that system show the echo request. However, neither system gets an echo reply. Now I am not sure if my problem is the ZBF or something else. I have attached my complete configuration. Can anyone help me understand what I am missing?

Thank You,

David

Hello David,Please try

Bilal Nawaz — Fri, 25 Apr 2014 06:44:13 GMT

Hello David,

Please try this

Conf t

ip access-list extended INTERNET-TO-DMZ

permit icmp any any

permit tcp any any

permit udp any any

class-map type inspect match-any CLASS-INTERNET-DMZ
no match protocol icmp
no match protocol udp
no match protocol tcp

match access-group name INTERNET-TO-DMZ

Please try this and also the same with the class-map "INTERNET-CLASS"

Bilal,Just to clarify, how

DavidDemland — Sat, 26 Apr 2014 05:20:48 GMT

Bilal,

Just to clarify, how would the changes to the Internet to DMZ affect the Internal to DMZ communications? Or do you mean to make these changes to the Internal to DMZ configurations?

Thank You,

David

Hello David, Your reply 2

Bilal Nawaz — Sat, 26 Apr 2014 05:46:15 GMT

Hello David, Your reply 2 days ago suggested you were having problems with internet to DMZ " internet host cannot ping the DMZ host."

Anyway, lets do this then (if the problem is internal to DMZ)

ip access-list extended 100
 permit ip 192.168.42.0 0.0.0.255 10.0.42.0 0.0.0.255

class-map type inspect match-any CLASS-INTERNAL-DMZ
 no match access-group name INSIDE-TO-DMZ <------------ make it a numbered ACL

match access-group 100

Bilal,I cannot believe what

DavidDemland — Mon, 28 Apr 2014 16:41:24 GMT

Bilal,

I cannot believe what the problem is. It seems to be in the Windows 7 host I was testing with. I have replaced that host with two different Linux hosts and both work with my original configuration. Which means I have a better understanding of ZBF what I felt I did. Even though I still cannot ping the original Windows 7 hosts, I can ping both the Linux hosts as well as FTP and SSH to both of them. Thank you for your help and I am sorry I was not able to discover this issue sooner.

David

Hello David, that is good

Bilal Nawaz — Mon, 28 Apr 2014 17:01:21 GMT

Hello David, that is good news! glad you worked it out in the end. The reason I asked to change to a numbered ACL, just in case we ever come across a problem with ZBFW, in some code the IOS does not behave with named ACLs.

That's okay, as long as you got there in the end, and your post will no doubt help someone else in the future with a similar scenario.