topic can't ping or tracert from self zone to internet in Network Security

can't ping or tracert from self zone to internet

Mahmoud Saad — Tue, 12 Mar 2019 01:25:58 GMT

Hello , i'm testing IOS firewall using zone based firewall zone pairs , users can access the internet , but i have a problem that i can't ping my external dns servers or even ping , trace any internet destination. For example ping to www.yahoo.com fails. i wanna know if there is something wrong in this config.

class map, policy map , and zone pair is marked as bold.

Thanks

Current configuration : 4919 bytes

! Last configuration change at 15:12:16 UTC Tue Apr 9 2013 by admin

version 15.1

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service udp-small-servers

service tcp-small-servers

service sequence-numbers

hostname Router

boot-start-marker

boot-end-marker

security authentication failure rate 3 log

security passwords min-length 6

no logging buffered

no aaa new-model

no ipv6 cef

ip source-route

ip gratuitous-arps

ip icmp rate-limit unreachable 1

ip cef

ip name-server 163.121.128.134

ip name-server 163.121.128.135

ip port-map user-custom-fleet port tcp 2000 list 1

multilink bundle-name authenticated

redundancy

ip finger

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

class-map type inspect match-any Inside-Outside

match protocol tcp

match protocol udp

class-map type inspect match-any ALLOW-ICMP

match access-group name ACL-ICMP-REPLY

policy-map type inspect Inside-Outside

class type inspect Inside-Outside

inspect

class class-default

drop

policy-map type inspect OUTSIDE-SELF

class type inspect ALLOW-ICMP

pass

class class-default

drop

zone security IN

zone security OUT

zone-pair security INSIDE/OUTSIDE source IN destination OUT

service-policy type inspect Inside-Outside

zone-pair security PM-OUTSIDE-SELF source OUT destination self

service-policy type inspect OUTSIDE-SELF

interface GigabitEthernet0/0

ip address 101.101.100.245 255.255.255.0

ip mask-reply

ip directed-broadcast

ip flow ingress

duplex auto

speed auto

interface GigabitEthernet0/1

description $FW_INSIDE$

ip address xx.xx..150.xx 255.255.255.248

ip mask-reply

ip directed-broadcast

ip flow ingress

zone-member security IN

duplex auto

speed auto

interface Serial0/0/0

no ip address

ip mask-reply

ip directed-broadcast

ip flow ingress

encapsulation frame-relay IETF

no fair-queue

clock rate 2000000

frame-relay lmi-type q933a

interface Serial0/0/0.16 point-to-point

description $FW_OUTSIDE$

ip address xx.xx.18.xx 255.255.255.252

ip mask-reply

ip directed-broadcast

ip flow ingress

ip verify unicast reverse-path

zone-member security OUT

frame-relay interface-dlci 16

interface Serial0/0/1

no ip address

ip mask-reply

ip directed-broadcast

ip flow ingress

shutdown

clock rate 2000000

ip forward-protocol nd

ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16

ip identd

ip access-list extended ACL-ICMP-REPLY

permit icmp any any host-unreachable

permit icmp any any port-unreachable

permit icmp any any ttl-exceeded

permit icmp any any packet-too-big

permit icmp any any echo-reply

can't ping or tracert from self zone to internet

lcambron — Tue, 09 Apr 2013 22:12:21 GMT

Hello,

Seems like to allow icmp you need:

class-map type inspect match-any Inside-Outside

match protocol icmp

Regards,

Felipe.

Re: can't ping or tracert from self zone to internet

Julio Carvajal — Tue, 09 Apr 2013 22:18:50 GMT

Hello Mahmoud and Felipe,

You do not have any zone from self to Out

Create a zone-pair from self-to-out

Add that match the protocol ICMP and set the action as pass

That should do it

Regards,

Remember to rate all of the helpful posts

Julio Carvajal

Re: can't ping or tracert from self zone to internet

lcambron — Tue, 09 Apr 2013 22:31:25 GMT

One clarification on this.

A zone-pair from self to out will be needed to ping from the router itself to the internet.

Seems like here the issue is ping from internal users to the internet(users can access the internet, but i have a problem that i can't ping...), in that case the commands I suggested will be needed.

Let us know if you have any question.

Regards,

Felipe.

can't ping or tracert from self zone to internet

Mahmoud Saad — Wed, 10 Apr 2013 07:57:01 GMT

Hello jcarvaja thanks for help i did as what you said i've created self to outside zone pair but the problem is not solved

when i try internet addresses a line is logged saying

000030: *Apr 10 07:23:42.543 UTC: %FW-6-PASS_PKT: (target:class)-(SELF-OUTSIDE-ZP:SELF-OUTSIDE-ECHO) Passing icmp pkt XX.XX.18.XX:0 => 163.121.128.135:0 with ip ident 0

Lines that are added to configuration

class-map type inspect match-any SELF-OUTSIDE-ECHO

match access-group name ICMP-ECHO

policy-map type inspect SELF-OUTSIDE-PM

class type inspect SELF-OUTSIDE-ECHO

pass log

class class-default

drop

Extended IP access list ICMP-ECHO

10 permit icmp any any echo

zone-pair security SELF-OUTSIDE-ZP source self destination OUT

service-policy type inspect SELF-OUTSIDE-PM

Please help

Regards

can't ping or tracert from self zone to internet

Mahmoud Saad — Wed, 10 Apr 2013 08:23:50 GMT

Hello Felipe , i can't ping from router itself to internet not from inside zone , but there is another thing to mention that when i show access-lists i see. This is the ACL which added to self to outside zone pair , so i suspect the returning traffic

Extended IP access list ICMP-ECHO

10 permit icmp any any echo (65 matches)

another suggesstion ?

can't ping or tracert from self zone to internet

Julio Carvajal — Wed, 10 Apr 2013 16:31:26 GMT

Hello Mahmoud,

Exactly, that's what I understood.. From the router itself to the outside world.

Okey, add the following line

ip inspect log drop-pkt

Then try to ping and provide the logs, I want to see if there is any clue about this issue

Regards