topic Problem with Zone_based Firewall in Network Security

Problem with Zone_based Firewall

Sabby0115 — Tue, 12 Mar 2019 00:05:53 GMT

Hello

I have ISR router with (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M3. The router has normal internet connection settings with nat & all the users are accessing internet via this router, everything is working fine till this point.

I decided to configure zone based firewall on the router i have configured my router with basic config to check the results & everything stop working. No one can access internet neither other apps (outlook) after this config.

I am very much new to cisco security & I am looking help if someone checks my config is it correct or not & why these setting are nt working.

N-ROUTER#sh running-config | section class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

N-ROUTER#sh running-config | section policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_IN_TO_OUT

pass (I used pass & inspect both)

class class-default

drop

N-ROUTER#s run | sec zone-pair

zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE

service-policy type inspect POLICY_MAP_IN_TO_OUT

Problem with Zone_based Firewall

cadet alain — Mon, 08 Oct 2012 08:11:40 GMT

Hi,

could you add in global config: ip inspect log drop-pkt and also add a log to your class-default

You must have an inspect for the traffic in class-map in-to-out otherwise you shall have to do another policy from out to in with a pass for the return traffic.

Could you also post the output of sh run interface to see which is inside and which is outside.

Regards.

Alain

Don't forget to rate helpful posts.

Problem with Zone_based Firewall

Harish Balakrishnan — Mon, 08 Oct 2012 08:17:26 GMT

Hello Sarbjit,

If you have pass configured then you need to have another policy to permit the traffic from outside to inside as follows

access-list 100 permit ip any any

class-map type inspect match-all out_in

match access-group 100

policy-map type inspect out_in

class type inspect out_in

pass

zone-pair security out_in source outside destination inside

service-policy type inspect out_in

If you give inspect instead of pass, in your present policy ( please give no pass) and the incoming traffic should work wven without the outside to inside permission

Try it out and let me know

Harish.

Re: Problem with Zone_based Firewall

Sabby0115 — Mon, 08 Oct 2012 08:47:43 GMT

cadet alain

& Harish Balakrishnan

Thank you to both of you...

As suggested I changed pass to inspect.

I believe it was a silly mistake made by me , i did not put match protocol dns now I insert it in class map & everything back on track.

Here is my config kindly check it & please tell me if anything else is wrong with it

Thanks again

=========================================

N-ROUTER#sh running-config | section class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

match protocol dns

N-ROUTER#sh running-config | section policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_IN_TO_OUT

inspect

class class-default

drop log

N-ROUTER#s run | sec zone

zone security INSIDE

zone security OUTSIDE

zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE

service-policy type inspect POLICY_MAP_IN_TO_OUT

zone-member security OUTSIDE

zone-member security INSIDE

interface FastEthernet0/0

ip address x.x.x.x 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

end

interface FastEthernet0/1

ip address x.x.x.x 255.255.255.0

ip access-group TRAFFIC_SHAPE in

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

end

Problem with Zone_based Firewall

Harish Balakrishnan — Mon, 08 Oct 2012 09:20:28 GMT

Hello Sarbjit,

Could you remove the ACL TRAFFIC_SHAPE from the interface f0/1 as zone based firewall and acl are not advisable to use together

regards

Harish.

Problem with Zone_based Firewall

Sabby0115 — Tue, 09 Oct 2012 10:05:43 GMT

Hello

I removed the acl & checked it is working fine but I have proxy server configure inside my network & I am using that access list to block uncontrolled users it is just one one allowed statement...

one more thing after configuring ios firewll i have notice that my sip link is not working. which is configured on PBX (panasonic). but if i am using same sip link from my mobile (connected to wireless) it is working... any idea?

Ip access-list ext TRAFFIC_SHAPE

permit tcp host x.x.x.x any eq www

Pls suggest will it ok to use or not?

Problem with Zone_based Firewall

Harish Balakrishnan — Tue, 09 Oct 2012 10:25:33 GMT

Hello

For SIP to work, you can modify the class map to accomodate

match protocol sip

regarding the proxy you can achive this with the following

access-list 100 permit ip host any

access-list 100 deny ip any any

class-map type inspect match-all NEW_CLASS

match class-map CLASS_MAP_IN_TO_OUT

match access-group 100

policy-map type inspect POLICY_MAP_IN_TO_OUT

no class type inspect CLASS_MAP_IN_TO_OUT

class-map type inspect match-all NEW_CLASS

inspect

.. and you should be done

please rate all helpful post!

Harish.

Re: Problem with Zone_based Firewall

Sabby0115 — Tue, 09 Oct 2012 11:22:39 GMT

hello

Sorry I am troubling you

I think this is typo class-map type inspect match-all NEW_CLASS it should be class class type inspect NEW_CLASS

====

match protocol sip

i already configured, but as i mentioned it is working on cell phones but it is not working from PBX.....

====

as i understand, is it gouping the multiple class-maps under another class-map?

Thanks for you kind help

Problem with Zone_based Firewall

Harish Balakrishnan — Tue, 09 Oct 2012 11:56:31 GMT

hello Sarbjit,

No problem at all...

no it is not a typo.. it should be like that only.. yes they are nested class maps and new class map with match all tag..

regarding SIP .. Not sure.. why it is broken.. i have faced the issue in ASA but after disabling the inspection it got worked.. what you can do here is to create another access list that matches SIP device IP and create another class map and call that as the first class map in policy map then 'pass' it instead of 'inspect'.. but then you need to have another policy map in outside- inside direction to allow the retun traffic to the SIP

hope this helps

Harish.

Re: Problem with Zone_based Firewall

Sabby0115 — Tue, 09 Oct 2012 14:07:10 GMT

kindly chk my config.....& pls make the changes if requried

sh run | sec policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_TORRENT

drop log

class type inspect PROXY_CLIENTS

inspect

class type inspect CLASS_MAP_IN_TO_OUT

inspect

class class-default

drop log

sh run | sec class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

match protocol dns

match protocol sip

match protocol stun

class-map type inspect match-any CLASS_MAP_TORRENT

match protocol bittorrent

match protocol kazaa2

match protocol edonkey

match protocol gnutella

match protocol winmx

match protocol rtsp

match protocol realmedia

match protocol streamworks

match protocol fasttrack

class-map type inspect match-all PROXY_CLIENTS

match class-map CLASS_MAP_IN_TO_OUT

match access-group 101

Thanks