topic Open up firewall reflexive in Network Security

Open up firewall reflexive

Tommy Svensson — Mon, 11 Mar 2019 20:25:30 GMT

Hi.

I want the inside of my network to be allowed to do anything and the firewall to open up ports reflexive when the traffic goes out.

If i want to use ssh to an external IP address i have to put in the following:

ip access-list extended STANDARD_IN_PERMIT

permit tcp any eq 22 any

Without this it wont work, below is a part of my running config

class-map type inspect match-any STANDARD
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
match protocol ssh

ip access-list extended STANDARD_IN_PERMIT
permit tcp any host 192.168.98.63 eq www
permit tcp any host 192.168.98.63 eq 443
permit tcp any host 192.168.98.53 eq www
permit tcp any host 192.168.98.53 eq 666
permit tcp any host 192.168.98.52 eq 22
permit tcp any host 192.168.98.52 eq smtp
permit tcp any host 192.168.98.52 eq www
permit tcp any host 192.168.98.52 eq 143
permit tcp any host 192.168.98.52 eq 10000
permit tcp any host 192.168.98.52 eq 20000
permit tcp any host 192.168.98.61 eq 22
permit tcp any host 192.168.98.61 eq www
permit tcp any host 192.168.98.61 eq domain
permit tcp any host 192.168.98.61 eq 10000
permit tcp any host 192.168.98.2 eq 443
permit tcp any host 192.168.98.2 eq 987
permit tcp any host 192.168.98.2 eq smtp
permit tcp any host 192.168.98.50 eq 9101
permit tcp any host 192.168.98.50 eq 9102
permit tcp any host 192.168.98.50 eq 9103
permit tcp any host 10.10.20.10 eq 443
permit tcp any host 10.10.20.10 eq 587
permit tcp any host 10.10.20.10 eq smtp
permit udp any host 10.10.20.10 eq 443
permit udp any host 10.10.20.10 eq 25
permit tcp any host 192.168.98.146 eq 873
permit tcp any host 192.168.98.210 eq 587
permit tcp any host 192.168.98.210 eq smtp
permit tcp any host 192.168.98.210 eq www

ip access-list extended STANDARD_OUT_PERMIT
permit ip any any

policy-map type inspect STANDARD
class type inspect STANDARD
inspect
class type inspect STANDARD_OUT_PERMIT
pass
class class-default
drop

policy-map type inspect STANDARD_IN
class type inspect STANDARD_IN_PERMIT
pass
class class-default
drop

zone security WAN_ZONE
zone security VLAN1_ZONE

zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
service-policy type inspect STANDARD_IN
zone-pair security VLAN1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect STANDARD

Re: Open up firewall reflexive

Jennifer Halim — Tue, 26 Apr 2011 09:20:30 GMT

The action for class-map "STANDARD_OUT_PERMIT" should be "inspect" not "pass".

Pass will only allow traffic to pass in 1 direction.

Inspect will inspect the traffic in one direction and allow the return traffic from the same session to pass through.

Re: Open up firewall reflexive

Tommy Svensson — Tue, 26 Apr 2011 09:55:26 GMT

What does :class-map type inspect match-any STANDARD
match protocol ssh

do then?

I thought this was for outgoing traffic to open up a path back to the host.

Re: Open up firewall reflexive

Jennifer Halim — Tue, 26 Apr 2011 12:17:40 GMT

Actually, yes, you are right. But why do you create 2 class-map? In any case, the second class-map should really have the action as "inspect" anyway, not "pass"

Re: Open up firewall reflexive

Tommy Svensson — Tue, 26 Apr 2011 12:32:13 GMT

I created the second class map due to that the first does not have the options to match all protocols that i want to, for example remote desktop protocol on port 3389. Either way, the traffic is supposed to use the first Class map and match on protocol ssh witch then should allow the packet and open a path back to the host, why is this not accomplished?

Regards Tommy Svensson

Re: Open up firewall reflexive

Jennifer Halim — Tue, 26 Apr 2011 12:39:51 GMT

When did you add the match protocol ssh? Have you added that after you tried to pass the SSH traffic through? and it could have matched the second class-map first, hence it's not working.

We need to troubleshoot this further, without any data, I won't be able to tell you why it's not matching the first class-map.

Can you clear all the connection and see if it matches the SSH class map?

Also check the output of "show policy-map type inspect zone-pair" and "show policy-map type inspect zone session"

Re: Open up firewall reflexive

Tommy Svensson — Tue, 26 Apr 2011 14:29:57 GMT

Hello again, your tip is working fine, just one issue.

When i change the

class type inspect STANDARD_OUT_PERMIT
pass

class type inspect STANDARD_OUT_PERMIT
inspect

the site on
ip nat inside source static tcp 192.168.98.53 80 212.181.79.196 80 extendable
stops working. It can not be accessible externally any more. One other thing is that remote desktop into the network isnt working niether with this setup. All other works well as of now so its just these issues.

Regards Tommy Svensson

Re: Open up firewall reflexive

Jennifer Halim — Wed, 27 Apr 2011 00:11:38 GMT

Same goes for "STANDARD_IN_PERMIT" class-map, the action should also be "inspect" instead of "pass" as pass will only allow it in one direction, not the return traffic.