Zone Base Firewall and wccp issue

gaboughanem — Mon, 11 Mar 2019 19:55:29 GMT

Hello,

i have a 2811 router with IOS 12.4(15)T10 where wccp enabled on the router to divert the traffic to waas appliance.

recently i add the Zone base firewall configuration, but caused some problems from communication from outside traffic.

if wccp alone is enable all communication work fine, if ZBF is enabled alone also all communication works fine.

But when both features are enabled, some traffic coming from outside stops. i had to create an access-list called waas and bind it to

wccp "ip wccp 62 redirect-list waas" and "ip wccp 61 redirect-list waas" in order to stop sending these traffic waas.

This is not the solution at all because i am exempting traffic from compression.

Please note there is no problem from inside to outside traffic

anybody has an idea on how to solve this problem, by enabling ZBF and wccp(without the exemptions) .

Please find below part of the configuration :

ip wccp 61 redirect-list waas
ip wccp 62 redirect-list waas

!
ip inspect log drop-pkt
ip inspect WAAS enable
!

parameter-map type inspect sgblmap
audit-trail on
tcp window-scale-enforcement loose
sessions maximum 2147483647
!
crypto isakmp policy 10
encr 3des
hash md5
authentication rsa-encr
!
!
crypto ipsec transform-set sgbl esp-3des esp-md5-hmac
!

crypto map ho1 10 ipsec-isakmp
set peer 10.5.23.1
set transform-set sgbl
match address ho
qos pre-classify

class-map type inspect match-any ZBF_IN_TO_OUT
match protocol tcp
match protocol icmp
match protocol udp
match protocol h323
match protocol h323callsigalt
class-map type inspect match-any ZBF_OUT_TO_IN
match access-group name mgmtIN

policy-map type inspect ZBF_IN_TO_OUT
class type inspect ZBF_IN_TO_OUT
inspect
class class-default

policy-map type inspect ZBF_OUT_TO_IN
class type inspect ZBF_OUT_TO_IN
inspect sgblmap
class class-default
!
zone security inside
description LAN2OUTSIDE
zone security outside
description WAN2INSIDE
zone-pair security ZBF_IN_TO_OUT source inside destination outside
service-policy type inspect ZBF_IN_TO_OUT
zone-pair security ZBF_OUT_TO_IN source outside destination inside
service-policy type inspect ZBF_OUT_TO_IN
!
!
!
interface Loopback0
ip address 10.23.23.5 255.255.255.0
!
interface FastEthernet0/0
description link to 2960 switch
no ip address
ip route-cache flow
delay 1
duplex full
speed 100

interface FastEthernet0/0.10
description MGMT VLAN
encapsulation dot1Q 10
ip address 10.10.23.4 255.255.255.0
ip wccp 61 redirect in
ip wccp 62 redirect out
zone-member security inside
!
interface FastEthernet0/0.20
description WAAS VLAN
encapsulation dot1Q 20
ip address 10.20.23.4 255.255.255.0
ip wccp redirect exclude in
zone-member security inside
standby 20 ip 10.20.23.1
standby 20 priority 120
standby 20 preempt

!
interface FastEthernet0/0.77
description ROUTING VLAN
encapsulation dot1Q 77
ip address 10.77.23.4 255.255.255.0
ip access-group ethernetIN-new in
ip wccp 61 redirect in
ip wccp 62 redirect out
zone-member security inside
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description Connection to HQ (GDS)
no ip address
no ip unreachables
encapsulation frame-relay
load-interval 30
frame-relay traffic-shaping
frame-relay lmi-type cisco
!
interface Serial0/0/0.1 point-to-point
bandwidth 256
ip address 10.5.23.2 255.255.255.252
no ip redirects
no ip proxy-arp
zone-member security outside
snmp trap link-status
frame-relay interface-dlci 123
class mc-256
frame-relay ip rtp header-compression
crypto map ho1

!
interface Async1
bandwidth 9
ip unnumbered FastEthernet0/0.10
ip access-group ASYNC_OUT out
zone-member security outside
encapsulation ppp
dialer in-band
dialer idle-timeout 60
dialer wait-for-carrier-time 60
dialer hold-queue 100
dialer-group 1
async dynamic routing
async mode dedicated
routing dynamic

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Async1 100

ip access-list extended ethernetIN-new
permit tcp host 10.2.23.254 eq 3389 host 10.0.134.1
permit tcp 10.22.23.0 0.0.0.255 host 10.0.1.194 eq 443
permit tcp 10.22.23.0 0.0.0.255 host 10.0.1.196 eq 443
permit tcp 10.22.23.0 0.0.0.255 eq 5000 host 10.0.1.80
permit tcp 10.22.23.0 0.0.0.255 eq 1494 192.82.134.32 0.0.0.31
permit tcp 10.4.23.0 0.0.0.255 host 10.0.1.65 eq 88
permit tcp host 10.2.23.253 host 10.0.1.65 eq 389
permit tcp host 10.2.23.253 host 10.0.1.65 eq 3268
permit tcp host 10.4.23.254 host 10.0.1.98 eq 5989
permit tcp host 10.4.23.254 eq 5989 host 10.0.1.98
permit tcp host 10.4.23.254 eq 8333 host 10.0.1.98
permit tcp host 10.4.23.254 eq 902 host 10.0.1.98
deny   udp any eq netbios-ns any
deny   icmp any any
deny   ip any any

ip access-list extended mgmtIN
permit ip 10.0.2.0 0.0.0.255 any
permit tcp host 10.0.134.1 host 10.2.23.254 eq 3389
permit tcp any any eq 1720
permit tcp any eq 1720 any
permit udp any any range 16384 32767
permit tcp 10.0.2.0 0.0.0.255 host 10.2.23.200 eq 5012
permit tcp 10.0.134.0 0.0.0.7 10.10.23.0 0.0.0.7 eq telnet
permit tcp host 10.4.0.31 host 10.3.23.2 eq ftp
permit tcp host 10.4.0.31 host 10.3.23.2 eq ftp-data
permit tcp 10.0.134.0 0.0.0.7 10.10.23.0 0.0.0.7 eq 22
permit icmp any any echo
permit icmp any any echo-reply
permit tcp host 10.0.1.190 any
permit udp host 10.0.1.132 10.10.23.0 0.0.0.7 eq 160
permit udp host 10.0.1.132 10.10.23.0 0.0.0.7 eq snmp
permit udp host 10.0.1.190 10.10.23.0 0.0.0.7 eq snmp
permit udp host 10.0.1.190 10.10.23.0 0.0.0.7 eq 160
deny ip any any

ip access-list extended waas
deny   ip any host 10.15.23.111
deny   tcp host 10.0.134.1 host 10.2.23.254 eq 3389 log
deny   tcp 10.0.136.0 0.0.0.255 host 10.2.23.254 eq 3389
deny   tcp 10.0.136.0 0.0.0.255 host 10.2.23.254 range 135 139
deny   tcp 10.0.136.0 0.0.0.255 host 10.2.23.254 eq 445
deny   tcp host 10.0.1.98 host 10.4.23.254 eq 3389
deny   ip host 10.0.1.98 host 10.4.23.254
deny   tcp host 10.0.1.98 host 10.4.23.254 eq 445
deny   tcp host 10.0.1.98 host 10.4.23.254 range 135 139
deny   tcp 10.0.136.0 0.0.0.255 host 10.2.23.253 eq 1801
deny   tcp 10.0.136.0 0.0.0.255 host 10.2.23.253 eq www
permit ip any any
!

Regards,

George

Re: Zone Base Firewall and wccp issue

PAUL GILBERT ARIAS — Wed, 23 Feb 2011 18:46:00 GMT

have you cheked your logs to see if the drop is caused by ZFW?

Re: Zone Base Firewall and wccp issue

gaboughanem — Wed, 23 Feb 2011 19:24:47 GMT

hello,

Yes i have checked the logs and there are no drop logs seen on the router.

As i mentioned that the problem is the traffic from outside, binded by access-list mgmtIN are dropped although i cannot see the logs.

If i disable wccp, everthing works fine without any problem.

Thank you and Regards,

George

topic Zone Base Firewall and wccp issue in Network Security

Zone Base Firewall and wccp issue

Re: Zone Base Firewall and wccp issue

Re: Zone Base Firewall and wccp issue