topic Re: Zone-based firewall blocks DNS replies, even though configur in Network Security

Zone-based firewall blocks DNS replies, even though configured to allow

jimwillsher — Mon, 11 Mar 2019 19:04:45 GMT

Hi all,

IOS 15.1, Cisco 877.

I have a rpoblem with zone-based firewalls. With my current configuration, if I use the router as a DNS server then DNS replies get blocked by the firewall, even though I've explicity allowed them. This is true if I ping an external domain from the router, and also if I ping an external domain from the LAN whilst having my DNS pointing to the router.

Immediately after executing the ping, this gets logged:

Dropping udp session <OpenDNS IP>:53 <my external IP>:58259 on zone-pair OutsideToRouter class class-default due to DROP action found in policy-map with ip ident 0

Changing the class-default on pm-OutsideToRouter to pass allows DNS to work correctly.

My config is below, with the key lines in bold.

Many thanks,

Jim

!
! Last configuration change at 15:55:15 BST Fri Oct 22 2010 by xx
!
version 15.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
!
hostname Cisco877
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.151-2.T1.bin
boot-end-marker
!
!
logging buffered 16386
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
!
!
!
aaa session-id common
!
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
no ip cef
ip domain name willsher.local
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip port-map user-PassiveFTP port tcp from 50000 to 50050 description Passive FTP
ip port-map user-BNIRDP port tcp xxxxx description BNI Remote Desktop
ip port-map user-RDP port tcp 3389 description Terminal Services
ip port-map user-ExtraSMTP port tcp yyyyy description Additional SMTP Listener
ip inspect log drop-pkt
ip inspect WAAS flush-timeout 10
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
!
parameter-map type inspect global
log dropped-packets enable
parameter-map type inspect pmap-audit
audit-trail on
!
!
archive
log config
hidekeys
object-group network og-L1-DNS-Servers
description Allowed external DNS servers
host 208.67.222.222
host 208.67.220.220
!
object-group network og-L1-Mermaid
description Mermaid
host xx.xx.104.xxx
!
object-group network og-L1-NTP-Servers
description Allowed external NTP servers
host 129.6.15.28
!
object-group network og-L1-Perth
description Perth
host xx.xx.152.XXX
!
object-group network og-L1-Cub
description Cub (Main)
host 109.224.143.242
!
object-group network og-L1-Cub-TS
description Cub (TS)
host 109.224.143.242
!
object-group network og-L2-Allow-SSH
description Allow SSH to router from these external hosts
group-object og-L1-Mermaid
group-object og-L1-Perth
group-object og-L1-Cub-TS
!
username vpn-xx password 7 xx
username vpn-xx password 7 xx
username xx privilege 15 secret 5 $1$xx$xx.
!
!
ip ssh version 2
!
track 10 ip sla 10 reachability
delay down 180 up 10
!
track 20 ip sla 20 reachability
delay down 180 up 10
!
class-map type inspect match-any cm-Allow-SSH
description Allow SSH access to router
match access-group name acl-Allow-SSH
class-map type inspect match-any cm-ExtVisBNIProtocols
description Externally visible protocols on the BNI VPC
match protocol user-BNIRDP
class-map type inspect match-any cm-AllowedOut
description Permitted Traffic to internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any cm-ExtVisWebserverProtocols
description Externally visible protocols on the Webserver
match protocol http
match protocol https
match protocol pop3s
match protocol user-ExtraSMTP
match protocol user-PassiveFTP
match protocol ftp
match protocol smtp
class-map type inspect match-all cm-PPTP-Passthrough
match access-group name acl-PPTP-Passthrough
class-map type inspect match-all cm-ICMP-Request
description Only certain pings permitted to router
match access-group name acl-ICMP-Request
match protocol icmp
class-map type inspect match-all cm-ICMP-Reply
description Only certain pings permitted to router
match access-group name acl-ICMP-Reply
class-map type inspect match-all cm-ExtVisBNIServices
description Externally-visible protocols headed to BNI VPC
match access-group name acl-BNI_VPC
match class-map cm-ExtVisBNIProtocols
class-map type inspect match-all cm-PPTP-Terminated-Traffic
match access-group name acl-PPTP-Terminated
class-map type inspect match-all cm-ExtVisWebserverServices
description Externally-visible protocols headed to webserver
match class-map cm-ExtVisWebserverProtocols
match access-group name acl-WebServer
class-map type inspect match-all cm-Allow-NTP-Replies
description Allow NTP replies
match access-group name acl-Allow-NTP-Replies
match protocol ntp
class-map type inspect match-all cm-Allow-DNS-Replies
description Allow DNS replies
match access-group name acl-Allow-DNS-Replies
match protocol dns
!
!
policy-map type inspect pm-RouterToInside
description Router to LAN
class class-default
pass
policy-map type inspect pm-InsideToRouter
description LAN to router
class class-default
pass
policy-map type inspect pm-InsideToOutside
description LAN to Internet
class type inspect cm-AllowedOut
inspect
class type inspect cm-PPTP-Passthrough
pass
class class-default
drop log
policy-map type inspect pm-OutsideToInside
description Internet to LAN (server)
class type inspect cm-ExtVisBNIServices
inspect
class type inspect cm-ExtVisWebserverServices
inspect
class type inspect cm-Allow-NTP-Replies
inspect pmap-audit
class type inspect cm-PPTP-Passthrough
pass
class type inspect cm-Allow-DNS-Replies
pass
class class-default
drop log
policy-map type inspect pm-OutsideToRouter
class type inspect cm-Allow-NTP-Replies
pass
class type inspect cm-Allow-SSH
pass
class type inspect cm-ICMP-Reply
pass
class type inspect cm-PPTP-Terminated-Traffic
pass
class type inspect cm-ICMP-Request
inspect
class type inspect cm-Allow-DNS-Replies
pass
class class-default
drop log
policy-map type inspect pm-RouterToOutside
description Router to internet
class type inspect cm-PPTP-Terminated-Traffic
pass
class class-default
pass
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect pm-InsideToOutside
zone-pair security RouterToInside source self destination Inside
service-policy type inspect pm-RouterToInside
zone-pair security InsideToRouter source Inside destination self
service-policy type inspect pm-InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
service-policy type inspect pm-OutsideToRouter
zone-pair security RouterToOutside source self destination Outside
service-policy type inspect pm-RouterToOutside
zone-pair security OutsideToInside source Outside destination Inside
service-policy type inspect pm-OutsideToInside
!
!
!
!
!
!
!
interface ATM0
description ADSL Connection
no ip address
no atm ilmi-keepalive
dsl enable-training-log
dsl bitswap both
hold-queue 200 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly in
zone-member security Inside
peer default ip address pool VPNPOOL
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
!
interface Vlan1
description An Teallach LAN
ip address 192.168.0.252 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1452
hold-queue 100 in
hold-queue 100 out
!
interface Dialer0
bandwidth inherit
ip address negotiated
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
ip tcp header-compression iphc-format
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xx@xx.xx.co.uk
ppp chap password 7 xx
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
ip rtp header-compression iphc-format
!
ip local pool VPNPOOL 192.168.1.251 192.168.1.253
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.50 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.50 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.50 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.50 995 interface Dialer0 995
ip nat inside source static tcp 192.168.1.50 yyyyy interface Dialer0 yyyyy
ip nat inside source static tcp 192.168.1.50 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.50 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.20 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.65 xxxxx interface Dialer0 xxxxx
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list standard Allowed_SNMP
ip access-list standard acl-NAT-Ranges
remark Define NAT internal ranges
permit 192.168.1.0 0.0.0.255
permit 192.168.9.0 0.0.0.255
!
ip access-list extended acl-Allow-DNS-Replies
permit udp object-group og-L1-DNS-Servers any eq domain
ip access-list extended acl-Allow-NTP-Replies
permit udp object-group og-L1-NTP-Servers any eq ntp
ip access-list extended acl-Allow-SSH
remark Allow SSH from these external hosts
permit tcp object-group og-L2-Allow-SSH any eq 22
ip access-list extended acl-BNI_VPC
remark Traffic to BNI VPN
permit ip any host 192.168.1.65
ip access-list extended acl-ICMP-Reply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-reply
ip access-list extended acl-ICMP-Request
permit icmp any any echo
ip access-list extended acl-PPTP-Passthrough
permit gre any any
ip access-list extended acl-PPTP-Terminated
permit gre any any
permit tcp any any eq 1723
ip access-list extended acl-SSH-Port
permit tcp any any eq 22
ip access-list extended acl-WebServer
remark Traffic to Webserver
permit ip any host 192.168.1.50
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Vlan1
threshold 3000
timeout 3000
frequency 10
ip sla schedule 10 life forever start-time after 00:10:00
ip sla 20
icmp-echo 208.67.222.222 source-interface Vlan1
threshold 3000
timeout 3000
frequency 10
ip sla schedule 20 life forever start-time after 00:10:00
ip access-list logging interval 10
logging esm config
logging trap debugging
logging facility local6
logging 192.168.1.50
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community XXX RW Allowed_SNMP
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 0 0
privilege level 15
length 40
width 160
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp logging
ntp master
ntp server 129.6.15.28
time-range WEEKDAY
periodic weekdays 8:00 to 18:00
!
event manager applet ema-ADSL-Down
event tag PingDown1 track 10 state down
event tag PingDown2 track 20 state down
trigger
correlate event PingDown1 and event PingDown2
action 10 syslog msg "********** WARNING! ADSL Line Down! **********"
action 20 reload
event manager applet ema-ADSL-Up
event tag PingUp1 track 10 state up
event tag PingUp2 track 20 state up
trigger
correlate event PingUp1 or event PingUp2
action 10 syslog msg "********** ADSL Line UP **********"
!
end

Re: Zone-based firewall blocks DNS replies, even though configur

Panos Kampanakis — Thu, 04 Nov 2010 18:32:18 GMT

You are probably not matching that class that passes dns. And the reason is that your ACL is wrong. Change it to

ip access-list extended acl-Allow-DNS-Replies
permit udp object-group og-L1-DNS-Servers eq domain any <----og-L1-DNS-Servers should be matching the OpenDNS ip address

I suggest to change the class-map also

class-map type inspect match-all cm-Allow-DNS-Replies
description Allow DNS replies
match access-group name acl-Allow-DNS-Replies
match protocol dns <-------- remove this no need for it

I hope it helps.

Re: Zone-based firewall blocks DNS replies, even though configur

jimwillsher — Thu, 04 Nov 2010 19:58:12 GMT

Many thanks pk. Unfortunate that OG *is* matching the OpenDNS servers, and removing the match line didn't work.

Thank you for taking the time to reply though.

Jim

Re: Zone-based firewall blocks DNS replies, even though configur

Panos Kampanakis — Thu, 04 Nov 2010 20:24:49 GMT

Note the port. The source port of the dns reply should be 53, not the destination

permit udp object-group og-L1-DNS-Servers eq domain any

Did it help?

Re: Zone-based firewall blocks DNS replies, even though configur

jimwillsher — Thu, 04 Nov 2010 20:31:57 GMT

Hmmm....yes, actually it did. It worked Thank you!

But why

Shouldn't the packets be returning back to the source port of 53?

Jim

Re: Zone-based firewall blocks DNS replies, even though configur

Panos Kampanakis — Thu, 04 Nov 2010 20:47:34 GMT

You were passing a packet from the server to any destined to port 53.

But it was a packet source from the server and port 53 and destined to anything. The dns reply is sourced from port 53, the dns request is destined to 53.

Please mark this as answere for other people's benefit.

Re: Zone-based firewall blocks DNS replies, even though configur

jimwillsher — Thu, 04 Nov 2010 22:13:54 GMT

Gotcha Thank you! Can;t believe I missed that

Ok,, i just changed my ACL to this:

ip access-list extended acl-Allow-DNS-Replies
permit udp object-group og-L1-DNS-Servers eq domain any

from this

ip access-list extended acl-Allow-DNS-Replies
permit udp object-group og-L1-DNS-Servers any eq domain

and it works. So yes, I was lookigng for packets return TO port 53 instead of FROM 53. Doh 🙂

Very much appreciated. Thank you.

Jim

Re: Zone-based firewall blocks DNS replies, even though configur

Panos Kampanakis — Thu, 04 Nov 2010 23:10:13 GMT

Take care,