topic Re: Zone-base-firewall configuration in Network Security

Zone-base-firewall configuration

slauzon — Mon, 11 Mar 2019 18:34:47 GMT

Hello,

I am tried to understand the zone-base-firewall. I am using it on a cisco 891 with ios c890-universalk9-mz.151-2.T1

With the current configuration, everything is working fin exept the trafic from the private zone to the Internet zone. My vpn tunnel are working, I can ping from the device behind the router on vlan1 to the Internet but traffic like http or dns aren't working and I can't see what could be the issue. Probably I don't understand exacly how the zone base firewall work. My private zone is vlan1 and the Internet is Gi0 and I nat from vlan1 to the Internet. I am separating the protocol in two group, layer 4 and layer 7. In the future I would like to apply only L4 between the private zone to the wan zone and L4 and L7 between the private zone to the Internet but for now I want to concentrate on the problem I have. Any idea what could be the issue?

firewall configuration
class-map type inspect match-any L4-inspect-class match protocol tcp match protocol udp match protocol icmp class-map type inspect match-any L7-inspect-class match protocol ssh match protocol ftp match protocol pop3 match protocol pop3s match protocol imap match protocol imap3 match protocol imaps match protocol smtp match protocol http match protocol https match protocol dns ! ! policy-map type inspect private-internet-policy class type inspect L7-inspect-class inspect class type inspect L4-inspect-class inspect class class-default drop log ! zone security private zone security internet zone-pair security private-internet source private destination internet service-policy type inspect private-internet-policy !

firewall configuration

class-map type inspect match-any L4-inspect-class
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any L7-inspect-class
match protocol ssh
match protocol ftp
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imap3
match protocol imaps
match protocol smtp
match protocol http
match protocol https
match protocol dns
!
!
policy-map type inspect private-internet-policy
class type inspect L7-inspect-class
inspect
class type inspect L4-inspect-class
inspect
class class-default
drop log
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-policy
!

Re: Zone-base-firewall configuration

praprama — Fri, 03 Sep 2010 16:20:20 GMT

Hi,

Please enable logging on the router and also the command "ip inspect log drop". In the syslogs you should now be able to see drops related to zone based firewall. Once this is odne, try accessing internet and see what logs pop up. Also, when trying to access the internet, please get the output of

show policy-map type inspect zone-pair private-internet sessions

Also, do you have a zone-pair for internet to private? what is the config of that policy-map? please paste the output of "show zone security" and "show zone-pair security" along with the above.

Regards,

Prapanch

Re: Zone-base-firewall configuration

Panos Kampanakis — Fri, 03 Sep 2010 16:25:13 GMT

Make sure your zones are configure properly on your interfaces.

Also if you are usinga loopback interface to nat the traffic going out the loopback need to be in the private zone.

I hope it helps.

Re: Zone-base-firewall configuration

slauzon — Fri, 03 Sep 2010 17:08:05 GMT

No I don't have a zone-pair from the Internet to private, I think by default the traffic from the Internet zone to the private will be inspected, Am I wrong?

Here is the info I got, I don't see any drop...

seblab001#show policy-map type inspect zone-pair private-internet sessions

policy exists on zp private-internet
Zone-pair: private-internet

Service-policy inspect : private-internet-policy

    Class-map: L7-inspect-class (match-any)
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3s
        7 packets, 224 bytes
        30 second rate 0 bps
      Match: protocol imap
        27 packets, 864 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imaps
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        9 packets, 288 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        321 packets, 14736 bytes
        30 second rate 0 bps

Inspect

      Number of Half-open Sessions = 6
      Half-open Sessions
        Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:29, Last heard 00:00:29
          Bytes sent (initiator:responder) [0:0]
        Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:10, Last heard 00:00:02
          Bytes sent (initiator:responder) [102:0]
        Session 85A7C480 (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
          Created 00:00:09, Last heard 00:00:02
          Bytes sent (initiator:responder) [136:0]
        Session 85A7C800 (192.168.140.74:64510)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:08, Last heard 00:00:00
          Bytes sent (initiator:responder) [99:0]
        Session 85A7F580 (192.168.140.74:64510)=>(4.2.2.3:53) dns:udp SIS_OPENING
          Created 00:00:07, Last heard 00:00:00
          Bytes sent (initiator:responder) [132:0]
        Session 85A7E780 (192.168.140.74:64314)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:00, Last heard 00:00:00
          Bytes sent (initiator:responder) [32:0]

    Class-map: L4-inspect-class (match-any)
      Match: protocol tcp
        1 packets, 32 bytes
        30 second rate 0 bps
      Match: protocol udp
        123 packets, 5343 bytes
        30 second rate 0 bps
      Match: protocol icmp
        22 packets, 880 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps

Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

seblab001#show zone security
zone self
Description: System defined zone

zone private
Member Interfaces:
Vlan1

zone internet
Member Interfaces:
GigabitEthernet0

zone wan

seblab001#show zone-pair security
Zone-pair name private-internet
Source-Zone private Destination-Zone internet
service-policy private-internet-policy

Re: Zone-base-firewall configuration

Diego Armando Cambronero Arias — Fri, 03 Sep 2010 20:22:39 GMT

Since you are Inspecting the traffic then yes the return traffic will be allowed. Im seeing that you have the private security zone associated with VLAN1 could you associate the private zone to a physical interface insteat.. just for testing.

Re: Zone-base-firewall configuration

Diego Armando Cambronero Arias — Fri, 03 Sep 2010 20:24:37 GMT

Please enable logging

IP INSPECT LOG DROP-PKT

Check the logs they will tell you who is blocking what.

Re: Zone-base-firewall configuration

Diego Armando Cambronero Arias — Fri, 03 Sep 2010 20:28:54 GMT

WHat happens if you remove the zone-member of the interfaces? If you still have the problem after removing them, then it's not the ZBF it something else

Re: Zone-base-firewall configuration

praprama — Sat, 04 Sep 2010 00:14:15 GMT

Hi,

Based on the output, i can see a number of sessions being created for DNS and one HTTP (Google's IP address):

Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:29, Last heard 00:00:29
          Bytes sent (initiator:responder) [0:0]
         Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:10, Last heard 00:00:02
           Bytes sent (initiator:responder) [102:0]
        Session 85A7C480 (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
           Created 00:00:09, Last heard 00:00:02
          Bytes sent (initiator:responder) [136:0]

Alaso, it can be seen from the bytes sent that we do not see anything from the server back. Well i am not blaming that the ISP is blocking something but i have seen before that if we have a zone-pair from inside to internet but no zone-pair from internet private, even though we inspect packets from provate to internet, traffic does not pass through.

To check what's going on, please enable logging and also "ip inspect log drop-pkt" and we can see logs.

Also, plese try creating just a zone-pair from internet-private and see if it make any difference.

Let me know how it goes!!

Thanks and Regards,

Prapanch