topic Re: Zone based Firewall --DMZ in Network Security

Zone based Firewall --DMZ

brendanhoran — Mon, 11 Mar 2019 18:12:47 GMT

Hi all,

I am very new to Cisco, and routing/ firewalls in general.
I brought my self a Cisco 1812. Its connected via Fe/0 to an ADSL modem in pure bridge mode. So the 1812 is doing all the PPP auth.
I've been following this guide Zone-Based Policy Firewall Design and Application Guide . So far I've got everything set up. PPP works, F/W works I have a single port forward working and I've port scanned the router to ensure that only the ports I've allowed are open.
I am quite stuck now. I have created a DMZ zone. I have allowed SSH and HTTPS from my LAN-zone into my DMZ-zone. This works with out a hitch. The dmz is on a diffrent subnet. and hangs off Fa/6.
Where I am suck is I want full access from the WAN-zone into the DMZ-zone. I can't seem to get this to work.
Each host in the DMZ hsa there own firewall so I don't want the Cisco to do anything.

I have attached my current runnign config.

Thanks

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Sat, 17 Jul 2010 14:19:39 GMT

i havent read the config, but i think one option is putting both the wan and dmz in the same zone, so the firewall wont do anything to block the traffic as traffic is permitted between interfaces belonging to same zone

Re: Zone based Firewall --DMZ

brendanhoran — Sun, 18 Jul 2010 02:16:30 GMT

I though under ZBF, that only one interfacce can be assigned to any one zone.

So I don't quite understand how I would place Fe/0 and Fe/6 Into the same zone.

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Sun, 18 Jul 2010 06:37:39 GMT

pretty much the same way as u placed other interfaces in zones

for eg

u must have done the following

int fe0/0

zone-member security public

now all u need to do is

int fe0/6

zone-member security public

hoping that both of these are L3 interfaces

Re: Zone based Firewall --DMZ

brendanhoran — Sun, 18 Jul 2010 07:15:57 GMT

Still a little confused.

I've used vlans, hopfully this won't make much of a diffrance.

The below listing only has Security zones, all other info I sniped out.

So :-
!

interface Dialer0

zone-member security WAN
!
interface Vlan90
zone-member security DMZ

interface Vlan10
zone-member security LAN

Are you saying I need to change Vlan90 to WAn, rahter then DMZ. If so how do I set up access from some internal hosts to the "dmz" hosts that will be in the WAN zone?

Thanks,

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Sun, 18 Jul 2010 07:26:00 GMT

i would say that it is definately worth a shot,

you can out it in wan

now to permit your dmz networks to access your lan you can use access-list

or if you do not want to do this

setup a zone-pair between wan and dmz and permit everything using access-list

if its still confusing you can paste the snippet which has class-map, policy-map and zone-pair config, i can look it up and advise suitably

Re: Zone based Firewall --DMZ

brendanhoran — Sun, 18 Jul 2010 07:59:51 GMT

I'll give it a shot.

I still don't quite understand thoug
I currently have a zone pair for LAN-DMZ access, this works fine

!
zone-pair security LAN-to-DMZ source LAN destination DMZ
service-policy type inspect LAN-to-DMZ-policy
!
policy-map type inspect LAN-to-DMZ-policy
class type inspect L7-inspect-class
inspect
!
class-map type inspect match-any L7-inspect-class
match protocol ssh
match protocol http
match protocol https

I also set up a policy map to match an ACL for the DMZ to WAN

class-map type inspect match-any DMZ-class
match access-group 130

!
policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
pass
class class-default
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

I don't quite understand why this is not working. I know SSH,HTTP and HTTPS work from LAN to DMZ, but why can DMZ to WAn any to any work?

If i was to change teh DMZ zone of Vlan90 to WAN, I would need to change my LAN-DMZ policy to LAN to WAN ?

Thanks

Re: Zone based Firewall --DMZ

Mohamed Sobair — Sun, 18 Jul 2010 14:18:41 GMT

Hi,

When Zone based Firewall configurec, traffic between different Zone members are blocked by default, I suggest you configure another Zone pair allowing traffic from WAN to DMZ as bellow:

zone-pair security WAN-to-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy

class-map type inspect match-any DMZ-class
match access-group 130

policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class

inspect

access-list 130 remark DMZ access all
access-list 130 permit ip any any

With the above config, traffic from WAN to DMZ are also allowed just as it was setup from the LAN to DMZ.

HTH

Mohamed

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Sun, 18 Jul 2010 16:45:36 GMT

wht mohamed says is correct

but just please keep in mind if you want the traffic to be initiated from dmz to wan you will need another zone-pair with source as dmz and destination as wan

Re: Zone based Firewall --DMZ

brendanhoran — Sun, 18 Jul 2010 22:30:03 GMT

Thanks Mohamed,

I think this is right?

zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect WAN-to-DMZ-policy
!

policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
pass
class class-default
!

class-map type inspect match-any DMZ-class
match access-group 130
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

If thats right... Then i must have something else wrong as my machine in the DMZ still cna't access any services on the internet.

Quick question, the default gateway on machines on the Vlan90 should be 192.168.90.254 (fe/6) or should it be 192.168.0.254 (fe/1)?

Thanks

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Mon, 19 Jul 2010 04:29:00 GMT

as i said before for dmz to internet you will need one more zone-pair with source as dmz and destination as wan and the rest can be same, as in you can permit everything and inspect traffic

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Mon, 19 Jul 2010 04:34:54 GMT

i see you already have it

so what you can do is you can enale this command and it will show you if the firewall is dropping any packet

ip inspect log drop-pkt

eneter this command and see the logs

as far as the default gateway is concerned it will be the interface in vlan 90

Re: Zone based Firewall --DMZ

brendanhoran — Mon, 19 Jul 2010 05:22:03 GMT

Ok Looks like its dropping traffic.

From the log :-

%FW-6-DROP_PKT: Dropping dns pkt 192.168.90.250:35063 => 192.231.203.3:53

192.168.90.220, is my host on the Vlan 90.

192.231.203.3 is my ISP's DNS server.

Question now is why and how do I find out why?

Thanks

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Mon, 19 Jul 2010 05:29:37 GMT

just to clarify, these hosts were able to access internet before implementing the firewall right???

so if its an dns issue you should be able to ping to anything in internet using ip address, or you should be able to access websites using their ip address

74.125.19.103, 74.125.19.147, 74.125.19.104, 74.125.19.99

my nslookup for google gave me the following ip, can you try the following from browser

http://74.125.19.103

Re: Zone based Firewall --DMZ

brendanhoran — Mon, 19 Jul 2010 05:36:53 GMT

jathaval,

The host used to be on the Vlan 10, Ping,dns ect all worked fine as they do for any host on the Vlan10.

Vlan10 is firewalled. I need this host to be in the DMZ. So i moved this host into Vlan90.

Now it can not communicat with any hosts on the internet.

If I try ping 74.125.19.103 from the host on Vlan90, I get nothing. Nothing in the logs, Nothing happens on the host.

Thanks

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Mon, 19 Jul 2010 05:57:38 GMT

will it be possible for you to attach the config, so that we can look at the whole config

to isolate the issue further you can disable firewall on wan and dmz for a min by removing the zone security command and try to get to internet from dmz hosts, but be careful as you will end up disturbing traffic from lan to wan

so wht u can do is for a min you can remove zone security commands from all interfaces and test dmz-wan connectivity

i understand tihs might not be possible, so if its ok with you could you please attach the config so that we can take a look at everything

Re: Zone based Firewall --DMZ

brendanhoran — Mon, 19 Jul 2010 06:04:31 GMT

jathaval,

Config is attached to my orignal post, in a zip file.

I can not pull the firewall off, its a PROD enviroment. Anything else I can try?

Re: Zone based Firewall --DMZ

Jitendriya Athavale — Mon, 19 Jul 2010 06:17:03 GMT

you do not have ip nat inside on vlan 90

and also include this network in 101 acl

Re: Zone based Firewall --DMZ

brendanhoran — Mon, 19 Jul 2010 09:06:20 GMT

Solved
As soon as I added the ip nat inside and updated ACL 101 it worked!

Its always the simple things, its a learning experience after all.

Thanks everyone.

Re: Zone based Firewall --DMZ

Mohamed Sobair — Mon, 19 Jul 2010 10:33:50 GMT

Brendan,

Glad its solved, Just a quick answer to your previous example:

You wrote:

Thanks Mohamed,

I think this is right?

!
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect WAN-to-DMZ-policy
!
policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
pass
class class-default
!
class-map type inspect match-any DMZ-class
match access-group 130
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

If thats right... Then i must have something else wrong as my machine in the DMZ still cna't access any services on the internet.
Quick question, the default gateway on machines on the Vlan90 should be 192.168.90.254 (fe/6) or should it be 192.168.0.254 (fe/1)?

If you set the pass action on the policy map , then you have to create another pair and policy that permits the return traffic from DMZ to WAN. otherwise, my example should solve your problem if you need WAN Access to DMZ which will inspect the traffic and will permit the return traffic as its stateful.

HTH

Mohamed