topic Re: ZBF - First attempt - No traffic flowing in Network Security

ZBF - First attempt - No traffic flowing

rhbmcse — Fri, 21 Feb 2020 16:23:08 GMT

Hi folks. My first attempt at configuring a ZBF on a 1117-4p ISR (I'm ccent studying for CCNA).

Prior to the ZBF commands being added to the running-config I was getting internet access (albeit with no security). Following this I get nothing - I can't PING, no web access, no DNS lookups which are the 3 types of traffic I'm initially allowing.

Not a massively complicated setup. I have no training on this but as I understand it, being stateful rules then return rules should not be required (should they) ?

In any case if anybody would be kind enough to look through my config and explain where I'm going wrong it would be massiv ely appreciated.

Script below. Cheers. Rob.

C1117ISR#sh run
Building configuration...

Current configuration : 5615 bytes
!
! Last configuration change at 09:15:14 GMT Tue Oct 23 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFgU$o3a79MhakpqV2vfDatrcHCxftZzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT -1 0
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!

!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01

quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username xxxxxxx privilege 15 password 7 xxxxxxx
!
redundancy
mode none
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
!
zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address xxxxxxxxx
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex xxxxxxxx
ip dhcp client hostname xxxxxxxx@skydsl|xxxxxxxx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 075912435E010C164E
login
transport input all
stopbits 1
line vty 0 4
login local
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Tue, 23 Oct 2018 12:06:19 GMT

Seems I missed out the following line!

service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

So - all appears to be working now as expected with one exception...When I perform an online port scan against my externally DHCP allocated IP, I have SSH showing as open on that interface. Rather dangerous! I expected the interface would be secured with the config I have listed.
Do I need to create a totally separate set of rules to secure the WAN interface from all incoming traffic ?

Many thanks.

Rob.

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Tue, 23 Oct 2018 13:20:57 GMT

Hi Rob,

You would need to secure the "self" zone. The Self zone is the only exception to the default “deny all” policy, all traffic to any router interface is allowed until explicitly denied.

HTH
Rob

Re: ZBF - First attempt - No traffic flowing

gbekmezi-DD — Tue, 23 Oct 2018 13:53:25 GMT

Also a best practice to put an access-class on your vty lines

line vty 0 4
access-class in

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Wed, 24 Oct 2018 17:20:04 GMT

Hi Rob - thanks for that - it pointed me off to research the SELF zone - of which I was not aware.

I tried subsequently creating an IP ANY ANY deny ACL and applied it between the self and Internet zones as this is what I needed to achieve but I got no Packets going out of the router at all then weirdly. Everything was blocked. From what I've read you have to use the self zone - no getting around it.

Given my existing config would I be correct in assuming that one must configure rules to allow ALL traffic TO and FROM the self zone. Which takes care of INSIDE.

Then configure a further rule from SELF to INTERNET matching the protocols I choose to allow. This would then presumably place an implicit DENY rule on any inbound traffic from the Internet ? i.e. no match from the stateful inspection therefore DROP?

Finally - what about my existing Zones (inside-to-outside) - are these then deletable because the SELF rules have replaced them?

The way I see it (or imagine it) Simply:

CLIENTS----->INSIDE LAN I/F----->SELF ZONE----->OUTSIDE WAN I/F----->Internet

(Allow all Traffic) ----->SELF ZONE----->(Allow Filtered Traffic OUT)----->Internet

SELF ZONE<--/-x (Block all Filtered traffic IN)<-----Internet

Which replaces my existing config of INSIDE/OUTSIDE - it effectively puts another zone smack bang in the middle of my existing config. Correct ?

Many thanks for your help. Invaluable for those of us learning new Cisco technologies.

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Wed, 24 Oct 2018 17:42:29 GMT

Hi Rob,
The self zone is used for traffic TO/FROM the router itself (any interface on the router itself), not traffic going through the router. So you'd need zone pairs for to-self-zone and from-self-zone to permit/deny access to/from the router. You'd also need zone pairs from outside-to-inside and inside-to-outside and any other zone for traffic going through the router. Hope that makes sense?

Upload your configuration if you need further assistance.

HTH
Rob

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Wed, 24 Oct 2018 18:08:55 GMT

I'll get there...
Literally all I need to do is block any traffic from the internet which I thought I'd done but due to the SELF zone I was able to access all sorts of nastiness from the internet within my router.

As far as management goes I just need ssh into the router from the client VLAN internally.

When I created zone pair between SELF and INTERNET with a deny rule everything stopped between outside and inside too which is what confused me. I don't really want somebody to do it for me as that's not really how I learn. Just trying to understand why a deny ANY ANY IP between Internet and Self would cause Internet and Inside to fail.

I'll re-write the config and post. Maybe something glaringly obvious will jump out?

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Wed, 24 Oct 2018 20:01:00 GMT

OK - I need further assistance!
As soon as I apply the ZBF Self config to the outside/self interface I lose all connectivity with the exception of the ssh connection which Im on to configure the router (all internet traffic dies it would seem).
I'd love to understand where I'm going wrong so here in all its glory is the current config (unfinished).
Thank you so much for your assistance.

C1117ISR#sh run
Building configuration...

Current configuration : 6626 bytes
!
! Last configuration change at 18:23:01 GMT Wed Oct 24 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jURxxxxxzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT -1 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

quit
!
!
license udi pid C1117-4P sn FGx
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username x privilege 15 password 7 0xxB5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-BLOCK-INTERNET-TRAFFIC
class-map type inspect match-all INSIDE_SELF
match access-group name SELF_AND_INSIDE
!
policy-map type inspect INSIDE_SELF
class type inspect INSIDE_SELF
inspect
class class-default
policy-map type inspect SELF_INSIDE
class type inspect INSIDE_SELF
inspect
class class-default
policy-map type inspect PM-OUTSIDE-SELF
class type inspect CMAP-OUTSIDE-SELF
drop
class class-default
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
!
zone security INTERNET
zone security INSIDE
zone-pair security Inside_to_Self source INSIDE destination self
service-policy type inspect INSIDE_SELF
zone-pair security Self-to-Inside source self destination INSIDE
service-policy type inspect SELF_INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-OUTSIDE-SELF
!
!

!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 6330336530663963323638
ip dhcp client hostname cx@skydsl|addx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NACL-BLOCK-INTERNET-TRAFFIC
deny ip any any
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
ip access-list extended SELF_AND_INSIDE
permit ip any any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
transport input all
stopbits 1
line vty 0 4
login local
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Wed, 24 Oct 2018 21:13:45 GMT

Ok, I labbed your configuration, I used your exact ZPFW configuration, I was able to communicate through the router from inside zone to internet zone. The only difference was a static ip address on the outside interface and no sub-interface.

What is the output of "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" - I assume there will be drops. Perhaps add "log" after the drop and observe the output of the logs.

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 09:29:46 GMT

Hey Rob, and Morning!
So I tried "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" - NO DROPS
Following this I added the LOG statement to the end of the policy-map PM-OUTSIDE-SELF and I can see 30-40 packets dropped and these did not increase when I attempted a PING outbound to google's DNS servers
I also tried changing the associated external NACL from DENY any any to PERMIT any any and still - no traffic.
Interestingly as soon as the zone-pairing is made between INTERNET and SELF the interface cannot even obtain an IP from the ISP and this is not due it would seem to the Access-list as we have seen - even with PERMIT there is still zero traffic.
I also attempted adding the main WAN interface (eth 0/2/0) to the INTERNET zone which also did not resolve the issue. Obviously the WAN connection runs on a sub-int on VLAN .101. Just a thought but it didn't help.
All I can deduce so far is that whenever ANY zone pairing is made from INTERNET to SELF, all traffic ceases. INTERNET zone is already used by ZP-INSIDE-TO-OUTSIDE. We don't need to create additional zones to separate INSIDE-INTERNET (used inside > outside for pass-through traffic) and INTERNET-SELF do we. Just wondering whether the two zone-pairings are causing issues with one another ?

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Thu, 25 Oct 2018 09:57:03 GMT

Hi Rob,
Ok, create a class map to "pass" all traffic (for now, can amend later), reference in a policy-map and then create a zone pair from self to internet. Let's get dhcp working first and then see what's left.

Rob

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 11:10:24 GMT

OK - working on that now.
So
create a NACL permit IP any any
create a CM self-to-intenet referencing the NACL
create a PM self-to-internet - should this be PASS or INSPECT ?

I'd imagine it would need to be inspect to allow the return traffic to the self zone rather than pass ?

Then create the zone pair...SELF-TO-INTERNET

What about the existing zone pair (currently removed) INTERNET-TO-SELF with the DENY rule ?

Sorry for so many questions!

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Thu, 25 Oct 2018 11:17:35 GMT

You cannot use "inspect" in self zone rules, only pass....this means the traffic is only permitted in one direction, so you'd need to permit that return traffic.

Reference here, search for "self" under the important points section for the informed I just provided above.

HTH

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 11:24:20 GMT

OK - that's weird then because in my config I definitely have a PM-SELF-INSIDE (and conversely INSIDE-SELF) with an INSPECT statement rather than PASS and it seems to not throw an error ?

Do these need changing to PASS also ?

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 14:53:24 GMT

Righto - an update.
I have amended the config so that both Self - Internet and Internet - self both share a PASS IP Any any situation which causes it to spring back in to life.
This still doesn't explain why I'm not able to just block "ip any any" from Internet to Self as by implementing bi-directional "pass" I've just blown the router wide open to the outside world again!
Latest config below and you will note that the two class-maps now both refer to the PERMIT-ALL NACL

class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-PERMIT-ALL-TRAFFIC

class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-PERMIT-ALL-TRAFFIC
*******************************************************
Full config below - seriously stumped at this point. Why would blocking IP ANY ANY from INTERNET to SELF also halt the traffic from Inside to Internet ?

C1117ISR#sh run
Building configuration...

Current configuration : 7257 bytes
!
! Last configuration change at 15:38:28 GMT Thu Oct 25 2018 by rhbmcse
! NVRAM config last updated at 15:22:06 GMT Thu Oct 25 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFxakpqV2vfDatrcHCxftZzba///Xoxx
!
no aaa new-model
clock timezone GMT 1 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33
6F305E61 B99D9BF5 D243DAE9 37848E38 992E006F 92B35E7B B8AC9995 1EDEC0C0
B25CE082 26AAFB31 E6F6B6B6 98E2BF42 94DD4F00 B2C3665E 1DC9C4C8 6E35C5B7
7984AFAF 1460956D 0A6516E8 2301EE0B 13252DB1 2DE096E8 A75FA9AA 1A344AA4
DBCC162F 1BA0BA74 CE0032E4 C892DE80 C08EA475
quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username rhbmcse privilege 15 password 7 06240B2x32B5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-PERMIT-ALL-TRAFFIC
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-PERMIT-ALL-TRAFFIC
class-map type inspect match-all INSIDE_SELF
match access-group name SELF_AND_INSIDE
!
policy-map type inspect PM-SELF-TO-INTERNET
class type inspect CMAP-SELF-TO-INTERNET
pass
class class-default
policy-map type inspect INSIDE_SELF
class type inspect INSIDE_SELF
pass
class class-default
policy-map type inspect SELF_INSIDE
class type inspect INSIDE_SELF
pass
class class-default
policy-map type inspect PM-OUTSIDE-SELF
class type inspect CMAP-OUTSIDE-SELF
pass
class class-default
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
!
zone security INTERNET
zone security INSIDE
zone-pair security Inside_to_Self source INSIDE destination self
service-policy type inspect INSIDE_SELF
zone-pair security Self-to-Inside source self destination INSIDE
service-policy type inspect SELF_INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-OUTSIDE-SELF
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
service-policy type inspect PM-SELF-TO-INTERNET
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 6330336530663963323638
ip dhcp client hostname c0x68c@skydsl|addx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NACL-BLOCK-INTERNET-TRAFFIC
deny ip any any
ip access-list extended NACL-PERMIT-ALL-TRAFFIC
permit ip any any
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
ip access-list extended SELF_AND_INSIDE
permit ip any any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 091A7D06090D020152
login
transport input all
stopbits 1
line vty 0 4
login local
!
ntp master
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Thu, 25 Oct 2018 15:09:55 GMT

Well I don't think you necessarily need "permit ip any any" from internet to self, but you do need to receive an IP address on the wan interface. If you permit udp/67 from internet to self and udp/68 from self to internet, that should still allow you to receive the dhcp address. After that configure a deny action and make sure you log traffic, so if anything is blocked we can determine what exactly is blocked.

I notice you've got ntp servers defined, you need to permit that to/from the self zone to/from internet zone.

HTH

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 15:40:39 GMT

HI Rob!
Thanks again...
That sounds like a plan.
Re: the time servers - that's only just gone into the config (it's very much a work in progress) so I was aware that there would still be more work to be done. Slowly beginning to understand the self zone with your great assistance.
I wish I could repay the favour. It kind of makes sense once you being to understand it!
Thanks again.
"I'll be back"...
Rob.

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Thu, 25 Oct 2018 16:32:50 GMT

Sighs.
OK so I configured as suggested - allowing bootp / dhcp traffic on ports 67/68.
Performed a shut on the relevant interfaces and then no shut them.
The interface gets an IP from DHCP - hallelujah! But we're back to the old no traffic flowing again.
It does seem as though something else is required to be configured in the self zone.
I added a log command to the pass statements on the policy maps.
How do I then view these logs with meaningful information as to what has been dropped so that I may be able to figure out what exactly the self zone is missing. Certainly with the pass IP any any it all worked!
I guess I need to figure out now what's preventing return traffic?
Any suggestions ? 😞

Re: ZBF - First attempt - No traffic flowing

Rob Ingram — Thu, 25 Oct 2018 17:31:09 GMT

If you modify the following:-

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default

drop log

then any drops outbound should be logged, then type "show logging" to view the logs.

Can you provide the output of "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" and upload here

Re: ZBF - First attempt - No traffic flowing

rhbmcse — Fri, 26 Oct 2018 11:59:24 GMT

Morning Rob!
Still ongoing I'm afraid.
The logs dont appear to hold any information on the INSIDE-TO-OUTSIDE rules as below.
The very second that I disable the zone pairing for the self zone everything springs into life.
It's almost as if everything is going through the SELF zone ?
Details are below anyway - your help is greatly appreciated.

C1117ISR#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
C1117ISR#sh logging
Syslog logging: enabled (0 messages dropped, 7 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 54 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 59 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled

No active filter modules.

Trap logging: level informational, 61 message lines logged
Logging Source-Interface: VRF Name:

Log Buffer (4096 bytes):
Throughput license found, throughput set to 50000 kbps
*Oct 26 11:47:09.233: %SYS-2-PRIVCFG_DECRYPT: Successfully apply the private config file
*Oct 26 11:47:09.280: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:47:09 UTC Fri Oct 26 2018 to 12:47:09 GMT Fri Oct 26 2018, configured from console by vty0.
*Oct 26 11:47:09.922: %SYS-5-CONFIG_I: Configured from memory by console
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/0, interfaces disabled
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/1, interfaces disabled
*Oct 26 11:47:09.998: %IOSXE_OIR-6-REMSPA: SPA removed from subslot 0/2, interfaces disabled
*Oct 26 11:47:10.013: %SPA_OIR-6-OFFLINECARD: SPA (C1117-1x1GE) offline in subslot 0/0
*Oct 26 11:47:10.028: %SPA_OIR-6-OFFLINECARD: SPA (C1117-ES-4) offline in subslot 0/1
*Oct 26 11:47:10.045: %SPA_OIR-6-OFFLINECARD: SPA (C1117-VADSL-A) offline in subslot 0/2
*Oct 26 11:47:10.054: %IOSXE_OIR-6-INSCARD: Card (fp) inserted in slot F0
*Oct 26 11:47:10.054: %IOSXE_OIR-6-ONLINECARD: Card (fp) online in slot F0
*Oct 26 11:47:10.092: %IOSXE_OIR-6-INSCARD: Card (cc) inserted in slot 0
*Oct 26 11:47:10.093: %IOSXE_OIR-6-ONLINECARD: Card (cc) online in slot 0
*Oct 26 11:47:10.118: %FW-6-INIT: Firewall inspection startup completed; beginning operation.
*Oct 26 11:47:10.313: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/0
*Oct 26 11:47:10.316: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/1
*Oct 26 11:47:10.316: %IOSXE_OIR-6-INSSPA: SPA inserted in subslot 0/2
*Oct 26 11:47:10.629: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
*Oct 26 11:47:10.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
*Oct 26 11:47:12.217: %SYS-5-RESTART: System restarted --
Cisco IOS Software [Everest], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 01-Nov-17 03:00 by mcpre
*Oct 26 11:47:12.246: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Oct 26 11:47:12.318: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Oct 26 11:47:12.319: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Oct 26 11:47:14.906: %SYS-6-BOOTTIME: Time taken to reboot after reload = 310 seconds
Oct 26 11:47:20.724: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Oct 26 11:47:20.724: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Oct 26 11:47:25.628: %SPA_OIR-6-ONLINECARD: SPA (C1117-1x1GE) online in subslot 0/0
Oct 26 11:47:26.053: %SPA_OIR-6-ONLINECARD: SPA (C1117-ES-4) online in subslot 0/1
Oct 26 11:47:28.031: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to down
Oct 26 11:47:28.049: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/3, changed state to down
Oct 26 11:47:36.034: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/0, changed state to up
Oct 26 11:47:36.038: %LINK-3-UPDOWN: Interface GigabitEthernet0/1/3, changed state to up
Oct 26 11:47:37.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/0, changed state to up
Oct 26 11:47:37.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1/3, changed state to up
Oct 26 11:47:37.048: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
Oct 26 11:47:37.053: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to up
Oct 26 11:48:29.625: %SPA_OIR-6-ONLINECARD: SPA (C1117-VADSL-A) online in subslot 0/2
Oct 26 11:48:31.620: %LINK-3-UPDOWN: Interface Ethernet0/2/0, changed state to down
Oct 26 11:49:06.616: %VDSL_DAEMON-3-VDSL_LINE_UPDOWN: Controller VDSL 0/2/0, line 0, changed state to up
Oct 26 11:49:06.616: %CONTROLLER-5-UPDOWN: Controller VDSL 0/2/0, changed state to up
Oct 26 11:49:08.615: %LINK-3-UPDOWN: Interface Ethernet0/2/0, changed state to up
Oct 26 11:49:09.613: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2/0, changed state to up
Oct 26 11:49:44.418: %DHCP-6-ADDRESS_ASSIGN: Interface Ethernet0/2/0.101 assigned DHCP address 188.222.79.191, mask 255.255.252.0, hostname c03e0f9c268c@skydsl|addf773e

C1117ISR#sh policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE
Zone-pair: ZP-INSIDE-TO-OUTSIDE
Service-policy inspect : PM-INSIDE-TO-OUTSIDE-POLICY

Class-map: CMAP-ALLOWED-OUTBOUND-PROTOCOLS (match-any)
Match: protocol icmp
Match: protocol dns
Match: protocol http
Match: protocol https
Inspect
Packet inspection statistics [process switch:fast switch]
dns packets: [0:4]

Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:0:0]
Last session created 00:01:12
Last statistic reset never
Last session creation rate 2
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes