Unable to apply firewall policy in Cisco Umbrella

vishal77
Level 1
Level 1

Hello Team,

I created a firewall policy in Cisco Umbrella to block http://portquiz.net:444, but the policy is not being applied and the page still opens in the browser. Please help me troubleshoot this.

Attaching an image for your reference.

11 Replies

vishal77
Level 1
Level 1

Hello,

Please help me solve this issue. The tunnel is successfully configured with Umbrella, but the firewall policy is still not being applied and there are no hits on the policy.

Please find below the CSR router tunnel configuration, along with the attached image of the firewall policy.

CSR#terminal length 0
CSR#show running-config | section crypto ikev2
crypto ikev2 proposal default
encryption aes-gcm-256
prf sha256
group 19
crypto ikev2 keyring umbrella-keyring
peer umbrella-ash
address 146.112.82.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lax
address 146.112.67.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-nyc
address 146.112.83.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-pao
address 146.112.66.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lon
address 146.112.97.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-fra
address 146.112.96.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-sng
address 146.112.113.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-tok
address 146.112.112.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-syd
address 146.112.118.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-mel
address 146.112.119.8
pre-shared-key Umbrellaisnumber1
!
crypto ikev2 profile umbrella
match identity remote address 0.0.0.0
identity local email Mainoffice@2669434-470449286-umbrella.com
authentication remote pre-share
authentication local pre-share
keyring local umbrella-keyring
dpd 10 2 periodic


CSR#show running-config | section ipsec 
crypto ipsec transform-set umbrella esp-gcm 256
mode tunnel
crypto ipsec profile umbrella
set transform-set umbrella
set ikev2-profile umbrella
tunnel mode ipsec ipv4
tunnel protection ipsec profile umbrella


CSR#show crypto ikev2 sa

Tunnel-id Local Remote fvrf/ivrf Status
5 198.18.133.254/4500 146.112.113.8/4500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/9806 sec

IPv6 Crypto IKEv2 SA

 

CSR#show running-config interface tunnel1
Building configuration...

Current configuration : 229 bytes
!
interface Tunnel1
ip unnumbered GigabitEthernet2
ip nat outside
ip tcp adjust-mss 1280
tunnel source GigabitEthernet2
tunnel mode ipsec ipv4
tunnel destination 146.112.113.8
tunnel protection ipsec profile umbrella
end

 

Hi,

Is traffic even being routed through the VPN tunnel?

Provide the output of "show crypto ipsec sa" to determine whether the encaps/decaps counters are increasing.
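The check Rob asks for (are the encaps/decaps counters moving between two readings?) is easy to do by eye for one tunnel, but it is worth having a repeatable version. The script below is an added example written for this page, not part of Rob's reply and not a Cisco tool. It parses the counter lines of "show crypto ipsec sa" per interface, compares two snapshots, and classifies what the movement implies. The three snapshot strings are constructed for the example: the first mirrors the all-zero counters posted in the thread, the other two are invented later readings.

```python
import re

# Constructed sample text in the shape of IOS-XE "show crypto ipsec sa" output,
# trimmed to the lines that matter. Not captures from the router in the thread:
# T0 mirrors its all-zero counters, T1 and T2 are made-up later readings.
SNAPSHOT_T0 = """\
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 198.18.133.254
current_peer 146.112.113.8 port 4500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

SNAPSHOT_T1 = """\
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 198.18.133.254
current_peer 146.112.113.8 port 4500
#pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

SNAPSHOT_T2 = """\
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 198.18.133.254
current_peer 146.112.113.8 port 4500
#pkts encaps: 131, #pkts encrypt: 131, #pkts digest: 131
#pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
#send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_ipsec_sa(text):
    """Map each 'interface:' block of the output to its encaps/decaps/error counters."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            current = line.split(":", 1)[1].strip()
            result[current] = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
        elif current is not None:
            for name, val in COUNTER_RE.findall(line):
                result[current][name] = int(val)
            for name, val in ERROR_RE.findall(line):
                result[current][name + "_errors"] = int(val)
    return result


def diagnose(before, after, interface="Tunnel1"):
    """Compare two snapshots taken a few seconds apart and say what the movement implies.

    Returns one of: 'errors', 'no-traffic', 'one-way', 'bidirectional'.
    """
    a = parse_ipsec_sa(before)[interface]
    b = parse_ipsec_sa(after)[interface]
    d_enc = b["encaps"] - a["encaps"]
    d_dec = b["decaps"] - a["decaps"]
    d_err = (b["send_errors"] + b["recv_errors"]) - (a["send_errors"] + a["recv_errors"])
    if d_err > 0:
        return "errors"         # the crypto engine is dropping packets: inspect the SAs
    if d_enc == 0 and d_dec == 0:
        return "no-traffic"     # nothing is steered into the tunnel: routing/PBR problem
    if d_enc == 0 or d_dec == 0:
        return "one-way"        # traffic in one direction only: return path or far end
    return "bidirectional"      # the tunnel carries traffic; look at the policy next


if __name__ == "__main__":
    print("T0 -> T0:", diagnose(SNAPSHOT_T0, SNAPSHOT_T0))
    print("T0 -> T1:", diagnose(SNAPSHOT_T0, SNAPSHOT_T1))
    print("T1 -> T2:", diagnose(SNAPSHOT_T1, SNAPSHOT_T2))
```

In the thread both readings are all zeros, which is the "no-traffic" case: the SAs are up, but nothing is being sent into them, so the problem is in what selects traffic for the tunnel rather than in IPsec itself.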

Hi Rob,

Thanks for your reply.

No packets are being observed and there are no hits on the firewall policy either, but the tunnel is successfully established between Umbrella and the CSR router.

Please find below the "show crypto ipsec sa" output, along with an image of the tunnel status on the Umbrella dashboard.

 

CSR#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 198.18.133.254

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 146.112.113.8 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.18.133.254, remote crypto endpt.: 146.112.113.8
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xC1FCDDFE(3254574590)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x94C58444(2495972420)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2097, flow_id: CSR:97, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2288)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC1FCDDFE(3254574590)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2098, flow_id: CSR:98, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2288)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Hi Rob,

As per your suggestion I have checked my configuration and didn't find anything missing. Attaching the output of my router for the commands in that link, and also the complete configuration of the router.

 

 

You've not included your configuration.

Hi Rob,

Please find the attached configuration and suggest if I'm missing something.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.09.03 08:46:42 =~=~=~=~=~=~=~=~=~=~=~=

------------------------------------------------
CSR#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
5 198.18.133.254/4500 146.112.113.8/4500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/13295 sec

IPv6 Crypto IKEv2 SA
----------------------------------------------------------------------------------

CSR#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 198.18.133.254

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 146.112.113.8 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.18.133.254, remote crypto endpt.: 146.112.113.8
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xC3EB03C2(3286959042)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x414E6B58(1095658328)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2099, flow_id: CSR:99, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2532)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC3EB03C2(3286959042)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2100, flow_id: CSR:100, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2532)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
--------------------------------------------------------------------
CSR#show running-config | section crypto ikev2
crypto ikev2 proposal default
encryption aes-gcm-256
prf sha256
group 19
crypto ikev2 keyring umbrella-keyring
peer umbrella-ash
address 146.112.82.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lax
address 146.112.67.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-nyc
address 146.112.83.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-pao
address 146.112.66.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lon
address 146.112.97.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-fra
address 146.112.96.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-sng
address 146.112.113.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-tok
address 146.112.112.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-syd
address 146.112.118.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-mel
address 146.112.119.8
pre-shared-key Umbrellaisnumber1
!
crypto ikev2 profile umbrella
match identity remote address 0.0.0.0
identity local email Mainoffice@2669434-470449286-umbrella.com
authentication remote pre-share
authentication local pre-share
keyring local umbrella-keyring
dpd 10 2 periodic
--------------------------------------------------------------------
CSR#show running-config interface tunnel1
Building configuration...

Current configuration : 229 bytes
!
interface Tunnel1
ip unnumbered GigabitEthernet2
ip nat outside
ip tcp adjust-mss 1280
tunnel source GigabitEthernet2
tunnel mode ipsec ipv4
tunnel destination 146.112.113.8
tunnel protection ipsec profile umbrella
end

---------------------------------------------------------------
CSR#show crypto ikev2 proposal default
IKEv2 proposal: default
Encryption : AES-GCM-256
Integrity : none
PRF : SHA256
DH Group : DH_GROUP_256_ECP/Group 19
CSR#show running-config | section crypto ipsec sa   
crypto ipsec transform-set umbrella esp-gcm 256
mode tunnel
crypto ipsec profile umbrella
set transform-set umbrella
set ikev2-profile umbrella
------------------------------------------------------
CSR#sh running-config
Building configuration...

Current configuration : 4911 bytes
!
! Last configuration change at 14:27:02 UTC Tue Sep 1 2020 by admin
!
version 16.3
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname CSR
!
boot-start-marker
boot system bootflash:csr1000v-universalk9.16.03.08.SPA.bin
boot-end-marker
!
!
enable secret 5 $1$QM6b$BppNWDbqtAjOPOnSG3SqG0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip domain name dcloud.cisco.com
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3467280968
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3467280968
revocation-check none
rsakeypair TP-self-signed-3467280968
!
!
crypto pki certificate chain TP-self-signed-3467280968
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343637 32383039 3638301E 170D3136 30313037 30323333
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363732
38303936 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B039 A5A5AEB4 760E8B55 5260E80A CC88F9E0 92DB631F 24BAB802 A79592E8
D8176387 9399AB7A 8FE23C24 5D783EEE 603F4985 855796D8 E83E6CB2 A94EC075
622684E6 9574F6D6 0511C4A6 C43EE035 ACA755EC C565070A 069CFBB1 89828E0B
ACFBC4DC 4704453E 47205F8C 9FE6926E AFD6FD2C 937DD421 6EE34F4A 55C5DC9C
719F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14ACF601 FB694AD2 873E04E4 80B95E64 CF68DE13 BA301D06
03551D0E 04160414 ACF601FB 694AD287 3E04E480 B95E64CF 68DE13BA 300D0609
2A864886 F70D0101 05050003 81810049 1396ECB8 F9A27641 413C4E3D 94EC4DA7
53339873 0CA7505F A7870386 E40B6786 26B3E326 2054F1D4 AF58339C 82D569F3
D072CD3F 255EED8C ED3BBF3E 8A32231B FD9C96A7 69C808A2 1D4827D0 5F4B2E34
605E1DA7 87B01442 18DEFA53 348C50DF 5B4FCAC2 B24A5400 4A5492D7 ACCD6E03
ED479307 462F1761 2B0FFDD6 7BC057
quit
!
!
!
!
!
!
!
!
license udi pid CSR1000V sn 9FYNU87ZC0B
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret 5 $1$udz.$NmINH.AiuyMoyYqX5aJDP/
!
redundancy
!
crypto ikev2 proposal default
encryption aes-gcm-256
prf sha256
group 19
!
!
crypto ikev2 keyring umbrella-keyring
peer umbrella-ash
address 146.112.82.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lax
address 146.112.67.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-nyc
address 146.112.83.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-pao
address 146.112.66.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-lon
address 146.112.97.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-fra
address 146.112.96.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-sng
address 146.112.113.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-tok
address 146.112.112.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-syd
address 146.112.118.8
pre-shared-key Umbrellaisnumber1
!
peer umbrella-mel
address 146.112.119.8
pre-shared-key Umbrellaisnumber1
!
!
!
crypto ikev2 profile umbrella
match identity remote address 0.0.0.0
identity local email Mainoffice@2669434-470449286-umbrella.com
authentication remote pre-share
authentication local pre-share
keyring local umbrella-keyring
dpd 10 2 periodic
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set umbrella esp-gcm 256
mode tunnel
!
!
crypto ipsec profile umbrella
set transform-set umbrella
set ikev2-profile umbrella
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Tunnel1
ip unnumbered GigabitEthernet2
ip nat outside
ip tcp adjust-mss 1280
tunnel source GigabitEthernet2
tunnel mode ipsec ipv4
tunnel destination 146.112.113.8
tunnel protection ipsec profile umbrella
!
interface GigabitEthernet1
ip address 198.19.10.1 255.255.255.0
ip nat inside
ip policy route-map umbrella_rm
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
ip address 198.18.133.254 255.255.192.0
ip nat outside
negotiation auto
no mop enabled
no mop sysid
!
!
virtual-service csr_mgmt
ip shared host-interface GigabitEthernet1
activate
!
ip nat pool NAT-POOL-dCloud 10.10.10.1 10.10.10.254 netmask 255.255.255.0 type match-host
ip nat inside source list VPN-NAT-dCloud pool NAT-POOL-dCloud overload
ip forward-protocol nd
no ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 198.18.128.1
!
ip access-list extended VPN-NAT-dCloud
permit ip 198.19.10.0 0.0.0.255 any
!
!
!
route-map umbrella_rm permit 10
match ip address VPN-NAT-dCloud
set interface Tunnel1
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
!
!
!
!
!
!
end

CSR#

Are you actually running this in dCloud?

What is your source IP address? Are you generating traffic from the 198.19.10.0/24 network?

I don't think there is any need to have "ip nat outside" enabled on the tunnel interface.

What is the output of "show route-map umbrella_rm" and "show ip access-list"?

You need to modify your NAT ACL to exclude DNS traffic from being sent through the CDFW.

ip access-list extended VPN-NAT-dCloud
 deny ip any host 208.67.220.220
 deny ip any host 208.67.222.222
 permit ip 198.19.10.0 0.0.0.255 any

How are you routing traffic to the tunnel?

Do you have the PBR and route-map as per Step 4 - Routing rules in the following document? https://docs.umbrella.com/umbrella-user-guide/docs/add-a-tunnel-cisco-isr

If you don't have them in place, this traffic will never be sent via the tunnel and therefore the CDFW will not filter the traffic.
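Rob's two points above (the ACL with the Umbrella resolvers excluded, and the route-map that has to match before anything reaches Tunnel1) combine into one question: for a given source and destination, does the router send the packet into the tunnel or out the default route? The Python model below is an added example written for this page; it is not from the thread and not Cisco tooling. It parses the suggested ACL, applies IOS first-match semantics with the implicit deny at the end, and reports the egress the posted route-map ("match ip address VPN-NAT-dCloud / set interface Tunnel1") would pick. The ACL text is typed here in the shape Rob suggested; the test addresses 203.0.113.10 and 198.19.20.5 are made up, and the default next hop 198.18.128.1 is taken from the posted static route.

```python
import ipaddress

# Constructed ACL in the shape Rob suggested (typed for this example, not copied
# from the router). The posted config applies it via:
#   route-map umbrella_rm permit 10 / match ip address VPN-NAT-dCloud / set interface Tunnel1
ACL_TEXT = """\
ip access-list extended VPN-NAT-dCloud
 deny ip any host 208.67.220.220
 deny ip any host 208.67.222.222
 permit ip 198.19.10.0 0.0.0.255 any
"""

DEFAULT_NEXT_HOP = "198.18.128.1"   # from "ip route 0.0.0.0 0.0.0.0 198.18.128.1" in the post
ALL_ONES = 0xFFFFFFFF


def _wildcard_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network.

    IOS wildcard bits are the inverse of a netmask (0 = bit must match).
    Only contiguous wildcards are modelled; discontiguous ones are rejected.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & ALL_ONES
    if (mask | ((mask - 1) & ALL_ONES)) != ALL_ONES:
        raise ValueError("discontiguous wildcard not supported: " + wildcard)
    prefix = bin(mask).count("1")
    return ipaddress.ip_network((addr, prefix), strict=False)


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Return the ACEs as (action, protocol, src_net, dst_net), in order."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue   # skip the 'ip access-list extended ...' header and blank lines
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        rules.append((action, proto, src, dst))
    return rules


def acl_permits(rules, src_ip, dst_ip):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst in rules:
        if proto != "ip":
            continue   # only 'ip' ACEs are modelled; port/protocol qualifiers are out of scope
        if s in src and d in dst:
            return action == "permit"
    return False


def egress_for(rules, src_ip, dst_ip):
    """Where the posted route-map sends the packet: Tunnel1 on a match, else the default route."""
    if acl_permits(rules, src_ip, dst_ip):
        return "Tunnel1"
    return "default route via " + DEFAULT_NEXT_HOP


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for src, dst in [("198.19.10.25", "203.0.113.10"),     # LAN host to a web server
                     ("198.19.10.25", "208.67.222.222"),   # LAN host to an Umbrella resolver
                     ("198.19.20.5", "203.0.113.10")]:     # host outside the matched subnet
        print(src, "->", dst, ":", egress_for(rules, src, dst))
```

The third case is the one Rob is probing with "are you generating traffic from 198.19.10.0/24?": a test client on any other subnet never matches the route-map, so its packets follow the default route, the encaps counter stays at zero, and the cloud firewall policy never sees them.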

Ruben Cocheno
Spotlight
Spotlight

Take a look at the routing: if you don't enforce it, traffic will take the default route; static routes or PBR are the options. It seems that you are using dCloud; the configs are more often than not right, so if you are looking to change something based on your use case, reach out to the dCloud team. They will be more than happy to take a look at it for you.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

chrilau
Cisco Employee
Cisco Employee

I am not sure whether this issue has been addressed and resolved?

alirafaleiro
Level 1
Level 1

The Umbrella cloud-delivered firewall provides firewall services, without the need to deploy, maintain and upgrade physical or virtual appliances at each site. The cloud-delivered firewall relies on your on-premise appliances to build tunnels to the Umbrella cloud without the need to upgrade or deploy any additional physical or virtual appliances.

https://docs.umbrella.com/umbrella-user-guide/docs/add-a-firewall-policy#:~:text=Umbrella%20evaluates%20each%20firewall%20policy,a%20matching%20firewall%20policy%20rule.
