Solved: c2921 ZFW won't allow traffic back in

merzroger · ‎09-08-2019

Hello... I'm obviously missing something basic so hopefully someone has the time to take a look and help figure out what I missed in the Cisco manual pg 1 para 1.

C2921 15.7.3.M3 -- 2- inside int - 2 sub-net, 1-outside int dhcp. Base router config, with or without int inside/outside or zone-member, stops ALL traffic across all int. Shouldn't do that right??? Enter ZFW policy config - now allows traffic in-in, as it should, but will still not pass in-out traffic back in. Same policy! Console pings out beyond all int's in-in and in-out-in fine. Routes good. Int have proper inside/outside zone-member. Zone-pairs correct with proper (matching) service-policy. See policy-firewall config below. Parameter map "logging" is just audit-trail on. Logs show proper mapping of in-in traffic. Anything going outside shows in-out portion fine but always shows 0 bytes returned back in from whatever host. No blocked or dropped entries, just session timeouts from no return traffic like traffic back in is being blocked outside the int. But it's not. Again, identical policy just different int's and console pings anywhere fine any route. Do I need an out-out policy to create tables for outside int return traffic? My understanding is in-in and in-out covers it.

I've swapped physical int's. Tried opening up with ACL's with and without zone policy. It will not pass outside traffic back in unless from console. Period. Also same results whether to outside router or cable modem. Thanks for any insight. Love you man!!!

R1#sh policy-firewall config zone-pair

Zone-pair : in-in (0xB55E74)
Source Zone : inside
Destination Zone : inside
Service-policy inspect : generic

Class-map : basic(match-any)
Class-id : 0xCFC851
Match protocol tcp
Match protocol udp
Match protocol icmp
Match protocol http
Match protocol https
Match protocol imap
Action : inspect
Parameter-map : logging

Class-map : class-default(match-any)
Class-id : 0x639
Match any
Action : drop log

Parameter-map : Default

Zone-pair : in-out (0xB475E4)
Source Zone : inside
Destination Zone : outside
Service-policy inspect : generic
Class-map : basic(match-any)
Class-id : 0xCFC851
Match protocol tcp
Match protocol udp
Match protocol icmp
Match protocol http
Match protocol https
Match protocol imap
Action : inspect
Parameter-map : logging

Class-map : class-default(match-any)
Class-id : 0x639
Match any
Action : drop log
Parameter-map : Default

R1#

johnd2310 · ‎09-10-2019

Hi,

Do you have cable modem or such in front of your router? Does this device have routes for your LAN networks(192.168.100.0/24 and 192.168.200.0/24)?

Thanks

John

**Please rate posts you find helpful**

View solution in original post

johnd2310 · ‎09-08-2019

Hi,

Can you post the router config. Have you checked the NAT rules are ok?

Thanks

John

**Please rate posts you find helpful**

merzroger · ‎09-09-2019

...here you go. No NAT, never was. Thanks!

R1#sh run
Building configuration...

Current configuration : 2954 bytes
!
! Last configuration change at 08:59:19 EDT Mon Sep 9 2019
!
version 15.7
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
logging buffered informational
logging persistent url flash1:/syslog size 8192000 filesize 1024000
no logging console
no logging monitor
enable password basic
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.49
ip dhcp excluded-address 192.168.100.100 192.168.100.254
ip dhcp excluded-address 192.168.200.1 192.168.200.49
ip dhcp excluded-address 192.168.200.100 192.168.200.254
!
ip dhcp pool roger
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 1.1.1.1 8.8.8.8
domain-name roger.net
!
ip dhcp pool josh
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 1.1.1.1 8.8.8.8
domain-name josh.net
!
!
!
no ip domain lookup
ip cef
ipv6 unicast-routing
ipv6 cef
!
parameter-map type inspect logging
audit-trail on
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2921/K9 sn FJC1904A16C
license accept end user agreement
!
!
!
redundancy
!
!
!
!
!
ip telnet source-interface GigabitEthernet0/1
!
class-map type inspect match-any basic
match protocol tcp
match protocol udp
match protocol icmp
match protocol http
match protocol https
match protocol imap
!
policy-map type inspect generic
class type inspect basic
inspect logging
class class-default
drop log
!
zone security inside
zone security outside
zone-pair security in-in source inside destination inside
service-policy type inspect generic
zone-pair security in-out source inside destination outside
service-policy type inspect generic
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 200.200.100.101 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description outside
ip address dhcp
zone-member security outside
duplex auto
speed auto
!
interface GigabitEthernet0/1
description roger inside
ip address 192.168.100.1 255.255.255.0
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/2
description josh inside
ip address 192.168.200.1 255.255.255.0
zone-member security inside
duplex auto
speed auto
!
router rip
version 2
network 192.168.100.0
network 192.168.200.0
no auto-summary
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
logging host 192.168.100.50
!
!
!
control-plane
!
!
no vstack
!
line con 0
exec-timeout 30 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 30 0
password basic
login
transport input telnet
!
scheduler allocate 20000 1000
ntp server 129.6.15.28
!
end

R1#sh policy-firewall config zone-pair
Zone-pair : in-in (0xB55E74)
Source Zone : inside
Destination Zone : inside
Service-policy inspect : generic
Class-map : basic(match-any)
Class-id : 0xCFC851
Match protocol tcp
Match protocol udp
Match protocol icmp
Match protocol http
Match protocol https
Match protocol imap
Action : inspect
Parameter-map : logging

Class-map : class-default(match-any)
Class-id : 0x639
Match any
Action : drop log
Parameter-map : Default

Zone-pair : in-out (0xB475E4)
Source Zone : inside
Destination Zone : outside
Service-policy inspect : generic
Class-map : basic(match-any)
Class-id : 0xCFC851
Match protocol tcp
Match protocol udp
Match protocol icmp
Match protocol http
Match protocol https
Match protocol imap
Action : inspect
Parameter-map : logging

Class-map : class-default(match-any)
Class-id : 0x639
Match any
Action : drop log
Parameter-map : Default

R1#

<190>351: *Sep 9 09:13:16: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(in-out:basic):Start udp session: initiator (192.168.100.50:53845) -- responder (8.8.8.8:53) 192.168.100.1 09/09 09:13:22.664
<190>352: *Sep 9 09:13:19: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(in-out:basic):Start udp session: initiator (192.168.100.50:53845) -- responder (1.1.1.1:53) 192.168.100.1 09/09 09:13:25.672
<190>353: *Sep 9 09:13:23: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(in-out:basic):Stop udp session: initiator (192.168.100.50:53845) sent 86 bytes -- responder (8.8.8.8:53) sent 0 bytes 192.168.100.1 09/09 09:13:29.365
<190>354: *Sep 9 09:13:23: %FW-6-SESS_AUDIT_TRAIL_START: (target:class)-(in-out:basic):Start udp session: initiator (192.168.100.50:51152) -- responder (8.8.8.8:53) 192.168.100.1 09/09 09:13:29.365
<190>355: *Sep 9 09:13:25: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(in-out:basic):Stop udp session: initiator (192.168.100.50:53845) sent 43 bytes -- responder (1.1.1.1:53) sent 0 bytes 192.168.100.1 09/09 09:13:30.784
<190>356: *Sep 9 09:13:25: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(in-out:basic):Stop udp session: initiator (192.168.100.50:51022) sent 86 bytes -- responder (8.8.8.8:53) sent 0 bytes 192.168.100.1 09/09 09:13:30.784
<190>357: *Sep 9 09:13:25: %FW-6-SESS_AUDIT_TRAIL: (target:class)-(in-out:basic):Stop udp session: initiator (192.168.100.50:51022) sent 215 bytes -- responder (1.1.1.1:53) sent 0 bytes 192.168.100.1 09/09 09:13:30.784

merzroger · ‎09-09-2019

...to add, I just created separate c-map and p-maps and zp's w/ new service-policy so no sharing between policies. Same result except first pkt of a ping now gets logged as DROPPED by the c-map class-default - drop - log. No subsequent pkts get logged. Thanks!

Rob Ingram · ‎09-09-2019

Hi,
I don't see a default route nor NAT configured. Does it work without ZBFW configured?

merzroger · ‎09-09-2019

Default route is picked up fine from DHCP. Route entered in table properly. Can ping anywhere from console. No NAT, never was. First things first. Really just trying to get this thing to pass traffic. My understanding is the 2921 was designed to pass and route traffic without delay. Only stipulation is it will not pass traffic between interfaces on same zone. If you want that you need to configure appropriately and any other things you want to make it do. To begin with it wouldn't pass any traffic until I tried ZFW config to allow that. I'm sure some ACL's would have accomplished that, but been there and done that on ASA's for 15 years. Not going back. So now with ZFW all I can get to pass is inside-to-inside. It seems simple. I'm obviously misunderstanding something. Prolly should've got and ASA. Thanks!

Rob Ingram · ‎09-09-2019

If no nat, how are internal devices going to access the internet?

merzroger · ‎09-10-2019

...this is a router. There is no FWSM. Why would it require NAT to forward pkts? Anyway, tried NAT twice still won't pass traffic. I'll be giving up soon and prolly just get an ASA. Thanks for all the help!

johnd2310 · ‎09-10-2019

Hi,

Do you have cable modem or such in front of your router? Does this device have routes for your LAN networks(192.168.100.0/24 and 192.168.200.0/24)?

Thanks

John

**Please rate posts you find helpful**

merzroger · ‎09-10-2019

DING! Light bulb on. Thanks John! It would seem I've managed to use the same IP as my cable modem 192.168.100.1. That poor router in the middle running RIP must have had it's head spinning. And when I was bypassing it, the cable modem was next hop both with same IP inside and another interface in between. I'm tired and don't have time to mess with it for a few days. It actually worked for about 30 seconds tonight, what fun!, then stopped. No changes. I'm pretty sure this is why and that would explain what I'm seeing in the logs. Thanks again John!