Zone Firewall and ACLs

sergo777
Level 1

Hi Everybody

I have some problems with new ISR devices (like 4221, 4451 etc.). A bunch of old routers use the same configuration with simple CBAC (ip inspect xxx) and an incoming ACL on the external interface (permit SSH from a specific network, anti-spoofing, VPN and deny any), very simple.

But this configuration doesn't work with ISRs. I created a Zone FW and assigned zones, but my old ACL blocks all HTTP traffic (maybe something else too, but it's very easy to see it in HTTP). When I removed it, everything works fine, but I cannot open SSH only for specific addresses; I don't know why, but it doesn't work with ZBF.

Not sure whether ZBF sits before or after NAT... maybe this is the issue.

thanks


7 Replies

Hi,
Without seeing your configuration I wouldn't be able to identify the exact issue... but you would reference the real (private) IP address in the ZBFW ACLs. Also, if you were referring to connecting to the local router itself via SSH, then the zone would be "self" rather than outside.

Upload your configuration and some debugs if you'd like some further pointers.
HTH

Yes sure! This is my config... I think part of it is wrong, I just tried to play with zones...

And the last part is my access list; when I add it to interface Cell 0/1/0, HTTP traffic is blocked... I tried to use it in the class-map, but in this case it doesn't work at all.


class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
match protocol router
!
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop

policy-map type inspect OUTSIDE_IN_POLICY
class type inspect OUTSIDE_IN_CLASS
drop
class class-default
!
zone security INSIDE
zone security OUTSIDE

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect Trusted_to_Internet
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_IN_POLICY
--------------------------------


interface Cellular0/1/0
description TELUS-LTE
ip address negotiated
ip nat outside
ip access-group OUTSIDE_IN in
zone-member security OUTSIDE
dialer in-band
dialer-group 1
pulse-time 1

------------------------------

interface GigabitEthernet0/0/1
description INTERNAL
ip address 10.1.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
negotiation auto
--------------------------------

ip access-list extended INTERNET_IN
permit icmp any any echo
permit udp host 8.8.8.8 eq domain any
permit udp any any eq ntp
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp (my network) 0.0.0.7 any eq 22 443
deny ip any any

Hi,
You shouldn't really mix and match using ZBFW for some zones and then an ACL on the Cell0/1/0 interface. You should make a zone pair from self to outside and another from outside to self. When using zones with the self interface they can only be "pass", not "inspect".

Example (outside to self):-

ip access-list extended ACL_EXTERNAL-TO-SELF-IPSEC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any

ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq telnet
permit tcp any any eq 22


class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-IPSEC
match access-group name ACL_EXTERNAL-TO-SELF-IPSEC

class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-MGMT
match access-group name ACL_EXTERNAL-TO-SELF-MGMT

policy-map type inspect PMAP_EXTERNAL-TO-SELF
class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
pass
class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
pass
class class-default
drop log

zone-pair security EXTERNAL-TO-SELF source OUTSIDE destination self
service-policy type inspect PMAP_EXTERNAL-TO-SELF

Example (self to outside):-

class-map type inspect match-any CMAP_SELF-OUT-ICMP
match protocol icmp

class-map type inspect match-any CMAP_SELF-OUT-ISAKMP
match protocol isakmp

policy-map type inspect PMAP_SELF-OUT
class type inspect CMAP_SELF-OUT-ISAKMP
pass
class type inspect CMAP_SELF-OUT-ICMP
pass
class class-default
drop

zone-pair security self-ext source self destination OUTSIDE
service-policy type inspect PMAP_SELF-OUT


Also you've not included the class-map for OUTSIDE_IN_CLASS, so I can't tell what that's doing.

For testing purposes define a class-default that is last in the policy, that drops and logs traffic, so you can get some hits and determine what is not matching.

HTH
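The pass action in the policies above is stateless, so a class that passes traffic in one zone pair relies on the reverse zone pair passing the return traffic. As an added example (not code from the thread or from Cisco), this small Python checker parses the policy-map and zone-pair structure of a ZBF config and, for every pass class, reports what the reverse zone pair passes; the sample config is constructed from the outside/self example in this reply.

```python
# Added example (not from the thread): find stateless 'pass' classes in a ZBF config.
import re
from collections import defaultdict
# Constructed sample based on the outside<->self example in the thread.
SAMPLE_CONFIG = """
policy-map type inspect PMAP_EXTERNAL-TO-SELF
 class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
  pass
 class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
  pass
 class class-default
  drop log
policy-map type inspect PMAP_SELF-OUT
 class type inspect CMAP_SELF-OUT-ISAKMP
  pass
 class type inspect CMAP_SELF-OUT-ICMP
  pass
 class class-default
  drop
zone-pair security EXTERNAL-TO-SELF source OUTSIDE destination self
 service-policy type inspect PMAP_EXTERNAL-TO-SELF
zone-pair security self-ext source self destination OUTSIDE
 service-policy type inspect PMAP_SELF-OUT
"""

def parse_zbf(config):
    """Return ({policy: [(class, action)]}, {(src_zone, dst_zone): policy})."""
    policies, pairs = defaultdict(list), {}
    policy = pair = cls = None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if (m := re.match(r"policy-map type inspect (\S+)", line)):
            policy, pair, cls = m.group(1), None, None
        elif (m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line)):
            pair, policy = (m.group(1), m.group(2)), None
        elif (m := re.match(r"class (?:type inspect )?(\S+)", line)) and policy:
            cls = m.group(1)
        elif policy and cls and words and words[0] in ("pass", "inspect", "drop"):
            policies[policy].append((cls, words[0]))  # 'drop log' is recorded as 'drop'
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair] = m.group(1)
    return dict(policies), pairs

def stateless_pass_findings(config):
    """'pass' is stateless, so list what the reverse zone-pair passes for each pass class."""
    policies, pairs = parse_zbf(config)
    return [(f"{src}->{dst}", cls, pairs.get((dst, src)),
             [c for c, a in policies.get(pairs.get((dst, src)), []) if a == "pass"])
            for (src, dst), policy in pairs.items()
            for cls, a in policies.get(policy, []) if a == "pass"]
```

Run it over the full running config: a finding whose reverse policy is None, or whose reverse pass list does not cover the return traffic of that class, is where a stateless pass will drop the reply packets.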

Thanks! Trying now.

And here I can change ANY to a network, correct? And allow SSH only from a specific address?

ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq telnet
permit tcp any any eq 22

Of course. You could leave it open to begin with for testing and then restrict it further once you know it's working.

Thanks RJI. Looks like the problem was in the SELF zone. But right now the opposite problem, SSH is locked from outside :)

In your example, when I change PASS to INSPECT, SSH is available

policy-map type inspect PMAP_EXTERNAL-TO-SELF
class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
pass
class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
pass - (I changed this to INSPECT)
class class-default
drop log

--------------------------------------------------

PASS really confused me, it doesn't work in any policy-map... I changed it to INSPECT everywhere...

thanks

Understood!

We need pairs for the router itself and for the internal zone!!!!

Thanks guys!!!