zone-member security Outside drop all the internet access

andresitotubia
Level 1

Hello,

I was looking to put local content filtering on my Cisco 1801 router. I made the configuration, but after I put zone-member security Outside on my WAN interface, all the internet connection dropped.

Can someone give me an idea of what is happening?

Here is my config:

Current configuration : 7679 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname jjinet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 100200
logging console critical
enable secret 5 $1$unp8$i8mCJA/lI5E5qeqY3q8oc/
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -3
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1
ip dhcp excluded-address 192.168.100.2
ip dhcp excluded-address 192.168.100.3
ip dhcp excluded-address 192.168.100.4
ip dhcp excluded-address 192.168.100.5
ip dhcp excluded-address 192.168.100.6
ip dhcp excluded-address 192.168.100.7
ip dhcp excluded-address 192.168.100.8
ip dhcp excluded-address 192.168.100.9
ip dhcp excluded-address 192.168.100.10
!
ip dhcp pool ine
   network 192.168.100.0 255.255.255.0
   dns-server 208.67.220.220 208.67.222.222
   default-router 192.168.100.1
   lease 2
!
!
ip domain name yourdomain.com
ip name-server xxx.xxx.48.233
ip name-server xxx.xxx.191.35
!
multilink bundle-name authenticated
parameter-map type urlfilter bloqueourl
alert off
source-interface FastEthernet0
allow-mode on
exclusive-domain deny www.youtube.com
exclusive-domain deny www.facebook.com
exclusive-domain deny www.twitter.com
exclusive-domain deny .taringa.net
exclusive-domain deny .rapidshare.com
exclusive-domain deny .megaupload.com
exclusive-domain deny .rojadirecta.com
exclusive-domain deny .justin.tv
exclusive-domain deny .rojadirecta.org
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Control
match protocol dns
match protocol icmp
class-map type inspect match-any Web
match protocol http
class-map match-all SecureWeb
match protocol secure-http
class-map type inspect match-all WebSecure
match protocol https
!
!
policy-map type inspect http bloqueourl
policy-map type inspect InsideToOutside
class type inspect Web
  inspect
class type inspect Control
  inspect
class type inspect WebSecure
  inspect
class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security Inside_to_Outside source Inside destination Outside
service-policy type inspect InsideToOutside
!
!
interface FastEthernet0
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
no ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
ip route-cache flow
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
switchport access vlan 100
!
interface FastEthernet6
switchport access vlan 100
!
interface FastEthernet7
switchport access vlan 100
switchport mode trunk
!
interface FastEthernet8
switchport access vlan 100
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Vlan1
description FW_INSIDE
ip address 10.96.50.3 255.255.254.0
ip nat inside
ip virtual-reassembly
zone-member security Inside
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan100
description JJJJJ
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool rdesktop 172.18.1.57 172.18.1.57 netmask 255.255.255.0 type rotary
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside destination list 100 pool rdesktop
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
logging xxx.xxx.xxx.100
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.18.1.0 0.0.0.255
access-list 100 permit tcp any any eq 3389
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 172.18.1.0 0.0.0.255 172.18.2.0 0.0.0.255
access-list 102 permit ip 172.18.1.0 0.0.0.255 any
access-list 102 permit ip 10.96.0.0 0.0.255.255 any
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit icmp 192.168.100.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 190.226.229.56 0.0.0.7 any
access-list 103 permit ip 192.0.0.0 0.255.255.255 any
access-list 103 permit ip 10.96.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip 10.96.50.0 0.0.1.255 any
access-list 105 permit ip 192.168.100.0 0.0.0.255 any
access-list 105 permit icmp any any
snmp-server community as RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
!
end

4 Replies

cadet alain
VIP Alumni

Hi,

I don't see any zone-member security Outside, only zone-member security Inside, and as traffic can't flow between a zone and a non-zone, that's why you are blocking internet traffic.

Regards.

Don't forget to rate helpful posts.
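The zone/non-zone rule in this reply can be checked mechanically. This is an added example (my own, not code from the thread or from Cisco) that parses an IOS running config and reports any zone a zone-pair uses that no interface has joined, plus addressed interfaces that sit in no zone; the sample config is a constructed abbreviation of the one posted, with a documentation-range WAN address standing in for the masked one.

```python
import re

# Constructed sample abbreviated from the running config posted above: zone
# "Outside" is declared and used in the zone-pair, but no interface joins it.
SAMPLE_CONFIG = """\
zone security Inside
zone security Outside
zone-pair security Inside_to_Outside source Inside destination Outside
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 10.96.50.3 255.255.254.0
 zone-member security Inside
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
"""


def audit_zones(config):
    """Report zones a zone-pair uses that no interface joins, and addressed
    interfaces that sit in no zone at all (the 'non-zone' case)."""
    zones, pairs, members, addressed = set(), [], {}, set()
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif not raw.startswith(" "):
            iface = None  # any other top-level command ends interface mode
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m.group(1))
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pairs.append(m.groups())
        elif iface and (m := re.match(r"zone-member security (\S+)", line)):
            members.setdefault(m.group(1), []).append(iface)
        elif iface and line.startswith("ip address "):
            addressed.add(iface)
    findings = []
    for src, dst in pairs:
        for zone in (src, dst):
            if zone not in zones:
                findings.append(f"zone-pair references undefined zone {zone}")
            elif zone not in members:
                findings.append(f"zone {zone} is in a zone-pair but no interface is a member")
    in_zone = {i for ifaces in members.values() for i in ifaces}
    for iface in sorted(addressed - in_zone):
        findings.append(f"{iface} has an IP address but belongs to no zone")
    return findings
```

Run it against the saved output of show running-config; an empty list means every zone-pair has interfaces on both ends and no addressed interface is left outside the firewall.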

I didn't put it in the config, but when I define zone-member security Outside on FastEthernet0, all the internet connection goes down.

Any idea?

Hi,

Put this command in global config: ip inspect log drop-pkt.

Try to go to a website and post the output from the log.

You can also add a log option in class-default.

I think you messed with the filtering; take a look here: http://wiki.nil.com/Local_Content_Filtering_in_Cisco_IOS

Regards.

Don't forget to rate helpful posts.

lcuevas1
Level 1

Hi, do the basic tests again:

  • Check extended ping
  • Traceroute
  • Check Nat Translations table
  • Check Ip route table