03-21-2013 03:24 AM - edited 03-11-2019 06:17 PM
I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems).
I need to be able to access a device on the DMZ via its external IP, so I have designed NAT to use IP NAT Enable commands. This is now working fine for me. However, since utilising IP NAT Enable, my zone firewall now denies return TCP/UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather because they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside.
I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface.
My firewall is simple:
inside to outside - inspect tcp, udp and icmp
outside to inside - drop all traffic except some specifically defined ports
outside to SELF - drop all traffic except management ports (ssh etc)
SELF to outside - no policy: permit all traffic so that inspection is not required (the firewall was set up at a time when self-to-outside inspection was not working due to a bug)
Here is my configuration:
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CG-2911
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 4 OmFIbRBJhBai/2o.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name yourdomain.com
no ipv6 cef
!
parameter-map type ooo global
tcp reassembly queue length 64
multilink bundle-name authenticated
!
!
!
object-group network SIP-TIPICALL-NETS
host 194.110.241.122
host 81.3.68.42
!
object-group service TELEWORKER-INBOUND
description Ports required opened to Teleworker DMZ from Internet
tcp eq 3300
udp range 20000 23000
tcp eq 2114
tcp eq 2116
tcp range 6801 6802
tcp eq 3998
tcp eq 6880
tcp eq 37000
tcp eq 35000
tcp eq www
tcp eq 443
!
vtp mode transparent
username admin privilege 15 secret 4 OmFIbRbCOARHxaBJhBai/2o.
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
lldp run
!
class-map type inspect match-any PING
match protocol icmp
class-map type inspect match-any DEF-VOICE-INSP
match protocol h323
match protocol sip
class-map type inspect match-all ALLOW-SIP-ITSP-IN
match protocol sip
match access-group name ALLOW-TIPICALL-ITSP
class-map type inspect match-any GRE-INSPECT
match access-group name GRE
class-map type inspect match-any DEFAULT-INSPECT
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any SDM-ESP
match access-group name SDM-ESP
class-map type inspect match-any OFFICE-MGMT
match protocol icmp
match protocol ssh
match protocol https
class-map type inspect match-any NTP
match protocol ntp
class-map type inspect match-any TELEWORKER-PORTS
match access-group name TELEWORKER-INBOUND-PORTS
class-map type inspect match-all MGMT-TO-SELF
match class-map OFFICE-MGMT
match access-group name CS-SUPPORT-NETS
class-map type inspect match-any VPN-PROTOCOLS
match protocol isakmp
match protocol ipsec-msft
match class-map SDM-ESP
class-map type inspect match-all TELEWORKER-IN
match access-group name TELEWORKER-DMZ
match class-map TELEWORKER-PORTS
class-map type inspect match-all ALLOW-NTP
match class-map NTP
match access-group name NTP
!
policy-map type inspect GUEST-OUTSIDE
class type inspect DEFAULT-INSPECT
inspect
class class-default
pass
policy-map type inspect INSPECT-OUTBOUND
class type inspect DEFAULT-INSPECT
inspect
class type inspect DEF-VOICE-INSP
inspect
class class-default
pass
policy-map type inspect OUT-SELFBOUND
class type inspect PING
pass
class type inspect MGMT-TO-SELF
pass
class type inspect ALLOW-NTP
pass
class type inspect VPN-PROTOCOLS
pass
class class-default
drop log
policy-map type inspect OUTSIDE-GUEST
class class-default
drop log
policy-map type inspect INSPECT-INBOUND
class type inspect GRE-INSPECT
pass
class type inspect ALLOW-SIP-ITSP-IN
inspect
class type inspect TELEWORKER-IN
inspect
class class-default
drop log
!
zone security OUTSIDE
zone security INSIDE
zone security GUEST
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSPECT-OUTBOUND
zone-pair security OUTSIDE-IN source OUTSIDE destination INSIDE
service-policy type inspect INSPECT-INBOUND
zone-pair security OUT-SELF source OUTSIDE destination self
service-policy type inspect OUT-SELFBOUND
zone-pair security GUEST-OUTSIDE source GUEST destination OUTSIDE
service-policy type inspect GUEST-OUTSIDE
zone-pair security OUTSIDE-GUEST source OUTSIDE destination GUEST
service-policy type inspect OUTSIDE-GUEST
!
!
!
interface Loopback0
description Loopback Interface for OSPF process
ip address 172.22.255.127 255.255.255.255
no ip redirects
no ip unreachables
ip flow ingress
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN facing Internet 10MB Auto link
ip address 217.0.32.83 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat enable
ip virtual-reassembly in max-reassemblies 256
zone-member security OUTSIDE
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description LAN facing interface$FW_INSIDE$$ETH-LAN$
ip address 172.23.131.252 255.255.255.0
ip helper-address 172.23.128.31
ip helper-address 172.23.128.32
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
zone-member security INSIDE
ip ospf message-digest-key 1 md5 7 130647
ip ospf hello-interval 1
ip ospf cost 20
standby 131 ip 172.23.131.254
standby 131 timers 1 4
standby 131 priority 90
standby 131 preempt delay minimum 60 reload 60
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.441
description Office DMZ interface
encapsulation dot1Q 441
ip address 172.23.141.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat enable
zone-member security INSIDE
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
!
router ospf 1
passive-interface default
no passive-interface GigabitEthernet0/1
no passive-interface Tunnel438
no passive-interface Tunnel439
network 172.23.131.0 0.0.0.255 area 0
network 172.23.132.0 0.0.0.255 area 0
network 172.23.138.0 0.0.0.255 area 0
network 172.23.139.0 0.0.0.255 area 0
network 172.23.140.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
ip http server
ip http access-class 80
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source static tcp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat source static udp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat source route-map NAT-MAP interface GigabitEthernet0/0 overload
ip nat source static 8.6.6.7 172.23.128.31
ip nat source static 208.8.8.220 172.23.128.32
ip nat source static 172.23.141.241 217.0.32.84
ip route 0.0.0.0 0.0.0.0 217.0.32.81
!
ip access-list standard VTY-ACCESS
permit 192.168.250.0 0.0.1.255
permit 172.23.32.0 0.0.0.255
permit 172.23.131.0 0.0.0.255
!
ip access-list extended ALLOW-TIPICALL-ITSP
permit ip object-group SIP-TIPICALL-NETS host 172.23.132.240
ip access-list extended CS-NETS
permit ip host 80.8.8.8 any
ip access-list extended GRE
permit gre any any
ip access-list extended NAT
permit ip 172.23.128.0 0.0.15.255 any
ip access-list extended NTP
permit ip host 130.88.
ip access-list extended SDM-ESP
permit esp any any
ip access-list extended TELEWORKER-DMZ
permit ip any host 172.23.141.241
ip access-list extended TELEWORKER-INBOUND-PORTS
permit object-group TELEWORKER-INBOUND any any
!
access-list 80 permit 172.23.32.0 0.0.0.255
access-list 80 permit 172.23.128.0 0.0.15.255
access-list 80 permit 192.168.250.0 0.0.1.255
!
route-map NAT-MAP permit 100
match ip address NAT
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class VTY-ACCESS in
privilege level 15
transport input telnet ssh
line vty 5 1114
access-class VTY-ACCESS in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 130.88.
!
end
03-25-2013 04:38 AM
Hi
it seems that you are hitting this bug CSCsh12490 (Zone Firewall and NVI NAT do not interoperate)
Regards,
Mohammad
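The bug Mohammad names means the fix is to move off NVI NAT (`ip nat enable` on the interfaces and `ip nat source ...` rules) and back to domain-based NAT, which the zone firewall does interoperate with: the two LAN-side interfaces become `ip nat inside`, the WAN interface becomes `ip nat outside`, and every `ip nat source` line becomes `ip nat inside source`. With domain NAT the router reverses the translation on a returning packet before it is routed and classified, so the packet is delivered to an INSIDE-zone interface and matched against the existing inspect session on the OUTSIDE-IN zone-pair rather than falling into OUT-SELF. The fragment below is an added example, not part of the original thread; it reuses the interface names, addresses, route-map and ACL from the posted configuration and carries over the overload, SIP and DMZ static translations. The two static entries for 8.6.6.7 and 208.8.8.220 are deliberately left out, because converting them to domain NAT requires knowing which NAT domain each address belongs to and the post does not say.

```ios
! Before (as posted): NVI NAT, which CSCsh12490 says does not interoperate with ZBF
!   interface GigabitEthernet0/0
!    ip nat enable
!   interface GigabitEthernet0/1
!    ip nat enable
!   interface GigabitEthernet0/1.441
!    ip nat enable
!   ip nat source route-map NAT-MAP interface GigabitEthernet0/0 overload
!   ip nat source static 172.23.141.241 217.0.32.84
!
! After: domain-based NAT carrying the same translations.
! Clear live translations first, or IOS refuses to remove rules that are in use:
!   clear ip nat translation *
!
interface GigabitEthernet0/0
 description WAN facing Internet 10MB Auto link
 no ip nat enable
 ip nat outside
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN facing interface
 no ip nat enable
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1.441
 description Office DMZ interface
 no ip nat enable
 ip nat inside
 zone-member security INSIDE
!
! Remove the NVI translation rules ...
no ip nat source static tcp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
no ip nat source static udp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
no ip nat source route-map NAT-MAP interface GigabitEthernet0/0 overload
no ip nat source static 172.23.141.241 217.0.32.84
!
! ... and re-add them as inside-source rules (same local/global pairs)
ip nat inside source static tcp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat inside source static udp 172.23.132.240 5060 interface GigabitEthernet0/0 5060
ip nat inside source route-map NAT-MAP interface GigabitEthernet0/0 overload
ip nat inside source static 172.23.141.241 217.0.32.84
!
! Route-map and ACL driving the overload rule are unchanged from the post
ip access-list extended NAT
 permit ip 172.23.128.0 0.0.15.255 any
!
route-map NAT-MAP permit 100
 match ip address NAT
```

After the change, confirm that outbound flows are building entries on the correct zone-pair with `show policy-map type inspect zone-pair INSIDE-OUT sessions`, that translations appear in `show ip nat translations`, and that the `%FW-6-DROP_PKT` messages citing zone-pair OUT-SELF stop. One trade-off to be aware of: domain NAT only translates traffic that crosses from an `ip nat inside` interface to an `ip nat outside` interface, so an inside host that connects to the DMZ device's public address 217.0.32.84 will not be hairpinned the way NVI allowed; the usual way around that without NVI is split DNS (internal resolvers answering with 172.23.141.241), which this thread does not cover.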