cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1161
Views
5
Helpful
5
Replies
Ryconnection
Beginner

Acls not working in ZBF

Hello, all! First-time post!

I'm having problems with a lab. My network is 192.168.3.0. I'm supposed to block pings and tcp connections from specific networks (in this case, the 10.1.1.0 and 10.2.2.0 networks), and allow icmp and http in from the 192.168.1.0 network. At this point, with my current cli config, pings from the 10.1.1.0 network are blocked if my class-maps are set up as "match protocol icmp", but as soon as I match the access-group to the acls, the pings get through. What am I doing wrong? Here's my config:

hostname R3

!

!

class-map type inspect match-all OUTBOUND_TRAFFIC

match access-group 102

class-map type inspect match-all INBOUND-TRAFFIC

match access-group 101

!

policy-map type inspect PM_OUTBOUND-TRAFFIC

class type inspect OUTBOUND_TRAFFIC

  drop

!

policy-map type inspect PM_INBOUND_TRAFFIC

class type inspect INBOUND-TRAFFIC

  drop

!

!

!

zone security OUTSIDE

zone security INSIDE

zone-pair security INSIDEtoOUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect PM_OUTBOUND-TRAFFIC

zone-pair security OUTSIDEtoINSIDE source OUTSIDE destination INSIDE

service-policy type inspect PM_INBOUND_TRAFFIC

!

interface FastEthernet0/0

bandwidth 256

ip address 10.2.2.1 255.255.255.0

zone-member security OUTSIDE

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

bandwidth 256

ip address 192.168.3.1 255.255.255.0

zone-member security INSIDE

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router eigrp 1

network 192.168.3.0

network 10.0.0.0

auto-summary

!

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static 192.168.3.3 192.168.3.3

ip classless

!

!

access-list 101 deny ip any any

access-list 101 deny icmp any any echo

access-list 101 deny icmp any any echo-reply

access-list 102 deny ip any any

access-list 102 deny icmp any any echo

access-list 102 deny icmp any any echo-reply

!

!

!

!

!

line con 0

line vty 0 4

login

!

!

!

end

Thank you very much for your help!

Ryan

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

No I mean that by default 2 interfaces in different zones won't be able to communicate unless there is a service-policy with an inspect action from one zone to another or 2 service-policy with a pass action each applied to zone A to zone B and zone B to zone A.

Now if you want to use an ACL in a class-map, you must use the permit statement in your ACL because this ACL is for matching traffic not filtering it. The filtering is done either with a drop action in a policy-map for a class or implicitly if ther is no policy.

So in your case  if we suppose the 10.1.1.0 , 10.2.2.0 , 192.168.1.0 networks are on the outside zone

and you want to block  pings from 2 first network you should do something like this:

access-list 100 permit icmp 10.1.1.0 0.0.0.255 any

access-list 100 permit icmp 10.2.2.0 0.0.0.255 any

class-map type inspect test

match access-group 100

policy-map type inspect test

class type inspect test

drop

zone-pair security out_in source outside destination inside

service-policy type inspect test

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

5 REPLIES 5
cadet alain
Mentor

Hi,

in ZBF the ACL must  have a permit statement as it is used to match the traffic  not to filter it( which would be the case if you applied the ACL to an interface as a traffic filter with the ip access-group command).

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thank you for your reply! The lab instructions explicitly say that I can't assign ACLs to interfaces, and only use a ZBF. Are you saying that I can use the ip access-group command, create the required "deny" ACLs, then associate it?

Hi,

No I mean that by default 2 interfaces in different zones won't be able to communicate unless there is a service-policy with an inspect action from one zone to another or 2 service-policy with a pass action each applied to zone A to zone B and zone B to zone A.

Now if you want to use an ACL in a class-map, you must use the permit statement in your ACL because this ACL is for matching traffic not filtering it. The filtering is done either with a drop action in a policy-map for a class or implicitly if ther is no policy.

So in your case  if we suppose the 10.1.1.0 , 10.2.2.0 , 192.168.1.0 networks are on the outside zone

and you want to block  pings from 2 first network you should do something like this:

access-list 100 permit icmp 10.1.1.0 0.0.0.255 any

access-list 100 permit icmp 10.2.2.0 0.0.0.255 any

class-map type inspect test

match access-group 100

policy-map type inspect test

class type inspect test

drop

zone-pair security out_in source outside destination inside

service-policy type inspect test

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thank you. I'll try that and post my results.

Sincerely,

Ryan

Thank you so much, Alain. It's working properly. I have the 10.1.1.0 and 10.2.2.0 networks blocked (thanks to your information), then I added ACLS allowing the 192.168.1.0 network http and icmp (after I figured out that I couldn't use multiple service policies, but I COULD add multiple class types), and finally I effectively blocked off all other traffic with the "inspect class-default/drop" class type. Here's my final config:

hostname R3

!

!

!

enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

!

!

!

!

!

!

username cisco password 7 0822455D0A16

!

!

!

!

!

ip ssh version 1

no ip domain-lookup

ip domain-name class.com

!

!

!

class-map type inspect match-all OUTBOUND_TRAFFIC

match access-group 102

class-map type inspect match-all INBOUND-TRAFFIC

match access-group 101

class-map type inspect match-any ALLOWED_OUTBOUND_TRAFFIC

match access-group 103

class-map type inspect match-any ALLOWED_INBOUND-TRAFFIC

match access-group 104

!

policy-map type inspect PM_OUTBOUND-TRAFFIC

class type inspect OUTBOUND_TRAFFIC

  drop

class type inspect ALLOWED_OUTBOUND_TRAFFIC

  pass

class type inspect class-default

  drop

!

policy-map type inspect PM_INBOUND_TRAFFIC

class type inspect INBOUND-TRAFFIC

  drop

class type inspect ALLOWED_INBOUND-TRAFFIC

  pass

class type inspect class-default

  drop

!

!

!

zone security OUTSIDE

zone security INSIDE

zone-pair security INSIDEtoOUTSIDE source INSIDE destination OUTSIDE

service-policy type inspect PM_OUTBOUND-TRAFFIC

zone-pair security OUTSIDEtoINSIDE source OUTSIDE destination INSIDE

service-policy type inspect PM_INBOUND_TRAFFIC

!

interface FastEthernet0/0

bandwidth 256

ip address 10.2.2.1 255.255.255.0

zone-member security OUTSIDE

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

bandwidth 256

ip address 192.168.3.1 255.255.255.0

zone-member security INSIDE

ip nat inside

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router eigrp 1

network 192.168.3.0

network 10.0.0.0

auto-summary

!

ip nat inside source list 1 interface FastEthernet0/0 overload

ip nat inside source static 192.168.3.3 192.168.3.3

ip classless

!

!

access-list 101 permit ip 10.1.1.0 0.0.0.3 any

access-list 101 permit icmp 10.1.1.0 0.0.0.3 any echo

access-list 101 permit icmp 10.1.1.0 0.0.0.3 any echo-reply

access-list 101 permit ip 10.2.2.0 0.0.0.3 any

access-list 101 permit icmp 10.2.2.0 0.0.0.3 any echo

access-list 101 permit icmp 10.2.2.0 0.0.0.3 any echo-reply

access-list 101 permit ip 169.254.0.0 0.1.255.255 any

access-list 101 permit icmp 169.254.0.0 0.1.255.255 any echo

access-list 101 permit icmp 169.254.0.0 0.1.255.255 any echo-reply

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 permit icmp 127.0.0.0 0.255.255.255 any echo

access-list 101 permit icmp 127.0.0.0 0.255.255.255 any echo-reply

access-list 102 permit ip any 10.1.1.0 0.0.0.3

access-list 102 permit icmp any 10.1.1.0 0.0.0.3 echo

access-list 102 permit icmp any 10.1.1.0 0.0.0.3 echo-reply

access-list 102 permit ip any 10.2.2.0 0.0.0.3

access-list 102 permit icmp any 10.2.2.0 0.0.0.3 echo

access-list 102 permit icmp any 10.2.2.0 0.0.0.3 echo-reply

access-list 102 permit ip any 169.254.0.0 0.1.255.255

access-list 102 permit icmp any 169.254.0.0 0.1.255.255 echo

access-list 102 permit icmp any 169.254.0.0 0.1.255.255 echo-reply

access-list 102 permit ip any 127.0.0.0 0.255.255.255

access-list 102 permit icmp any 127.0.0.0 0.255.255.255 echo

access-list 102 permit icmp any 127.0.0.0 0.255.255.255 echo-reply

access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq www

access-list 103 permit icmp any 192.168.1.0 0.0.0.255 echo

access-list 103 permit icmp any 192.168.1.0 0.0.0.255 echo-reply

access-list 103 permit eigrp any any

access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq www

access-list 104 permit icmp 192.168.1.0 0.0.0.255 any echo

access-list 104 permit icmp 192.168.1.0 0.0.0.255 any echo-reply

access-list 104 permit eigrp any any

!

no cdp run

!

!

!

!

!

line con 0

line vty 0 4

login local

transport input ssh

!

!

!

end

Thanks again, you couldnt've been any more helpful!

Ryan

Create
Recognize Your Peers
Content for Community-Ad