10-14-2012 10:16 AM - edited 03-12-2019 06:04 PM
Hello, all! First-time post!
I'm having problems with a lab. My network is 192.168.3.0. I'm supposed to block pings and TCP connections from specific networks (in this case, the 10.1.1.0 and 10.2.2.0 networks), and allow ICMP and HTTP in from the 192.168.1.0 network. At this point, with my current CLI config, pings from the 10.1.1.0 network are blocked if my class-maps are set up as "match protocol icmp", but as soon as I match the access-group to the ACLs, the pings get through. What am I doing wrong? Here's my config:
hostname R3
!
!
class-map type inspect match-all OUTBOUND_TRAFFIC
match access-group 102
class-map type inspect match-all INBOUND-TRAFFIC
match access-group 101
!
policy-map type inspect PM_OUTBOUND-TRAFFIC
class type inspect OUTBOUND_TRAFFIC
drop
!
policy-map type inspect PM_INBOUND_TRAFFIC
class type inspect INBOUND-TRAFFIC
drop
!
!
!
zone security OUTSIDE
zone security INSIDE
zone-pair security INSIDEtoOUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PM_OUTBOUND-TRAFFIC
zone-pair security OUTSIDEtoINSIDE source OUTSIDE destination INSIDE
service-policy type inspect PM_INBOUND_TRAFFIC
!
interface FastEthernet0/0
bandwidth 256
ip address 10.2.2.1 255.255.255.0
zone-member security OUTSIDE
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
bandwidth 256
ip address 192.168.3.1 255.255.255.0
zone-member security INSIDE
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.3.0
network 10.0.0.0
auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.3.3 192.168.3.3
ip classless
!
!
access-list 101 deny ip any any
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
access-list 102 deny ip any any
access-list 102 deny icmp any any echo
access-list 102 deny icmp any any echo-reply
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
Thank you very much for your help!
Ryan
10-14-2012 11:26 AM
Hi,
In ZBF the ACL must have a permit statement, as it is used to match the traffic, not to filter it (which would be the case if you applied the ACL to an interface as a traffic filter with the ip access-group command).
Regards.
Alain
Don't forget to rate helpful posts.
10-14-2012 12:15 PM
Thank you for your reply! The lab instructions explicitly say that I can't assign ACLs to interfaces, and only use a ZBF. Are you saying that I can use the ip access-group command, create the required "deny" ACLs, then associate it?
10-14-2012 12:40 PM
Hi,
No, I mean that by default two interfaces in different zones won't be able to communicate unless there is a service-policy with an inspect action from one zone to another, or two service-policies with a pass action, each applied to zone A to zone B and zone B to zone A.
Now, if you want to use an ACL in a class-map, you must use the permit statement in your ACL, because this ACL is for matching traffic, not filtering it. The filtering is done either with a drop action in a policy-map for a class, or implicitly if there is no policy.
So in your case, if we suppose the 10.1.1.0, 10.2.2.0 and 192.168.1.0 networks are on the outside zone
and you want to block pings from the first two networks, you should do something like this:
access-list 100 permit icmp 10.1.1.0 0.0.0.255 any
access-list 100 permit icmp 10.2.2.0 0.0.0.255 any
class-map type inspect test
match access-group 100
policy-map type inspect test
class type inspect test
drop
zone-pair security out_in source outside destination inside
service-policy type inspect test
Regards.
Alain
Don't forget to rate helpful posts.
10-14-2012 01:21 PM
Thank you. I'll try that and post my results.
Sincerely,
Ryan
10-14-2012 05:47 PM
Thank you so much, Alain. It's working properly. I have the 10.1.1.0 and 10.2.2.0 networks blocked (thanks to your information), then I added ACLs allowing the 192.168.1.0 network HTTP and ICMP (after I figured out that I couldn't use multiple service policies, but I COULD add multiple class types), and finally I effectively blocked off all other traffic with the "inspect class-default/drop" class type. Here's my final config:
hostname R3
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
username cisco password 7 0822455D0A16
!
!
!
!
!
ip ssh version 1
no ip domain-lookup
ip domain-name class.com
!
!
!
class-map type inspect match-all OUTBOUND_TRAFFIC
match access-group 102
class-map type inspect match-all INBOUND-TRAFFIC
match access-group 101
class-map type inspect match-any ALLOWED_OUTBOUND_TRAFFIC
match access-group 103
class-map type inspect match-any ALLOWED_INBOUND-TRAFFIC
match access-group 104
!
policy-map type inspect PM_OUTBOUND-TRAFFIC
class type inspect OUTBOUND_TRAFFIC
drop
class type inspect ALLOWED_OUTBOUND_TRAFFIC
pass
class type inspect class-default
drop
!
policy-map type inspect PM_INBOUND_TRAFFIC
class type inspect INBOUND-TRAFFIC
drop
class type inspect ALLOWED_INBOUND-TRAFFIC
pass
class type inspect class-default
drop
!
!
!
zone security OUTSIDE
zone security INSIDE
zone-pair security INSIDEtoOUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PM_OUTBOUND-TRAFFIC
zone-pair security OUTSIDEtoINSIDE source OUTSIDE destination INSIDE
service-policy type inspect PM_INBOUND_TRAFFIC
!
interface FastEthernet0/0
bandwidth 256
ip address 10.2.2.1 255.255.255.0
zone-member security OUTSIDE
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
bandwidth 256
ip address 192.168.3.1 255.255.255.0
zone-member security INSIDE
ip nat inside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 1
network 192.168.3.0
network 10.0.0.0
auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.3.3 192.168.3.3
ip classless
!
!
access-list 101 permit ip 10.1.1.0 0.0.0.3 any
access-list 101 permit icmp 10.1.1.0 0.0.0.3 any echo
access-list 101 permit icmp 10.1.1.0 0.0.0.3 any echo-reply
access-list 101 permit ip 10.2.2.0 0.0.0.3 any
access-list 101 permit icmp 10.2.2.0 0.0.0.3 any echo
access-list 101 permit icmp 10.2.2.0 0.0.0.3 any echo-reply
access-list 101 permit ip 169.254.0.0 0.1.255.255 any
access-list 101 permit icmp 169.254.0.0 0.1.255.255 any echo
access-list 101 permit icmp 169.254.0.0 0.1.255.255 any echo-reply
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp 127.0.0.0 0.255.255.255 any echo
access-list 101 permit icmp 127.0.0.0 0.255.255.255 any echo-reply
access-list 102 permit ip any 10.1.1.0 0.0.0.3
access-list 102 permit icmp any 10.1.1.0 0.0.0.3 echo
access-list 102 permit icmp any 10.1.1.0 0.0.0.3 echo-reply
access-list 102 permit ip any 10.2.2.0 0.0.0.3
access-list 102 permit icmp any 10.2.2.0 0.0.0.3 echo
access-list 102 permit icmp any 10.2.2.0 0.0.0.3 echo-reply
access-list 102 permit ip any 169.254.0.0 0.1.255.255
access-list 102 permit icmp any 169.254.0.0 0.1.255.255 echo
access-list 102 permit icmp any 169.254.0.0 0.1.255.255 echo-reply
access-list 102 permit ip any 127.0.0.0 0.255.255.255
access-list 102 permit icmp any 127.0.0.0 0.255.255.255 echo
access-list 102 permit icmp any 127.0.0.0 0.255.255.255 echo-reply
access-list 103 permit tcp any 192.168.1.0 0.0.0.255 eq www
access-list 103 permit icmp any 192.168.1.0 0.0.0.255 echo
access-list 103 permit icmp any 192.168.1.0 0.0.0.255 echo-reply
access-list 103 permit eigrp any any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 104 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 104 permit icmp 192.168.1.0 0.0.0.255 any echo-reply
access-list 104 permit eigrp any any
!
no cdp run
!
!
!
!
!
line con 0
line vty 0 4
login local
transport input ssh
!
!
!
end
Thanks again, you couldn't have been any more helpful!
Ryan
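The rule Alain gives in his 12:40 PM reply (an ACL referenced by `match access-group` selects traffic, so only permit lines can make a class match, and the discard comes from the policy-map's drop action or from the implicit class-default) and the ordered drop/pass/class-default classes in Ryan's final config, worked through as a small Python model. This is an added example, not code from the thread or from Cisco: it models only ACL matching, match-all/match-any class-maps and first-match class ordering, with no stateful inspection, NAT or routing. The ACL lines are copied from the posts; the packet addresses (10.1.1.2, 10.1.1.200, 192.168.1.10, 192.168.3.3) are constructed for the demonstration.

```python
"""Model of how a Cisco IOS Zone-Based Firewall (ZBF) classifies one packet.

Added example, not code from the thread or from Cisco. It covers only what the
thread discusses: extended ACLs used by `match access-group`, match-all and
match-any class-maps, ordered classes in a `type inspect` policy-map and the
implicit class-default drop. ACL text is copied from the posts; packet
addresses are constructed.
"""
from collections import namedtuple
from ipaddress import IPv4Address

Packet = namedtuple("Packet", "src dst proto dport icmp_type", defaults=(None, None))
Ace = namedtuple("Ace", "action proto src src_wild dst dst_wild dport icmp_type")

def _wild_match(addr, base, wild):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def _addr(tok, i):
    """Parse 'any' or 'ADDR WILDCARD' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tok[i], tok[i + 1], i + 2

def parse_acls(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]' lines
    into {number: [Ace, ...]} (only the syntax the thread uses)."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        num, action, proto = int(tok[1]), tok[2], tok[3]
        src, sw, i = _addr(tok, 4)
        dst, dw, i = _addr(tok, i)
        rest, dport, icmp_type = tok[i:], None, None
        if rest[:1] == ["eq"]:
            dport = 80 if rest[1] == "www" else int(rest[1])
        elif rest:
            icmp_type = rest[0]
        acls.setdefault(num, []).append(Ace(action, proto, src, sw, dst, dw, dport, icmp_type))
    return acls

def ace_matches(ace, p):
    # Protocol 'ip' matches everything; port / ICMP type are checked only when given.
    if ace.proto not in ("ip", p.proto):
        return False
    if not (_wild_match(p.src, ace.src, ace.src_wild) and _wild_match(p.dst, ace.dst, ace.dst_wild)):
        return False
    if ace.dport is not None and ace.dport != p.dport:
        return False
    return ace.icmp_type is None or ace.icmp_type == p.icmp_type

def acl_permits(acl, p):
    """First hit wins, implicit deny at the end. Inside a class-map only a permit
    hit means 'this class matches'; a deny line selects nothing."""
    for ace in acl:
        if ace_matches(ace, p):
            return ace.action == "permit"
    return False

def class_matches(acls, p, match_all=True):
    # One ACL per `match access-group`; match-all needs every ACL, match-any needs one.
    hits = [acl_permits(a, p) for a in acls]
    return all(hits) if match_all else any(hits)

def decide(policy, p):
    """policy = ordered [(class name, [acls], match_all, action)]. The first matching
    class decides; anything else hits the implicit class-default, which drops."""
    for name, acls, match_all, action in policy:
        if class_matches(acls, p, match_all):
            return name, action
    return "class-default", "drop"

# Ryan's first attempt: a deny-only ACL, so INBOUND-TRAFFIC can never match.
FIRST_ACL = """
access-list 101 deny ip any any
access-list 101 deny icmp any any echo
access-list 101 deny icmp any any echo-reply
"""
# Alain's fix: permit lines select the pings, the policy-map's drop discards them.
ALAIN_ACL = """
access-list 100 permit icmp 10.1.1.0 0.0.0.255 any
access-list 100 permit icmp 10.2.2.0 0.0.0.255 any
"""
# Representative lines of Ryan's final ACL 101 (blocked sources) and 104 (allowed).
FINAL_ACL = """
access-list 101 permit ip 10.1.1.0 0.0.0.3 any
access-list 101 permit ip 10.2.2.0 0.0.0.3 any
access-list 104 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 104 permit icmp 192.168.1.0 0.0.0.255 any echo
access-list 104 permit eigrp any any
"""

def policies():
    """The three OUTSIDE->INSIDE policy-maps discussed in the thread, in order."""
    f, al, fi = parse_acls(FIRST_ACL), parse_acls(ALAIN_ACL), parse_acls(FINAL_ACL)
    return {
        "first": [("INBOUND-TRAFFIC", [f[101]], True, "drop")],
        "alain": [("test", [al[100]], True, "drop")],
        "final": [("INBOUND-TRAFFIC", [fi[101]], True, "drop"),
                  ("ALLOWED_INBOUND-TRAFFIC", [fi[104]], False, "pass")],
    }

PING_FROM_10 = Packet("10.1.1.2", "192.168.3.3", "icmp", icmp_type="echo")  # constructed
```

Two things the model makes visible. With the deny-only ACL 101, `class_matches` is false for every packet, so the named drop class never acts and every decision falls to class-default; on a real router the per-class counters in `show policy-map type inspect zone-pair` would show that class at zero. In the final config the 0.0.0.3 wildcard on ACL 101 covers only 10.1.1.0 to 10.1.1.3, so a ping from 10.1.1.200 is still discarded, but by class-default rather than by INBOUND-TRAFFIC; if the whole /24 is meant, the wildcard would need to be 0.0.0.255 as in Alain's example.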