11-20-2013 01:30 PM - edited 03-11-2019 08:07 PM
Hello,
I've recently purchased a Cisco 891 and I have it set up at a local office. I'm having some trouble allowing users access to servers and printers across a security zone. I set up two different zones (MGMT, in-zone). The in-zone is where the server and applications are, and the MGMT zone is for office staff.
I've gone through the guides for allowing applications through security zones, but I still cannot seem to get the access through. I've pasted a copy of the config below. Any help is greatly appreciated.
class-map type inspect match-any QBMGMT
match protocol kerberos
match protocol cddbp
match protocol mysql
match protocol dbase
match protocol sql-net
match protocol sqlserv
match protocol sqlsrv
match protocol ftp
match protocol ftps
match protocol kermit
match protocol nfs
match protocol tftp
match protocol uucp
match protocol tcp
match protocol udp
match protocol ddns-v3
match protocol dns
match protocol dnsix
match protocol ldap
match protocol ldap-admin
match protocol ldaps
match protocol netbios-ns
match protocol wins
match protocol icmp
match protocol cifs
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all ccp-cls--1
match class-map QBMGMT
match protocol bootpc
class-map type inspect match-any QB
match protocol kerberos
match protocol cddbp
match protocol dbase
match protocol mysql
match protocol sql-net
match protocol sqlserv
match protocol sqlsrv
match protocol ftp
match protocol ftps
match protocol kermit
match protocol nfs
match protocol tftp
match protocol uucp
match protocol tcp
match protocol udp
match protocol ms-sql-m
match protocol ms-sql
match protocol icmp
match protocol echo
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any MGMT-INSIDE
description MGMT-INSIDE
match access-group name MGMT-inside
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls--1
inspect
class class-default
drop
!
zone security in-zone
zone security out-zone
zone security MGMT
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security MGMT source MGMT destination out-zone
service-policy type inspect ccp-inspect
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description Trunk to Switch
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport access vlan 10
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
switchport access vlan 40
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0
description $FW_OUTSIDE$
ip address x.x.x.x 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan10
description $FW_INSIDE$
ip address 10.9.1.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan20
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
interface Vlan30
description $FW_INSIDE$
ip address 10.9.3.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan40
description $FW_INSIDE$
ip address 10.9.4.250 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security MGMT
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface GMPLS0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
no fair-queue
no keepalive
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 10.9.1.200 3389 interface GigabitEthernet0 3389
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended MGMT-INSIDE
remark MGMT-INSIDE
remark CCP_ACL Category=128
permit ip 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended MGMT-inside
remark MGMT to inside
remark CCP_ACL Category=1
permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.9.4.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.9.1.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.9.4.0 0.0.0.255
access-list 23 permit 10.9.1.0 0.0.0.255 log
access-list 23 permit 10.9.3.0 0.0.0.255 log
access-list 23 permit 10.9.2.0 0.0.0.255 log
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^CThis is a private system. Unauthorized access to this system may result in criminal or civil prosecution^C
!
line con 0
login authentication local_authen
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
! 4000 1000
scheduler interval 500
end
11-24-2013 09:01 AM
When configuring ZBF you need to remember that traffic traverses between zone-pairs and you need to allow traffic in both directions for connectivity. If you only allow it in one direction the return traffic will be dropped.
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security MGMT source MGMT destination out-zone
service-policy type inspect ccp-inspect
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
Here you have configured a zone-pair for MGMT to the in-zone, yet you have not specified a policy that it will use for inspection to allow...or drop...traffic.
You also don't have a zone-pair from the in-zone to the MGMT zone. Add those two in and your traffic should start to flow between the two zones.
The config should look something like the following. If you need to be even more restrictive with what is allowed you would need to create a new class-map to match traffic as well as a policy map which will define actions to take on the traffic matched by the class map.
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
service-policy type inspect ccp-inspect
zone-pair security INSIDE-TO-MGMT source in-zone destination MGMT
service-policy type inspect ccp-inspect
--
Please rate all helpful posts
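The more restrictive variant the answer describes (a dedicated class-map plus a policy-map per direction, instead of reusing the broad ccp-inspect policy), written out here as an added example; it is neither the original poster's nor the answerer's config. It assumes the addressing from the posted config (staff on 10.9.4.0/24 in the MGMT zone, servers and printers on 10.9.1.0/24 in in-zone) and a hypothetical service list (SMB, RDP, raw-port and IPP printing, DNS, ping); the ACL, class-map and policy-map names are chosen for this example. Because the inspect action is stateful, replies to sessions opened from MGMT are matched to the existing session and need no rule on the reverse zone-pair; the INSIDE-TO-MGMT pair only has to permit connections the server side itself initiates toward staff, so it is kept narrower.

```cisco
! Added example; not the poster's or the answerer's configuration.
! Assumed: staff 10.9.4.0/24 (Vlan40, zone MGMT), servers/printers 10.9.1.0/24
! (Vlan10, zone in-zone). Service list below is an assumption; adjust to yours.
!
! Generic L4 class used with match-all so the ACL defines what is inspected.
class-map type inspect match-any L4-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Staff -> servers/printers: only the services staff actually use.
ip access-list extended MGMT-TO-SERVERS
 remark example service list: SMB, RDP, raw-port print, IPP, DNS, ping
 permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 eq 445
 permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 eq 3389
 permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 eq 9100
 permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 eq 631
 permit udp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 eq domain
 permit icmp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255 echo
!
class-map type inspect match-all MGMT-TO-INSIDE-CLASS
 match access-group name MGMT-TO-SERVERS
 match class-map L4-PROTOCOLS
!
policy-map type inspect MGMT-TO-INSIDE-POLICY
 class type inspect MGMT-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Servers -> staff: only connections the server side must initiate.
! The 10.9.1.200 host is the one the posted config already exposes for RDP.
ip access-list extended SERVERS-TO-MGMT
 remark example: helpdesk RDP from the server host, ping from the server VLAN
 permit tcp host 10.9.1.200 10.9.4.0 0.0.0.255 eq 3389
 permit icmp 10.9.1.0 0.0.0.255 10.9.4.0 0.0.0.255 echo
!
class-map type inspect match-all INSIDE-TO-MGMT-CLASS
 match access-group name SERVERS-TO-MGMT
 match class-map L4-PROTOCOLS
!
policy-map type inspect INSIDE-TO-MGMT-POLICY
 class type inspect INSIDE-TO-MGMT-CLASS
  inspect
 class class-default
  drop log
!
! Attach a policy to the pair the posted config left empty, and add the reverse pair.
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
 service-policy type inspect MGMT-TO-INSIDE-POLICY
zone-pair security INSIDE-TO-MGMT source in-zone destination MGMT
 service-policy type inspect INSIDE-TO-MGMT-POLICY
```

To confirm the result, `show zone-pair security` lists every zone-pair with the policy attached to it, so a pair with no service-policy (the state MGMT-TO-INSIDE was in) stands out, and `show policy-map type inspect zone-pair MGMT-TO-INSIDE sessions` shows the inspected sessions once staff start connecting. Two details of the posted config are worth checking against this: the existing MGMT-inside ACL permits only TCP, so attaching the poster's MGMT-INSIDE class-map as-is would drop DNS, UDP-based printing and ping between the zones; and the QBMGMT and QB class-maps include `match protocol tcp` and `match protocol udp`, which already cover everything the more specific protocol lines above them match, so those lists restrict nothing. The `drop log` on class-default makes denied attempts visible in the log while the service list is being tuned.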
11-26-2013 11:48 AM
Hello,
Thank you for the help. I was trying to configure the zone-pairs through the CCP, but for some reason the router was not accepting the configuration.
11-26-2013 11:55 PM
Glad I could help