04-09-2013 02:18 PM - edited 03-11-2019 06:25 PM
Hello, I'm testing the IOS firewall using zone-based firewall zone pairs. Users can access the internet, but I have a problem: I can't ping my external DNS servers, or even ping or trace any internet destination. For example, a ping to www.yahoo.com fails. I want to know if there is something wrong in this config.
The class map, policy map, and zone pair are marked in bold.
Thanks
Current configuration : 4919 bytes
!
! Last configuration change at 15:12:16 UTC Tue Apr 9 2013 by admin
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
!
!
!
!
!
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
!
multilink bundle-name authenticated
!
!
redundancy
!
!
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Inside-Outside
match protocol tcp
match protocol udp
class-map type inspect match-any ALLOW-ICMP
match access-group name ACL-ICMP-REPLY
!
!
policy-map type inspect Inside-Outside
class type inspect Inside-Outside
inspect
class class-default
drop
policy-map type inspect OUTSIDE-SELF
class type inspect ALLOW-ICMP
pass
class class-default
drop
!
zone security IN
zone security OUT
zone-pair security INSIDE/OUTSIDE source IN destination OUT
service-policy type inspect Inside-Outside
zone-pair security PM-OUTSIDE-SELF source OUT destination self
service-policy type inspect OUTSIDE-SELF
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 101.101.100.245 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address xx.xx..150.xx 255.255.255.248
ip mask-reply
ip directed-broadcast
ip flow ingress
zone-member security IN
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
encapsulation frame-relay IETF
no fair-queue
clock rate 2000000
frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
description $FW_OUTSIDE$
ip address xx.xx.18.xx 255.255.255.252
ip mask-reply
ip directed-broadcast
ip flow ingress
ip verify unicast reverse-path
zone-member security OUT
frame-relay interface-dlci 16
!
interface Serial0/0/1
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
!
ip access-list extended ACL-ICMP-REPLY
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any echo-reply
04-09-2013 03:12 PM
Hello,
Seems like to allow icmp you need:
class-map type inspect match-any Inside-Outside
match protocol icmp
Regards,
Felipe.
04-10-2013 12:57 AM
Hello jcarvaja, thanks for the help. I did what you said and created a self-to-outside zone pair, but the problem is not solved.
When I try internet addresses, a line is logged saying:
000030: *Apr 10 07:23:42.543 UTC: %FW-6-PASS_PKT: (target:class)-(SELF-OUTSIDE-ZP:SELF-OUTSIDE-ECHO) Passing icmp pkt XX.XX.18.XX:0 => 163.121.128.135:0 with ip ident 0
Lines that were added to the configuration:
class-map type inspect match-any SELF-OUTSIDE-ECHO
match access-group name ICMP-ECHO
policy-map type inspect SELF-OUTSIDE-PM
class type inspect SELF-OUTSIDE-ECHO
pass log
class class-default
drop
Extended IP access list ICMP-ECHO
10 permit icmp any any echo
zone-pair security SELF-OUTSIDE-ZP source self destination OUT
service-policy type inspect SELF-OUTSIDE-PM
Please help
Regards
04-09-2013 03:18 PM
Hello Mahmoud and Felipe,
You do not have any zone from self to Out
Create a zone-pair from self-to-out
Add one that matches the protocol ICMP and set the action to pass.
That should do it
Regards,
Remember to rate all of the helpful posts
Julio Carvajal
04-09-2013 03:31 PM
One clarification on this.
A zone-pair from self to out will be needed to ping from the router itself to the internet.
Seems like here the issue is pinging from internal users to the internet ("users can access the internet, but I have a problem that I can't ping..."); in that case the commands I suggested will be needed.
Let us know if you have any question.
Regards,
Felipe.
04-10-2013 01:23 AM
Hello Felipe, I can't ping from the router itself to the internet, not from the inside zone. But there is another thing to mention: when I show access-lists, I see the following. This is the ACL that was added to the self-to-outside zone pair, so I suspect the returning traffic.
Extended IP access list ICMP-ECHO
10 permit icmp any any echo (65 matches)
Another suggestion?
04-10-2013 09:31 AM
Hello Mahmoud,
Exactly, that's what I understood: from the router itself to the outside world.
Okay, add the following line:
ip inspect log drop-pkt
Then try to ping and provide the logs; I want to see if there is any clue about this issue.
Regards
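As an added example (not posted by anyone in this thread), here are Felipe's and Julio's suggestions combined into one configuration, with the router-originated ICMP handled by stateful inspect instead of a stateless pass in both directions, so echo replies and unreachables only get back in when the router actually sent the probe. Zone, class-map, policy-map and zone-pair names that already appear in the thread are reused; SELF-OUT-ICMP and SELF-OUT-PM are assumed names.

```cisco
! Added example, not from the thread. Names SELF-OUT-ICMP and SELF-OUT-PM are assumed.
!
! 1. Inside users -> Internet: add icmp to the existing class so ping and
!    traceroute from the LAN are inspected instead of falling into
!    class-default drop (the original class only matched tcp and udp).
class-map type inspect match-any Inside-Outside
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 2. Router itself -> Internet: use inspect (stateful) rather than pass
!    (stateless). The self zone supports stateful inspection of TCP, UDP and
!    ICMP, so echo-reply, ttl-exceeded and unreachable messages are admitted by
!    session state only for probes the router originated.
class-map type inspect match-any SELF-OUT-ICMP
 match protocol icmp
!
policy-map type inspect SELF-OUT-PM
 class type inspect SELF-OUT-ICMP
  inspect
 class class-default
  drop log
!
zone-pair security SELF-OUTSIDE-ZP source self destination OUT
 service-policy type inspect SELF-OUT-PM
!
! 3. With state created in step 2, the OUT -> self policy no longer needs the
!    "pass" for echo-reply/unreachable from any source to any destination,
!    which would also admit unsolicited ICMP of those types. Remove that
!    class so only replies matching an existing session are accepted.
policy-map type inspect OUTSIDE-SELF
 no class type inspect ALLOW-ICMP
 class class-default
  drop log
!
! 4. Keep drop logging on while testing (already suggested above) and watch
!    for %FW-6-DROP_PKT with zone-pair SELF-OUTSIDE-ZP or PM-OUTSIDE-SELF.
ip inspect log drop-pkt
```

After applying this, a ping from the router should produce a session entry visible with "show policy-map type inspect zone-pair SELF-OUTSIDE-ZP sessions", and a ping from an inside host should no longer be dropped by the INSIDE/OUTSIDE class-default.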