can't ping or tracert from self zone to internet

Mahmoud Saad
Level 1

Hello, I'm testing the IOS firewall using zone-based firewall zone pairs. Users can access the internet, but I have a problem: I can't ping my external DNS servers, or even ping or trace any internet destination. For example, a ping to www.yahoo.com fails. I want to know if there is something wrong in this config.

The class map, policy map, and zone pair are marked in bold.

Thanks

Current configuration : 4919 bytes
!
! Last configuration change at 15:12:16 UTC Tue Apr 9 2013 by admin
!
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
!
!
!
!
!
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
!
multilink bundle-name authenticated
!
!
redundancy
!
!
!
!
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any Inside-Outside
 match protocol tcp
 match protocol udp
class-map type inspect match-any ALLOW-ICMP
 match access-group name ACL-ICMP-REPLY
!
!
policy-map type inspect Inside-Outside
 class type inspect Inside-Outside
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-SELF
 class type inspect ALLOW-ICMP
  pass
 class class-default
  drop
!
zone security IN
zone security OUT
zone-pair security INSIDE/OUTSIDE source IN destination OUT
 service-policy type inspect Inside-Outside
zone-pair security PM-OUTSIDE-SELF source OUT destination self
 service-policy type inspect OUTSIDE-SELF
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 101.101.100.245 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address xx.xx..150.xx 255.255.255.248
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 zone-member security IN
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 encapsulation frame-relay IETF
 no fair-queue
 clock rate 2000000
 frame-relay lmi-type q933a
!
interface Serial0/0/0.16 point-to-point
 description $FW_OUTSIDE$
 ip address xx.xx.18.xx 255.255.255.252
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 ip verify unicast reverse-path
 zone-member security OUT
 frame-relay interface-dlci 16
!
interface Serial0/0/1
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip flow ingress
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
!
ip access-list extended ACL-ICMP-REPLY
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any echo-reply

6 Replies

lcambron
Level 3

Hello,

It seems that to allow ICMP you need:

class-map type inspect match-any Inside-Outside
 match protocol icmp

Regards,

Felipe.

Hello jcarvaja, thanks for the help. I did as you said and created a self-to-outside zone pair, but the problem is not solved.

When I try internet addresses, a line is logged saying:

000030: *Apr 10 07:23:42.543 UTC: %FW-6-PASS_PKT: (target:class)-(SELF-OUTSIDE-ZP:SELF-OUTSIDE-ECHO) Passing icmp pkt XX.XX.18.XX:0 => 163.121.128.135:0 with ip ident 0

Lines that were added to the configuration:

class-map type inspect match-any SELF-OUTSIDE-ECHO
 match access-group name ICMP-ECHO
policy-map type inspect SELF-OUTSIDE-PM
 class type inspect SELF-OUTSIDE-ECHO
  pass log
 class class-default
  drop

Extended IP access list ICMP-ECHO
    10 permit icmp any any echo

zone-pair security SELF-OUTSIDE-ZP source self destination OUT
 service-policy type inspect SELF-OUTSIDE-PM

Please help.

Regards

Julio Carvajal
VIP Alumni

Hello Mahmoud and Felipe,

You do not have any zone-pair from self to OUT.

Create a zone-pair from self to OUT.

Add to it a match for the protocol ICMP and set the action to pass.

That should do it.

Regards,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

One clarification on this.

A zone-pair from self to OUT will be needed to ping from the router itself to the internet.

It seems the issue here is pinging from internal users to the internet ("users can access the internet, but I have a problem that I can't ping..."); in that case the commands I suggested will be needed.

Let us know if you have any questions.

Regards,

Felipe.
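The two answers above disagree on which direction is at fault, so as an added example (not code from the thread or from Cisco) here is a small Python checker that reads a trimmed, constructed copy of the posted config and reports the action ICMP gets for a given zone direction: IN to OUT (Felipe's point, where only tcp/udp are matched) versus self to OUT (Julio's point, where no zone-pair exists). The default-pass for the self zone and default-drop between two other zones are stated as an assumption about IOS zone-based firewall behaviour.

```python
# Constructed sample: a trimmed copy of the zone-based firewall config posted in the thread.
SAMPLE_CONFIG = """\
class-map type inspect match-any Inside-Outside
 match protocol tcp
class-map type inspect match-any ALLOW-ICMP
 match access-group name ACL-ICMP-REPLY
policy-map type inspect Inside-Outside
 class type inspect Inside-Outside
  inspect
policy-map type inspect OUTSIDE-SELF
 class type inspect ALLOW-ICMP
  pass
zone-pair security INSIDE/OUTSIDE source IN destination OUT
 service-policy type inspect Inside-Outside
zone-pair security PM-OUTSIDE-SELF source OUT destination self
 service-policy type inspect OUTSIDE-SELF
ip access-list extended ACL-ICMP-REPLY
 permit icmp any any echo-reply
"""

def parse_zbf(config):
    """Collect zone-pairs, class-map match lines, policy-map class actions and named ACLs."""
    pairs, cmaps, pmaps, acls, cur, cls = {}, {}, {}, {}, (None, None), None
    for line in config.splitlines():
        if not (tok := line.split()): continue
        if not line.startswith(" "):                      # top-level command opens a new block
            kind = {"zone-pair": "pair", "class-map": "cmap", "policy-map": "pmap"}.get(tok[0])
            cur = (kind or ("acl" if tok[:2] == ["ip", "access-list"] else None), tok[-1])
            if kind == "pair": pairs[tok[2]] = {"src": tok[4], "dst": tok[6], "policy": None}; cur = ("pair", tok[2])
        elif cur[0] == "pair" and tok[0] == "service-policy": pairs[cur[1]]["policy"] = tok[-1]
        elif cur[0] == "cmap": cmaps.setdefault(cur[1], []).append(tok[1:])   # e.g. ['protocol', 'icmp']
        elif cur[0] == "pmap" and tok[0] == "class": cls = tok[-1]; pmaps.setdefault(cur[1], {})[cls] = None
        elif cur[0] == "pmap": pmaps[cur[1]][cls] = tok[0]                    # inspect / pass / drop
        elif cur[0] == "acl": acls.setdefault(cur[1], []).append(tok)
    return pairs, cmaps, pmaps, acls

def icmp_verdict(config, src, dst):
    """Action the firewall applies to ICMP from zone src to zone dst ('self' is the router itself)."""
    pairs, cmaps, pmaps, acls = parse_zbf(config)
    for p in pairs.values():
        if (p["src"], p["dst"]) != (src, dst): continue
        for cls, action in pmaps.get(p["policy"], {}).items():
            for m in cmaps.get(cls, []):      # ICMP matched directly or via an ACL that permits icmp
                if m[:2] == ["protocol", "icmp"] or (m[:2] == ["access-group", "name"] and
                        any(a[:2] == ["permit", "icmp"] for a in acls.get(m[2], []))):
                    return action
        return pmaps.get(p["policy"], {}).get("class-default") or "drop"   # class-default drops by default
    # Assumption from IOS ZBF defaults: no zone-pair means pass to/from self, drop between other zones.
    return "pass (no zone-pair, self default)" if "self" in (src, dst) else "drop (no zone-pair)"
```

Run it against a full `show running-config` capture to see, per direction, whether ICMP is inspected, passed, dropped or falling through to a default before touching the policy.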

Mahmoud Saad
Level 1

Hello Felipe, I can't ping from the router itself to the internet, not from the inside zone. But there is another thing to mention: when I show access-lists I see the following. This is the ACL which was added to the self-to-outside zone pair, so I suspect the returning traffic.

Extended IP access list ICMP-ECHO
    10 permit icmp any any echo (65 matches)

Any other suggestion?

Hello Mahmoud,

Exactly, that's what I understood: from the router itself to the outside world.

Okay, add the following line:

ip inspect log drop-pkt

Then try to ping and provide the logs; I want to see if there is any clue about this issue.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC