11-15-2015 06:48 PM - edited 03-11-2019 11:53 PM
I am trying to set my Cisco 1841 up as a time server for my home network. I have zones set up to allow legitimate traffic pass and block the rest. I think that the firewall is blocking NTP requests from the self zone and cannot seem to be able to put an entry in the class map that deals with the self zone. I keep getting the following error, "%Protocol not supported for self-zone traffic-policy-map self-to-outside-pmap on zone-pair self-to-outside". I'm trying to add the line that is red. My setup is as follows (I know the access lists are a bit messy):
class-map type inspect match-any ping-cmap
 match access-group name icmp-echo-acl
 match protocol ntp
!
class-map type inspect match-any L7-cmap
 match protocol telnet
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tftp
 match protocol https
 match access-group 1
 match access-group 2
!
class-map type inspect match-any L4-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group 1
 match access-group 2
!
policy-map type inspect inside-to-outside-pmap
 class type inspect L4-cmap
  inspect
 class type inspect L7-cmap
  inspect
 class class-default
  drop
policy-map type inspect outside-to-self-pmap
 class class-default
  drop log
policy-map type inspect self-to-outside-pmap
 class type inspect ping-cmap
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-pmap
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-pmap
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-pmap
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended icmp-echo-acl
 permit icmp any any echo
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
Is this a bug in the IOS? It is using c1841-advipservicesk9-mz.151-4.M10.bin. If anyone could suggest a workaround or even a more secure setup I'd appreciate it very much.
Cheers,
Matt
11-16-2015 12:25 AM
Have you tried to use an ACL to match port 123?
Your "outside to self" service policy may be blocking the NTP traffic. Maybe you could try removing it. Once you have your "self to outside" policy working, then you won't need the "outside to self" policy.
11-17-2015 12:13 AM
Thanks for the reply Andre. I added the following ACL as suggested. It is called from a self-to-outside cmap and its corresponding pmap and applied to the zone pair. I now have a fully sane NTP server on the 1841 and it can also resolve domain names.
ip access-list extended self-to-outside-acl
 permit icmp any any echo
 permit udp any eq ntp any
 permit udp any host 103.26.62.218 eq domain
 permit udp any host 8.8.8.8 eq domain
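The complete self-zone wiring that the accepted answer describes in prose, written out here as an added example (not the poster's own config). It assumes the router's NTP and DNS servers are the placeholder addresses 192.0.2.10 and 192.0.2.53, and it keeps the outside-to-self policy at drop and log because the inspect state table already admits the replies to router-originated sessions.

```cisco
! Added example, not from the original thread. The self zone does not accept
! application-level matches such as "match protocol ntp" (hence the
! "%Protocol not supported for self-zone traffic" error); it only performs
! generic TCP/UDP/ICMP inspection. Match router-originated traffic with an
! ACL instead and let "inspect" create the return-path entries.
!
! 192.0.2.10 (NTP) and 192.0.2.53 (DNS) are placeholders: replace them with
! the servers configured under "ntp server" and "ip name-server" so the
! self zone can only talk to the hosts the router is actually meant to use.
ip access-list extended self-to-outside-acl
 permit icmp any any echo
 permit udp any host 192.0.2.10 eq ntp
 permit udp any host 192.0.2.53 eq domain
!
class-map type inspect match-any self-to-outside-cmap
 match access-group name self-to-outside-acl
!
policy-map type inspect self-to-outside-pmap
 class type inspect self-to-outside-cmap
  inspect
 class class-default
  drop log
!
policy-map type inspect outside-to-self-pmap
 class class-default
  drop log
!
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-pmap
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-pmap
```

After applying it, `show policy-map type inspect zone-pair self-to-outside sessions` should list a UDP session to the NTP server once `ntp server` has polled, and `show ntp associations` should show the peer reachable; anything the outside initiates toward the router still lands in the outside-to-self drop log.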