11-23-2023 12:37 PM - edited 11-23-2023 12:40 PM
Hi
I’m migrating from a CBAC-based basic firewall configuration on an 800 series router to an ISR, and am trying to get ZBFW working. I’m obviously doing something wrong because nothing works.
What I’m basically trying to achieve is to allow everyone on the LAN to have broadly unrestricted access to the Internet, with inspection done to ensure the return path is allowed. Incoming originating traffic allowed to certain statically NAT translated hosts/services (I’ve only got one in the ACL so far - incoming VPN).
With the interfaces in the respective INSIDE and OUTSIDE zones, nothing behind the router can ping or access anything. I had a look at the NAT translations and it looked like maybe NTP and/or DNS translations were happening, but nothing that would indicate Internet connectivity. With the LAN and WAN interfaces taken out of the zones - everything works - so obviously my ZBFW config is faulty.
Here are the pertinent parts of the config:
class-map match-any CM-ALLOW-INBOUND
 match access-group name ACL-INBOUND
class-map type inspect match-any CM-MAIL-SERVICES
 match protocol smtp extended
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
class-map type inspect match-any CM-CORE-SERVICES
 description -- Basic services that are available to any connected host
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ntp
class-map type inspect match-any CM-EXTRA-SERVICES
 description -- Additional services more trusted entities can access
 match class-map CM-MAIL-SERVICES
 match protocol ftp
 match protocol ftps
 match protocol ssh
class-map type inspect match-any CM-ALLOW-OUTBOUND
 match class-map CM-CORE-SERVICES
 match class-map CM-EXTRA-SERVICES
 match protocol tcp
 match protocol udp
!
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-ALLOW-OUTBOUND
  inspect
 class class-default
  drop
policy-map type inspect PM-OUTSIDE-INSIDE
 class CM-ALLOW-INBOUND
  pass
 class class-default
  drop log
!
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
zone-pair security ZP-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-INSIDE
ip access-list extended ACL-INBOUND
 10 remark -- Permitted inbound traffic to LAN
 10 permit ip object-group TRUSTED-NETWORKS any
 20 permit gre any host 1.1.1.142
 30 permit udp any host 1.1.1.142 eq isakmp
 40 permit udp any host 1.1.1.142 eq non500-isakmp
 50 deny ip any any
Any thoughts on where I’m going wrong? Thanks in advance.
11-23-2023 12:47 PM - edited 11-23-2023 01:54 PM
class-map match-all IN
 match access-group name ACL-InsideHosts
class-map type inspect match-any service
 match protocol xxxx
class-map type inspect match-all IN-service
 match class-map IN
 match class-map service
Then use this class under the policy-map in the zone-pair source IN destination OUT, with inspect.
11-23-2023 01:26 PM
Thanks, but I’m not sure I follow. Is this config in addition to my existing one, or a replacement for parts of it?
Also why would the ACL designed to accept incoming VPN connections be applied to a “source IN destination OUT” zone pair?
11-23-2023 01:41 PM - edited 11-23-2023 01:57 PM
Is this config in addition to my existing one, or a replacement for parts of it? It replaces them.
For an IN host to connect to OUT, for example with http, we need to match IN and the protocol with the inspect action; this allows the traffic to enter.
Note: the ACL for IN is optional. If you have many subnets inside and only one needs to access the internet, use it; if not, only match the protocol.
I edited the ACL name in my comment above.
For VPN I need to know what you have: IPsec, GRE, or other.
11-23-2023 05:43 PM - edited 11-23-2023 05:45 PM
I think I understand.
The problem is that I’m not sure you are following what I’m trying to do.
The ACL is meant for OUTSIDE hosts connecting to a PPTP VPN on an INSIDE host behind the router. I want everyone “INSIDE” to be able to access the internet (all TCP/UDP/ICMP).
In your example it looks like you’ve assumed I wanted to put an ACL on outbound traffic, to allow people to access a VPN, and have given a config that checks the ACL on an “INSIDE to OUTSIDE” flow but it is the opposite - I want to let people access an INSIDE VPN.
We have several subnets inside that need to access the Internet.
Hope that makes sense. Thanks for your help.
11-24-2023 07:05 AM - edited 11-24-2023 07:12 AM
The solution is long, so I will divide it into parts.
In-to-Out (below; the same applies for Out-to-In)
Some subnets in IN access the internet:
class-map match-all IN
 match access-group name ACL-InsideHosts
class-map type inspect match-any service
 match protocol xxxx
class-map type inspect match-all IN-service
 match class-map IN
 match class-map service
All subnets in IN access the internet:
class-map type inspect match-any service
 match protocol xxxx
 match protocol xyyy
The policy-map action must be inspect.
Add zone-pairs IN-to-Out and Out-to-In.
11-24-2023 07:10 AM
Out-to-self
class-map type inspect match-all vpn
 match access-group name ACL-VPN
ACL-VPN must include:
udp 50
udp 500
udp 4500
esp
policy-map type inspect out-to-self
 class type inspect vpn
  pass
zone-pair security source out destination self
 service-policy type inspect out-to-self
Configure the virtual-template as a zone-member of OUT.
Note: the commands may not be complete; I depend on you to complete them.
11-24-2023 07:22 AM
Thanks, I will try that and report back
11-25-2023 09:17 AM
Ok, so the problem ended up being something completely unrelated.
The “zone-member” configuration had to be applied to my VLANs, rather than the physical interfaces (I have a NIM-ES-4 card installed). When “zone-member” was applied to the VLANs, I started seeing logging from the class-defaults, and could see at that point that it was working.
One thing I did discover was that when I VPN into the router, I can’t access anything, but if I VPN past it (i.e. to the host mentioned in the ACL), then I can. I ended up creating another zone and applying it to the Virtual-Template for the IPsec VPN, and doing the class-map, policy-map and zone-pair stuff for that, and then I could get to the “INSIDE” from the VPN on the router.
Thanks for your help!
11-25-2023 09:21 AM - edited 11-25-2023 09:22 AM
You are welcome.
Note:
The Virtual-Template must be in the OUT zone.
And as I mentioned above, you need the Out-Self zone-pair to make the VPN work; no additional zone is needed.
MHM
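Pulling the thread together, the following is an added, consolidated ZBFW example; it is not the original poster's configuration nor any reply's, and it is not vendor documentation. It follows the poster's reported fix (zone-member on the VLAN SVIs of the NIM-ES-4, a separate zone for the Virtual-Template) together with the OUTSIDE-to-self zone-pair suggested in the replies. All interface numbers, addresses, zone, ACL and policy names, and the IPSEC-PROFILE name are constructed; the IKE/IPsec crypto configuration behind the profile is assumed to exist and is not shown.

```cisco
! Added example, not the poster's or a reply's config. Interface numbers, addresses,
! zone/ACL names and IPSEC-PROFILE are constructed; the crypto config is assumed.
!
! --- INSIDE -> OUTSIDE: unrestricted egress, only stateful return traffic comes back
class-map type inspect match-any CM-ALLOW-OUTBOUND
 match protocol tcp
 match protocol udp
 match protocol icmp
ip access-list extended ACL-GRE
 permit gre any any
class-map type inspect match-all CM-GRE
 match access-group name ACL-GRE
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-ALLOW-OUTBOUND
  inspect
 class type inspect CM-GRE
  pass
 class class-default
  drop log
!
! --- OUTSIDE -> INSIDE: only the published VPN service on the static-NAT host.
! ZBFW evaluates outside-to-inside packets after NAT, so match the inside address.
! "pass" is stateless and GRE cannot be inspected, hence the GRE pass in
! PM-INSIDE-OUTSIDE for the replies; UDP 500/4500 replies are covered by udp inspect.
ip nat inside source static 192.168.10.42 198.51.100.142
ip access-list extended ACL-INBOUND
 permit gre any host 192.168.10.42
 permit udp any host 192.168.10.42 eq isakmp
 permit udp any host 192.168.10.42 eq non500-isakmp
class-map type inspect match-all CM-ALLOW-INBOUND
 match access-group name ACL-INBOUND
policy-map type inspect PM-OUTSIDE-INSIDE
 class type inspect CM-ALLOW-INBOUND
  pass
 class class-default
  drop log
!
! --- OUTSIDE <-> self: IKE/ESP for a VPN terminated on the router itself, plus
! replies to the router's own DNS/NTP. Once an OUTSIDE->self pair exists, unmatched
! traffic to self is dropped, so the self->OUTSIDE side needs inspect and an ESP pass.
ip access-list extended ACL-VPN-TO-ROUTER
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all CM-VPN-TO-ROUTER
 match access-group name ACL-VPN-TO-ROUTER
policy-map type inspect PM-OUTSIDE-SELF
 class type inspect CM-VPN-TO-ROUTER
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-OUTSIDE
 class type inspect CM-VPN-TO-ROUTER
  pass
 class type inspect CM-ALLOW-OUTBOUND
  inspect
 class class-default
  drop log
!
! --- Zones and zone-pairs. Decrypted VPN-user traffic arrives on the Virtual-Template;
! its own zone lets it be inspected into INSIDE without opening OUTSIDE -> INSIDE.
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
zone-pair security ZP-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-INSIDE
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-SELF
zone-pair security ZP-SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-OUTSIDE
zone-pair security ZP-VPN-INSIDE source VPN destination INSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! --- Interface membership: NIM-ES-4 ports are Layer 2 switchports, so zone-member
! goes on the VLAN SVI, never on the physical port (the poster's actual fix).
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1/0
 switchport access vlan 10
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
 zone-member security VPN
!
! --- Verify: sessions should appear on ZP-INSIDE-OUTSIDE once inside hosts browse,
! and anything hitting "drop log" is reported as %FW-6-DROP_PKT.
! show zone-pair security
! show policy-map type inspect zone-pair sessions
! show logging | include FW-6-DROP_PKT
```

The quickest sanity check after applying this is the last three commands: if "show policy-map type inspect zone-pair sessions" stays empty while inside hosts are trying to reach the Internet, the zone-member is on the wrong interface (exactly the symptom in the original post), and the FW-6-DROP_PKT lines tell you which zone-pair and class-default is eating the traffic.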