First time ZBFW config - can’t access anything

DazOG (Level 1)

Hi

I’m migrating from a CBAC based basic firewall configuration on a 800 series router to an ISR, and am trying to get ZBFW working.  I’m obviously doing something wrong because nothing works.

What I’m basically trying to achieve is to allow everyone on the LAN to have broadly unrestricted access to the Internet, with inspection done to ensure the return path is allowed.  Incoming originating traffic allowed to certain statically NAT translated hosts/services (I’ve only got one in the ACL so far - incoming VPN).

With the interfaces in the respective INSIDE and OUTSIDE zones, nothing behind the router can ping or access anything.  I had a look at the NAT translations and it looked like maybe NTP and/or DNS translations were happening, but nothing that would indicate Internet connectivity.  With the LAN and WAN interfaces taken out of the zones - everything works - so obviously my ZBFW config is faulty. 

Here are the pertinent parts of the config:

class-map match-any CM-ALLOW-INBOUND
 match access-group name ACL-INBOUND
class-map type inspect match-any CM-MAIL-SERVICES
 match protocol smtp extended
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
class-map type inspect match-any CM-CORE-SERVICES
 description -- Basic services that are available to any connected host
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ntp
class-map type inspect match-any CM-EXTRA-SERVICES
 description -- Additional services more trusted entities can access
 match class-map CM-MAIL-SERVICES
 match protocol ftp
 match protocol ftps
 match protocol ssh
class-map type inspect match-any CM-ALLOW-OUTBOUND
 match class-map CM-CORE-SERVICES
 match class-map CM-EXTRA-SERVICES
 match protocol tcp
 match protocol udp
!
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-ALLOW-OUTBOUND
  inspect
 class class-default
  drop
policy-map type inspect PM-OUTSIDE-INSIDE
 class CM-ALLOW-INBOUND
  pass
 class class-default
  drop log
!
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
zone-pair security ZP-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-INSIDE

ip access-list extended ACL-INBOUND
 10 remark -- Permitted inbound traffic to LAN
 10 permit ip object-group TRUSTED-NETWORKS any
 20 permit gre any host 1.1.1.142
 30 permit udp any host 1.1.1.142 eq isakmp
 40 permit udp any host 1.1.1.142 eq non500-isakmp
 50 deny ip any any

Any thoughts on where I’m going wrong?  Thanks in advance.

9 Replies

class-map type inspect match-all IN
 match access-group name ACL-InsideHosts
class-map type inspect match-any service
 match protocol xxxx
class-map type inspect match-all IN-service
 match class-map IN
 match class-map service

Then use this class under the policy-map on the zone-pair with source IN and destination OUT, with the inspect action.

Thanks, but I’m not sure I follow. Is this config in addition to my existing one, or a replacement for parts of it?

Also why would the ACL designed to accept incoming VPN connections be applied to a “source IN destination OUT” zone pair?


Is this config in addition to my existing one, or a replacement for parts of it? It is a replacement.

For an IN host to connect, for example via HTTP, to OUT, we need to match IN and the protocol with the inspect action; this makes the traffic allowed to enter.

Note: the ACL for IN is optional. If you have many subnets inside and only one needs to access the Internet, use it; if not, only match the protocol.


I edited the name of the ACL in my above comment.

For VPN I need to know what you have: IPsec, GRE or other.

I think I understand.

The problem is that I’m not sure you are following what I’m trying to do.

The ACL is meant for OUTSIDE hosts connecting to a PPTP VPN on an INSIDE host behind the router. I want everyone “INSIDE” to be able to access the internet (all TCP/UDP/ICMP).

In your example it looks like you’ve assumed I wanted to put an ACL on outbound traffic, to allow people to access a VPN, and have given a config that checks the ACL on an “INSIDE to OUTSIDE” flow but it is the opposite - I want to let people access an INSIDE VPN.

We have several subnets inside that need to access the Internet.

Hope that makes sense. Thanks for your help.

The solution is long so I will divide it into parts.

In-to-Out (below; the same applies for Out-to-In)

Some subnets in IN access the Internet:

class-map type inspect match-all IN
 match access-group name ACL-InsideHosts
class-map type inspect match-any service
 match protocol xxxx
class-map type inspect match-all IN-service
 match class-map IN
 match class-map service

All subnets in IN access the Internet:

class-map type inspect match-any service
 match protocol xxxx
 match protocol xyyy

The policy-map must be inspect.

Add zone-pairs IN-to-Out and Out-to-In.

Out-to-self

class-map type inspect match-all vpn
 match access-group name ACL-VPN
ACL-VPN must include:
udp 50
udp 500
udp 4500
esp
policy-map type inspect out-to-self
 class type inspect vpn
  pass
zone-pair security out-to-self source out destination self
 service-policy type inspect out-to-self

Configure the virtual-template as a zone member of OUT.

Note: the commands may not be complete; I depend on you to complete them.

DazOG (Level 1)

Thanks, I will try that and report back

DazOG (Level 1)

Ok, so the problem ended up being something completely unrelated.

The “zone-member” configuration had to be applied to my VLANs, rather than the physical interfaces (I have a NIM-ES-4 card installed).  When “zone-member” was applied to the VLANs, I started seeing logging from the class-defaults, and could see at that point that it was working.

One thing I did discover was that when I VPN into the router, I can’t access anything, but if I VPN past it (i.e. to the host mentioned in the ACL), then I can.  I ended up creating another zone and applying it to the Virtual-Template for the IPsec VPN, and doing the class-map, policy-map and zone-pair stuff for that, and then I could get to the “INSIDE” from the VPN on the router.

Thanks for your help!

You are welcome.

Note:

The Virtual-Template must be in the OUT zone.

And as I mentioned above, you need the Out-Self zone-pair to make VPN work; no additional zone is needed.

MHM
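Putting DazOG's resolution (zone-member on the VLAN interfaces, a zone for the Virtual-Template) and MHM's notes (Virtual-Template in OUT, an Out-to-self zone-pair) together, here is an added example, not config from either poster. Interface names, the WAN_IP placeholder and the assumption that the IPsec VPN terminates on the router are mine.

```cisco
! Added example, not the thread's own config. Interface names, WAN_IP
! and the VPN client pool are placeholders you must replace.
!
! 1. Zone membership belongs on the routed (SVI) interfaces. With a
!    NIM-ES-4 the LAN hangs off switch ports, so the physical ports
!    stay out of the zones and the Vlan interfaces carry zone-member.
interface Vlan10
 description LAN behind the NIM-ES-4 switch ports
 zone-member security INSIDE
interface GigabitEthernet0/0/0
 description WAN
 zone-member security OUTSIDE
!
! 2. Decrypted VPN traffic enters via the Virtual-Template, so it needs
!    a zone too. In OUTSIDE it is governed by ZP-OUTSIDE-INSIDE, so the
!    VPN pool must be permitted there (e.g. in TRUSTED-NETWORKS).
interface Virtual-Template1 type tunnel
 zone-member security OUTSIDE
!
! 3. IKE and ESP terminate on the router itself (the self zone), which
!    ZP-OUTSIDE-INSIDE never sees, so they need an OUTSIDE-to-self pair.
ip access-list extended ACL-VPN-TO-SELF
 permit udp any host WAN_IP eq isakmp
 permit udp any host WAN_IP eq non500-isakmp
 permit esp any host WAN_IP
!
class-map type inspect match-any CM-VPN-TO-SELF
 match access-group name ACL-VPN-TO-SELF
!
policy-map type inspect PM-OUTSIDE-SELF
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-SELF
! No self-to-OUTSIDE pair is defined, so the router's own replies stay
! permitted by the self-zone default.
!
! Checks: 'show zone security' must list a member interface under each
! zone (an empty zone is this thread's symptom); 'show policy-map type
! inspect zone-pair sessions' shows the inspected LAN flows; class-default
! 'drop log' entries reveal which flows the policy still blocks.
```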
