11-03-2012 11:45 AM - edited 03-11-2019 05:18 PM
Hello,
I found an interesting manual at this forum for blocking websites with local content filtering. After I've modified the variables to get more details, I stopped at one question. My current problem is the zone-pair:
zone security Z-SECRUTIY-SOURCE
zone security Z-SECRUTIY-DESTINATION
zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION
 service-policy type inspect CM-INSPECT-TRAFFIC
interface vlan 1
 zone-member security Z-SECRUTIY-SOURCE
interface dialer 0
 zone-member security Z-SECRUTIY-DESTINATION
But after setting up this configuration, no Internet access is allowed anymore. Do I have a construction failure below, or is my zone-pair incorrect?
I've attached the router configuration, but don't be surprised that the configuration includes VPN access for an iPhone.
The configuration which I've found here:
! Comment:
! This section specifies content filtering to be "local" on the IOS.
!
parameter-map type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE
 alert off
 block-page message "This webpage is blocked by the Network Admin."
! Comment:
! This section specifies content filtering pattern to match the desired site, like, facebook.
!
parameter-map type urlf-glob PM-URLF-GLOB-BLOCKED
 pattern *.facebook.*
 pattern *.twitter.*
! Comment:
! This section specifies content filtering pattern to match all the other sites, so that we can
! permit them later.
!
parameter-map type urlf-glob PM-URLF-GLOB-ALLOWED
 pattern *
! Comment:
! This section specifies content filtering filter class to match the pattern that we created earlier.
!
class-map type urlfilter match-any CM-URLFILTER-BLOCKED
 match server-domain urlf-glob PM-URLF-GLOB-BLOCKED
class-map type urlfilter match-any CM-URLFILTER-ALLOWED
 match server-domain urlf-glob PM-URLF-GLOB-ALLOWED
! Comment:
! This section specifies the traffic that the Cisco IOS will inspect or match.
!
class-map type inspect match-any CM-DNS
 match protocol dns
class-map type inspect match-any CM-HTTP
 match protocol http
class-map match-all CM-SECURE-HTTPS
 match protocol secure-http
class-map type inspect match-all CM-HTTPS
 match protocol https
! Comment:
! This section specifies a policy map that will tie the filter classes and the action to be taken.
!
policy-map type inspect urlfilter PM-INSPECT-URLFILTER-BLOCKED
 parameter type urlfpolicy local PM-URLF-POLICY-BLOCK-PAGE-MESSAGE
 class type urlfilter CM-URLFILTER-BLOCKED
  log
  reset
 class type urlfilter CM-URLFILTER-ALLOWED
  allow
! Comment:
! This section specifies the traffic class and its inspection.
!
policy-map type inspect CM-INSPECT-TRAFFIC
 class type inspect CM-HTTP
  inspect
  service-policy urlfilter PM-INSPECT-URLFILTER-BLOCKED
 class type inspect CM-DNS
  inspect
 class type inspect CM-HTTPS
  inspect
 class class-default
  drop
! Comment:
! Zone creation
!
zone security Z-SECRUTIY-SOURCE
zone security Z-SECRUTIY-DESTINATION
! Comment:
! This section ties the inspection service policy to the zone-pair.
!
zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION
 service-policy type inspect CM-INSPECT-TRAFFIC
! Comment:
! assigning zone to VLAN 1, which provides the local Network
!
interface vlan 1
 zone-member security Z-SECRUTIY-SOURCE
! Comment:
! assigning zone to dialer 0 which provides the WAN dialup
!
interface dialer 0
 zone-member security Z-SECRUTIY-DESTINATION
11-03-2012 12:32 PM
Hello Kai,
The ZBFW configuration example is good. I will need to check the configuration with the ZBFW setup to check what is wrong on your deployment.
Also, is the problem related just to connectivity problems from inside to the Internet, or from the VPN clients to inside?
Regards,
11-03-2012 12:46 PM
Hello,
Currently the problem exists from inside to the Internet. I can't check the VPN because my iPhone is getting fixed.
And I think the zone-pair is the problem; I hope I have no other problem.
Regards
11-03-2012 01:28 PM
Hello Kai,
zone-pair security ZP-SECURITY Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION
 service-policy type inspect CM-INSPECT-TRAFFIC
You are missing the keyword source here (I would say it is a typo on your side).
interface vlan 1
 zone-member security Z-SECRUTIY-SOURCE
interface vlan 1
 zone-member security Z-SECRUTIY-DESTINATION
Why did you try to assign the same VLAN to 2 different zones?
Can you share the configuration (with the ZBFW setup)? I think you wrote it wrong, man.
Regards
11-03-2012 04:02 PM
Hello,
I'm sorry, this was a copy and paste failure in this discussion. I had just created the configuration in my notepad for this post. I've corrected the interface for the destination to dialer 0 and added the forgotten source word.
So, the problem still exists.
Regards
11-03-2012 04:34 PM
Hello Kai,
Okay, got it.
Please share the entire configuration with the ZBFW on.
Add the following command:
ip inspect log drop-pkt
Then try to connect to the Internet and post:
- show logging
Then check if there are any firewall drops from the connection you are attempting.
11-04-2012 12:43 AM
Hello,
I don't know why it is working now. (grrrrrr) I used the configuration 1 to 1 as I've posted above.
1. But if I activate the ZBFW, I'm not able to use ICMP echo to the Internet, which I figured out with your ip inspect log drop-pkt hint.
.Nov 4 07:18:24.297: %FW-6-DROP_PKT: Dropping icmp session 10.0.0.207:0 173.194.69.94:0 on zone-pair ZP-SECURITY class class-default due to DROP action found in policy-map with ip ident 0
.Nov 4 07:18:59.353: %FW-6-LOG_SUMMARY: 12 packets were dropped from 10.0.0.207:8 => 173.194.69.94:0 (target:class)-(ZP-SECURITY:class-default)
Will this solve the problem?
class-map type inspect match-all CM-ICMP
 match protocol icmp
2. Can I exclude an IP address from getting checked by the ZBFW?
3. Another problem I found is the access-list 101. When I set
interface dialer 0
 ip access-group 101 in
only ICMP is allowed and anything else is denied.
11-04-2012 10:28 AM
Hello Kai,
lol, interesting. Glad it's working now.
1) Yes, that will solve it. All you are missing is the stateful inspection for the ICMP protocol.
2) Yes, but you will need to match that traffic with an ACL and then configure it at the top of the policy-map and, instead of inspecting it, just pass it. (You will need to do the same thing with the returning traffic, as pass is not bidirectional.)
3) The whole purpose of ZBFW is to be stateful; you do not need ACLs anymore. Why would you use them?
Regards,
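As an added example (not from the thread or from the guide the original poster used), the inspect policy above rewritten with ICMP inspection added and one inside host exempted from inspection in both directions with a stateless pass; the host 10.0.0.50, the ACL and class names, and PM-INSPECT-RETURN / ZP-SECURITY-RETURN are constructed names for this illustration.

```cisco
! Added example (not part of the original thread). 10.0.0.50 is a
! constructed sample address for the host to exempt from inspection.
!
ip access-list extended ACL-ZBFW-EXEMPT-OUT
 permit ip host 10.0.0.50 any
ip access-list extended ACL-ZBFW-EXEMPT-IN
 permit ip any host 10.0.0.50
!
class-map type inspect match-all CM-ICMP
 match protocol icmp
class-map type inspect match-all CM-EXEMPT-OUT
 match access-group name ACL-ZBFW-EXEMPT-OUT
class-map type inspect match-all CM-EXEMPT-IN
 match access-group name ACL-ZBFW-EXEMPT-IN
!
! Classes are evaluated in order: the exempt class comes first so its
! traffic is passed before any inspect class can claim it.
policy-map type inspect CM-INSPECT-TRAFFIC
 class type inspect CM-EXEMPT-OUT
  pass
 class type inspect CM-HTTP
  inspect
  service-policy urlfilter PM-INSPECT-URLFILTER-BLOCKED
 class type inspect CM-DNS
  inspect
 class type inspect CM-HTTPS
  inspect
 class type inspect CM-ICMP
  inspect
 class class-default
  drop
!
! "pass" creates no session state, so the return direction needs its own
! zone-pair and policy. Return traffic of inspected sessions is still
! allowed by the session table; only uninspected traffic hits this policy.
policy-map type inspect PM-INSPECT-RETURN
 class type inspect CM-EXEMPT-IN
  pass
 class class-default
  drop
!
zone-pair security ZP-SECURITY-RETURN source Z-SECRUTIY-DESTINATION destination Z-SECRUTIY-SOURCE
 service-policy type inspect PM-INSPECT-RETURN
```

Because the exempt host is passed rather than inspected, the firewall keeps no state for it; `show policy-map type inspect zone-pair ZP-SECURITY` shows the per-class match counters and is the quickest way to confirm which class a given flow landed in.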