IOS Zone Based Firewall and class-default pass doesn't work

pointless_l
Level 1

I have set up a ZBF on a Cisco 1801 with 4 zones:

- LAN: The internal network
- WAN: The ADSL dialup
- VPN: The DMVPN tunnel
- ILAN: A separate network for unrestricted internet access

The communication between the LAN and VPN is unrestricted and works fine. The restrictive LAN to WAN policy also works as planned but it's the ILAN to WAN connection that's blocking everything. I set this policy to allow all traffic to go out but the FW drops all the traffic. Removing the WAN and ILAN zones allows traffic to flow again. Initially I defined the following class map for this zone like this:

policy-map type inspect ilan2wan
 class class-default
  pass

This, for some reason unknown to me, doesn't work at all. I played around a bit (thinking the pass all didn't work) and ended up with the following config but still no go.

Any takers?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname
!
boot-start-marker
boot system flash:c180x-adventerprisek9-mz.124-24.T4.bin
boot-end-marker
!
dot11 syslog
no ip source-route
ip options drop
!
ip cef
no ip bootp server
ip name-server 213.x.x.x
ip name-server 213.x.x.x
no ipv6 cef
!
class-map type inspect match-any InternetVerkeer
 match protocol icmp
 match protocol http
 match protocol https
class-map type inspect match-all NaarInternet
 match class-map InternetVerkeer
 match access-group name Webservices
class-map type inspect match-any OpenInternet
 match access-group 101
class-map type inspect match-all NaarKPN
 match protocol dns
 match access-group name KPN-DNS
class-map type inspect match-all NaarAlarmcentrale
 match protocol udp
 match access-group name Alarmcentrale
!
policy-map type inspect lan2wan
 class type inspect NaarInternet
  inspect
 class type inspect NaarKPN
  inspect
 class type inspect NaarAlarmcentrale
  inspect
 class class-default
  drop log
policy-map type inspect lan2vpn
 class class-default
  pass
policy-map type inspect vpn2lan
 class class-default
  pass
policy-map type inspect ilan2wan
 class type inspect OpenInternet
  inspect
 class class-default
  drop log
!
zone security LAN
 description Internal LAN
zone security WAN
 description Internet
zone security VPN
 description VPN Tunnel
zone security ILAN
 description Internet-only LAN
zone-pair security lan2wan source LAN destination WAN
 service-policy type inspect lan2wan
zone-pair security lan2vpn source LAN destination VPN
 service-policy type inspect lan2vpn
zone-pair security vpn2lan source VPN destination LAN
 service-policy type inspect vpn2lan
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication
 ip nhrp map multicast 217.x.x.x
 ip nhrp map 172.16.1.13 217.115.195.99
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.1.13
 zone-member security VPN
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 4
 ip address 192.168.4.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface FastEthernet0.2
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security ILAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 92.x.x.x 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username
!
router eigrp 113
 network 172.16.1.0 0.0.0.255
 network 192.168.4.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Alarmcentrale
 permit udp any host 87.x.x.x
ip access-list extended KPN-DNS
 permit ip any host 213.x.x.x
 permit ip any host 213.x.x.x
ip access-list extended Webservices
 permit ip any host 217.x.x.x
 permit ip any 66.x.x.x 0.0.255.255
!
access-list 1 remark NAT ACL 4 internet
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit

I know one solution is to put the FastEthernet 0.2 interface in the same zone as Dialer 0 but that would leave the devices unprotected.

Thanks in advance for your ideas.

S.
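A property of the first ilan2wan policy above worth checking on any ZBF config: the pass action forwards packets in the zone-pair's direction only and keeps no session state, so replies arriving WAN->ILAN hit no zone-pair and are dropped unless a reverse zone-pair exists (inspect, by contrast, tracks the session and opens the return path). The following Python linter is an added example, not part of this thread or any Cisco tool; it parses the zone-pair and policy-map lines from a constructed, trimmed copy of the posted config and flags pass-only zone-pairs that have no reverse pair.

```python
# Constructed sample, trimmed from the post: lan2vpn/vpn2lan pass traffic in
# both directions, ilan2wan is the poster's first attempt (class-default pass).
SAMPLE_CONFIG = """\
policy-map type inspect lan2vpn
 class class-default
  pass
policy-map type inspect vpn2lan
 class class-default
  pass
policy-map type inspect ilan2wan
 class class-default
  pass
zone-pair security lan2vpn source LAN destination VPN
 service-policy type inspect lan2vpn
zone-pair security vpn2lan source VPN destination LAN
 service-policy type inspect vpn2lan
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
"""

def parse_zbf(config):
    """Return ({policy: {class: action}}, {pair: [src, dst, policy]})."""
    policies, pairs, policy, cls, pair = {}, {}, None, None, None
    for raw in config.splitlines():
        words = raw.split() or [""]              # blank line -> harmless sentinel
        if words[:3] == ["policy-map", "type", "inspect"]:
            policy, pair = words[3], None        # entering a policy-map
        elif words[0] == "class":
            cls = words[-1]                      # class inside the policy-map
        elif words[:2] == ["zone-pair", "security"]:
            pair, policy = words[2], None        # entering a zone-pair
            pairs[pair] = [words[4], words[6], None]
        elif pair and words[:3] == ["service-policy", "type", "inspect"]:
            pairs[pair][2] = words[3]            # policy bound to the zone-pair
        elif policy and cls and words[0] in ("inspect", "pass", "drop"):
            policies.setdefault(policy, {})[cls] = words[0]
    return policies, pairs

def stateless_pass_findings(config):
    """Flag zone-pairs whose policy uses 'pass' but have no reverse zone-pair:
    pass keeps no session state, so replies need their own pair (or inspect)."""
    policies, pairs = parse_zbf(config)
    directions = {(src, dst) for src, dst, _ in pairs.values()}
    findings = []
    for name, (src, dst, policy) in pairs.items():
        if "pass" in policies.get(policy, {}).values() and (dst, src) not in directions:
            findings.append(f"{name}: {src}->{dst} is passed statelessly and no "
                            f"{dst}->{src} zone-pair exists, so return traffic is dropped")
    return findings
```

On the sample the only finding is ilan2wan; lan2vpn and vpn2lan are silent because each is the other's reverse pair.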

8 Replies

Maykol Rojas
Cisco Employee