11-27-2010 09:20 AM - edited 03-11-2019 12:15 PM
I have set up a ZBF on a Cisco 1801 with 4 zones:
- LAN: The internal network
- WAN: The ADSL dialup
- VPN: The DMVPN tunnel
- ILAN: A separate network for unrestricted internet access
The communication between the LAN and VPN is unrestricted and works fine. The restrictive LAN to WAN policy also works as planned, but it's the ILAN to WAN connection that's blocking everything. I set this policy to allow all traffic to go out, but the FW drops all the traffic. Removing the WAN and ILAN zones allows traffic to flow again. Initially I defined the class map for this zone like this:
policy-map type inspect ilan2wan
 class class-default
  pass
This, for some reason unknown to me, doesn't work at all. I played around a bit (thinking the pass-all didn't work) and ended up with the following config, but still no go.
Any takers?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname
!
boot-start-marker
boot system flash:c180x-adventerprisek9-mz.124-24.T4.bin
boot-end-marker
!
dot11 syslog
no ip source-route
ip options drop
!
ip cef
no ip bootp server
ip name-server 213.x.x.x
ip name-server 213.x.x.x
no ipv6 cef
!
class-map type inspect match-any InternetVerkeer
 match protocol icmp
 match protocol http
 match protocol https
class-map type inspect match-all NaarInternet
 match class-map InternetVerkeer
 match access-group name Webservices
class-map type inspect match-any OpenInternet
 match access-group 101
class-map type inspect match-all NaarKPN
 match protocol dns
 match access-group name KPN-DNS
class-map type inspect match-all NaarAlarmcentrale
 match protocol udp
 match access-group name Alarmcentrale
!
policy-map type inspect lan2wan
 class type inspect NaarInternet
  inspect
 class type inspect NaarKPN
  inspect
 class type inspect NaarAlarmcentrale
  inspect
 class class-default
  drop log
policy-map type inspect lan2vpn
 class class-default
  pass
policy-map type inspect vpn2lan
 class class-default
  pass
policy-map type inspect ilan2wan
 class type inspect OpenInternet
  inspect
 class class-default
  drop log
!
zone security LAN
 description Internal LAN
zone security WAN
 description Internet
zone security VPN
 description VPN Tunnel
zone security ILAN
 description Internet-only LAN
zone-pair security lan2wan source LAN destination WAN
 service-policy type inspect lan2wan
zone-pair security lan2vpn source LAN destination VPN
 service-policy type inspect lan2vpn
zone-pair security vpn2lan source VPN destination LAN
 service-policy type inspect vpn2lan
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication
 ip nhrp map multicast 217.x.x.x
 ip nhrp map 172.16.1.13 217.115.195.99
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.1.13
 zone-member security VPN
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 4
 ip address 192.168.4.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface FastEthernet0.2
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security ILAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 92.x.x.x 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username
!
router eigrp 113
 network 172.16.1.0 0.0.0.255
 network 192.168.4.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Alarmcentrale
 permit udp any host 87.x.x.x
ip access-list extended KPN-DNS
 permit ip any host 213.x.x.x
 permit ip any host 213.x.x.x
ip access-list extended Webservices
 permit ip any host 217.x.x.x
 permit ip any 66.x.x.x 0.0.255.255
!
access-list 1 remark NAT ACL 4 internet
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
I know one solution is to put the FastEthernet 0.2 interface in the same zone as Dialer 0, but that would leave the devices unprotected.
Thanks in advance for your ideas.
S.
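The following is an added example, not part of the original post, of an ILAN to WAN policy that keeps the ILAN devices behind the firewall while letting all outbound sessions through. Two ZBF behaviours drive it: the `pass` action is stateless and applies only to the direction of the zone pair it is attached to, so with no WAN to ILAN zone pair the replies to a passed packet hit the default inter-zone deny; and the `inspect` action tracks sessions per Layer 4 protocol, so the class it applies to is given explicit `tcp`, `udp` and `icmp` protocol matches alongside the ACL rather than an ACL-only match. The zone names, the `ilan2wan` policy/zone-pair names and ACL 101 are taken from the post; the class-map name `ILAN-L4` is made up here, and the assumption that the `inspect` engine needs the protocol matches to build state is the author of this example's, not the original poster's.

```cisco
! Added example (not from the original post): stateful ILAN -> WAN policy.
! Assumptions: zones ILAN and WAN, policy/zone-pair ilan2wan and ACL 101
! exist as in the post; the class-map name ILAN-L4 is invented for this example.
!
! Match by Layer 4 protocol so "inspect" has a session to track. An ACL-only
! class gives the inspect engine no protocol, and a "pass" action would never
! create return-path state at all.
class-map type inspect match-any ILAN-L4
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Combine the protocol match with the existing permit-any ACL (match-all:
! both conditions must hold, so the ACL can later be tightened without
! touching the protocol list).
class-map type inspect match-all OpenInternet
 match class-map ILAN-L4
 match access-group 101
!
! Inspect the open class; everything else from ILAN to WAN is dropped and logged.
policy-map type inspect ilan2wan
 class type inspect OpenInternet
  inspect
 class class-default
  drop log
!
! Only the ILAN -> WAN pair is needed: inspect builds the state that lets the
! WAN -> ILAN replies back in, so no reverse zone pair or "pass" is required.
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
```

After applying it, open a connection from a 192.168.5.0/24 host and confirm that the firewall has created a session with `show policy-map type inspect zone-pair ilan2wan sessions`; `show zone-pair security` confirms the policy is bound to the pair. Putting `pass` on both an ILAN to WAN and a WAN to ILAN zone pair would also make traffic flow, but it would let any unsolicited packet from the Internet reach the ILAN hosts, which is the exposure the separate zone was meant to avoid.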