11-27-2010 09:20 AM - edited 03-11-2019 12:15 PM
I have set up a ZBF on a Cisco 1801 with 4 zones:
- LAN: The internal network
- WAN: The ADSL dialup
- VPN: The DMVPN tunnel
- ILAN: A separate network for unrestricted internet access
The communication between the LAN and VPN is unrestricted and works fine. The restrictive LAN to WAN policy also works as planned, but it's the ILAN to WAN connection that's blocking everything. I set this policy to allow all traffic to go out, but the FW drops all the traffic. Removing the WAN and ILAN zones allows traffic to flow again. Initially I defined the following class map for this zone like this:
policy-map type inspect ilan2wan
 class class-default
  pass
This, for some reason unknown to me, doesn't work at all. I played around a bit (thinking the pass-all didn't work) and ended up with the following config, but still no go.
Any takers?
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service password-recovery
!
hostname
!
boot-start-marker
boot system flash:c180x-adventerprisek9-mz.124-24.T4.bin
boot-end-marker
!
dot11 syslog
no ip source-route
ip options drop
!
ip cef
no ip bootp server
ip name-server 213.x.x.x
ip name-server 213.x.x.x
no ipv6 cef
!
class-map type inspect match-any InternetVerkeer
 match protocol icmp
 match protocol http
 match protocol https
class-map type inspect match-all NaarInternet
 match class-map InternetVerkeer
 match access-group name Webservices
class-map type inspect match-any OpenInternet
 match access-group 101
class-map type inspect match-all NaarKPN
 match protocol dns
 match access-group name KPN-DNS
class-map type inspect match-all NaarAlarmcentrale
 match protocol udp
 match access-group name Alarmcentrale
!
policy-map type inspect lan2wan
 class type inspect NaarInternet
  inspect
 class type inspect NaarKPN
  inspect
 class type inspect NaarAlarmcentrale
  inspect
 class class-default
  drop log
policy-map type inspect lan2vpn
 class class-default
  pass
policy-map type inspect vpn2lan
 class class-default
  pass
policy-map type inspect ilan2wan
 class type inspect OpenInternet
  inspect
 class class-default
  drop log
!
zone security LAN
 description Internal LAN
zone security WAN
 description Internet
zone security VPN
 description VPN Tunnel
zone security ILAN
 description Internet-only LAN
zone-pair security lan2wan source LAN destination WAN
 service-policy type inspect lan2wan
zone-pair security lan2vpn source LAN destination VPN
 service-policy type inspect lan2vpn
zone-pair security vpn2lan source VPN destination LAN
 service-policy type inspect vpn2lan
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.1.4 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication
 ip nhrp map multicast 217.x.x.x
 ip nhrp map 172.16.1.13 217.115.195.99
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.1.13
 zone-member security VPN
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 4
 ip address 192.168.4.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface FastEthernet0.2
 encapsulation dot1Q 5
 ip address 192.168.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security ILAN
 ip tcp adjust-mss 1452
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Dialer0
 ip address 92.x.x.x 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username
!
router eigrp 113
 network 172.16.1.0 0.0.0.255
 network 192.168.4.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended Alarmcentrale
 permit udp any host 87.x.x.x
ip access-list extended KPN-DNS
 permit ip any host 213.x.x.x
 permit ip any host 213.x.x.x
ip access-list extended Webservices
 permit ip any host 217.x.x.x
 permit ip any 66.x.x.x 0.0.255.255
!
access-list 1 remark NAT ACL 4 internet
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
I know one solution is to put the FastEthernet 0.2 interface in the same zone as Dialer 0, but that would leave the devices unprotected.
Thanks in advance for your ideas.
S.
11-27-2010 11:32 AM
Hello Sander,
I hope you are doing great. That is expected behavior. The problem is that if you put the class-default as pass, the return traffic will be dropped. In order for this to work, you can follow either of these two suggestions:
- You will need to put the class-default as inspect
- You can create a new zone-pair from Out-zone to ILAN and have the same action (pass)
That will make this work.
If you have any doubts please let me know.
Thanks !
Mike
11-29-2010 03:32 AM
Thank you for your reply Maykol, really appreciate it.
Your answer sounds logical, but it does make me wonder. I didn't have to define a WAN to LAN zone to allow traffic to flow back and still keep my internal network protected. How can I achieve the same for the ILAN zone? I assume defining a WAN to LAN zone-pair with pass will still expose open ports to the outside world, while this now isn't the case for my LAN to WAN zone.
Can you clarify this?
Thanks in advance,
S.
11-29-2010 05:14 AM
Hi Sander,
Forgot to mention that. On the LAN portion, the actions for http and regular tcp traffic are inspect, which means that the zone-based firewall will generate a stateful session for each connection made out, permitting the return traffic to come in; this does not happen when you have the pass action configured. The only thing that you need to do is to put the class-default as inspect and that will do the trick.
Cheers
Mike
11-29-2010 05:29 AM
In that case I'm even more confused as I had this:
 class type inspect OpenInternet
  inspect
 class class-default
  drop log
!
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
Why doesn't this work then?
11-29-2010 05:43 AM
In your config add this command: ip inspect log drop-pkt
Then try communication from ILAN to WAN and post the log. If you see that it is denied (dropped), then it is matching class-default, so in this case remove your policy and re-enter it like this:
policy-map type inspect ILAN2WAN
 class class-default
  no drop
  inspect
Regards
11-29-2010 07:27 AM
Thank you both for your feedback. I already had to take this router into production, so I'll set up a new router somewhere this week and try out your suggestion.
To be continued...
11-29-2010 06:22 AM
Hello,
It should. Please add the command that the other guy suggested, "ip inspect log drop-pkt", then turn on the terminal monitor, try to send traffic to the WAN and paste us the logs. If you are not able to see anything, take out the service-policy and put it back again.
Cheers
Mike
12-22-2010 01:12 PM
OK, I fixed it. For some reason the class-default inspect action doesn't work when there's nothing to inspect. I created a class-map that inspects everything:
class-map type inspect match-any UnrestrictedInternet
 match protocol tcp
 match protocol udp
 match protocol icmp
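The fix the thread converges on, written out as a complete ILAN-to-WAN policy. This is an added example, not config from the original posts: the zone names, the zone-pair name ilan2wan and the class-map name UnrestrictedInternet follow the posted config and the final reply, everything else is an assumption about a typical 12.4T zone-based firewall, and the commented-out "pass" variant is included only to show why it fails.

```cisco
! Added example, not from the original posts. Names follow the thread;
! the layout is an assumption about a typical IOS 12.4T ZBF configuration.
!
! Explicit Layer 4 matches. In the poster's case "class class-default /
! inspect" on its own did not build sessions; a match-any class covering
! tcp, udp and icmp is what made inspection take effect.
class-map type inspect match-any UnrestrictedInternet
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Outbound policy. "inspect" creates a stateful session per flow, so the
! WAN->ILAN reply packets are admitted without any WAN->ILAN zone-pair.
! Anything that is not tcp/udp/icmp falls into class-default and is
! dropped and logged.
policy-map type inspect ilan2wan
 class type inspect UnrestrictedInternet
  inspect
 class class-default
  drop log
!
! Only the ILAN->WAN direction gets a zone-pair. Unsolicited WAN->ILAN
! and any ILAN<->LAN traffic have no zone-pair and are dropped by the
! ZBF default, which is what keeps ILAN hosts both reachable-out and
! isolated.
zone-pair security ilan2wan source ILAN destination WAN
 service-policy type inspect ilan2wan
!
! Log class-default drops while testing (suggested earlier in the thread).
ip inspect log drop-pkt
!
! The variant that does NOT work, shown for contrast. "pass" is
! stateless: the outbound packet is forwarded, but the reply arrives in
! the WAN->ILAN direction, where no zone-pair exists, and is dropped.
! Making it work with "pass" would need a second, WAN->ILAN zone-pair
! that also passes everything, which would admit unsolicited inbound
! traffic toward ILAN (NAT aside). Do not apply:
! policy-map type inspect ilan2wan
!  class class-default
!   pass
```

After applying it, open a few connections from an ILAN host and confirm sessions are being created with `show policy-map type inspect zone-pair ilan2wan sessions`; if the session list stays empty while `ip inspect log drop-pkt` messages appear, traffic is still landing in class-default and the class-map/policy-map binding should be re-checked.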