Re: Miss configured ZBFW?

kubn2 · ‎02-28-2020

Hi All,

I have a problem with ZBFW (on router). I tried to set it up like (I think) should it be, so Inside can initiate connection to the outside and to router itself but outside cannot initiate connection to inside and to router it self. Based on below configuration can you tell me why it's not working like it should? (I skipped interface configuration in this output but they have properly assigned commands "zone-member security INSIDE" and "zone-member security OUTSIDE"):

Rob Ingram · ‎02-28-2020

Hi,
What exactly is and is not working in this configuration?
Provide the output of "show policy-map type inspect zone-pair <your zone pairs>"
You'd be better off providing the full configuration, as this might provide other clues as to where the issue lies.

HTH

kubn2 · ‎02-28-2020

What is not working:

I have config PC1->Router1 (PPOE client) -> Router2 (PPPOE server) -> PC2

PC1 can ping Router1 inside interface as well as Dialer interface but cannot ping Router2 so cannot initiate connection outside network. Meanwhile Router1 can ping Router2 loopback as well as internal router2 interface facing PC2. Both router have default gateways as each other.

Here is an output that you asked for and below that there is rest of the configuration that could do anything I skipped things like dhcp or hashes and etc:

Rob Ingram · ‎02-28-2020

Nothing has matched INSIDE-TO-OUTSIDE-POLICY.
And you don't appear to have defined zone-member OUTSIDE on the dialer interface.

kubn2 · ‎02-28-2020

Ok I'm dumb :D You are right Dialer should be outside zone for security as well as for NAT. I fixed that, now PC1 can ping router1 and Rotuer2 both external and internal interfaces BUT he cannot ping PC2. PC2 have firewall off and allow ICMPs.

Also Im getting periodic message like this:

100.64.100.219 is the local router so he is the source however he dropping this packet (DNS server 193.X.X.X) based on rule outside-to-self even if this is self-to-outside(I don't have this configured maybe thats the problem?)

Rob Ingram · ‎02-28-2020

Good :)

Turn on debug on both routers R1 and R2 "debug ip icmp", then ping PC2, observe the output - I don't know the configuration of R2, but are you pinging the real IP address of PC2 but the return traffic is being natted? Turn on nat debug as well and provide the output of "show ip nat translation"

I imagine that DNS request is NOT related to this issue, but if you wish you could take a packet capture and observe the output to determine what hostname is attempting to be resolved.

kubn2 · ‎02-29-2020

Ok so first things first, I added class and policy for SELF-TO-INSIDE which fixed my DHCP on Router1 and PC1 can obtain addresses now.

To sort it out:
Right now I'm allowing traffic:
-inside to outside
-inside to self
-self to inside
Right now I'm denying traffic:
-outside to inside
-outside to self
-self to outside

Because I want to deny possibility that someone from outside can establish connection to my network I think current setup should work, BUT I have doubt. Router1 have NAT so if I'm not mistaken router sees that he is the source (self) of connection and he initiating connection to outsie. Am I right? If yes then should I create policy and class allowing selft-to-outside?

Rob Ingram · ‎03-02-2020

Traffic going through the router would match INSIDE-TO-OUTSIDE-POLICY when being natted on the router, so you do not need a policy for self to outside for this scenario.

Cristian Matei · ‎02-29-2020

Hi,

Do a continuous ping from PC1 towards both PC2 and router2, and look on router1 in the connection table (show policy-firewall session); if you see both sessions in there, based on the provided config, there is something wrong on PC2. To ensure that there is nothing wrong with your ZBFW, remove the "zone member security" commands, so like disable ZBFW, and see if you can ping from PC1 to PC2.

Also, you've probably wanted to do NAT, but forgot to enable "ip nat outside" on your Dialer interface.

Regards,

Cristian Matei.