10-08-2012 12:49 AM - edited 03-11-2019 05:05 PM
Hello
I have an ISR router (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M3. The router has a normal internet connection with NAT, and all the users access the internet via this router; everything was working fine up to this point.
I decided to configure a zone-based firewall on the router. I configured it with a basic config to check the results, and everything stopped working. No one can access the internet or other apps (Outlook) after this config.
I am very new to Cisco security, and I would appreciate it if someone could check whether my config is correct and why these settings are not working.
N-ROUTER#sh running-config | section class-map
class-map type inspect match-any CLASS_MAP_IN_TO_OUT
 match protocol icmp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol smtp
N-ROUTER#sh running-config | section policy-map
policy-map type inspect POLICY_MAP_IN_TO_OUT
 class type inspect CLASS_MAP_IN_TO_OUT
  pass   (I used pass & inspect both)
 class class-default
  drop
N-ROUTER#s run | sec zone-pair
zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_MAP_IN_TO_OUT
10-08-2012 01:11 AM
Hi,
Could you add in global config: ip inspect log drop-pkt, and also add a log to your class-default?
You must have an inspect for the traffic in class-map in-to-out; otherwise you will have to create another policy from out to in with a pass for the return traffic.
Could you also post the output of sh run interface, so we can see which is inside and which is outside?
Regards.
Alain
Don't forget to rate helpful posts.
10-08-2012 01:17 AM
Hello Sarbjit,
If you have pass configured, then you need to have another policy to permit the traffic from outside to inside, as follows:
access-list 100 permit ip any any
class-map type inspect match-all out_in
 match access-group 100
policy-map type inspect out_in
 class type inspect out_in
  pass
zone-pair security out_in source outside destination inside
 service-policy type inspect out_in
If you use inspect instead of pass in your present policy (please give no pass), the incoming traffic should work even without the outside-to-inside permission.
Try it out and let me know.
Harish.
10-08-2012 01:47 AM
Thank you to both of you...
As suggested I changed pass to inspect.
I believe it was a silly mistake on my part: I did not put match protocol dns in the class map. Now I have inserted it and everything is back on track.
Here is my config; kindly check it and please tell me if anything else is wrong with it.
Thanks again
=========================================
N-ROUTER#sh running-config | section class-map
class-map type inspect match-any CLASS_MAP_IN_TO_OUT
 match protocol icmp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol smtp
 match protocol dns
N-ROUTER#sh running-config | section policy-map
policy-map type inspect POLICY_MAP_IN_TO_OUT
 class type inspect CLASS_MAP_IN_TO_OUT
  inspect
 class class-default
  drop log
N-ROUTER#s run | sec zone
zone security INSIDE
zone security OUTSIDE
zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_MAP_IN_TO_OUT
 zone-member security OUTSIDE
 zone-member security INSIDE
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
end
interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.0
 ip access-group TRAFFIC_SHAPE in
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
end
10-08-2012 02:20 AM
Hello Sarbjit,
Could you remove the ACL TRAFFIC_SHAPE from interface f0/1, as a zone-based firewall and an ACL are not advisable to use together?
Regards,
Harish.
10-09-2012 03:05 AM
Hello
I removed the ACL and checked; it is working fine. But I have a proxy server configured inside my network, and I am using that access list to block uncontrolled users. It is just one permit statement...
One more thing: after configuring the IOS firewall I have noticed that my SIP link, which is configured on the PBX (Panasonic), is not working. But if I use the same SIP link from my mobile (connected to wireless), it is working... any idea?
ip access-list extended TRAFFIC_SHAPE
 permit tcp host x.x.x.x any eq www
Please suggest whether it is OK to use or not.
10-09-2012 03:25 AM
Hello
For SIP to work, you can modify the class map to accommodate
 match protocol sip
Regarding the proxy, you can achieve this with the following:
access-list 100 permit ip host
access-list 100 deny ip any any
class-map type inspect match-all NEW_CLASS
 match class-map CLASS_MAP_IN_TO_OUT
 match access-group 100
policy-map type inspect POLICY_MAP_IN_TO_OUT
 no class type inspect CLASS_MAP_IN_TO_OUT
 class-map type inspect match-all NEW_CLASS
  inspect
.. and you should be done.
Please rate all helpful posts!
Harish.
10-09-2012 04:22 AM
Hello
Sorry to trouble you.
I think this is a typo: class-map type inspect match-all NEW_CLASS; it should be class type inspect NEW_CLASS
====
match protocol sip
I already configured that, but as I mentioned, it is working on cell phones but not from the PBX.....
====
As I understand it, is it grouping multiple class-maps under another class-map?
Thanks for your kind help.
10-09-2012 04:56 AM
Hello Sarbjit,
No problem at all...
No, it is not a typo.. it should be like that only.. Yes, they are nested class maps, and the new class map has the match-all tag..
Regarding SIP.. not sure why it is broken.. I have faced the issue on an ASA, but after disabling the inspection it worked.. What you can do here is create another access list that matches the SIP device IP, create another class map, call that as the first class map in the policy map, and then 'pass' it instead of 'inspect'.. but then you need to have another policy map in the outside-to-inside direction to allow the return traffic to the SIP device.
Hope this helps.
Harish.
10-09-2012 07:07 AM
Kindly check my config..... and please make the changes if required.
sh run | sec policy-map
policy-map type inspect POLICY_MAP_IN_TO_OUT
 class type inspect CLASS_MAP_TORRENT
  drop log
 class type inspect PROXY_CLIENTS
  inspect
 class type inspect CLASS_MAP_IN_TO_OUT
  inspect
 class class-default
  drop log
sh run | sec class-map
class-map type inspect match-any CLASS_MAP_IN_TO_OUT
 match protocol icmp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol smtp
 match protocol dns
 match protocol sip
 match protocol stun
class-map type inspect match-any CLASS_MAP_TORRENT
 match protocol bittorrent
 match protocol kazaa2
 match protocol edonkey
 match protocol gnutella
 match protocol winmx
 match protocol rtsp
 match protocol realmedia
 match protocol streamworks
 match protocol fasttrack
class-map type inspect match-all PROXY_CLIENTS
 match class-map CLASS_MAP_IN_TO_OUT
 match access-group 101
Thanks
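As an added example (assembled by the editor, not any poster's config), here is the complete inside-to-outside policy with the fixes discussed in this thread applied together: inspect rather than pass, dns and sip in the class map, the interface ACL removed, and direct internet access restricted to the proxy host through the nested match-all class. It differs from the last posted config in one point: the unconditional CLASS_MAP_IN_TO_OUT class is left out of the policy map, because with it present every inside host is inspected and allowed, so the proxy restriction is never enforced. The proxy address 192.0.2.10 and ACL number 101 are placeholders.

```cisco
! Added example, not from the thread. 192.0.2.10 stands in for the proxy host.
! ACL 101 selects the only inside host allowed to reach the internet directly.
access-list 101 permit ip host 192.0.2.10 any
access-list 101 deny ip any any
!
class-map type inspect match-any CLASS_MAP_IN_TO_OUT
 match protocol dns
 match protocol icmp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol smtp
 match protocol sip
 match protocol stun
!
class-map type inspect match-any CLASS_MAP_TORRENT
 match protocol bittorrent
 match protocol kazaa2
 match protocol edonkey
 match protocol gnutella
 match protocol winmx
 match protocol fasttrack
!
! match-all: the flow must come from the proxy host AND be an allowed protocol.
class-map type inspect match-all PROXY_CLIENTS
 match class-map CLASS_MAP_IN_TO_OUT
 match access-group 101
!
policy-map type inspect POLICY_MAP_IN_TO_OUT
 ! inside a policy-map a class is referenced with "class type inspect", not "class-map"
 class type inspect CLASS_MAP_TORRENT
  drop log
 class type inspect PROXY_CLIENTS
  inspect
 ! no "class type inspect CLASS_MAP_IN_TO_OUT" here: it would admit every inside host
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_MAP_IN_TO_OUT
!
interface FastEthernet0/0
 ip nat outside
 zone-member security OUTSIDE
interface FastEthernet0/1
 ip nat inside
 no ip access-group TRAFFIC_SHAPE in
 zone-member security INSIDE
```

Because the allowed class uses inspect, the firewall keeps session state and admits the return traffic itself, so no OUTSIDE-to-INSIDE zone-pair is needed; other inside hosts must reach the internet through the proxy, and their drops appear in the log from class-default.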