Solved: Problem with Zone_based Firewall

Sabby0115 · ‎10-08-2012

Hello

I have ISR router with (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M3. The router has normal internet connection settings with nat & all the users are accessing internet via this router, everything is working fine till this point.

I decided to configure zone based firewall on the router i have configured my router with basic config to check the results & everything stop working. No one can access internet neither other apps (outlook) after this config.

I am very much new to cisco security & I am looking help if someone checks my config is it correct or not & why these setting are nt working.

N-ROUTER#sh running-config | section class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

N-ROUTER#sh running-config | section policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_IN_TO_OUT

pass (I used pass & inspect both)

class class-default

drop

N-ROUTER#s run | sec zone-pair

zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE

service-policy type inspect POLICY_MAP_IN_TO_OUT

Harish Balakrishnan · ‎10-09-2012

Hello

For SIP to work, you can modify the class map to accomodate

match protocol sip

regarding the proxy you can achive this with the following

access-list 100 permit ip host any

access-list 100 deny ip any any

class-map type inspect match-all NEW_CLASS

match class-map CLASS_MAP_IN_TO_OUT

match access-group 100

policy-map type inspect POLICY_MAP_IN_TO_OUT

no class type inspect CLASS_MAP_IN_TO_OUT

class-map type inspect match-all NEW_CLASS

inspect

.. and you should be done

please rate all helpful post!

Harish.

View solution in original post

cadet alain · ‎10-08-2012

Hi,

could you add in global config: ip inspect log drop-pkt and also add a log to your class-default

You must have an inspect for the traffic in class-map in-to-out otherwise you shall have to do another policy from out to in with a pass for the return traffic.

Could you also post the output of sh run interface to see which is inside and which is outside.

Regards.

Alain

Don't forget to rate helpful posts.

Harish Balakrishnan · ‎10-08-2012

Hello Sarbjit,

If you have pass configured then you need to have another policy to permit the traffic from outside to inside as follows

access-list 100 permit ip any any

class-map type inspect match-all out_in

match access-group 100

policy-map type inspect out_in

class type inspect out_in

pass

zone-pair security out_in source outside destination inside

service-policy type inspect out_in

If you give inspect instead of pass, in your present policy ( please give no pass) and the incoming traffic should work wven without the outside to inside permission

Try it out and let me know

Harish.

Sabby0115 · ‎10-08-2012

cadet alain

& Harish Balakrishnan

Thank you to both of you...

As suggested I changed pass to inspect.

I believe it was a silly mistake made by me , i did not put match protocol dns now I insert it in class map & everything back on track.

Here is my config kindly check it & please tell me if anything else is wrong with it

Thanks again

=========================================

N-ROUTER#sh running-config | section class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

match protocol dns

N-ROUTER#sh running-config | section policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_IN_TO_OUT

inspect

class class-default

drop log

N-ROUTER#s run | sec zone

zone security INSIDE

zone security OUTSIDE

zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE

service-policy type inspect POLICY_MAP_IN_TO_OUT

zone-member security OUTSIDE

zone-member security INSIDE

interface FastEthernet0/0

ip address x.x.x.x 255.255.255.248

ip nat outside

ip virtual-reassembly in

zone-member security OUTSIDE

duplex auto

speed auto

end

interface FastEthernet0/1

ip address x.x.x.x 255.255.255.0

ip access-group TRAFFIC_SHAPE in

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

zone-member security INSIDE

duplex auto

speed auto

end

Harish Balakrishnan · ‎10-08-2012

Hello Sarbjit,

Could you remove the ACL TRAFFIC_SHAPE from the interface f0/1 as zone based firewall and acl are not advisable to use together

regards

Harish.

Sabby0115 · ‎10-09-2012

Hello

I removed the acl & checked it is working fine but I have proxy server configure inside my network & I am using that access list to block uncontrolled users it is just one one allowed statement...

one more thing after configuring ios firewll i have notice that my sip link is not working. which is configured on PBX (panasonic). but if i am using same sip link from my mobile (connected to wireless) it is working... any idea?

Ip access-list ext TRAFFIC_SHAPE

permit tcp host x.x.x.x any eq www

Pls suggest will it ok to use or not?

Harish Balakrishnan · ‎10-09-2012

Hello

For SIP to work, you can modify the class map to accomodate

match protocol sip

regarding the proxy you can achive this with the following

access-list 100 permit ip host any

access-list 100 deny ip any any

class-map type inspect match-all NEW_CLASS

match class-map CLASS_MAP_IN_TO_OUT

match access-group 100

policy-map type inspect POLICY_MAP_IN_TO_OUT

no class type inspect CLASS_MAP_IN_TO_OUT

class-map type inspect match-all NEW_CLASS

inspect

.. and you should be done

please rate all helpful post!

Harish.

Sabby0115 · ‎10-09-2012

hello

Sorry I am troubling you

I think this is typo class-map type inspect match-all NEW_CLASS it should be class class type inspect NEW_CLASS

====

match protocol sip

i already configured, but as i mentioned it is working on cell phones but it is not working from PBX.....

====

as i understand, is it gouping the multiple class-maps under another class-map?

Thanks for you kind help

Harish Balakrishnan · ‎10-09-2012

hello Sarbjit,

No problem at all...

no it is not a typo.. it should be like that only.. yes they are nested class maps and new class map with match all tag..

regarding SIP .. Not sure.. why it is broken.. i have faced the issue in ASA but after disabling the inspection it got worked.. what you can do here is to create another access list that matches SIP device IP and create another class map and call that as the first class map in policy map then 'pass' it instead of 'inspect'.. but then you need to have another policy map in outside- inside direction to allow the retun traffic to the SIP

hope this helps

Harish.

Sabby0115 · ‎10-09-2012

kindly chk my config.....& pls make the changes if requried

sh run | sec policy-map

policy-map type inspect POLICY_MAP_IN_TO_OUT

class type inspect CLASS_MAP_TORRENT

drop log

class type inspect PROXY_CLIENTS

inspect

class type inspect CLASS_MAP_IN_TO_OUT

inspect

class class-default

drop log

sh run | sec class-map

class-map type inspect match-any CLASS_MAP_IN_TO_OUT

match protocol icmp

match protocol http

match protocol https

match protocol pop3

match protocol smtp

match protocol dns

match protocol sip

match protocol stun

class-map type inspect match-any CLASS_MAP_TORRENT

match protocol bittorrent

match protocol kazaa2

match protocol edonkey

match protocol gnutella

match protocol winmx

match protocol rtsp

match protocol realmedia

match protocol streamworks

match protocol fasttrack

class-map type inspect match-all PROXY_CLIENTS

match class-map CLASS_MAP_IN_TO_OUT

match access-group 101

Thanks