Self Zone Blocking Internet Traffic

cisco_architect
Level 1

Hello all,

I have a C887 router running IOS c880data-universalk9-mz.151-4.M4.bin. I have configured inside and outside ZBFW config; however, on attempting to secure the router self zone, it blocks internet traffic from WiFi users on the site. The plan is to block all incoming access to the infrastructure addresses from the Outside zone except ICMP replies and TTL expiries, to allow us to do pings and traceroutes from the router. For GRE, I'm not 100% sure, but it's likely the ZFW is able to inspect it and allow the incoming GRE in response to the outgoing.

Here is the Inside & Outside zone config:

class-map type inspect match-any Inside-2-Outside
 match access-group name Inside-2-Outside
class-map type inspect match-any Outside-2-Inside
 match access-group name Outside-2-Inside
!
policy-map type inspect Outside-2-Inside
 class type inspect Outside-2-Inside
  inspect
 class class-default
  drop
policy-map type inspect Inside-2-Outside
 class type inspect Inside-2-Outside
  inspect
 class class-default
  drop
!
zone security Inside
 description WIFI-Network
zone security Outside
 description ADSL-Internet
zone-pair security Inside-2-Outside source Inside destination Outside
 service-policy type inspect Inside-2-Outside
zone-pair security Outside-2-Inside source Outside destination Inside
 service-policy type inspect Outside-2-Inside
!
ip access-list extended Inside-2-Outside
 permit tcp any any
 permit icmp any any
 permit udp any any
 permit gre any any
ip access-list extended Outside-2-Inside
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit gre any any
 permit tcp any any eq pop3
 permit tcp any any eq 995
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq smtp
 permit tcp any any eq 2525
 permit tcp any any eq 465
 permit tcp any any eq 587
 deny   ip any any

hostname#sh zone security inside
zone Inside
  Description: WIFI-Network
  Member Interfaces:
    Vlan25
hostname#sh zone security outside
zone Outside
  Description: ADSL-Internet
  Member Interfaces:
    ATM0.1
    Dialer1
    Tunnel0
    Tunnel1

When the above is applied, the WiFi users can connect to the internet. The internet traffic is redirected over GRE tunnels for content filtering; all works fine.

Once the Self Zone config below is applied the internet traffic is blocked:

class-map type inspect match-all CM_from-self-inspect
 match access-group name ACL_from-self-inspect
!
class-map type inspect match-all CM_from-self-passthru
 match access-group name ACL_from-self-passthru
!
class-map type inspect match-all CM_to-self-passthru
 match access-group name ACL_to-self-passthru
!
policy-map type inspect PM_from-self
 class type inspect CM_from-self-inspect
  inspect
 class type inspect CM_from-self-passthru
  pass
!
policy-map type inspect PM_to-self
 class type inspect CM_to-self-passthru
  pass
!
zone-pair security ZP_inside-to-self source Inside destination self
 service-policy type inspect PM_to-self
!
zone-pair security ZP_outside-to-self source Outside destination self
 service-policy type inspect PM_to-self
!
zone-pair security ZP_self-to-inside source self destination Inside
 service-policy type inspect PM_from-self
!
zone-pair security ZP_self-to-outside source self destination Outside
 service-policy type inspect PM_from-self
!
ip access-list extended ACL_from-self-inspect   ! ZP_self-to-inside & ZP_self-to-outside
 permit tcp any any
 permit udp any any
 permit icmp any any
!
ip access-list extended ACL_from-self-passthru  ! ZP_self-to-inside & ZP_self-to-outside
 permit gre any any
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
!
ip access-list extended ACL_to-self-passthru    ! ZP_inside-to-self & ZP_outside-to-self
 permit gre host <Content Filtering ISP-public-address1> host <dialer-public-address>
 permit gre host <Content Filtering ISP-public-address1> host <dialer-public-address>
 permit icmp any host <dialer-public-address> echo-reply
 permit icmp any host <dialer-public-address> ttl-exceeded
 permit icmp any host <dialer-public-address> time-exceeded
 permit icmp any host <dialer-public-address> port-unreachable
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any

Any help would be much appreciated!

Thanks


jumora
Level 7

Remove the self to restore services


Well, the out-to-self and self-to-out.


The reason your Internet traffic is dropped is because the router's control plane is routing between the security zones since you are sending all traffic to "self".  You need to setup 2 more zone-pairs between the outside and inside, inside and outside to permit internet traffic.  Or you can do what jumora suggested.

--

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Julio Carvajal
VIP Alumni

Hello Raj,

I would not recommend removing the self zone. I mean, this is a FW, right? You want it to be as restrictive as possible.

So you have a GRE tunnel used for redirection of traffic for content filtering! That interface belongs to the outside zone.

I can see that we already have the policies from In to Out, so the zone policies are ok.

This may be a copy-paste error, but check it anyway:

ip access-list extended ACL_to-self-passthru ! ZP_inside-to-self & outside to self
 permit gre host host
 permit gre host host

Are you sure you have the right IP address for the tunnel source?

Also I would add the following

ip access-list extended GRE_Inspect
 permit tcp host host eq 1723
!
class-map type inspect GRE_Inspect
 match access-group name GRE_Inspect
!
policy-map type inspect PM_to-self
 class type inspect GRE_Inspect
  inspect
 class type inspect CM_to-self-passthru
  pass

Additional Info:

Is the GRE tunnel even being built?

If it's still not working, then provide us the drop log. For that:

ip inspect log drop-pkt

and make sure you have logging enabled, so next time something does not work you can provide us a

show logging | include x.x.x.x (IP address of host not working)

With that we will see what is getting dropped and why.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
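To make the drop log Julio asks for actually reach the buffer, and to read it next to the per-class counters that tell you which class a flow landed in, the following is an added example (it is not part of Julio's reply or of the original post). The zone-pair name ZP_outside-to-self is taken from the configuration above; the commands are standard classic IOS 15.x ZBFW commands and assume nothing else about the router:

```cisco
! Added example: capturing and reading ZBFW drops on a classic IOS router.
! %FW-6-DROP_PKT is severity 6, so the buffer must accept "informational"
! (the default buffered level is debugging, which also works; set it
! explicitly so a later "logging buffered warnings" does not silence it).
logging buffered 65536 informational
ip inspect log drop-pkt
!
! Which zone-pairs exist and which policy-map each one carries.
show zone-pair security
!
! Per-class packet counters for one zone-pair. A rising drop counter
! under class-default means the traffic matched no class at all; a
! rising counter under an "inspect" class with no session means the
! protocol is not something the self zone can inspect (GRE, DHCP).
show policy-map type inspect zone-pair ZP_outside-to-self
!
! Stateful sessions currently held for that pair (built by "inspect").
show policy-map type inspect zone-pair ZP_outside-to-self sessions
!
! Then filter the buffer. Lines with "on zone-pair ... class ..." are
! policy drops and name the class that dropped; lines with "due to ..."
! and no zone-pair are TCP state checks on an already inspected session.
show logging | include FW-6-DROP_PKT
```

Read the policy-map counters rather than the ACL hit counts: ACEs referenced from an inspect class-map do not increment their counters in classic ZBFW, so `show ip access-lists` will show zero hits even for an ACL that is matching.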

Thank you for all your responses! The self-to-out and out-to-self configuration is probably causing the issue; however, I agree that removing it altogether is not recommended, since the intention is to protect the router infrastructure from the internet.

Julio, yes the GRE tunnel interface belongs to the outside zone and the tunnel interfaces are up:

interface Tunnel0
 ip address x.x.x.x 255.255.255.252
 ip tcp adjust-mss 1436
 ip nat outside
 zone-member security Outside
 ip virtual-reassembly
 keepalive 5 3
 tunnel source Dialer1
 tunnel destination x.x.x.x

I think I’ve made an error in the ACL below as I’ve specified as the tunnel destination address.  The tunnel source address is dialer1, therefore should the be the tunnel interface IP address with the /30 mask above?

ip access-list extended ACL_to-self-passthru ! ZP_inside-to-self & outside to self
 permit gre host host
 permit gre host host

Thanks again!

Please add zone-pairs between the inside and outside security zones that allow the desired traffic.


Hello Raj,

Yes, you should point to the tunnel source.

Now can you provide us the drop log?


Okay, I'll re-configure the ACL below to permit the tunnel interface addresses (source) instead of the destination tunnel IPs to the dialer public address and try again. I have another test window on Tuesday, so will post up the results.

ip access-list extended ACL_to-self-passthru ! ZP_inside-to-self & outside to self
 permit gre host host
 permit gre host host

Since the tunnels were up I assumed that the ACL was not blocking the internet traffic. 

Thanks all for the help!

Exactly.

Remember the logs, right? That is what will let us move forward.


Okay these are the logs when the Self Zone config is applied:

Dec  5 13:43:38.855 GMT: %FW-6-DROP_PKT: Dropping tcp session [Dialer IP]:65065 x.x.x.x:80  due to  RST inside current window with ip ident 0
Dec  5 13:44:17.311 GMT: %FW-6-DROP_PKT: Dropping tcp session [Dialer IP]:65111 x.x.x.x:80  due to  RST inside current window with ip ident 0
Dec  5 13:47:54.627 GMT: %FW-6-DROP_PKT: Dropping udp session [WIFI DEF GATEWAY IP]:67 255.255.255.255:68 on zone-pair ZP_self-to-inside class CM_from-self-inspect   with ip ident 0
Dec  5 13:50:59.643 GMT: %FW-6-DROP_PKT: Dropping udp session [WIFI DEF GATEWAY IP]:67 255.255.255.255:68 on zone-pair ZP_self-to-inside class CM_from-self-inspect   with ip ident 0

I tried opening up the ACLs, permitting everything, but the WiFi internet was still blocked, i.e.:

ip access-list extended ACL_from-self-inspect   ! ZP_self-to-inside & ZP_self-to-outside
 permit tcp any any
 permit udp any any
 permit icmp any any
!
ip access-list extended ACL_from-self-passthru  ! ZP_self-to-inside & ZP_self-to-outside
 permit gre any any
 permit tcp any any
 permit udp any any
 permit icmp any any
!
ip access-list extended ACL_to-self-passthru    ! ZP_inside-to-self & ZP_outside-to-self
 permit gre any any
 permit tcp any any
 permit udp any any
 permit icmp any any

Opening up the ACLs did not resolve the issue. Any thoughts, please?

Many thanks

Hello,

Based on the logs, it looks like the traffic getting denied (most important) is the DHCP offers.

Is the device working as a DHCP client even getting an IP address?

I do not think so, but here is what you need to do:

Create a class-map matching UDP 68, 67.

Configure the policy Self-Inside with that class-map previously defined on top of it, using the PASS action.

Traffic is being inspected at the moment, and for DHCP this cannot happen.


Hello Julio,

Like this?

ip access-list extended DHCP_Passthru
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
!
class-map type inspect DHCP_Passthru
 match access-group name DHCP_Passthru
!
policy-map type inspect PM_from-self
 class type inspect DHCP_Passthru
  pass

Many thanks

Hello Raj,

Yes, then add the other lines you had there (the inspection one and the other pass ones).


Okay will apply the following:

ip access-list extended DHCP_Passthru
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
!
class-map type inspect DHCP_Passthru
 match access-group name DHCP_Passthru
!
! DHCP_Passthru has to be the first class: classes are evaluated in order,
! and the "permit udp any any" in ACL_from-self-inspect would otherwise
! match the DHCP offers before they ever reach the pass action.
policy-map type inspect PM_from-self
 class type inspect DHCP_Passthru
  pass
 class type inspect CM_from-self-inspect
  inspect
 class type inspect CM_from-self-passthru
  pass

Unfortunately I have to wait until next week now until I can test again, but thanks for all your help, much appreciated. I will report back following the next test.

Regards,

Raj
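Pulling the thread's conclusions together (DHCP and GRE passed rather than inspected, the pass classes ahead of the inspect class, GRE matched on the outer header addresses rather than the /30 tunnel addresses), the following is an added example of a complete self-zone policy for this router. It is not the configuration Raj applied and not Cisco's; the addresses 203.0.113.10 (Dialer1 public address, the GRE `tunnel source`), 198.51.100.5 (content-filter GRE endpoint, the `tunnel destination`) and 192.168.25.0/24 (Vlan25, router at 192.168.25.1) are placeholders, and the SSH-from-inside class is an addition the thread does not discuss but that a drop-by-default self pair would otherwise block. It goes beyond the thread in using one policy-map per zone-pair, so the Outside side receives only GRE and ICMP errors. The existing Inside<->Outside zone-pairs stay exactly as posted above:

```cisco
! Added example (not from the thread): per-zone-pair self-zone policy.
! Placeholders, all assumed: 203.0.113.10 = Dialer1 public address,
! 198.51.100.5 = content-filter GRE endpoint, 192.168.25.0/24 = Vlan25.
! GRE and DHCP cannot be stateful-inspected in the self zone, so they use
! "pass"; "pass" is one-directional, so both directions are written out.
!
! ---- Outside -> self: only what the Internet must be able to reach ----
ip access-list extended ACL_outside-to-self-pass
 remark GRE keyed on the OUTER header: provider endpoint -> our Dialer1 address
 permit gre host 198.51.100.5 host 203.0.113.10
 remark replies/errors so ping and traceroute sourced from the router work
 permit icmp any host 203.0.113.10 echo-reply
 permit icmp any host 203.0.113.10 time-exceeded
 permit icmp any host 203.0.113.10 unreachable
class-map type inspect match-all CM_outside-to-self-pass
 match access-group name ACL_outside-to-self-pass
policy-map type inspect PM_outside-to-self
 class type inspect CM_outside-to-self-pass
  pass
 class class-default
  drop log
!
! ---- Inside -> self: DHCP from the WiFi clients, SSH management ----
ip access-list extended ACL_inside-to-self-pass
 remark DHCP DISCOVER/REQUEST, broadcast or unicast renewal
 permit udp any eq bootpc any eq bootps
ip access-list extended ACL_inside-to-self-inspect
 permit tcp 192.168.25.0 0.0.0.255 host 192.168.25.1 eq 22
class-map type inspect match-all CM_inside-to-self-pass
 match access-group name ACL_inside-to-self-pass
class-map type inspect match-all CM_inside-to-self-inspect
 match access-group name ACL_inside-to-self-inspect
policy-map type inspect PM_inside-to-self
 class type inspect CM_inside-to-self-pass
  pass
 class type inspect CM_inside-to-self-inspect
  inspect
 class class-default
  drop log
!
! ---- self -> Inside: DHCP OFFER/ACK first, because the inspect class's
! ---- "permit udp any any" would otherwise match it (first match wins)
ip access-list extended ACL_self-to-inside-pass
 permit udp any eq bootps any eq bootpc
ip access-list extended ACL_self-originated-inspect
 permit tcp any any
 permit udp any any
 permit icmp any any
class-map type inspect match-all CM_self-to-inside-pass
 match access-group name ACL_self-to-inside-pass
class-map type inspect match-all CM_self-originated-inspect
 match access-group name ACL_self-originated-inspect
policy-map type inspect PM_self-to-inside
 class type inspect CM_self-to-inside-pass
  pass
 class type inspect CM_self-originated-inspect
  inspect
 class class-default
  drop log
!
! ---- self -> Outside: our GRE towards the provider, the rest inspected ----
ip access-list extended ACL_self-to-outside-pass
 permit gre host 203.0.113.10 host 198.51.100.5
class-map type inspect match-all CM_self-to-outside-pass
 match access-group name ACL_self-to-outside-pass
policy-map type inspect PM_self-to-outside
 class type inspect CM_self-to-outside-pass
  pass
 class type inspect CM_self-originated-inspect
  inspect
 class class-default
  drop log
!
zone-pair security ZP_outside-to-self source Outside destination self
 service-policy type inspect PM_outside-to-self
zone-pair security ZP_inside-to-self source Inside destination self
 service-policy type inspect PM_inside-to-self
zone-pair security ZP_self-to-inside source self destination Inside
 service-policy type inspect PM_self-to-inside
zone-pair security ZP_self-to-outside source self destination Outside
 service-policy type inspect PM_self-to-outside
```

Two caveats worth keeping in mind. Once a zone-pair involving self exists, anything the router itself sends or receives that matches no class is dropped, so every non-TCP/UDP/ICMP protocol the router speaks (ESP, a routing protocol, a second GRE peer) needs its own pass entry; the `drop log` on class-default makes such omissions show up as %FW-6-DROP_PKT lines naming the zone-pair. And because self-originated TCP, UDP and ICMP are inspected, their replies (including ICMP errors for an inspected session) are already admitted statefully; the explicit echo-reply and time-exceeded passes mirror the original post's intent but could be dropped for an even tighter Outside-to-self policy.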
