Self Zone Blocking Internet Traffic

cisco_architect
Level 1

Hello all,

I have a C887 router with IOS c880data-universalk9-mz.151-4.M4.bin.  I have configured inside and outside ZBFW config, however on attempting to secure the router self zone it is blocking internet traffic from wifi users on the site.  The plan is to block all incoming access to the infrastructure addresses from the Outside zone except ICMP replies and TTL expiries, to allow us to do pings and traceroutes from the router. For GRE, I’m not 100% sure, but it’s likely the ZFW is able to inspect it and allow the incoming GRE in response to the outgoing.

Here is the Inside & Outside zone config:

class-map type inspect match-any Inside-2-Outside
 match access-group name Inside-2-Outside
class-map type inspect match-any Outside-2-Inside
 match access-group name Outside-2-Inside
!
policy-map type inspect Outside-2-Inside
 class type inspect Outside-2-Inside
  inspect
 class class-default
  drop
policy-map type inspect Inside-2-Outside
 class type inspect Inside-2-Outside
  inspect
 class class-default
  drop
!
zone security Inside
 description WIFI-Network
zone security Outside
 description ADSL-Internet
zone-pair security Inside-2-Outside source Inside destination Outside
 service-policy type inspect Inside-2-Outside
zone-pair security Outside-2-Inside source Outside destination Inside
 service-policy type inspect Outside-2-Inside
!
ip access-list extended Inside-2-Outside
 permit tcp any any
 permit icmp any any
 permit udp any any
 permit gre any any
ip access-list extended Outside-2-Inside
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit gre any any
 permit tcp any any eq pop3
 permit tcp any any eq 995
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq smtp
 permit tcp any any eq 2525
 permit tcp any any eq 465
 permit tcp any any eq 587
 deny   ip any any

hostname#sh zone security inside
zone Inside
  Description: WIFI-Network
  Member Interfaces:
    Vlan25

hostname#sh zone security outside
zone Outside
  Description: ADSL-Internet
  Member Interfaces:
    ATM0.1
    Dialer1
    Tunnel0
    Tunnel1

When the above is applied the Wifi users can connect to the internet.  The internet traffic is redirected over GRE tunnels for Content Filtering - all works fine.

Once the Self Zone config below is applied the internet traffic is blocked:

class-map type inspect match-all CM_from-self-inspect
 match access-group name ACL_from-self-inspect
!
class-map type inspect match-all CM_from-self-passthru
 match access-group name ACL_from-self-passthru
!
class-map type inspect match-all CM_to-self-passthru
 match access-group name ACL_to-self-passthru
!
policy-map type inspect PM_from-self
 class type inspect CM_from-self-inspect
  inspect
 class type inspect CM_from-self-passthru
  pass
!
policy-map type inspect PM_to-self
 class type inspect CM_to-self-passthru
  pass
!
zone-pair security ZP_inside-to-self source inside destination self
 service-policy type inspect PM_to-self
!
zone-pair security ZP_outside-to-self source outside destination self
 service-policy type inspect PM_to-self
!
zone-pair security ZP_self-to-inside source self destination inside
 service-policy type inspect PM_from-self
!
zone-pair security ZP_self-to-outside source self destination outside
 service-policy type inspect PM_from-self
!
ip access-list extended ACL_from-self-inspect !  ZP_self-to-inside & ZP_self-to-outside
 permit tcp any any
 permit udp any any
 permit icmp any any
!
ip access-list extended ACL_from-self-passthru !  ZP_self-to-inside & ZP_self-to-outside
 permit gre any any
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
!
ip access-list extended ACL_to-self-passthru ! ZP_inside-to-self & outside to self
 permit gre host <Content Filtering ISP-public-address1> host <dialer-public-address>
 permit gre host <Content Filtering ISP-public-address1> host <dialer-public-address>
 permit icmp any host <dialer-public-address> echo-reply
 permit icmp any host <dialer-public-address> ttl-exceeded
 permit icmp any host <dialer-public-address> time-exceeded
 permit icmp any host <dialer-public-address> port-unreachable
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any

Any help would be much appreciated!

Thanks
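To make the self-zone behaviour in the question concrete, here is a small model of how IOS ZBFW picks a verdict for a packet (added example written for this thread, not Cisco code and not the poster's configuration). It encodes three rules a practitioner relies on when adding self zone-pairs: traffic between interfaces of the same zone is not policed; traffic between two zones with no zone-pair is dropped; and the self zone is wide open only until a zone-pair involving self exists, after which anything that hits no class falls to class-default and is dropped. The ACLs are a trimmed transcription of the thread's policies, and the two RFC 5737 addresses are constructed stand-ins for the `<Content Filtering ISP-public-address1>` and `<dialer-public-address>` placeholders.

```python
"""Toy model of Cisco IOS Zone-Based Firewall policy lookup (illustrative only)."""
from dataclasses import dataclass
from typing import Optional, Tuple

ISP_GRE_PEER = "203.0.113.10"   # constructed stand-in for <Content Filtering ISP-public-address1>
DIALER_ADDR = "198.51.100.5"    # constructed stand-in for <dialer-public-address>


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Ace:
    """One extended-ACL permit entry; 'any' matches every address."""
    proto: str
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


@dataclass(frozen=True)
class InspectClass:
    """A 'class-map type inspect' matched on an ACL, plus its policy-map action."""
    name: str
    aces: Tuple[Ace, ...]
    action: str      # "inspect", "pass" or "drop"


def evaluate(zone_pairs: dict, pkt: Packet) -> str:
    """Return the ZBFW verdict ('pass', 'inspect' or 'drop') for one packet."""
    if pkt.src_zone == pkt.dst_zone:
        return "pass"                       # intra-zone traffic is never policed
    classes = zone_pairs.get((pkt.src_zone, pkt.dst_zone))
    if classes is None:
        # No zone-pair configured: self stays open, any other pair of zones drops.
        return "pass" if "self" in (pkt.src_zone, pkt.dst_zone) else "drop"
    for cls in classes:                     # first matching class wins
        if any(ace.matches(pkt) for ace in cls.aces):
            return cls.action
    return "drop"                           # implicit class-default drop


# Policies transcribed (trimmed) from the thread: inside/outside pairs and the self pairs.
OUTSIDE_2_INSIDE = InspectClass("Outside-2-Inside", (
    Ace("icmp", icmp_type="echo-reply"), Ace("icmp", icmp_type="time-exceeded"),
    Ace("gre"), Ace("tcp", dport=25), Ace("tcp", dport=587)), "inspect")
INSIDE_2_OUTSIDE = InspectClass("Inside-2-Outside", (
    Ace("tcp"), Ace("udp"), Ace("icmp"), Ace("gre")), "inspect")
CM_TO_SELF_PASSTHRU = InspectClass("CM_to-self-passthru", (
    Ace("gre", src=ISP_GRE_PEER, dst=DIALER_ADDR),
    Ace("icmp", dst=DIALER_ADDR, icmp_type="echo-reply"),
    Ace("icmp", dst=DIALER_ADDR, icmp_type="time-exceeded"),
    Ace("udp", dport=67)), "pass")          # bootps
CM_FROM_SELF_INSPECT = InspectClass("CM_from-self-inspect", (
    Ace("tcp"), Ace("udp"), Ace("icmp")), "inspect")
CM_FROM_SELF_PASSTHRU = InspectClass("CM_from-self-passthru", (Ace("gre"),), "pass")

WITHOUT_SELF_PAIRS = {
    ("Outside", "Inside"): (OUTSIDE_2_INSIDE,),
    ("Inside", "Outside"): (INSIDE_2_OUTSIDE,),
}
WITH_SELF_PAIRS = {
    **WITHOUT_SELF_PAIRS,
    ("Inside", "self"): (CM_TO_SELF_PASSTHRU,),
    ("Outside", "self"): (CM_TO_SELF_PASSTHRU,),
    ("self", "Inside"): (CM_FROM_SELF_INSPECT, CM_FROM_SELF_PASSTHRU),
    ("self", "Outside"): (CM_FROM_SELF_INSPECT, CM_FROM_SELF_PASSTHRU),
}

if __name__ == "__main__":
    gre_from_peer = Packet("Outside", "self", "gre", ISP_GRE_PEER, DIALER_ADDR)
    gre_from_other = Packet("Outside", "self", "gre", "192.0.2.7", DIALER_ADDR)
    for label, fw in (("no self pairs", WITHOUT_SELF_PAIRS), ("self pairs", WITH_SELF_PAIRS)):
        print(label, evaluate(fw, gre_from_peer), evaluate(fw, gre_from_other))
```

Running it shows the asymmetry the poster was relying on: before the self zone-pairs exist, GRE from any peer to the dialer address reaches the router, and afterwards only the listed content-filtering peer does, while an unlisted peer, or an ICMP echo request to the dialer address, is dropped by class-default. In the thread the configured policy was correct and the actual blocking turned out to be an IOS defect, so a model like this is useful for confirming that the intended policy is what the ACLs express before escalating to TAC.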

15 Replies

Hello all,

Finally an update on this. Opened a TAC case with Cisco in the end. The issue with the Zone Based Firewall blocking internet traffic was due to an IOS bug in version 151(4) M2 which blocks GRE traffic with 'Self' zones configured. This was resolved by upgrading the IOS to 152(4) M4. Details of the bug can be found here:

https://tools.cisco.com/bugsearch/bug/CSCtw45480

Thanks all for your help on this case.

Regards,

Raj
