
Wrong with firewall configuration

Tommy Svensson
Level 1

Hi.

I have done something wrong with my configuration, I can't ping anyone outside the network, like Google or even my DNS server.

Host: 10.10.1.53
DNS: 192.168.98.2

Hoping someone could shine some light on this matter.

Regards, Tommy Svensson

R1#show run
Building configuration...

Current configuration : 10689 bytes
!
! Last configuration change at 16:56:00 PCTime Wed Mar 9 2011 by
!
!
!
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.1.1 10.10.1.49
ip dhcp excluded-address 10.10.1.251 10.10.1.254
ip dhcp excluded-address 10.10.2.1 10.10.2.49
ip dhcp excluded-address 10.10.2.251 10.10.2.254
ip dhcp excluded-address 10.10.3.1 10.10.3.49
ip dhcp excluded-address 10.10.3.251 10.10.3.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool Management
import all
network 10.10.100.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.100.1
!
ip dhcp pool Company10
import all
network 10.10.10.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.10.1
!
ip dhcp pool Company20
import all
network 10.10.20.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.20.1
!
ip dhcp pool VLAN_1_DHCP
import all
network 10.10.1.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.1.1
!
ip dhcp pool Company2
import all
network 10.10.2.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.2.1
!
ip dhcp pool Company3
import all
network 10.10.3.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.3.1
!
ip dhcp pool Company30
import all
network 10.10.30.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.30.1
!
!
no ip bootp server
ip domain name
ip name-server 192.168.98.2
!
!
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map match-any QoS-Viktig_trafik
match protocol ssh
match protocol http
match protocol secure-http
match protocol secure-ftp
match protocol secure-ldap
match protocol secure-nntp
match protocol secure-imap
match protocol secure-pop3
match protocol secure-irc
match protocol secure-telnet
match protocol imap
match protocol pop3
match protocol smtp
match protocol irc
match protocol telnet
match protocol xwindows
match protocol rtp audio
match protocol rtp video
match protocol tftp
match protocol dns
class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
match protocol dns
match protocol h323
match protocol tftp
match protocol ntp
match protocol irc
match protocol ircs
match protocol telnet
match protocol ldap
match protocol snmp
match protocol https
match protocol appleqtc
match protocol cifs
match protocol exec
match protocol h323-annexe
match protocol h323-nxg
match protocol icabrowser
match protocol icq
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol ldap-admin
match protocol login
match protocol lotusnote
match protocol lotusmtap
match protocol ms-sql
match protocol ms-sql-m
match protocol msexch-routing
match protocol nfs
match protocol nntp
match protocol radius
match protocol pptp
match protocol realmedia
match protocol rsvp_tunnel
match protocol rtelnet
match protocol shell
match protocol sip-tls
match protocol sip
match protocol telnets
match protocol time
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
policy-map QoS-Viktig_trafik-POLICY
class QoS-Viktig_trafik
priority percent 25
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN2_ZONE
zone security VLAN3_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_2_TO_WAN source VLAN2_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_3_TO_WAN source VLAN3_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN_1_Native
encapsulation dot1Q 1 native
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN_2_Company2
encapsulation dot1Q 2
ip address 10.10.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN2_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN_3_Company3
encapsulation dot1Q 3
ip address 10.10.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN3_ZONE
no cdp enable
!
interface GigabitEthernet0/0.10
description VLAN_10_Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.20
description VLAN_20_Company20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.30
description VLAN_30_Company30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN_INTERFACE
bandwidth 10000
bandwidth receive 10000
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
access-list 7 permit 10.10.1.0 0.0.0.255
access-list 7 permit 10.10.2.0 0.0.0.255
access-list 7 permit 10.10.3.0 0.0.0.255

8 Replies

Hi,

I see there's a private IP on the WAN interface on the router.

Can you PING the internet from the router itself?

Federico.

Yes and yes, so I'm wondering what's wrong.

Let's see..

You're coming from:
Host: 10.10.1.53
DNS: 192.168.98.2

Coming from interface GigabitEthernet0/0.1 (VLAN 1)
and exiting GigabitEthernet0/2

When you cross the router, the packet goes out with a source IP of 192.168.98.205 (NAT pool).
When you PING from the router itself the packet goes out with the same IP.

So, to check what's going on do the following:
The easiest way to find out if the packet is going through the router correctly is from the host:
ping 192.168.98.254

If the above PING succeeds, we know traffic is flowing through the router.

Federico.

It did not work, pinging from 10.10.1.53 to 192.168.98.254.

We can do two things:

Enable the following command, "ip inspect log drop-pkt"; this would display the log which explains if there is a packet drop due to ZBF.

Also, check that NAT is working for this traffic with the command "sh ip nat trans".

Federico.

Hi.

I did what you asked from me and this is the output:

So it has something to do with the policies for sure, but where is the error? I used debug firewall of some sort and got the input at the bottom. Hoping someone could solve this problem.

Regards, Tommy Svensson

R1#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.98.205:512 10.10.1.54:512    192.168.98.2:512   192.168.98.2:512
udp 192.168.98.205:1025 10.10.1.54:1025   192.168.98.2:53    192.168.98.2:53
udp 192.168.98.205:1053 10.10.1.54:1053   192.168.98.2:53    192.168.98.2:53

R1#show logging

000074: *Mar 11 08:23:21.755 PCTime: %FW-6-DROP_PKT: Dropping icmp session 192.168.98.2:0 10.10.1.54:0 due to policy match failure with ip ident 0


000751: *Mar 11 08:57:35.271 PCTime: FIREWALL: ret_val 0 is not PASS_PAK
000752: *Mar 11 08:57:35.271 PCTime: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak

Anyone who knows what the problem might be with my configuration? I can't seem to get it to work.

Regards, Tommy Svensson
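The %FW-6-DROP_PKT line in the post above records a packet from 192.168.98.2 back to 10.10.1.54 being dropped. As an added example that is not part of the thread, the script below parses interface-to-zone membership and zone-pair definitions out of a constructed running-config excerpt modelled on the posted one, then reports how a zone-based firewall treats a packet in each direction: the only zone-pairs defined are VLAN-to-WAN, so a WAN-to-VLAN packet that is not matched to an inspected session has no policy and is dropped. The log line is a constructed copy of the posted one; function and variable names are my own.

```python
"""ZBF zone-pair resolver for a Cisco IOS running-config. Added example, not from the thread or
from Cisco; CONFIG and DROP_LOG are constructed excerpts modelled on the ones posted above."""
import ipaddress
import re
CONFIG = """
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
interface GigabitEthernet0/0.1
 ip address 10.10.1.1 255.255.255.0
 zone-member security VLAN1_ZONE
interface GigabitEthernet0/2
 ip address 192.168.98.205 255.255.255.0
 zone-member security WAN_ZONE
"""
DROP_LOG = "%FW-6-DROP_PKT: Dropping icmp session 192.168.98.2:0 10.10.1.54:0 due to policy match failure with ip ident 0"
def parse_config(text):
    """Return ({iface: zone}, {iface: subnet}, {(src_zone, dst_zone): policy_or_None})."""
    zones, nets, pairs, iface, pair = {}, {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            iface, pair = line.split()[1], None
        elif line.startswith("ip address ") and iface:
            nets[iface] = ipaddress.ip_interface("{}/{}".format(*line.split()[2:4])).network
        elif line.startswith("zone-member security ") and iface:
            zones[iface] = line.split()[-1]
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair, iface = (m.group(1), m.group(2)), None
            pairs[pair] = None                    # a zone-pair without a policy drops everything
        elif line.startswith("service-policy type inspect ") and pair:
            pairs[pair] = line.split()[-1]
    return zones, nets, pairs

def zone_of(ip, zones, nets):
    """Zone of the directly connected interface whose subnet holds ip (None if it has none)."""
    return zones.get(next(i for i, n in nets.items() if ipaddress.ip_address(ip) in n))

def verdict(src_ip, dst_ip, parsed):
    """How ZBF treats a packet that does not belong to an already-inspected session."""
    zones, nets, pairs = parsed
    s, d = zone_of(src_ip, zones, nets), zone_of(dst_ip, zones, nets)
    if s == d:                                    # intra-zone traffic is passed
        return "pass (same zone)"
    if pairs.get((s, d)) is None:                 # no zone-pair, or one without a policy
        return f"drop (no zone-pair policy {s} -> {d}; only replies to inspected sessions return)"
    return f"inspect via {pairs[(s, d)]} on zone-pair {s} -> {d}"

def classify_drop_log(line, parsed):
    """Pull protocol, source and destination out of a %FW-6-DROP_PKT line and resolve them."""
    proto, src, dst = re.search(r"Dropping (\w+) session (\S+):\d+ (\S+):\d+", line).groups()
    return proto, src, dst, verdict(src, dst, parsed)
```

Running `classify_drop_log(DROP_LOG, parse_config(CONFIG))` resolves the logged packet to WAN_ZONE -> VLAN1_ZONE, a direction for which the config defines no zone-pair, so anything not matched to a session the inspect policy created is dropped.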

Tommy Svensson
Level 1

This is my config as it is looking right now.

class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
match protocol dns
match protocol h323
match protocol tftp
match protocol ntp
match protocol irc
match protocol ircs
match protocol telnet
match protocol ldap
match protocol snmp
match protocol https
match protocol appleqtc
match protocol cifs
match protocol exec
match protocol h323-annexe
match protocol h323-nxg
match protocol icabrowser
match protocol icq
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol ldap-admin
match protocol login
match protocol lotusnote
match protocol lotusmtap
match protocol ms-sql
match protocol ms-sql-m
match protocol msexch-routing
match protocol nfs
match protocol nntp
match protocol radius
match protocol pptp
match protocol realmedia
match protocol rsvp_tunnel
match protocol rtelnet
match protocol shell
match protocol sip-tls
match protocol sip
match protocol telnets
match protocol time
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN2_ZONE
zone security VLAN3_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_2_TO_WAN source VLAN2_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_3_TO_WAN source VLAN3_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN_1_Native
encapsulation dot1Q 1 native
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN_2_Company2
encapsulation dot1Q 2
ip address 10.10.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN2_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN_3_Company3
encapsulation dot1Q 3
ip address 10.10.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN3_ZONE
no cdp enable
!
interface GigabitEthernet0/0.10
description VLAN_10_Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.20
description VLAN_20_Company20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.30
description VLAN_30_Company30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN_INTERFACE
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
access-list 7 permit 10.10.1.0 0.0.0.255
access-list 7 permit 10.10.2.0 0.0.0.255
access-list 7 permit 10.10.3.0 0.0.0.255
!
no cdp run
