ZBF - First attempt - No traffic flowing

rhbmcse
Level 1

Hi folks.  My first attempt at configuring a ZBF on a 1117-4P ISR (I'm CCENT, studying for CCNA).

Prior to the ZBF commands being added to the running-config I was getting internet access (albeit with no security).  Following this I get nothing - I can't PING, no web access, no DNS lookups which are the 3 types of traffic I'm initially allowing.

Not a massively complicated setup.  I have no training on this, but as I understand it, the rules being stateful, return rules should not be required (should they)?

In any case, if anybody would be kind enough to look through my config and explain where I'm going wrong it would be massively appreciated.

Script below.  Cheers.  Rob.

C1117ISR#sh run
Building configuration...


Current configuration : 5615 bytes
!
! Last configuration change at 09:15:14 GMT Tue Oct 23 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFgU$o3a79MhakpqV2vfDatrcHCxftZzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT -1 0
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!

!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01

quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username xxxxxxx privilege 15 password 7 xxxxxxx
!
redundancy
mode none
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
!
zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address xxxxxxxxx
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex xxxxxxxx
ip dhcp client hostname xxxxxxxx@skydsl|xxxxxxxx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 075912435E010C164E
login
transport input all
stopbits 1
line vty 0 4
login local
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

37 Replies

Let me get home, make a mess of my config so that it fails again and then send a better example...

That one was written off the top of my head!...

Thanks Rob!

OK here we go!
So when the config looks like this (which I assumed to be correct)...

C1117ISR#sh run | sect access-list
ip access-list extended NACL-CLIENT-TO-INTERNET
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 eq domain any
permit udp 192.168.0.0 0.0.0.255 eq domain any
permit tcp 192.168.0.0 0.0.0.255 eq www any
permit tcp 192.168.0.0 0.0.0.255 eq 443 any
permit udp 192.168.0.0 0.0.0.255 eq ntp any

I'd expect to be able to connect to the internet using http / https and resolving DNS but no - alas I get this :

Nov 5 19:58:26.235: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000208329348636739 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan10 192.168.0.25:59736 => 216.58.206.67:443(target:class)-(ZP-CLIENT-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 20830 tcp flag 0x2, seq 1653527761, ack 0

and this...

Nov 5 19:59:27.026: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000208390138920516 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan10 192.168.0.32:59790 => 2.17.144.219:80(target:class)-(ZP-CLIENT-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 4377 tcp flag 0x2, seq 812327553, ack 0

So blocking port 80 and 443 when I can clearly see that they're allowed in the NACL.
Incidentally I chose to switch from previous config of "match PROTOCOL" to matching an ACL just to keep things tidy and consistent with my config.
The minute I add "permit ip 192.168.0.0 0.0.0.255 any" unsurprisingly everything works so I'm just plain confused (dot com).

Where am I going wrong, Rob ??? please ???...looking at the log it looks like it's blocking as the source is appearing as port 59790 rather than 443 (destination).  Which I can understand due to NAT but can't figure how I'm supposed to control or restrict the protocols if it's filtering based on a randomly assigned NATted port rather than the allocated well-known port?  or am I completely wrong ???  (or possibly going mad after this first zbfw endeavour)!  :)

Hi,
You need to tweak your ACL, as such....

ip access-list extended NACL-CLIENT-TO-INTERNET
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq 443
permit udp 192.168.0.0 0.0.0.255 any eq ntp

This will allow any device on the source 192.168.0.0/24 network, on any source port, to access any IP address on the ports defined. You were previously allowing traffic from only the source ports of 53, 80, 443 and 123, which, as you can see in your logs, was dropped because the source TCP port is randomised, e.g. 192.168.0.32:59790

HTH
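As an added example (not code from the thread or from Cisco), the following Python script applies IOS extended-ACL matching rules to the two %FW-6-DROP_PKT lines quoted above. It shows the first ACL denying the client's HTTPS SYN because "eq 443" sits in the source-port position, and the corrected ACL permitting it because the port qualifier now follows the destination. The ACL text and the addresses come from the posts above; the Packet and Ace types, the parser and the log regex are this example's own simplifications (only "any", "host" and address/wildcard specs with an optional "eq" port are supported).

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Added example: evaluator for IOS extended-ACL entries of the shape
#   permit|deny <proto> <src-spec> [eq <port>] <dst-spec> [eq <port>]
# where a spec is "any", "host A.B.C.D" or "A.B.C.D WILDCARD".
PORT_NAMES = {"domain": 53, "www": 80, "ntp": 123, "https": 443}


class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]  # None for icmp
    dst: str
    dport: Optional[int]


class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]  # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port


def _take_addr(tokens):
    """Consume one address spec from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # an IOS wildcard mask is the bitwise inverse of a netmask
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{tok}/{netmask}", strict=False)


def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return int(name) if name.isdigit() else PORT_NAMES[name]
    return None


def parse_acl(text):
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the header line and blanks
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        sport = _take_port(rest)  # 'eq X' right after the source = SOURCE port
        dst = _take_addr(rest)
        dport = _take_port(rest)  # 'eq X' after the destination = DESTINATION port
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, pkt):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ipaddress.IPv4Address(pkt.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


# Pull the 5-tuple out of a %FW-6-DROP_PKT message.
DROP_RE = re.compile(
    r"Dropping (\w+) pkt from \S+ (\d+\.\d+\.\d+\.\d+):(\d+) => (\d+\.\d+\.\d+\.\d+):(\d+)")


def packet_from_drop_log(line):
    m = DROP_RE.search(line)
    if m is None:
        raise ValueError("not a FW-6-DROP_PKT line")
    proto, src, sport, dst, dport = m.groups()
    return Packet(proto, src, int(sport), dst, int(dport))


def check_logged_packets(acl_text, log_lines):
    """Return the ACL verdict for each dropped packet found in the log lines."""
    aces = parse_acl(acl_text)
    return [evaluate(aces, packet_from_drop_log(line)) for line in log_lines]


# The two ACL versions as posted in the thread.
BROKEN_ACL = """ip access-list extended NACL-CLIENT-TO-INTERNET
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 eq domain any
permit udp 192.168.0.0 0.0.0.255 eq domain any
permit tcp 192.168.0.0 0.0.0.255 eq www any
permit tcp 192.168.0.0 0.0.0.255 eq 443 any
permit udp 192.168.0.0 0.0.0.255 eq ntp any
"""
FIXED_ACL = """ip access-list extended NACL-CLIENT-TO-INTERNET
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq 443
permit udp 192.168.0.0 0.0.0.255 any eq ntp
"""
# The two drop messages quoted in the thread (sample input, copied from the posts above).
DROP_LOG = [
    "Nov 5 19:58:26.235: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000208329348636739 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan10 192.168.0.25:59736 => 216.58.206.67:443(target:class)-(ZP-CLIENT-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 20830 tcp flag 0x2, seq 1653527761, ack 0",
    "Nov 5 19:59:27.026: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000208390138920516 %FW-6-DROP_PKT: Dropping tcp pkt from Vlan10 192.168.0.32:59790 => 2.17.144.219:80(target:class)-(ZP-CLIENT-TO-INTERNET:class-default) due to Policy drop:classify result with ip ident 4377 tcp flag 0x2, seq 812327553, ack 0",
]

if __name__ == "__main__":
    print("broken ACL:", check_logged_packets(BROKEN_ACL, DROP_LOG))  # ['deny', 'deny']
    print("fixed ACL: ", check_logged_packets(FIXED_ACL, DROP_LOG))   # ['permit', 'permit']
```

Running it prints deny/deny for the posted ACL and permit/permit for the corrected one; the only thing that changed is which side of the destination spec the "eq" qualifier sits on.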

Bleedin' obvious really isn't it!
Rob - I cannot thank you enough. Giving a few points to you on here hardly seems to cover it.
Can I buy you a beer ???

No problem, glad it's working. You'll probably have to buy me a virtual beer or two!!

Hi Rob,

I hope you are well.

Another quick question regarding this config and inter-vlan routing.

I'm busy splitting my network out now into various VLANs.  Typically when I've labbed anything like this in the past I've used sub-interfaces on the router, but I'm curious whether this is necessary with a ZBFW.

Currently I have vlans defined on the router and switch with one trunk port between them.

If I need to route certain IPs and protocols between the VLANs, will I need to create sub-interfaces, or is it sufficient to create the relevant zone-pairs and configure NACLs to identify the permitted / denied traffic?

I could of course just try this but I'd rather take the advice before ruining my config!

Many thanks.

Rob.

Hi Rob,
Is your intention to firewall each VLAN off from the others? If not, I'd leave the VLANs on the switch and create a routed interface between the router and switch, so that inter-VLAN traffic would not be sent to the router only to be routed back to the switch. Traffic sent to the router would then only be for outbound internet access.

HTH
Rob

It was my intention to firewall between the vlans as I don't necessarily want each VLAN talking to each other - rather isolate them.

Unfortunately the switch I have is only a layer 2 device, as such I can't do the inter-vlan routing on it thus negating the need for the traffic to pass via the router.

I've done a quick trial allowing ICMP between 2 zones and it worked (could ping successfully) - therefore I believe I've answered my own question!

Thanks again!

Rob.
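Added example, not code from the thread or from Cisco: a small Python model of the zone-based firewall's forwarding decision, covering the two questions raised in this thread, namely whether stateful inspection removes the need for return rules, and whether zone-pairs alone decide what may cross between VLANs. The interface-to-zone map and the INSIDE-to-INTERNET class list follow the posted config; the MGMT zone on Vlan100, the ("MGMT", "INSIDE") zone-pair permitting ICMP, and the sample flows are assumptions made for the example. The router's own "self" zone and NAT are deliberately left out.

```python
from dataclasses import dataclass

# Added example: simplified zone-based firewall decision model (assumed layout,
# not the posted router's actual behaviour in every detail).
APP_BY_PORT = {53: "dns", 80: "http", 443: "https", 123: "ntp", 22: "ssh"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The reply direction of this flow."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

    def app(self):
        """Crude classification standing in for 'match protocol' in a class-map."""
        return "icmp" if self.proto == "icmp" else APP_BY_PORT.get(self.dport, "other")


class ZoneFirewall:
    def __init__(self, iface_zone, zone_pairs):
        self.iface_zone = iface_zone  # {"Vlan10": "INSIDE", ...}; absent = no zone
        self.zone_pairs = zone_pairs  # {(src_zone, dst_zone): {apps that are inspected}}
        self.sessions = set()         # flows that passed inspection

    def forward(self, flow, in_if, out_if):
        # 1. Inspected sessions are stateful: the reply matches the existing
        #    session, so no INTERNET->INSIDE zone-pair is needed for return traffic.
        if flow in self.sessions or flow.reverse() in self.sessions:
            return "pass (existing session)"
        src_zone = self.iface_zone.get(in_if)
        dst_zone = self.iface_zone.get(out_if)
        # 2. Two interfaces in the same zone (or both in no zone) always pass.
        if src_zone == dst_zone:
            return "pass (same zone)"
        # 3. A zone member cannot talk to an interface that belongs to no zone.
        if src_zone is None or dst_zone is None:
            return "drop (zone member to non-member)"
        # 4. Without a zone-pair for this direction the default action is drop.
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair)"
        # 5. The zone-pair's policy-map: inspect the classified apps, class-default drops.
        if flow.app() in policy:
            self.sessions.add(flow)
            return "inspect (session created)"
        return "drop (class-default)"


def run_scenario():
    """Run a handful of constructed flows through the assumed zone layout."""
    fw = ZoneFirewall(
        {"Vlan10": "INSIDE", "Ethernet0/2/0.101": "INTERNET", "Vlan100": "MGMT"},
        {("INSIDE", "INTERNET"): {"icmp", "dns", "http"},  # the posted class-map
         ("MGMT", "INSIDE"): {"icmp"}},                     # hypothetical inter-VLAN pair
    )
    web = Flow("tcp", "192.168.0.32", 59790, "2.17.144.219", 80)
    tls = Flow("tcp", "192.168.0.25", 59736, "216.58.206.67", 443)
    ping = Flow("icmp", "10.0.0.20", 0, "192.168.0.25", 0)
    ssh = Flow("tcp", "192.168.0.25", 51000, "10.0.0.20", 22)
    probe = Flow("tcp", "203.0.113.9", 4444, "192.168.0.25", 445)  # constructed, unsolicited
    return [
        fw.forward(web, "Vlan10", "Ethernet0/2/0.101"),            # http is inspected
        fw.forward(web.reverse(), "Ethernet0/2/0.101", "Vlan10"),  # reply rides the session
        fw.forward(tls, "Vlan10", "Ethernet0/2/0.101"),            # https not in the class-map
        fw.forward(ping, "Vlan100", "Vlan10"),                     # MGMT->INSIDE pair allows icmp
        fw.forward(ssh, "Vlan10", "Vlan100"),                      # no INSIDE->MGMT pair
        fw.forward(probe, "Ethernet0/2/0.101", "Vlan10"),          # no INTERNET->INSIDE pair
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third verdict is worth noting against the first post: the original class-map matches icmp, dns and http only, so an HTTPS connection from a client falls into class-default of the INSIDE-to-INTERNET zone-pair and is dropped even though the zone-pair itself exists.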
