
ZBF - First attempt - No traffic flowing

rhbmcse
Level 1

Hi folks.  My first attempt at configuring a ZBF on a 1117-4p ISR (I'm CCENT, studying for CCNA).

Prior to the ZBF commands being added to the running-config I was getting internet access (albeit with no security).  Following this I get nothing - I can't PING, no web access, no DNS lookups which are the 3 types of traffic I'm initially allowing.

Not a massively complicated setup.  I have no training on this but as I understand it, being stateful rules then return rules should not be required (should they) ?

In any case if anybody would be kind enough to look through my config and explain where I'm going wrong it would be massively appreciated.

Script below.  Cheers.  Rob.

 

C1117ISR#sh run
Building configuration...


Current configuration : 5615 bytes
!
! Last configuration change at 09:15:14 GMT Tue Oct 23 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFgU$o3a79MhakpqV2vfDatrcHCxftZzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT -1 0
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!

!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01

quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username xxxxxxx privilege 15 password 7 xxxxxxx
!
redundancy
mode none
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
!
zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address xxxxxxxxx
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex xxxxxxxx
ip dhcp client hostname xxxxxxxx@skydsl|xxxxxxxx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 075912435E010C164E
login
transport input all
stopbits 1
line vty 0 4
login local
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

1 Accepted Solution


Hi,
You need to tweak your ACL, as such....

ip access-list extended NACL-CLIENT-TO-INTERNET
permit icmp 192.168.0.0 0.0.0.255 any
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq 443
permit udp 192.168.0.0 0.0.0.255 any eq ntp

This will allow any device on the source 192.168.0.0/24 network on any source port to access any IP address on the ports defined. You were previously allowing traffic from only the source ports of 53, 80, 443, 123, which, as you can see in your logs, was dropped because the source TCP port is randomised, e.g. 192.168.0.32:59790

HTH
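
An added example (not part of the original answer or thread): a small Python model of first-match extended-ACL evaluation, run against the client flow quoted in the answer (192.168.0.32:59790). `BEFORE` is a reconstruction from the answer's description of the earlier ACL, which is not shown on this page; the destination 203.0.113.10, the source ports 51000 and 40000, and the host 192.168.1.5 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "www": 80, "ntp": 123}  # IOS port keywords used in the thread

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any' or '<network> <wildcard>'; return a predicate on an IP string."""
    first = tokens.pop(0)
    if first == "any":
        return lambda ip: True
    care = ~_ip(tokens.pop(0)) & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    net = _ip(first) & care
    return lambda ip: (_ip(ip) & care) == net

def _take_port(tokens):
    """Consume an optional 'eq <port>'; None means the entry does not test this port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        word = tokens.pop(0)
        return PORT_NAMES[word] if word in PORT_NAMES else int(word)
    return None

def parse_entry(line):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' into (action, predicate)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _take_addr(tokens), _take_port(tokens)  # port after source = SOURCE port
    dst, dport = _take_addr(tokens), _take_port(tokens)  # port after destination = DEST port
    def matches(f):
        return (proto in ("ip", f.proto) and src(f.src) and dst(f.dst)
                and sport in (None, f.sport) and dport in (None, f.dport))
    return action, matches

def evaluate(acl_lines, flow):
    """First matching entry wins; an extended ACL ends with an implicit deny."""
    for line in acl_lines:
        action, matches = parse_entry(line)
        if matches(flow):
            return action, line
    return "deny", "(implicit deny)"

# Reconstructed "before": 'eq' placed after the source, so it tests the client's source port.
BEFORE = ["permit icmp 192.168.0.0 0.0.0.255 any",
          "permit tcp 192.168.0.0 0.0.0.255 eq domain any",
          "permit udp 192.168.0.0 0.0.0.255 eq domain any",
          "permit tcp 192.168.0.0 0.0.0.255 eq www any",
          "permit tcp 192.168.0.0 0.0.0.255 eq 443 any",
          "permit udp 192.168.0.0 0.0.0.255 eq ntp any"]
# Fixed ACL exactly as posted in the accepted answer: 'eq' after the destination.
FIXED = ["permit icmp 192.168.0.0 0.0.0.255 any",
         "permit tcp 192.168.0.0 0.0.0.255 any eq domain",
         "permit udp 192.168.0.0 0.0.0.255 any eq domain",
         "permit tcp 192.168.0.0 0.0.0.255 any eq www",
         "permit tcp 192.168.0.0 0.0.0.255 any eq 443",
         "permit udp 192.168.0.0 0.0.0.255 any eq ntp"]

WEB = Flow("tcp", "192.168.0.32", 59790, "203.0.113.10", 443)  # client flow from the answer
DNS = Flow("udp", "192.168.0.32", 51000, "8.8.8.8", 53)
# Vlan10 is configured as a /22, but the ACL wildcard covers only 192.168.0.0/24.
OFFNET = Flow("tcp", "192.168.1.5", 40000, "203.0.113.10", 80)

if __name__ == "__main__":
    for name, flow in (("WEB", WEB), ("DNS", DNS), ("OFFNET", OFFNET)):
        print(name, "before:", evaluate(BEFORE, flow), "fixed:", evaluate(FIXED, flow))
```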


37 Replies

rhbmcse
Level 1
Seems I missed out the following line!

service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

So - all appears to be working now as expected with one exception...When I perform an online port scan against my externally DHCP allocated IP, I have SSH showing as open on that interface. Rather dangerous! I expected the interface would be secured with the config I have listed.
Do I need to create a totally separate set of rules to secure the WAN interface from all incoming traffic ?

Many thanks.

Rob.

Hi Rob,

You would need to secure the "self" zone. The Self zone is the only exception to the default “deny all” policy, all traffic to any router interface is allowed until explicitly denied.

HTH
Rob

Also a best practice to put an access-class on your vty lines

line vty 0 4
access-class in

Hi Rob - thanks for that - it pointed me off to research the SELF zone - of which I was not aware.

I tried subsequently creating an IP ANY ANY deny ACL and applied it between the self and Internet zones as this is what I needed to achieve but I got no Packets going out of the router at all then weirdly.  Everything was blocked.  From what I've read you have to use the self zone - no getting around it.

 

Given my existing config would I be correct in assuming that one must configure rules to allow ALL traffic TO and FROM the self zone.  Which takes care of INSIDE.

 

Then configure a further rule from SELF to INTERNET matching the protocols I choose to allow.  This would then presumably place an implicit DENY rule on any inbound traffic from the Internet ? i.e. no match from the stateful inspection therefore DROP?

 

Finally - what about my existing Zones (inside-to-outside) - are these then deletable because the SELF rules have replaced them?

 

The way I see it (or imagine it) Simply:

       

CLIENTS----->INSIDE LAN I/F----->SELF ZONE----->OUTSIDE WAN I/F----->Internet

                     (Allow all Traffic) ----->SELF ZONE----->(Allow Filtered Traffic OUT)----->Internet

                                                          SELF ZONE<--/-x (Block all Filtered traffic IN)<-----Internet

 

Which replaces my existing config of INSIDE/OUTSIDE - it effectively puts another zone smack bang in the middle of my existing config.  Correct ? 

 

Many thanks for your help.  Invaluable for those of us learning new Cisco technologies.

Hi Rob,
The self zone is used for traffic TO/FROM the router itself (any interface on the router itself), not traffic going through the router. So you'd need zone pairs for to-self-zone and from-self-zone to permit/deny access to/from the router. You'd also need zone pairs from outside-to-inside and inside-to-outside and any other zone for traffic going through the router. Hope that makes sense?

Upload your configuration if you need further assistance.

HTH
Rob

I'll get there...
Literally all I need to do is block any traffic from the internet which I thought I'd done but due to the SELF zone I was able to access all sorts of nastiness from the internet within my router.

As far as management goes I just need ssh into the router from the client VLAN internally.

When I created zone pair between SELF and INTERNET with a deny rule everything stopped between outside and inside too which is what confused me. I don't really want somebody to do it for me as that's not really how I learn. Just trying to understand why a deny ANY ANY IP between Internet and Self would cause Internet and Inside to fail.

I'll re-write the config and post. Maybe something glaringly obvious will jump out?

OK - I need further assistance!
As soon as I apply the ZBF Self config to the outside/self interface I lose all connectivity with the exception of the ssh connection which I'm on to configure the router (all internet traffic dies it would seem).
I'd love to understand where I'm going wrong so here in all its glory is the current config (unfinished).
Thank you so much for your assistance.


C1117ISR#sh run
Building configuration...


Current configuration : 6626 bytes
!
! Last configuration change at 18:23:01 GMT Wed Oct 24 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jURxxxxxzba///XoF5BMiuU6Q
!
no aaa new-model
clock timezone GMT -1 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01
30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

quit
!
!
license udi pid C1117-4P sn FGx
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username x privilege 15 password 7 0xxB5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-BLOCK-INTERNET-TRAFFIC
class-map type inspect match-all INSIDE_SELF
match access-group name SELF_AND_INSIDE
!
policy-map type inspect INSIDE_SELF
class type inspect INSIDE_SELF
inspect
class class-default
policy-map type inspect SELF_INSIDE
class type inspect INSIDE_SELF
inspect
class class-default
policy-map type inspect PM-OUTSIDE-SELF
class type inspect CMAP-OUTSIDE-SELF
drop
class class-default
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
!
zone security INTERNET
zone security INSIDE
zone-pair security Inside_to_Self source INSIDE destination self
service-policy type inspect INSIDE_SELF
zone-pair security Self-to-Inside source self destination INSIDE
service-policy type inspect SELF_INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-OUTSIDE-SELF
!
!

!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 6330336530663963323638
ip dhcp client hostname cx@skydsl|addx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NACL-BLOCK-INTERNET-TRAFFIC
deny ip any any
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
ip access-list extended SELF_AND_INSIDE
permit ip any any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
transport input all
stopbits 1
line vty 0 4
login local
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Ok, I labbed your configuration, I used your exact ZPFW configuration, I was able to communicate through the router from inside zone to internet zone. The only difference was a static ip address on the outside interface and no sub-interface.

What is the output of "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" - I assume there will be drops. Perhaps add "log" after the drop and observe the output of the logs.

Hey Rob, and Morning!
So I tried "show policy-map type inspect zone-pair ZP-INSIDE-TO-OUTSIDE" - NO DROPS
Following this I added the LOG statement to the end of the policy-map PM-OUTSIDE-SELF and I can see 30-40 packets dropped and these did not increase when I attempted a PING outbound to google's DNS servers
I also tried changing the associated external NACL from DENY any any to PERMIT any any and still - no traffic.
Interestingly as soon as the zone-pairing is made between INTERNET and SELF the interface cannot even obtain an IP from the ISP and this is not due it would seem to the Access-list as we have seen - even with PERMIT there is still zero traffic.
I also attempted adding the main WAN interface (eth 0/2/0) to the INTERNET zone which also did not resolve the issue. Obviously the WAN connection runs on a sub-int on VLAN .101. Just a thought but it didn't help.
All I can deduce so far is that whenever ANY zone pairing is made from INTERNET to SELF, all traffic ceases. INTERNET zone is already used by ZP-INSIDE-TO-OUTSIDE. We don't need to create additional zones to separate INSIDE-INTERNET (used inside > outside for pass-through traffic) and INTERNET-SELF do we. Just wondering whether the two zone-pairings are causing issues with one another ?

Hi Rob,
Ok, create a class map to "pass" all traffic (for now, can amend later), reference in a policy-map and then create a zone pair from self to internet. Let's get dhcp working first and then see what's left.

Rob

OK - working on that now.
So
create a NACL permit IP any any
create a CM self-to-internet referencing the NACL
create a PM self-to-internet - should this be PASS or INSPECT ?

I'd imagine it would need to be inspect to allow the return traffic to the self zone rather than pass ?

Then create the zone pair...SELF-TO-INTERNET

What about the existing zone pair (currently removed) INTERNET-TO-SELF with the DENY rule ?

Sorry for so many questions!

You cannot use "inspect" in self zone rules, only pass....this means the traffic is only permitted in one direction, so you'd need to permit that return traffic.

 

Reference here, search for "self" under the important points section for the information I just provided above.

 

HTH

OK - that's weird then because in my config I definitely have a PM-SELF-INSIDE (and conversely INSIDE-SELF) with an INSPECT statement rather than PASS and it seems to not throw an error ?

 

Do these need changing to PASS also ?

Righto - an update.
I have amended the config so that both Self - Internet and Internet - self both share a PASS IP Any any situation which causes it to spring back in to life.
This still doesn't explain why I'm not able to just block "ip any any" from Internet to Self as by implementing bi-directional "pass" I've just blown the router wide open to the outside world again!
Latest config below and you will note that the two class-maps now both refer to the PERMIT-ALL NACL

class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-PERMIT-ALL-TRAFFIC

class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-PERMIT-ALL-TRAFFIC
*******************************************************
Full config below - seriously stumped at this point. Why would blocking IP ANY ANY from INTERNET to SELF also halt the traffic from Inside to Internet ?

C1117ISR#sh run
Building configuration...


Current configuration : 7257 bytes
!
! Last configuration change at 15:38:28 GMT Thu Oct 25 2018 by rhbmcse
! NVRAM config last updated at 15:22:06 GMT Thu Oct 25 2018 by rhbmcse
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname C1117ISR
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 $9$jUR3aCOMA9OFxakpqV2vfDatrcHCxftZzba///Xoxx
!
no aaa new-model
clock timezone GMT 1 0
!
ip name-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name 21RTM.local
ip dhcp excluded-address 192.168.0.1 192.168.0.19
ip dhcp excluded-address 192.168.0.51 192.168.0.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CLIENTS
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name 21RTM.local
!
ip dhcp pool MANAGEMENT
network 10.0.0.0 255.255.255.0
!

!
subscriber templating
!

!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3510874038
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3510874038
revocation-check none
rsakeypair TP-self-signed-3510874038
!
!
crypto pki certificate chain TP-self-signed-3510874038
certificate self-signed 01
quit
!
!
license udi pid C1117-4P sn FGL2205927C
license boot level securityk9
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
username rhbmcse privilege 15 password 7 06240B2x32B5D550A7A75
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any CMAP-SELF-TO-INTERNET
match access-group name NACL-PERMIT-ALL-TRAFFIC
class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-all CMAP-OUTSIDE-SELF
match access-group name NACL-PERMIT-ALL-TRAFFIC
class-map type inspect match-all INSIDE_SELF
match access-group name SELF_AND_INSIDE
!
policy-map type inspect PM-SELF-TO-INTERNET
class type inspect CMAP-SELF-TO-INTERNET
pass
class class-default
policy-map type inspect INSIDE_SELF
class type inspect INSIDE_SELF
pass
class class-default
policy-map type inspect SELF_INSIDE
class type inspect INSIDE_SELF
pass
class class-default
policy-map type inspect PM-OUTSIDE-SELF
class type inspect CMAP-OUTSIDE-SELF
pass
class class-default
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect ALLOWED-PROTOCOLS
inspect
class class-default
!
zone security INTERNET
zone security INSIDE
zone-pair security Inside_to_Self source INSIDE destination self
service-policy type inspect INSIDE_SELF
zone-pair security Self-to-Inside source self destination INSIDE
service-policy type inspect SELF_INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
service-policy type inspect PM-OUTSIDE-SELF
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
service-policy type inspect PM-SELF-TO-INTERNET
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0/1/0
description CLIENT LAN
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
description MANAGEMENT INTERFACE
switchport access vlan 100
switchport mode access
!
interface ATM0/2/0
no ip address
shutdown
no atm ilmi-keepalive
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
mac-address c03e.0f9c.268e
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description SUBINT TO INTERNET
encapsulation dot1Q 101
ip dhcp client request classless-static-route
ip dhcp client client-id hex 6330336530663963323638
ip dhcp client hostname c0x68c@skydsl|addx
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security INTERNET
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.0.1 255.255.252.0
ip nat inside
zone-member security INSIDE
!
interface Vlan100
ip address 10.0.0.1 255.255.255.0
!
ip nat inside source route-map OUTSIDE-POOL interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip ssh version 2
!
!
ip access-list extended NACL-BLOCK-INTERNET-TRAFFIC
deny ip any any
ip access-list extended NACL-PERMIT-ALL-TRAFFIC
permit ip any any
ip access-list extended NAT-TO-OUTSIDE
permit ip 192.168.0.0 0.0.3.255 any
ip access-list extended SELF_AND_INSIDE
permit ip any any
!
!
!
route-map OUTSIDE-POOL permit 10
match ip address NAT-TO-OUTSIDE
match interface Ethernet0/2/0.101
!
!
!
control-plane
!
!
line con 0
password 7 091A7D06090D020152
login
transport input all
stopbits 1
line vty 0 4
login local
!
ntp master
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 3.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end