02-19-2012 04:53 AM - edited 03-11-2019 03:32 PM
Hello, I am working with an 871W and I am trying to switch from ip inspect to zone-based firewall. Below are the class-maps, policy-maps, zone-pairs, zones, and ACLs. The issue I am having is that once I deploy the ZBF, I cannot get an IP via DHCP. Please review and suggest any improvements or fixes needed.
class-map type inspect match-any Egress-Filter
match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any Ingress-Filter
match access-group name ingress-filter
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
policy-map type inspect Self_to_Internet
class type inspect Egress-Filter
inspect
class class-default
drop log
policy-map type inspect Internet_to_Self
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Guest
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Trusted
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Trusted
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Guest_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Guest
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
service-policy type inspect Guest_to_Self
zone security Trusted
zone security Guest
zone security Internet
ip access-list extended NAT
deny ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
permit ip any any
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
ip access-list extended egress-filter
permit ip <REMOVED> 0.0.0.2 any
remark ----- Junk Traffic -----
deny ip any host <REMOVED>
deny ip any host <REMOVED>
deny ip host <REMOVED> any
deny ip host <REMOVED> any
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip any any
ip access-list extended ingress-filter
remark ----- Allow access from work
permit ip <REMOVED> 0.0.0.127 any
permit ip <REMOVED> 0.0.0.31 any
permit ip <REMOVED> 0.0.0.255 any
permit esp any host <REMOVED>
permit gre any host <REMOVED>
permit udp any host <REMOVED> eq isakmp
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host <REMOVED>
deny ip any host <REMOVED>
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip <REMOVED> 0.0.0.3 any
deny ip any any
02-21-2012 11:33 AM
Hi,
Can you ping outside addresses?
Can you ping by name?
Look at this doc for troubleshooting ZBF commands: https://supportforums.cisco.com/docs/DOC-15803
Regards.
Alain.
02-19-2012 12:17 PM
Hi,
Post your entire running config. Also, you can't get DHCP to work for your LAN clients?
Regards.
Alain
02-20-2012 12:31 AM
Hello Alain,
I thought I had an updated copy of the config at work but I do not. So I will post the config when I get home today.
Yes, it is for my LAN clients; I am able to get DHCP for the internet connection with no issues.
Thanks,
Jeremy
02-20-2012 04:20 AM
Running Config
!
! Last configuration change at 05:24:59 AZT Sun Feb 19 2012 by asucrews
! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
!
version 12.4
configuration mode exclusive auto expire 600
parser cache
no service log backtrace
no service config
no service exec-callback
service nagle
service slave-log
no service slave-coredump
no service pad to-xot
no service pad from-xot
no service pad cmns
no service pad
no service telnet-zeroidle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
no service exec-wait
service linenumber
no service internal
no service scripting
no service compress-config
service prompt config
no service old-slip-prompts
service pt-vty-logging
no service disable-ip-fast-frag
service sequence-numbers
!
hostname rtwan
!
boot-start-marker
boot-end-marker
!
logging exception 4096
logging count
no logging message-counter log
no logging message-counter debug
logging message-counter syslog
no logging snmp-authfail
no logging userinfo
logging buginf
logging queue-limit 100
logging queue-limit esm 0
logging queue-limit trap 100
logging buffered 65536
no logging persistent
logging rate-limit 512 except critical
logging console guaranteed
logging console critical
logging monitor debugging
logging on
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius rad_eap
server
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone AZT -7
clock save interval 8
errdisable detect cause all
errdisable recovery interval 300
!
!
dot11 syslog
dot11 activity-timeout unknown default 60
dot11 activity-timeout client default 60
dot11 activity-timeout repeater default 60
dot11 activity-timeout workgroup-bridge default 60
dot11 activity-timeout bridge default 60
!
dot11 ssid guestonpg
vlan 2
authentication open
authentication key-management wpa optional
guest-mode
wpa-psk ascii 7
!
dot11 ssid playground
vlan 1
authentication open
authentication key-management wpa optional
wpa-psk ascii 7
!
dot11 aaa csid default
no ip source-route
no ip gratuitous-arps
ip icmp redirect subnet
ip spd queue threshold minimum 73 maximum 74
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.16.33 192.168.16.40
ip dhcp excluded-address 192.168.16.1 192.168.16.7
!
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name jeremycrews.home
lease 4
!
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.224
default-router 192.168.16.33
domain-name guest.jeremycrews.home
lease 0 6
!
!
ip cef
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
no ip bootp server
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.31
ip accounting-transits 25
ip igmp snooping vlan 1
ip igmp snooping vlan 1 mrouter learn pim-dvmrp
ip igmp snooping vlan 2
ip igmp snooping vlan 2 mrouter learn pim-dvmrp
ip igmp snooping
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
!
!
!
parameter-map type inspect log
audit-trail on
dot1x system-auth-control
!
!
memory free low-watermark processor 65536
memory free low-watermark IO 16384
file prompt alert
emm clear 1b5b324a1b5b303b30480d
vtp file flash:vlan.dat
vtp mode server
vtp version 1
username
username
!
no crypto isakmp diagnose error
!
!
archive
log config
no record rc
logging enable
no logging persistent reload
no logging persistent
logging size 255
notify syslog contenttype plaintext
no notify syslog contenttype xml
hidekeys
path tftp://192.168.16.12/rtwan-config
maximum 10
no rollback filter adaptive
rollback retry timeout 0
write-memory
time-period 10080
scripting tcl low-memory 28965007
scripting tcl trustpoint untrusted terminate
no scripting tcl secure-mode
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string ~break
ip ssh logging events
ip ssh version 2
ip ssh dh min size 1024
!
class-map type inspect match-any Egress-Filter
match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
match protocol bootpc
match protocol bootps
class-map type inspect match-any Ingress-Filter
match access-group name ingress-filter
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
!
!
policy-map type inspect Self_to_Internet
class type inspect Egress-Filter
inspect
class class-default
drop log
policy-map type inspect Internet_to_Self
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Self_To_Self
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Guest
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_to_Self
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Self_to_Trusted
class type inspect All_Protocols
inspect
class type inspect DHCP-Allow
pass
class class-default
drop log
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Trusted
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Guest_to_Self
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Self_to_Guest
class type inspect All_Protocols
inspect
class class-default
drop log
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
service-policy type inspect Guest_to_Self
!
bridge irb
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
snmp trap link-status
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description To switch
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode trunk
switchport voice vlan none
switchport priority extend none
switchport priority default 0
snmp trap link-status
ip igmp snooping tcn flood
!
interface FastEthernet1
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode trunk
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
!
interface FastEthernet2
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode access
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
!
interface FastEthernet3
description Ooma Hub 192.168.16.5
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode access
switchport voice vlan none
switchport priority extend none
switchport priority default 0
shutdown
snmp trap link-status
spanning-tree portfast
ip igmp snooping tcn flood
!
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
snmp trap link-status
no cdp enable
zone-member security Internet
!
interface Dot11Radio0
description Radio b/g
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
beacon period 100
beacon dtim-period 2
dot11 extension aironet
!
encryption vlan 1 mode ciphers aes-ccm tkip wep128
!
encryption vlan 2 mode ciphers aes-ccm tkip wep128
!
broadcast-key vlan 1 change 3600 membership-termination
!
broadcast-key vlan 2 change 3600 membership-termination
!
!
ssid guestonpg
!
ssid playground
!
countermeasure tkip hold-time 60
short-slot-time
speed ofdm join
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
packet retries 64
preamble-short
channel least-congested
fragment-threshold 2346
station-role root
rts threshold 2312
rts retries 64
antenna receive diversity
antenna transmit diversity
payload-encapsulation rfc1042
snmp trap link-status
!
interface Dot11Radio0.1
description Home WLAN
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
description Guest WLAN
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
description Home LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
autostate
snmp trap link-status
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description Guest LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
autostate
snmp trap link-status
bridge-group 2
bridge-group 2 spanning-disabled
!
interface BVI1
description Home Bridge LAN to WLAN
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
snmp trap link-status
zone-member security Trusted
!
interface BVI2
description Guest Bridge LAN to WLAN
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
snmp trap link-status
zone-member security Guest
!
ip classless
ip forward-protocol nd
no ip http server
ip http port 80
ip http authentication enable
no ip http secure-server
ip http secure-port 443
ip http secure-active-session-modules all
ip http max-connections 5
ip http timeout-policy idle 180 life 180 requests 1
ip http active-session-modules all
ip http digest algorithm md5
ip http client cache memory pool 100
ip http client cache memory file 2
ip http client cache ager interval 5
ip http client connection timeout 10
ip http client connection retry 1
ip http client connection idle timeout 30
ip http client response timeout 30
ip http path
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended NAT
deny ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
permit ip any any
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
ip access-list extended egress-filter
permit ip
remark ----- Junk Traffic -----
deny ip any host
deny ip any host
deny ip host
deny ip host
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip any any
ip access-list extended ingress-filter
remark ----- Allow access from work
permit ip
permit ip
permit ip
permit esp any host
permit gre any host
permit udp any host
remark ----- To get IP form COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host
deny ip any host
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip
deny ip any any
!
no ip sla logging traps
ip sla 1
icmp-echo 8.8.4.4 source-interface FastEthernet4
frequency 120
history hours-of-statistics-kept 1
history filter failures
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet4
frequency 30
history hours-of-statistics-kept 1
history filter failures
ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive 5 action-type trapAndTrigger
ip sla reaction-trigger 1 2
logging history size 1
logging history warnings
logging trap informational
logging delimiter tcp
logging facility local7
no logging source-interface
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 192.43.244.18
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
access-list 22 permit 192.168.16.0 0.0.0.63
mac-address-table aging-time 300
cdp run
!
!
!
snmp-server engineID local
snmp-server view *ilmi system included
snmp-server view *ilmi atmForumUni included
snmp-server view v1default iso included
snmp-server view v1default internet.6.3.15 excluded
snmp-server view v1default internet.6.3.16 excluded
snmp-server view v1default internet.6.3.18 excluded
snmp-server view v1default ciscoMgmt.394 excluded
snmp-server view v1default ciscoMgmt.395 excluded
snmp-server view v1default ciscoMgmt.399 excluded
snmp-server view v1default ciscoMgmt.400 excluded
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F ieee802dot11 included
snmp-server view *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF7F internet included
snmp-server community 1682CrewsSNMP v1default RW 22
snmp-server priority normal
no snmp-server trap link ietf
snmp-server trap authentication vrf
snmp-server trap authentication acl-failure
snmp-server trap authentication unknown-content
snmp-server packetsize 1500
snmp-server queue-limit notification-host 10
snmp-server chassis-id FHK111016LX
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps pw vc
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server host 192.168.16.10 traps version 1
snmp-server inform retries 3 timeout 15 pending 25
snmp mib nhrp
snmp mib notification-log globalsize 500
snmp mib notification-log globalageout 15
snmp mib community-map ILMI engineid
snmp mib community-map
radius-server local
no authentication mac
eapfast authority id
eapfast authority info
eapfast server-key primary 7
eapfast server-key secondary 7
nas
group users
vlan 1
ssid playground
block count 5 time 60
reauthentication time 3600
!
group guest
vlan 2
ssid guestonpg
block count 3 time 60
reauthentication time 3600
!
user
user
!
radius-server attribute 32 include-in-access-req format %h
radius-server host
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
alias exec h help
alias exec lo logout
alias exec p ping
alias exec r resume
alias exec s show
alias exec u undebug
alias exec un undebug
alias exec w where
default-value exec-character-bits 7
default-value special-character-bits 7
default-value data-character-bits 8
!
line con 0
password 7
logging synchronous
no modem enable
transport output ssh
line aux 0
password 7
logging synchronous
transport output ssh
line vty 0 4
password 7
logging synchronous
transport preferred ssh
transport input all
transport output ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
cns id hostname
cns id hostname event
cns id hostname image
cns image retry 60
netconf max-sessions 4
netconf lock-time 10
netconf max-message 0
event manager scheduler script thread class default number 1
event manager scheduler applet thread class default number 32
event manager history size events 10
event manager history size traps 10
end
02-20-2012 01:42 PM
Hi,
I've never used ZBF in transparent mode before but I've done some research and I found this:
http://myccienotes.wikispaces.com/ZFW-Based+IOS+Transparent+Firewall
So it appears the BVI is part of the self zone but you made them members of other zones; can you try putting these zones on the VLAN interfaces?
Regards.
Alain
02-21-2012 12:31 AM
Hello,
That link helped me figure out my DHCP issue; however, after I fixed that issue, neither the Trusted Zone nor the Guest Zone is able to get out to the internet. Any ideas?
02-21-2012 02:15 AM
hi,
Can you post your latest config?
Regards.
Alain
02-21-2012 03:10 AM
updated config
!
! Last configuration change at 01:10:06 AZT Tue Feb 21 2012 by asucrews
! NVRAM config last updated at 05:25:57 AZT Sun Feb 19 2012 by asucrews
!
version 12.4
configuration mode exclusive auto
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
!
hostname rtwan
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 65536
logging rate-limit 512 except critical
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.16.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
clock timezone AZT -7
clock save interval 8
!
!
dot11 syslog
!
dot11 ssid guestonpg
vlan 2
authentication open
authentication key-management wpa optional
guest-mode
wpa-psk ascii 7
!
dot11 ssid playground
vlan 1
authentication open
authentication key-management wpa optional
wpa-psk ascii 7
!
no ip source-route
no ip gratuitous-arps
ip options drop
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.16.33 192.168.16.40
ip dhcp excluded-address 192.168.16.1 192.168.16.7
!
ip dhcp pool vlan1pool
import all
network 192.168.16.0 255.255.255.224
default-router 192.168.16.1
domain-name jeremycrews.home
lease 4
!
ip dhcp pool vlan2pool
import all
network 192.168.16.32 255.255.255.224
default-router 192.168.16.33
domain-name guest.jeremycrews.home
lease 0 6
!
!
ip cef
ip inspect name firewall tcp router-traffic
ip inspect name firewall udp router-traffic
ip inspect name firewall icmp router-traffic
no ip bootp server
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip accounting-threshold 100
ip accounting-list 192.168.16.0 0.0.0.31
ip accounting-list 192.168.16.32 0.0.0.31
ip accounting-transits 25
login block-for 120 attempts 5 within 60
login delay 5
login on-failure log
!
!
parameter-map type inspect log
audit-trail on
dot1x system-auth-control
!
!
memory free low-watermark processor 65536
memory free low-watermark IO 16384
username
username
!
!
!
archive
log config
logging enable
logging size 255
notify syslog contenttype plaintext
hidekeys
path tftp://192.168.16.12/rtwan-config
write-memory
time-period 10080
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
class-map type inspect match-any Egress-Filter
match access-group name egress-filter
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
match protocol bootpc
match protocol bootps
class-map type inspect match-any Ingress-Filter
match access-group name ingress-filter
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all DHCP-Allow
match access-group name dhcp-allow
!
!
policy-map type inspect Self_to_Internet
class type inspect Egress-Filter
inspect
class class-default
drop log
policy-map type inspect Internet_to_Self
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Trusted_To_Self
class type inspect DHCP-Allow
pass
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Guest_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Guest
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Self_to_Trusted
class type inspect DHCP-Allow
pass
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Internet_to_Trusted
class type inspect Ingress-Filter
inspect
class class-default
drop log
policy-map type inspect Guest_to_Self
class type inspect DHCP-Allow
pass
class type inspect All_Protocols
inspect
class class-default
drop log
policy-map type inspect Self_to_Guest
class type inspect DHCP-Allow
pass
class type inspect All_Protocols
inspect
class class-default
drop log
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
zone-pair security Internet->Guest source Internet destination Guest
service-policy type inspect Internet_to_Guest
zone-pair security Self->Internet source self destination Internet
service-policy type inspect Self_to_Internet
zone-pair security Internet->Self source Internet destination self
service-policy type inspect Internet_to_Self
zone-pair security Self->Trusted source self destination Trusted
service-policy type inspect Self_to_Trusted
zone-pair security Trusted->Self source Trusted destination self
service-policy type inspect Trusted_to_Self
zone-pair security Self->Guest source self destination Guest
service-policy type inspect Self_to_Guest
zone-pair security Guest->Self source Guest destination self
service-policy type inspect Guest_to_Self
!
bridge irb
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description To switch
switchport mode trunk
!
interface FastEthernet1
switchport mode trunk
shutdown
spanning-tree portfast
!
interface FastEthernet2
shutdown
spanning-tree portfast
!
interface FastEthernet3
description Ooma Hub 192.168.16.5
shutdown
spanning-tree portfast
!
interface FastEthernet4
description Cox Internet Connection
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly
zone-member security Internet
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
description Radio b/g
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
encryption vlan 1 mode ciphers aes-ccm tkip wep128
!
encryption vlan 2 mode ciphers aes-ccm tkip wep128
!
broadcast-key vlan 1 change 3600 membership-termination
!
broadcast-key vlan 2 change 3600 membership-termination
!
!
ssid guestonpg
!
ssid playground
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
rts threshold 2312
!
interface Dot11Radio0.1
description Home WLAN
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
description Guest WLAN
encapsulation dot1Q 2
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
description Home LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
zone-member security Trusted
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description Guest LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
zone-member security Guest
bridge-group 2
bridge-group 2 spanning-disabled
!
interface BVI1
description Home Bridge LAN to WLAN
ip address 192.168.16.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
!
interface BVI2
description Guest Bridge LAN to WLAN
ip address 192.168.16.33 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source static tcp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static udp 192.168.16.6 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.16.6 80 interface FastEthernet4 80
ip nat inside source static udp 192.168.16.6 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.16.6 53 interface FastEthernet4 53
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended NAT
deny ip 192.168.16.0 0.0.0.63 192.168.16.64 0.0.0.15
permit ip any any
ip access-list extended dhcp-allow
permit udp any eq bootps any
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any eq bootpc any
ip access-list extended egress-filter
permit ip
remark ----- Junk Traffic -----
deny ip any host
deny ip any host
deny ip host
deny ip host
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip any any
ip access-list extended ingress-filter
remark ----- Allow access from work
permit ip
permit ip
permit ip
permit esp any host
permit gre any host
permit udp any host
remark ----- To get IP from COX -----
permit udp any eq bootps any eq bootpc
deny icmp any any
deny udp any any eq echo
deny udp any eq echo any
deny tcp any any fragments
deny udp any any fragments
deny ip any any fragments
deny ip any any option any-options
deny ip any any ttl lt 4
deny ip any host
deny ip any host
deny udp any any range 33400 34400
remark ----- Bogons Filter -----
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
remark ----- Internal networks -----
deny ip
deny ip any any
!
ip sla 1
icmp-echo 8.8.4.4 source-interface FastEthernet4
frequency 120
history hours-of-statistics-kept 1
history filter failures
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-interface FastEthernet4
frequency 30
history hours-of-statistics-kept 1
history filter failures
ip sla reaction-configuration 1 react connectionLoss threshold-type consecutive action-type trapAndTrigger
ip sla reaction-trigger 1 2
access-list 1 permit 192.168.16.0 0.0.0.63
access-list 20 permit 127.127.1.1
access-list 20 permit 192.43.244.18
access-list 20 permit 204.235.61.9
access-list 20 permit 173.201.38.85
access-list 20 permit 216.229.4.69
access-list 20 permit 152.2.21.1
access-list 20 permit 130.126.24.24
access-list 21 permit 192.168.16.0 0.0.0.63
access-list 22 permit 192.168.16.0 0.0.0.63
!
!
!
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps pw vc
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps adslline
snmp-server enable traps flash insertion removal
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server host 192.168.16.10
radius-server local
no authentication mac
eapfast authority id
eapfast authority info
eapfast server-key primary 7
eapfast server-key secondary 7
nas 192.168.16.1 key 7
group users
vlan 1
ssid playground
block count 5 time 60
reauthentication time 3600
!
group guest
vlan 2
ssid guestonpg
block count 3 time 60
reauthentication time 3600
!
user
user
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.1 auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
!
line con 0
password 7
logging synchronous
no modem enable
transport output ssh
line aux 0
password 7
logging synchronous
transport output ssh
line vty 0 4
password 7
logging synchronous
transport preferred ssh
transport input all
transport output ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
ntp authentication-key 1 md5
ntp authenticate
ntp trusted-key 1
ntp source FastEthernet4
ntp access-group peer 20
ntp access-group serve-only 21
ntp master 1
ntp server 152.2.21.1 maxpoll 4
ntp server 204.235.61.9 maxpoll 4
ntp server 130.126.24.24
ntp server 216.229.4.69 maxpoll 4
ntp server 173.201.38.85 maxpoll 4
end
02-21-2012 11:33 AM
Hi,
Can you ping outside addresses?
Can you ping by name?
Look at this doc for troubleshooting ZBF commands: https://supportforums.cisco.com/docs/DOC-15803
Regards.
Alain.
02-23-2012 11:54 PM
Hi,
From the router I can ping an IP or domain name. From LAN clients, I cannot ping an IP or host name.
From the debug commands below, which I ran off the doc you linked, I think it is not allowing DNS to pass, but I am not sure.
I will post the debug here in a few minutes; still sorting out what it all means.
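Added example, not part of the thread and not the poster's code: a small Python model of how a ZBF policy-map picks a class. It parses a constructed excerpt of the configuration posted above (the Trusted_To_Self policy-map, its All_Protocols and DHCP-Allow class-maps and the dhcp-allow ACL) and reports which class, and therefore which action, a DHCP DISCOVER lands in. A second policy-map, Inspect_First, is constructed for comparison and simply reverses the two class lines. It assumes the standard ZBF evaluation order (classes tried top to bottom, first match wins, unmatched traffic goes to class-default, and the router drops when no class-default is configured), models `match protocol` as a plain L4 protocol test rather than NBAR/PAM classification, and parses only the ACE syntax that occurs in the excerpt (`any`, `host`, wildcard masks and `eq` ports); the sample flows are constructed.

```python
"""Added example (not from the forum post): first-match evaluation of a Cisco
IOS zone-based firewall policy-map over a constructed excerpt of the config."""
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}
# Constructed excerpt: Trusted_To_Self keeps the class order of the repost;
# Inspect_First (not in the post) reverses it and omits class-default.
CONFIG_EXCERPT = """
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all DHCP-Allow
 match access-group name dhcp-allow
policy-map type inspect Trusted_To_Self
 class type inspect DHCP-Allow
  pass
 class type inspect All_Protocols
  inspect
 class class-default
  drop log
policy-map type inspect Inspect_First
 class type inspect All_Protocols
  inspect
 class type inspect DHCP-Allow
  pass
ip access-list extended dhcp-allow
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any eq bootpc any
"""

def parse_ace(tok):
    """Parse 'permit|deny <proto> <src> [eq port] <dst> [eq port]' (ACE subset)."""
    rest = tok[2:]
    def addr():  # any | host A.B.C.D | A.B.C.D <wildcard-mask>
        w = rest.pop(0)
        net = "0.0.0.0/0" if w == "any" else rest.pop(0) if w == "host" else f"{w}/{rest.pop(0)}"
        return ipaddress.ip_network(net, strict=False)
    def port():  # 'eq <name|number>'; no operator means any port (None)
        if rest[:1] == ["eq"]:
            _, w = rest.pop(0), rest.pop(0)
            return PORT_NAMES.get(w) or int(w)
    ace = {"action": tok[0], "proto": tok[1], "src": addr(), "sport": port()}
    ace.update(dst=addr(), dport=port())
    return ace

def parse_config(text):
    """Collect class-maps, policy-maps (ordered class list) and named ACLs."""
    class_maps, policy_maps, acls, cur = {}, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "remark"):
            continue
        if tok[0] == "class-map":
            cur = class_maps.setdefault(tok[-1], {"mode": tok[3], "matches": []})
        elif tok[0] == "policy-map":
            cur = policy_maps.setdefault(tok[-1], [])
        elif tok[:2] == ["ip", "access-list"]:
            cur = acls.setdefault(tok[-1], [])
        elif tok[0] == "match":
            cur["matches"].append(tok[1:])
        elif tok[0] == "class":
            cur.append([tok[-1], None])  # the action comes on the next line
        elif tok[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = tok[0]
        elif tok[0] in ("permit", "deny"):
            cur.append(parse_ace(tok))
    return class_maps, policy_maps, acls

def acl_permits(acl, flow):
    """First matching ACE decides; an IOS ACL ends with an implicit deny."""
    proto, src, sport, dst, dport = flow
    for a in acl:
        if (a["proto"] in ("ip", proto) and ipaddress.ip_address(src) in a["src"]
                and ipaddress.ip_address(dst) in a["dst"]
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"] == "permit"
    return False

def class_matches(cmap, flow, acls):
    # Assumption: 'match protocol X' is modelled as a plain L4 protocol test.
    hits = [m[1] == flow[0] if m[0] == "protocol" else acl_permits(acls[m[-1]], flow)
            for m in cmap["matches"]]
    return all(hits) if cmap["mode"] == "match-all" else any(hits)

def evaluate(policy, flow, cfg):
    """(class, action) for the first class of `policy` that matches `flow`."""
    class_maps, policy_maps, acls = cfg
    for cname, action in policy_maps[policy]:  # top to bottom, first match wins
        if cname == "class-default" or class_matches(class_maps[cname], flow, acls):
            return cname, action
    return "class-default", "drop"  # ZBF drops when no class-default is configured

DHCP_DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)  # constructed flow
if __name__ == "__main__":
    for policy in ("Trusted_To_Self", "Inspect_First"):
        print(policy, "->", evaluate(policy, DHCP_DISCOVER, parse_config(CONFIG_EXCERPT)))
```

The point it makes: with DHCP-Allow listed first, a DISCOVER (source 0.0.0.0:68 to 255.255.255.255:67) reaches the `pass` action, whereas with All_Protocols first the same packet is caught by `match protocol udp` and inspected instead, and anything outside tcp/udp/icmp falls to class-default and is dropped. Whether that ordering explains the DHCP failure on this router cannot be decided from the configuration text alone; the model only tells you which class a given flow should hit, which is what to compare against the per-class counters from `show policy-map type inspect zone-pair` on the router.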