07-01-2014 11:53 AM - edited 03-11-2019 09:24 PM
First off I want to apologize for not knowing everything, but this is why I am doing this, to learn.
Just recently passed my CCNA Sec and purchased a router so I can work on setting up Zone-based Firewalls to help fully understand and grasp what there is to know about them.
Just so I can see all the moving pieces I was using CCP to build the firewall and then pasting the config to Notepad and manipulating the class maps and policy maps based on what traffic I really cared about inspecting. Everything else was permitted and inspected in the policy map.
When applying everything, either by doing it manually or by letting CCP do it, I have noticed that I immediately lose internet connectivity. I cannot tell if it's breaking NAT or DNS. I have to remove the interface from the zones in order for traffic to restore.
I have even taken a simple approach and just created a class map matching on tcp and udp and the policy map inspecting it. Once I assigned the policy map to the zone pairs and assigned the interfaces to their zones traffic stopped working.
Not sure where to go from here if simple tcp udp inspect breaks traffic flow.
Any help would be appreciated.
07-01-2014 12:33 PM
Below is a sample of a working configuration I built using a combination of CCP and cli.
I pulled out a lot of other complexity not relevant to this discussion (there's a LOT else going on on this little 2921 ISR G2). My example is using subinterfaces on the inside. I only showed one of them here - you may not need that depending on your setup. My NAT basically exempts anything to another private network (there are connections to a DMVPN hub and MPLS WAN elsewhere in the config).
Compare it to yours and perhaps you can work out where your departures are causing problems.
It was indeed tricky at first to get my head around ZBFW and the syntax for inspections, class-maps etc.
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
!
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 bandwidth 1000000
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 no ip route-cache cef
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.1
 description $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.3.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface GigabitEthernet0/1
 description Connected to Comcast$FW_OUTSIDE$
 bandwidth 50000
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security out-zone
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 173.10.5.0 0.0.0.255 any
ip access-list extended NAT
 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.3.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.3.0 0.0.0.255 any
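As an added example (not code from the post above, and not Cisco tooling), here is a small Python checker that does the "compare it to yours" step mechanically. It parses an IOS config text for class-maps, policy-maps, zone-pairs and zone-members and reports what most often explains "I added zone-member and all traffic stopped": a zone-pair whose policy-map is missing, a policy-map naming a class-map that is not defined, a policy-map with no inspect action (so return traffic has no state to match), a match-all class-map listing several protocols (a single flow is one protocol, so it never matches), an L3 interface left out of every zone once zones are in use, and two zones with no zone-pair in either direction. The config it lints is constructed for the example, with two faults seeded in; names such as CLS-INSP, PM-IN-OUT and ZP-IN-OUT are assumptions, not objects from this thread.

```python
"""Cross-reference checker for a Cisco IOS zone-based firewall (ZBFW) config.
Added example for this thread (not Cisco tooling): lints a config text before it is pasted."""
import re
from itertools import combinations

# Constructed sample (assumed), shaped like the configs in the thread but seeded with two
# faults: the policy-map references a class-map that is never defined (CLS-HTTP), and the
# inside sub-interface Gi0/1.200 has an IP address but no zone-member.
SAMPLE_CONFIG = """\
class-map type inspect match-any CLS-INSP
 match protocol tcp
 match protocol udp
policy-map type inspect PM-IN-OUT
 class type inspect CLS-HTTP
  inspect
 class type inspect CLS-INSP
  inspect
 class class-default
  drop
zone security in-zone
zone security out-zone
zone-pair security ZP-IN-OUT source in-zone destination out-zone
 service-policy type inspect PM-IN-OUT
interface GigabitEthernet0/0
 ip address dhcp
 zone-member security out-zone
interface GigabitEthernet0/1.100
 ip address 10.0.1.1 255.255.255.0
 zone-member security in-zone
interface GigabitEthernet0/1.200
 ip address 10.0.2.1 255.255.255.248
"""


def parse_config(text):
    """Collect the ZBFW-relevant objects from an IOS running-config text."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zone_pairs": {}, "interfaces": {}}
    kind = block = cls = None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or not raw.startswith(" "):  # unindented line opens a new block
            kind = block = cls = None
            if m := re.match(r"class-map type inspect (match-\w+) (\S+)", body):
                kind, block = "class-map", m[2]
                cfg["class_maps"][block] = {"mode": m[1], "matches": []}
            elif m := re.match(r"policy-map type inspect (\S+)", body):
                kind, block = "policy-map", m[1]
                cfg["policy_maps"][block] = {}        # class name -> action
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", body):
                kind, block = "zone-pair", m[1]
                cfg["zone_pairs"][block] = {"src": m[2], "dst": m[3], "policy": None}
            elif m := re.match(r"interface (\S+)", body):
                kind, block = "interface", m[1]
                cfg["interfaces"][block] = {"zone": None, "ip": False}
        elif kind == "class-map":
            cfg["class_maps"][block]["matches"].append(body)
        elif kind == "policy-map":
            if m := re.match(r"class (?:type inspect )?(\S+)", body):
                cls = m[1]
                cfg["policy_maps"][block][cls] = None
            elif cls and body.split()[0] in ("inspect", "pass", "drop"):
                cfg["policy_maps"][block][cls] = body.split()[0]
        elif kind == "zone-pair":
            if m := re.match(r"service-policy type inspect (\S+)", body):
                cfg["zone_pairs"][block]["policy"] = m[1]
        elif kind == "interface":
            if m := re.match(r"zone-member security (\S+)", body):
                cfg["interfaces"][block]["zone"] = m[1]
            elif body.startswith("ip address"):      # "no ip address" does not count
                cfg["interfaces"][block]["ip"] = True
    return cfg


def check_zbfw(cfg):
    """Return findings as strings; an empty list means no obvious gap."""
    out = []
    for name, zp in cfg["zone_pairs"].items():
        if zp["policy"] not in cfg["policy_maps"]:
            out.append(f"zone-pair {name}: policy-map '{zp['policy']}' is not defined")
    for name, classes in cfg["policy_maps"].items():
        for c in classes:
            if c != "class-default" and c not in cfg["class_maps"]:
                out.append(f"policy-map {name}: class-map '{c}' is not defined")
        if "inspect" not in classes.values():
            out.append(f"policy-map {name}: no 'inspect' action, return traffic needs its own zone-pair")
    for name, cm in cfg["class_maps"].items():
        if cm["mode"] == "match-all" and sum(e.startswith("match protocol") for e in cm["matches"]) > 1:
            out.append(f"class-map {name}: match-all with several protocols never matches a flow")
    # Zone gaps: once any interface is in a zone, an L3 interface outside every zone cannot
    # exchange traffic with zoned ones, and two zones with no zone-pair in either direction
    # are isolated by the implicit deny between zones.
    in_use = {i["zone"] for i in cfg["interfaces"].values() if i["zone"]}
    for name, i in cfg["interfaces"].items():
        if in_use and i["ip"] and not i["zone"]:
            out.append(f"{name}: has an IP address but no zone-member, traffic to zoned interfaces is dropped")
    pairs = {(zp["src"], zp["dst"]) for zp in cfg["zone_pairs"].values()}
    for a, b in combinations(sorted(in_use), 2):
        if (a, b) not in pairs and (b, a) not in pairs:
            out.append(f"no zone-pair between {a} and {b}, traffic between them is dropped")
    return out


if __name__ == "__main__":
    print("\n".join(check_zbfw(parse_config(SAMPLE_CONFIG))) or "no findings")
```

Run it over the text you are about to paste into the router (for example the config CCP generated and you edited in Notepad): when a pasted line references an object that does not exist yet, IOS rejects that one line and the error scrolls past, leaving a policy with holes in it. Once the config is on the box, the on-box equivalents are the standard IOS commands `show zone security`, `show zone-pair security` and `show policy-map type inspect zone-pair sessions`, which show which interfaces sit in which zone, which policy is bound to each pair, and whether any sessions are actually being created.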
07-01-2014 12:48 PM
Well, I will say I like your NAT setup; that would definitely allow me to get rid of my ACL to block NetBIOS traffic going to their broadcast addresses using NAT. I am not seeing anything jumping out that is too different from the config I am using, with the exception of you having gi0/0 added to the zones. I too am running multiple sub-interfaces, but I only added them to the zones and not the main interface.
I think I see why my simple tcp/udp policies were not working: I didn't match on an access-group first (so I am not sure if it knew what traffic to match on).
Also, is it just a mis-conception on my part thinking that CCP would configure a working config? I guess I just assumed basic HTTP/HTTPS traffic would have worked from the gate.
Thanks for your reply.
07-01-2014 12:59 PM
You're welcome.
CCP usually does result in a working configuration. In fact it saved me on this setup as I added the DMVPN plus IPsec VPN plus QoS plus SRE running WLC etc. all on this single router config (which was replicated over 7 sites). I would have never got it all on my own (well at least not without a lot of swearing and cursing MQC syntax along the way).
Having used CCP a good bit on this setup also helped me pass my CCNA Security, FWIW.
07-01-2014 01:12 PM
Hmm... makes me wonder what is wrong with my config that CCP didn't work right out of the gate. Would you mind taking a look and seeing if you see something that would be a red flag that ZBFW would make internet traffic stop working? My hope is that if I get this working, the next step is to turn on IOS IPS; I want to see how much this 2821 can handle.
Please be mindful this was thrown together as the wife was in my ear about the internet not working. My plan is to go back through and button up these ACL's to be more specific to their task.
version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
ip cef
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.2.1
ip dhcp excluded-address 10.0.1.2
!
ip dhcp pool SIP_POOL
 network 10.0.2.0 255.255.255.248
 default-router 10.0.2.1
 dns-server 64.233.219.99 64.233.206.99
 lease 2
!
ip dhcp pool LAN_POOL
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 64.233.219.99 64.233.206.99
 lease 2
!
!
no ip bootp server
ip domain name yourdomain.com
no ipv6 cef
ip tcp synwait-time 10
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group BLOCK_NETBIOS out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.100
 description $FW_INSIDE$
 encapsulation dot1Q 100
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 description $FW_INSIDE$
 encapsulation dot1Q 200
 ip address 10.0.2.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
!
ip nat source list 3 interface GigabitEthernet0/0 overload
!
ip access-list extended BLOCK_NETBIOS
 deny ip any host x.x.x.x log
 deny ip any host 10.0.1.255 log
 deny ip any host 10.0.2.7 log
 permit ip any any
!
no logging trap
access-list 1 remark NTP_ACCESS
access-list 1 permit 216.171.120.36
access-list 1 permit 216.229.0.179
access-list 2 remark SSH_ACCESS
access-list 2 permit x.x.x.x
access-list 2 permit 10.0.2.0 0.0.0.7
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 3 remark NAT_TO_INTERNET
access-list 3 permit 10.0.1.0 0.0.0.255
access-list 3 permit 10.0.2.0 0.0.0.7
no cdp run
!
control-plane
!
mgcp profile default
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 session-timeout 10
 access-class 2 in
 logging synchronous
 transport input ssh
line vty 5 15
 session-timeout 10
 access-class 2 in
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 1
ntp server nist1-chi.ustiming.org prefer
ntp server nist1-lnk.binary.net
end
07-02-2014 07:59 AM
Did you mean to post the version with the ZBFW bits included? The above config doesn't have any of the class-maps, policy-maps, zone-pair definitions etc.
07-02-2014 08:25 AM
I was just asking for the sake of understanding why CCP always stopped traffic when applying the ZBFW configuration. I will say this time around I manually configured my ZBF and it works perfectly. I just have basic HTTP, HTTPS, SIP, DNS and invalid sources being inspected; everything is passed.
I was going to post my config, but it seems ZBF works so well I will need to build an ACL for SSH access from work. Haha.
Thanks for your guidance on this!
07-02-2014 09:42 AM
OK, glad it's working now.
You're welcome.