ZBFW - need help with configuration

jacob6000
Level 1

I am attempting to migrate from CBAC to ZBFW. I'm having some difficulties. I was hoping to get answers to the following questions.

1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?

2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?

%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry

3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why?

4) Is IPSec allowed to come in correctly?

! Class maps
class-map type inspect match-all VoIP
 match access-group name VoIP
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-all SSH
 match protocol ssh
 match access-group name SSH
class-map type inspect match-all IPSEC
 match access-group name IPSEC
class-map type inspect match-any SELF-OUT
 match protocol icmp
 match protocol dns   --> currently removed
!
! Policy maps
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-OUT
  inspect
 class class-default
  pass
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass
 class class-default
  drop log
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF
 class type inspect IPSEC
  pass
 class type inspect SSH
  pass
 class type inspect VoIP
  pass
 class class-default
  drop log
!
! Zones and zone pairs
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
!
! NAT and routing
ip nat inside source list noNAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 Tunnel31
!
! Named ACLs referenced by the class maps
ip access-list extended IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended SSH
 permit tcp any any eq 22
ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
!
! Numbered ACLs (175 drives the noNAT route-map)
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 131 permit gre host x.x.x.x host 64.x.x.x.x
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
route-map noNAT permit 41
 match ip address 175
!

1 Reply

Yadhu Tony
Level 1

Hi,

1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?

Yes, according to your config below, UDP port 5060 is allowed from the OUTSIDE to the INSIDE zone.

ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass

It is also allowed from OUTSIDE to the Self zone.

ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
class-map type inspect match-all VoIP
 match access-group name VoIP
policy-map type inspect OUTSIDE-SELF
 class type inspect VoIP
  pass

2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?

%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry

Change the policy action to 'pass' and let me know if that resolves the issue.


class-map type inspect match-any SELF-OUT
 match protocol icmp
 match protocol dns
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-OUT
  pass

3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why?

a.) Does this issue happen with only a few computers (the ones in the 192.168.3.x network) or with all the computers behind the ZBFW?


b.) Please post the output of 'sh nat trans' command.

4) Is IPSec allowed to come in correctly?

Yes, IPSec is allowed from OUTSIDE to Self Zone. For more info you can visit http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html or http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html

Let me know if you require any further clarification.

Best Regards,
Tony
http://yadhutony.blogspot.com

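As an added example (not part of the original post or the reply above), here are the two ways the error in question 2 can be resolved, side by side. The error is raised because the self zone only accepts the inspect action for the transport protocols (tcp, udp, icmp, h323); an application protocol such as dns cannot be inspected to or from self. Option A keeps the stateful inspect action by matching udp instead of dns, so the DNS replies are admitted by the session table. Option B uses the pass action suggested in the reply; because pass is stateless, the DNS and ICMP replies arriving OUTSIDE -> self would hit "class class-default / drop log" in OUTSIDE-SELF unless a mirror class passes them, which is what the second half shows. Names ending in -EX and the resolver address 192.0.2.53 are assumptions chosen for illustration; replace them with the router's actual name-server.

```cisco
! Added example, not from the original thread. Names ending in -EX and the
! resolver 192.0.2.53 are assumptions; substitute the router's real DNS server.
!
! ---- Option A: keep "inspect" (stateful), match the transport, not "dns" ----
! The self zone accepts inspect only for tcp/udp/icmp (and h323). Narrow the
! udp match with an ACL so only router -> resolver DNS queries are inspected.
ip access-list extended SELF-DNS-EX
 permit udp any host 192.0.2.53 eq domain
!
class-map type inspect match-all SELF-DNS-CLASS-EX
 match access-group name SELF-DNS-EX
 match protocol udp
class-map type inspect match-any SELF-ICMP-CLASS-EX
 match protocol icmp
!
policy-map type inspect SELF-OUTSIDE-POLICY-EX
 class type inspect SELF-DNS-CLASS-EX
  inspect
 class type inspect SELF-ICMP-CLASS-EX
  inspect
 class class-default
  pass
! class-default stays "pass" as in the original, because the router itself
! originates the ISAKMP/ESP and GRE traffic for Tunnel31/Tunnel32 in this direction.
!
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY-EX
!
! ---- Option B: "pass" (stateless), as suggested in the reply ----
! pass creates no session, so the replies must be explicitly permitted
! OUTSIDE -> self; otherwise they fall into "class-default / drop log" in OUTSIDE-SELF.
ip access-list extended SELF-RETURN-EX
 permit udp host 192.0.2.53 eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map type inspect match-any SELF-RETURN-CLASS-EX
 match access-group name SELF-RETURN-EX
!
! Appended to the existing OUTSIDE-SELF policy; class-default is always evaluated last.
policy-map type inspect OUTSIDE-SELF
 class type inspect SELF-RETURN-CLASS-EX
  pass
```

Option A is the better fit for a CBAC-to-ZBFW migration: it preserves the stateful behaviour ip inspect gave you, keeps OUTSIDE-SELF closed by default, and avoids the permanent holes for udp/53 and ICMP that option B opens. Whichever you pick, verify with "show policy-map type inspect zone-pair SELF-TO-OUT" and "show policy-map type inspect zone-pair OUTSIDE-SELF" that the DNS class counters increment and that class-default drops stop appearing for the router's own DNS replies.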