02-13-2014 07:18 AM - edited 03-11-2019 08:45 PM
I am attempting to migrate from CBAC to ZBFW. I'm having some difficulties. I was hoping to get answers to the following questions.
1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?
2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?
%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry
3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why??
4) Is IPSec allowed to come in correctly?
class-map type inspect match-all VoIP
match access-group name VoIP
match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
match access-group name VoIP-OUT-TO-IN
class-map type inspect match-all SSH
match protocol ssh
match access-group name SSH
class-map type inspect match-all IPSEC
match access-group name IPSEC
class-map type inspect match-any SELF-OUT
match protocol icmp
match protocol dns --> currently removed
!
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect SELF-OUT
inspect
class class-default
pass
policy-map type inspect OUT-TO-IN-POLICY
class type inspect OUTSIDE-TO-IN-CLASS
pass
class class-default
drop log
policy-map type inspect IN-TO-OUT-POLICY
class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-SELF
class type inspect IPSEC
pass
class type inspect SSH
pass
class type inspect VoIP
pass
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
!
ip nat inside source list noNAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 Tunnel31
!
ip access-list extended IPSEC
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
ip access-list extended SSH
permit tcp any any eq 22
ip access-list extended VoIP
permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
permit udp any any eq 5060
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 131 permit gre host x.x.x.x host 64.x.x.x.x
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.3.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
route-map noNAT permit 41
match ip address 175
!
02-16-2014 02:06 AM
Hi,
1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?
Yes, according to your config below, UDP port 5060 is allowed from the OUTSIDE to the INSIDE zone.
ip access-list extended VoIP-OUT-TO-IN
permit udp any any eq 5060
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
match access-group name VoIP-OUT-TO-IN
policy-map type inspect OUT-TO-IN-POLICY
class type inspect OUTSIDE-TO-IN-CLASS
pass
and it is also allowed from OUTSIDE to the self zone.
ip access-list extended VoIP
permit udp any host 49.x.x.x eq 5060
class-map type inspect match-all VoIP
match access-group name VoIP
policy-map type inspect OUTSIDE-SELF
class type inspect VoIP
pass
2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?
%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry
Change the policy action to 'Pass' and let me know if that resolves the issue.
class-map type inspect match-any SELF-OUT
match protocol icmp
match protocol dns
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect SELF-OUT
pass
3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why??
a.) Does this issue happen with only a few computers (those in the 192.168.3.x network) or with all the computers behind the ZBFW?
b.) Please post the output of the 'sh ip nat trans' command.
4) Is IPSec allowed to come in correctly?
Yes, IPSec is allowed from OUTSIDE to the self zone. For more info, you can visit http://yadhutony.blogspot.in/2013/08/zone-based-firewall-advanced_4036.html or http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html
Let me know if you require any further clarification.
Best Regards,
Tony
http://yadhutony.blogspot.com
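The error in question 2 is raised because 'dns' is an application-layer protocol match, and a class applied with 'inspect' on a zone pair that includes self can only match Layer 4 protocols on classic IOS ZBFW (tcp, udp, icmp). The following is an added example, not taken from either post above: it keeps stateful inspection for router-originated DNS lookups and pings by matching udp and icmp (plus tcp, for DNS over TCP and other router-sourced TCP sessions) instead of 'dns'. The zone, class-map and policy-map names are the ones from the posted config; the Layer 4 self-zone limitation and the 'tcp' line are the assumptions being illustrated.

```cisco
! Added example (not part of the original posts). Assumes classic IOS ZBFW,
! where a self-zone class used with 'inspect' may only match tcp, udp and icmp.
! 'match protocol dns' is already removed from SELF-OUT in the posted config;
! DNS is covered here by the udp (and tcp) matches.
class-map type inspect match-any SELF-OUT
 match protocol icmp
 match protocol udp
 match protocol tcp
!
! The policy itself is unchanged from the posted config: inspect builds the
! session state so replies are allowed back on the OUTSIDE-SELF zone pair
! without a separate pass class there.
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-OUT
  inspect
 class class-default
  pass
!
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
```

If you follow the answer's suggestion and use 'pass' instead, keep in mind that pass is stateless: DNS responses and echo replies arrive on the OUTSIDE-SELF zone pair, whose class-default is 'drop log', so they would also need a matching pass class on that pair (for example an ACL permitting udp from port 53 to the router's outside address). With the inspect variant above, a test ping or DNS lookup sourced from the router should show up in 'show policy-map type inspect zone-pair SELF-TO-OUT sessions' while it is in progress.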