04-25-2013 06:16 AM - edited 03-11-2019 06:34 PM
Can someone give me a hand understanding zone-based firewalls? I attempted to make the IP address 10.2.22.231 available to the outside world using ports 80 and 443 on the external interface (4) public IP address. I can see hits on the access list and NAT entries but it's not getting through.
Here is the config.
crypto pki trustpoint TP-self-signed
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-1
!
!
crypto pki certificate chain TP-self-signed-
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip port-map http port tcp 80 list 2
ip port-map https port tcp 444 list 1
!
parameter-map type inspect global
log dropped-packets enable
!
class-map match-any VOIP
match ip dscp cs3 ef
class-map type inspect match-all ccp-cls--1
match access-group name ANY1
class-map type inspect match-all ccp-cls--3
match access-group name ANY3
class-map type inspect match-all ccp-cls--2
match access-group name ANY2
class-map type inspect match-any http
match protocol http
class-map type inspect match-any DROP_OUTBOUND
match protocol smtp
class-map type inspect match-any http-https
match protocol http
match protocol https
class-map type inspect match-all ccp-cls--4
match class-map http-https
match access-group name Security_system
class-map type inspect match-all ccp-cls-ccp-policy-ccp-cls--1-1
match class-map http
match access-group name http_to_alarm
!
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
pass
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--1
class type inspect ccp-cls-ccp-policy-ccp-cls--1-1
pass
class type inspect DROP_OUTBOUND
drop log
class type inspect ccp-cls--1
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--2
class type inspect ccp-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-policy-ccp-cls--3
class type inspect ccp-cls--3
inspect
class class-default
drop
policy-map OUTBOUND
class VOIP
priority
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security sdm-zp-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-VPN-INSIDE source VPN destination INSIDE
service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-INSIDE-VPN source INSIDE destination VPN
service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
service-policy type inspect ccp-policy-ccp-cls--4
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp
!
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile PROFILE01
set security-association lifetime seconds 900
set transform-set STRONG
!
interface Tunnel0
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
service-policy output OUTBOUND
!
interface Vlan1
description $FW_INSIDE$
ip address 10.2.22.253 255.255.255.0
no ip redirects
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
ip nat inside source list 10 interface FastEthernet4 overload
ip nat inside source static tcp 10.2.22.231 80 interface FastEthernet4 80
ip nat inside source static tcp 10.2.22.231 443 interface FastEthernet4 443
!
ip access-list standard SUBNETS_TO_EIGRP
permit 10.1.5.0 0.0.0.255
permit 10.2.22.0 0.0.0.255
permit 10.2.23.0 0.0.0.255
deny any
!
ip access-list extended ANY1
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ANY2
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ANY3
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Security_system
remark CCP_ACL Category=128
permit ip any host 10.2.22.231
ip access-list extended security_system
remark CCP_ACL Category=2
permit ip any host 10.2.22.231
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.2.22.231
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.2.22.231
access-list 10 permit 10.2.22.0 0.0.0.255
access-list 10 permit 10.2.23.0 0.0.0.255
access-list 12 permit 10.0.0.0 0.255.255.255
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 permit 172.16.0.0 0.15.255.255
!
end
04-25-2013 06:44 AM
sh access-lists
Standard IP access list 1
10 permit 10.2.22.231
Standard IP access list 2
10 permit 10.2.22.231 (218 matches)
Standard IP access list 10
10 permit 10.2.22.0, wildcard bits 0.0.0.255 (6783 matches)
20 permit 10.2.23.0, wildcard bits 0.0.0.255
Standard IP access list 12
10 permit 10.0.0.0, wildcard bits 0.255.255.255 (22675 matches)
20 permit 192.168.0.0, wildcard bits 0.0.255.255
30 permit 172.16.0.0, wildcard bits 0.15.255.255
Standard IP access list SUBNETS_TO_EIGRP
10 permit 10.1.5.0, wildcard bits 0.0.0.255 (10 matches)
20 permit 10.2.22.0, wildcard bits 0.0.0.255 (15 matches)
30 permit 10.2.23.0, wildcard bits 0.0.0.255 (10 matches)
40 deny any (5533 matches)
Extended IP access list ANY1
10 permit ip any any (1 match)
Extended IP access list ANY2
10 permit ip any any
Extended IP access list ANY3
10 permit ip any any
Extended IP access list Security_system
10 permit ip any host 10.2.22.231 (208 matches)
Extended IP access list security_system
10 permit ip any host 10.2.22.231
04-25-2013 12:52 PM
Anybody confirm that this is right, or am I way off?
04-25-2013 09:26 PM
Hello,
Right to the point
ip access-list extended Security_system
remark CCP_ACL Category=128
permit tcp any host 10.2.22.231 eq 80
permit tcp any host 10.2.22.231 eq 443
class-map type inspect match-all ccp-cls--4
no match class-map http-https
match access-group name Security_system
policy-map type inspect ccp-policy-ccp-cls--4
class type inspect ccp-cls--4
no pass
inspect
Do the changes and let me know
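As an added example (not from the thread or from Cisco), a small Python check that encodes the two points in the answer above: a class on the OUTSIDE-to-INSIDE zone-pair that uses "pass" instead of "inspect", and a class ACL that permits "ip any" to the host rather than TCP 80/443. The input is a constructed fragment of the poster's config with the indentation that the forum post lost; the function names are my own.

```python
"""Added audit of a Cisco IOS zone-based firewall config for the two problems the accepted
answer fixes: a 'pass' action on a zone-pair class, and a class ACL permitting 'ip any' to the
host instead of TCP 80/443. ORIGINAL is a constructed copy of the poster's OUTSIDE->INSIDE
fragment, with the indentation that 'show running-config' prints and the forum post lost."""
from collections import defaultdict
ORIGINAL = """\
class-map type inspect match-all ccp-cls--4
 match class-map http-https
 match access-group name Security_system
policy-map type inspect ccp-policy-ccp-cls--4
 class type inspect ccp-cls--4
  pass
 class class-default
  drop
zone-pair security sdm-zp-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect ccp-policy-ccp-cls--4
ip access-list extended Security_system
 permit ip any host 10.2.22.231
"""
# The same fragment with the accepted answer's three changes applied.
FIXED = (ORIGINAL.replace(" match class-map http-https\n", "")
         .replace("  pass\n", "  inspect\n")
         .replace(" permit ip any host 10.2.22.231\n",
                  " permit tcp any host 10.2.22.231 eq 80\n permit tcp any host 10.2.22.231 eq 443\n"))
def parse_ios(text):
    """Map each top-level command to the stripped lines indented beneath it."""
    blocks, current = defaultdict(list), None
    for line in filter(str.strip, text.splitlines()):
        if line[0] == " " and current:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks
def audit_zone_pair(config, zone_pair):
    """Return findings for the inspect policy-map applied to one zone-pair."""
    blocks, findings, cls = parse_ios(config), [], None
    zp = next(k for k in blocks if k.startswith(f"zone-pair security {zone_pair} "))
    policy = next(l.split()[-1] for l in blocks[zp] if l.startswith("service-policy"))
    for line in blocks[f"policy-map type inspect {policy}"]:
        words = line.split()
        if words[:3] == ["class", "type", "inspect"]:
            cls = words[3]
            cm = next(k for k in blocks if k.startswith("class-map type inspect") and k.endswith(" " + cls))
            acls = [m.split()[-1] for m in blocks[cm] if m.startswith("match access-group name ")]
            for ace in [a for acl in acls for a in blocks.get(f"ip access-list extended {acl}", [])]:
                if ace.startswith("permit ip any host "):
                    findings.append(f"{cls}: '{ace}' admits every IP protocol; use 'permit tcp ... eq <port>'")
        elif words[0] == "class": cls = None  # 'class class-default' ends the named class
        elif words[0] == "pass" and cls:  # stateless: replies need their own rule on the reverse pair
            findings.append(f"{cls}: 'pass' on {zone_pair}; change it to 'inspect' so replies are tracked")
    return findings
```

Run against ORIGINAL it reports both problems; against FIXED it reports nothing, which is the state the answer's changes leave the router in.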