Zone Based firewall NAT issue Cisco 881

bob bob
Level 1

Can someone give me a hand understanding zone based firewalls? I attempted to make the IP address 10.2.22.231 available to the outside world using ports 80 and 443 on the external interface (4) public IP address. I can see hits on the access list and NAT entries but it's not getting through.

Here is the config.

crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-1
!
!
crypto pki certificate chain TP-self-signed-
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
ip port-map http port tcp 80 list 2
ip port-map https port tcp 444 list 1
!
parameter-map type inspect global
 log dropped-packets enable
!
class-map match-any VOIP
 match ip dscp cs3 ef
class-map type inspect match-all ccp-cls--1
 match access-group name ANY1
class-map type inspect match-all ccp-cls--3
 match access-group name ANY3
class-map type inspect match-all ccp-cls--2
 match access-group name ANY2
class-map type inspect match-any http
 match protocol http
class-map type inspect match-any DROP_OUTBOUND
 match protocol smtp
class-map type inspect match-any http-https
 match protocol http
 match protocol https
class-map type inspect match-all ccp-cls--4
 match class-map http-https
 match access-group name Security_system
class-map type inspect match-all ccp-cls-ccp-policy-ccp-cls--1-1
 match class-map http
 match access-group name http_to_alarm
!
policy-map type inspect ccp-policy-ccp-cls--4
 class type inspect ccp-cls--4
  pass
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls-ccp-policy-ccp-cls--1-1
  pass
 class type inspect DROP_OUTBOUND
  drop log
 class type inspect ccp-cls--1
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--2
 class type inspect ccp-cls--2
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--3
 class type inspect ccp-cls--3
  inspect
 class class-default
  drop
policy-map OUTBOUND
 class VOIP
  priority
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security sdm-zp-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-VPN-INSIDE source VPN destination INSIDE
 service-policy type inspect ccp-policy-ccp-cls--3
zone-pair security sdm-zp-INSIDE-VPN source INSIDE destination VPN
 service-policy type inspect ccp-policy-ccp-cls--2
zone-pair security sdm-zp-OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect ccp-policy-ccp-cls--4
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp
!
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile PROFILE01
 set security-association lifetime seconds 900
 set transform-set STRONG
!
interface Tunnel0
!
interface FastEthernet4
 description $FW_OUTSIDE$
 ip address dhcp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
 service-policy output OUTBOUND
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.2.22.253 255.255.255.0
 no ip redirects
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
ip nat inside source list 10 interface FastEthernet4 overload
ip nat inside source static tcp 10.2.22.231 80 interface FastEthernet4 80
ip nat inside source static tcp 10.2.22.231 443 interface FastEthernet4 443
!
ip access-list standard SUBNETS_TO_EIGRP
 permit 10.1.5.0 0.0.0.255
 permit 10.2.22.0 0.0.0.255
 permit 10.2.23.0 0.0.0.255
 deny any
!
ip access-list extended ANY1
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended ANY2
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended ANY3
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended Security_system
 remark CCP_ACL Category=128
 permit ip any host 10.2.22.231
ip access-list extended security_system
 remark CCP_ACL Category=2
 permit ip any host 10.2.22.231
!
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.2.22.231
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.2.22.231
access-list 10 permit 10.2.22.0 0.0.0.255
access-list 10 permit 10.2.23.0 0.0.0.255
access-list 12 permit 10.0.0.0 0.255.255.255
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 permit 172.16.0.0 0.15.255.255
!
end

Accepted Solution

Hello,

Right to the point

ip access-list extended Security_system
 remark CCP_ACL Category=128
 permit tcp any host 10.2.22.231 eq 80
 permit tcp any host 10.2.22.231 eq 443
class-map type inspect match-all ccp-cls--4
 no match class-map http-https
 match access-group name Security_system
policy-map type inspect ccp-policy-ccp-cls--4
 class type inspect ccp-cls--4
  no pass
  inspect

Do the changes and let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

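As an added example (not code from the thread or from Cisco), a small Python audit that checks an IOS config excerpt for the two things the accepted answer changes: an inbound ACE that is wider than the static NAT port forwards for the host, and a `pass` action where `inspect` is needed so return traffic is tracked. The BEFORE excerpt is constructed from the poster's config and AFTER from the fix above; the `audit` function and its regexes are the example's own.

```python
import re

# Constructed excerpts (not the full running-config from the thread): the poster's
# "before" state and the same lines after the accepted fix.
BEFORE = """\
ip nat inside source static tcp 10.2.22.231 80 interface FastEthernet4 80
ip nat inside source static tcp 10.2.22.231 443 interface FastEthernet4 443
ip access-list extended Security_system
 permit ip any host 10.2.22.231
policy-map type inspect ccp-policy-ccp-cls--4
 class type inspect ccp-cls--4
  pass
 class class-default
  drop
"""
AFTER = BEFORE.replace(" permit ip any host 10.2.22.231",
                       " permit tcp any host 10.2.22.231 eq 80\n permit tcp any host 10.2.22.231 eq 443"
                       ).replace("  pass", "  inspect")

NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
ACE_RE = re.compile(r"^\s+permit (\S+) any host (\S+)(?: eq (\d+))?$")
POLICY_RE = re.compile(r"^policy-map type inspect (\S+)$")
CLASS_RE = re.compile(r"^\s+class (?:type inspect )?(\S+)$")

def audit(config):
    """Flag inbound ACEs wider than the static NAT forwards, and 'pass' actions."""
    lines = config.splitlines()
    forwarded = {}                      # inside host -> {(proto, port), ...}
    for line in lines:
        if m := NAT_RE.match(line):
            forwarded.setdefault(m[2], set()).add((m[1], int(m[3])))
    findings, acl, policy, cls = [], None, None, None
    for line in lines:
        if not line.startswith(" "):    # a top-level command closes any sub-mode
            acl, policy, cls = None, None, None
            if m := ACL_RE.match(line):
                acl = m[1]
            elif m := POLICY_RE.match(line):
                policy = m[1]
        elif acl and (m := ACE_RE.match(line)):
            key = (m[1], int(m[3]) if m[3] else None)   # ("ip", None) for permit ip
            if m[2] in forwarded and key not in forwarded[m[2]]:
                findings.append(f"ACL {acl}: '{line.strip()}' is wider than the static "
                                f"NAT forwards for {m[2]}: {sorted(forwarded[m[2]])}")
        elif policy and (m := CLASS_RE.match(line)):
            cls = m[1]
        elif policy and cls and line.strip() == "pass":
            findings.append(f"policy-map {policy} class {cls}: 'pass' creates no session "
                            "state, so return traffic is not tracked; use 'inspect'")
    return findings
```

Running `audit(BEFORE)` reports both problems; `audit(AFTER)` reports none.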

3 Replies

bob bob
Level 1

sh access-lists

Standard IP access list 1
    10 permit 10.2.22.231
Standard IP access list 2
    10 permit 10.2.22.231 (218 matches)
Standard IP access list 10
    10 permit 10.2.22.0, wildcard bits 0.0.0.255 (6783 matches)
    20 permit 10.2.23.0, wildcard bits 0.0.0.255
Standard IP access list 12
    10 permit 10.0.0.0, wildcard bits 0.255.255.255 (22675 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255
    30 permit 172.16.0.0, wildcard bits 0.15.255.255
Standard IP access list SUBNETS_TO_EIGRP
    10 permit 10.1.5.0, wildcard bits 0.0.0.255 (10 matches)
    20 permit 10.2.22.0, wildcard bits 0.0.0.255 (15 matches)
    30 permit 10.2.23.0, wildcard bits 0.0.0.255 (10 matches)
    40 deny   any (5533 matches)
Extended IP access list ANY1
    10 permit ip any any (1 match)
Extended IP access list ANY2
    10 permit ip any any
Extended IP access list ANY3
    10 permit ip any any
Extended IP access list Security_system
    10 permit ip any host 10.2.22.231 (208 matches)
Extended IP access list security_system
    10 permit ip any host 10.2.22.231

Can anybody confirm that this is right, or am I way off?
