01-13-2021 02:08 AM
Hi Guys,
I have configured a Zone Based Firewall (ZBF) on an ASR1000 and it doesn't appear to be working. The traffic flow on my setup is as attached.
Our main objective from the ASR is as follows.
I am still in the testing stage and would like all the traffic generated from 172.18.2.0/24 & 172.18.3.0/24 to PASS through the ZBF and reach the internet – However this doesn’t seem to be working. Any idea why??
A network diagram of the setup is attached.
The ZBF Config is as follows.
zone security MOBILE_DATA
zone security VASILEFT3
zone security VASIRIGHT3
zone security UNTRUST
=============
ip access-list extended 199
 10 permit ip any any
class-map type inspect match-any MOBILE_DATA-TO-UNTRUST-CLASS
 match access-group 199
policy-map type inspect MOBILE_DATA-TO-UNTRUST-POLICY
 class type inspect MOBILE_DATA-TO-UNTRUST-CLASS
  inspect
 class class-default
  pass
=================
zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY
zone-pair security VASILEFT3_to_VASIRIGHT3 source VASILEFT3 destination VASIRIGHT3
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY
zone-pair security VASIRIGHT3_to_UNTRUST source VASIRIGHT3 destination UNTRUST
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY
==================
interface Port-channel1.1761
 encapsulation dot1Q 1761
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.0.23.4 255.255.255.254
 ip nat inside
 zone-member security MOBILE_DATA
end
interface vasileft3
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.1.1.9 255.255.255.252
 ip nat outside
 zone-member security VASILEFT3
 no keepalive
end
interface vasiright3
 vrf forwarding mobile_data_external
 ip address 10.1.1.10 255.255.255.252
 zone-member security VASIRIGHT3
 no keepalive
end
interface TenGigabitEthernet0/0/0
 description Uplink_to_Internet
 vrf forwarding FVRF
 ip address <Public IP>
 ip nat outside
 zone-member security UNTRUST
end
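An added audit script, not from the thread or from Cisco, that parses the ZBF lines of the config posted above and, for a flow modelled as (ingress interface, egress interface) hops through the box, checks that every inter-zone hop has a zone-pair with a service-policy and that the policy inspects (pass is stateless, so return traffic would need its own zone-pair). The abridged config and the hop list are assumptions; the check says nothing about NAT, VRF routing or the VASI pair itself.

```python
# Constructed from the ZBF lines of the config posted above (abridged, not verbatim).
ZBF_CONFIG = """
policy-map type inspect MOBILE_DATA-TO-UNTRUST-POLICY
 class type inspect MOBILE_DATA-TO-UNTRUST-CLASS
  inspect
zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY
zone-pair security VASIRIGHT3_to_UNTRUST source VASIRIGHT3 destination UNTRUST
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY
interface Port-channel1.1761
 zone-member security MOBILE_DATA
interface vasileft3
 zone-member security VASILEFT3
interface vasiright3
 zone-member security VASIRIGHT3
interface TenGigabitEthernet0/0/0
 zone-member security UNTRUST
"""

def parse_zbf(config):
    iface_zone, pairs, actions, ctx = {}, {}, {}, None  # ctx = current config block
    for s in (ln.strip() for ln in config.splitlines()):
        if s.startswith("interface "):
            ctx = ("if", s.split()[1])
        elif s.startswith("policy-map type inspect "):
            ctx = ("pm", s.split()[-1]); actions[ctx[1]] = set()
        elif s.startswith("zone-pair security "):  # ... NAME source SRC destination DST
            ctx = ("pair", (s.split()[4], s.split()[6])); pairs[ctx[1]] = None
        elif ctx and ctx[0] == "if" and s.startswith("zone-member security "):
            iface_zone[ctx[1]] = s.split()[-1]
        elif ctx and ctx[0] == "pair" and s.startswith("service-policy type inspect "):
            pairs[ctx[1]] = s.split()[-1]  # pair stays None if it has no policy
        elif ctx and ctx[0] == "pm" and s in ("inspect", "pass", "drop"):
            actions[ctx[1]].add(s)  # class actions seen in this policy-map
    return iface_zone, pairs, actions

def audit_hops(config, hops):
    """hops: [(ingress_iface, egress_iface), ...]; empty result = path is covered."""
    iface_zone, pairs, actions = parse_zbf(config)
    findings = []
    for ing, egr in hops:
        src, dst = iface_zone.get(ing), iface_zone.get(egr)
        if src is None or dst is None:
            findings.append(f"{ing}->{egr}: interface has no zone-member")
        elif src != dst and pairs.get((src, dst)) is None:  # intra-zone passes by default
            findings.append(f"{src}->{dst}: no zone-pair with service-policy, dropped")
        elif src != dst and "inspect" not in actions.get(pairs[src, dst], ()) \
                and pairs.get((dst, src)) is None:  # pass is stateless: returns need a pair
            findings.append(f"{src}->{dst}: not inspected and no {dst}->{src} pair for returns")
    return findings
```

For the posted path the hops are ("Port-channel1.1761", "vasileft3") and ("vasiright3", "TenGigabitEthernet0/0/0"); the script only finds zone-pair gaps, so an empty result points the troubleshooting at routing, VRF or NAT instead.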
01-13-2021 02:36 AM
02-03-2021 04:48 AM
I put TenGigabitEthernet0/0/0 and VasiRight3 in the same ZONE and the same VRF,
and just added the following policy.
zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
 service-policy type inspect MOBILE_DATA-TO-VASILEFT3-POLICY
Works like a charm!!!