Zone Based Firewall - ASR 1000 IOS XE

kasunrajapakse
Level 1

Hi Guys,

I have configured a Zone Based Firewall (ZBF) on an ASR1000 and it doesn't appear to be working. The traffic flow on my setup is as attached.


Our main objectives for the ASR are as follows.

  • NAT 172.18.2.0/24 & 172.18.3.0/24 using a NAT pool and send the traffic to the internet.
  • Implement a Zone Based Firewall and inspect traffic.


I am still in the testing stage and would like all the traffic generated from 172.18.2.0/24 & 172.18.3.0/24 to PASS through the ZBF and reach the internet. However, this doesn't seem to be working. Any idea why?


A network diagram of the setup is attached.
The ZBF config is as follows.

! Four security zones. Traffic between an interface in a zone and an interface in no zone is dropped.
zone security MOBILE_DATA
zone security VASILEFT3
zone security VASIRIGHT3
zone security UNTRUST

=============

! ACL 199 matches every IP packet, so class-default in the policy below is never reached.
ip access-list extended 199
 10 permit ip any any

class-map type inspect match-any MOBILE_DATA-TO-UNTRUST-CLASS
 match access-group 199

! inspect = stateful: return traffic of an inspected session is allowed back automatically.
! pass = stateless: return traffic would need its own zone-pair and policy.
policy-map type inspect MOBILE_DATA-TO-UNTRUST-POLICY
 class type inspect MOBILE_DATA-TO-UNTRUST-CLASS
  inspect
 class class-default
  pass

=================

! Zone-pairs are unidirectional. The same policy is applied to each hop of the path
! MOBILE_DATA -> VASILEFT3 -> VASIRIGHT3 -> UNTRUST.
zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY

zone-pair security VASILEFT3_to_VASIRIGHT3 source VASILEFT3 destination VASIRIGHT3
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY

zone-pair security VASIRIGHT3_to_UNTRUST source VASIRIGHT3 destination UNTRUST
 service-policy type inspect MOBILE_DATA-TO-UNTRUST-POLICY

==================

! Inside interface: NAT inside, zone MOBILE_DATA, VRF vrf_sgi_mobile_data.
interface Port-channel1.1761
 encapsulation dot1Q 1761
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.0.23.4 255.255.255.254
 ip nat inside
 zone-member security MOBILE_DATA
end

! vasileft3/vasiright3 are a VASI pair: a packet leaving vasileft3 in vrf_sgi_mobile_data
! arrives on vasiright3 in mobile_data_external. NAT outside is on vasileft3, so the
! translation happens before the VRF crossing.
interface vasileft3
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.1.1.9 255.255.255.252
 ip nat outside
 zone-member security VASILEFT3
 no keepalive
end

interface vasiright3
 vrf forwarding mobile_data_external
 ip address 10.1.1.10 255.255.255.252
 zone-member security VASIRIGHT3
 no keepalive
end

! Internet uplink in a third VRF (FVRF), also marked NAT outside.
interface TenGigabitEthernet0/0/0
 description Uplink_to_Internet
 vrf forwarding FVRF
 ip address <Public IP>
 ip nat outside
 zone-member security UNTRUST
end

2 Replies

Hi,

Even though it's the same policy-map, don't apply it to multiple zone-pairs. Try
to keep it on one zone-pair only and see if it works (I faced problems with
this). If not, perform a packet trace on IOS-XE and see where the packets are
getting dropped.

You might need a zone-pair for the self zone as you are NATting the traffic, i.e.
it will be initiated using a local IP. But you can confirm this with traces.

IOS-XE Trace
*************************

clear platform condition all
! Filter on the address of interest (e.g. an inside host); the direction can be ingress, egress or both
debug platform condition ipv4 x.x.x.x/32 both
debug platform packet-trace enable
debug platform packet-trace statistics
! Buffer 256 packets with a per-feature (FIA) trace so the feature that drops a packet is named
debug platform packet-trace packet 256 fia-trace
debug platform condition start

Then after you initiate traffic check using

! Stop the capture before reading the buffer so it is not overwritten while you look
debug platform condition stop
show platform packet-trace summary
show platform packet-trace packet all


kasunrajapakse
Level 1



I put TenGigabitEthernet0/0/0 and VasiRight3 in the same zone and the same VRF
and just added the following policy.


zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
service-policy type inspect MOBILE_DATA-TO-VASILEFT3-POLICY

Works like a charm !!!
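Pulling the fix from the post above together into one configuration, as an added example rather than the poster's own config: vasiright3 and TenGigabitEthernet0/0/0 share a zone and a VRF, and a single zone-pair from MOBILE_DATA to VASILEFT3 carries an inspect policy. Assumptions the thread does not state: the merged VRF is mobile_data_external, the policy-map MOBILE_DATA-TO-VASILEFT3-POLICY (referenced but never shown) has the same body as MOBILE_DATA-TO-UNTRUST-POLICY, and the verification commands at the end are what I would run, not what the poster ran. Two ZBF behaviours matter with this layout: traffic between two interfaces in the same zone is forwarded without inspection, and a zone-pair is one-directional, so sessions inspected on MOBILE_DATA -> VASILEFT3 get their return traffic through while anything initiated from the internet side toward MOBILE_DATA is dropped because there is no reverse zone-pair.

```cisco
! Added example: consolidated ZBF/NAT config reflecting the fix in the thread.
! Assumed: vasiright3 and Te0/0/0 both live in VRF mobile_data_external (the thread does not say which VRF).
zone security MOBILE_DATA
zone security VASILEFT3
zone security UNTRUST
!
ip access-list extended 199
 10 permit ip any any
!
class-map type inspect match-any MOBILE_DATA-TO-VASILEFT3-CLASS
 match access-group 199
!
! Assumed body: same as the original MOBILE_DATA-TO-UNTRUST-POLICY.
! class-default is unreachable because ACL 199 matches everything; kept as the original had it.
policy-map type inspect MOBILE_DATA-TO-VASILEFT3-POLICY
 class type inspect MOBILE_DATA-TO-VASILEFT3-CLASS
  inspect
 class class-default
  pass
!
! The only zone-pair. Inspected sessions get their return traffic back automatically;
! there is no VASILEFT3 -> MOBILE_DATA pair, so nothing can be initiated inward.
zone-pair security MOBILE_DATA_to_VASILEFT3 source MOBILE_DATA destination VASILEFT3
 service-policy type inspect MOBILE_DATA-TO-VASILEFT3-POLICY
!
interface Port-channel1.1761
 encapsulation dot1Q 1761
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.0.23.4 255.255.255.254
 ip nat inside
 zone-member security MOBILE_DATA
!
! NAT outside on the VASI side, so translation happens before the VRF crossing.
interface vasileft3
 vrf forwarding vrf_sgi_mobile_data
 ip address 10.1.1.9 255.255.255.252
 ip nat outside
 zone-member security VASILEFT3
 no keepalive
!
! vasiright3 and the uplink share zone UNTRUST, so traffic between them is
! forwarded without inspection (same-zone traffic is permitted by default).
interface vasiright3
 vrf forwarding mobile_data_external
 ip address 10.1.1.10 255.255.255.252
 zone-member security UNTRUST
 no keepalive
!
interface TenGigabitEthernet0/0/0
 description Uplink_to_Internet
 vrf forwarding mobile_data_external
 ip address <Public IP>
 ip nat outside
 zone-member security UNTRUST
!
! Checks (exec mode) once a client in 172.18.2.0/24 sends traffic:
! show zone-pair security
! show policy-map type inspect zone-pair MOBILE_DATA_to_VASILEFT3 sessions
! show ip nat translations vrf vrf_sgi_mobile_data
```

The sessions command should list one entry per inspected flow with the inside host as initiator; an empty table while the client is sending means traffic is not reaching the zone-pair at all, which is the point at which the packet trace from the first reply is worth running.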
