Zone Based Firewall configuration question

abrrymnvette
Level 1

I'm trying to install an 871 router and having an issue with the zone based firewall. By default, it's denying SMTP port 25 but allowing me out to the internet.


The only way I'm able to get email to work and also get internet to work is to apply an ACL on the interfaces with a permit any any. I've never seen the ZBF until today, so I'm trying to read up on it and learn, but I have some questions.

Here's my setup.

Server hosts Exchange, DHCP, DNS, network files, and OMA/OWA. IP is 192.168.1.253

LAN is 192.168.1.0/24

871 Router is 192.168.1.250

Inside interface is VLAN1

Outside interface is Dialer0

Here's the current config right now. I'm not sure what I need to edit to allow HTTP, HTTPS, SMTP.

class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all out_to_in
 match access-group 103
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect out_to_in
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.1.250 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
!
!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.253
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.253
access-list 103 permit ip any any
access-list 110 remark inside_access_out
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
!
!

Any tips? I'm reading this article right now and trying to learn as fast as possible, but thought I'd post up hoping someone could give some guidance.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

When I set something to "inspect", does that allow it by default until it sees an issue, then drop the traffic?

FastEthernet0 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1 is up, line protocol is up
  Internet protocol processing disabled
FastEthernet2 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet3 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet4 is up, line protocol is up
  Internet protocol processing disabled
Vlan1 is up, line protocol is up
  Internet address is 192.168.1.250/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is 110

Loopback0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

NVI0 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback0 (10.1.1.1)
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

Dialer0 is up, line protocol is up
  Internet address is x.x.x.x/32
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

Virtual-Access1 is up, line protocol is up
  Peer address is x.x.x.x

  Dialer interface is Dialer0

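The question of what "inspect" does is easier to reason about with a model of how a ZBF policy is evaluated. The Python below is an added example written for this page; it is not Cisco code and not something posted in the thread. It parses the subset of the posted configuration it needs (class-maps, policy-maps, zone-pairs, numbered access-lists) and reports which class and action a given flow would hit. It assumes the documented ZBF evaluation rules: an inspected flow is allowed and tracked statefully so its return traffic is admitted; classes are tried in policy-map order and the first match wins; class-default with no action drops; traffic within one zone, or to or from the router's self zone, is allowed when no zone-pair policy covers it, while traffic between two other zones with no zone-pair is dropped. The flow model (an application name plus a transport, with "match protocol tcp" or "udp" matching the transport), the abridged sample config and the sample addresses are constructed simplifications.

```python
"""Added example, not Cisco's code: a toy evaluator for the IOS zone-based
firewall (ZBF) config subset used in the post above."""
import ipaddress
import re
# Constructed sample, abridged from the poster's policy (WebVPN, voice, ICMP
# and the HTTP NAT class are left out for brevity).
SAMPLE_CONFIG = """
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 102
 match protocol smtp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol smtp extended
 match protocol tcp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all out_to_in
 match access-group 103
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect out_to_in
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect
 class class-default
  pass
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any host 192.168.1.253
access-list 103 permit ip any any
"""

def parse(text):
    cfg = {"cmaps": {}, "pmaps": {}, "pairs": {}, "acls": {}}
    cur = None
    for line in filter(None, map(str.strip, text.splitlines())):
        words = line.split()
        if m := re.match(r"class-map type inspect (match-\w+) (\S+)", line):
            cur = cfg["cmaps"][m[2]] = {"mode": m[1], "matches": []}
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            cur = cfg["pmaps"][m[1]] = []          # ordered [class, action] pairs
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            cur = cfg["pairs"][(m[1], m[2])] = []  # receives the service-policy name
        elif m := re.match(r"access-list (\d+) permit ip (.+)", line):
            cfg["acls"].setdefault(m[1], []).append(m[2].split())
        elif words[0] == "match":
            cur["matches"].append(tuple(words[1:3]))  # ("protocol", "smtp"), ("access-group", "103"), ...
        elif words[0] == "class":
            cur.append([words[-1], None])             # class name, action not yet seen
        elif words[0] == "service-policy":
            cur.append(words[-1])
        elif words[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = words[0]
    return cfg

def _addr_match(tokens, ip):
    kind = tokens.pop(0)  # one ACL address spec: any | host A | A WILDCARD
    if kind in ("any", "host"):
        return kind == "any" or ip == tokens.pop(0)
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))  # wildcard 1-bits are don't-care
    return int(ipaddress.IPv4Address(ip)) & keep == int(ipaddress.IPv4Address(kind)) & keep

def acl_permits(cfg, number, src, dst):
    """First matching permit entry wins; no match is the implicit deny."""
    for entry in cfg["acls"].get(number, []):
        tokens = list(entry)
        if _addr_match(tokens, src) and _addr_match(tokens, dst):
            return True
    return False

def class_matches(cfg, name, flow):
    """match-all needs every match line to hit, match-any needs one."""
    cm = cfg["cmaps"][name]
    hits = [arg in (flow["app"], flow["l4"]) if kind == "protocol"   # tcp/udp hit the transport
            else acl_permits(cfg, arg, flow["src"], flow["dst"]) if kind == "access-group"
            else class_matches(cfg, arg, flow)                       # match class-map (nested)
            for kind, arg in cm["matches"]]
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def evaluate(cfg, src_zone, dst_zone, src, dst, app, l4="tcp"):
    """Return (matched class, action) for one flow; first matching class wins."""
    flow = {"src": src, "dst": dst, "app": app, "l4": l4}
    policy = cfg["pairs"].get((src_zone, dst_zone))
    if not policy:  # same zone or the self zone is open by default; other pairs deny
        is_open = src_zone == dst_zone or "self" in (src_zone, dst_zone)
        return ("no-zone-pair", "pass" if is_open else "drop")
    for cls, action in cfg["pmaps"][policy[0]]:
        if cls == "class-default" or class_matches(cfg, cls, flow):
            return (cls, action or "drop")  # class-default with no action drops
    return ("class-default", "drop")

def tightened_config():
    """Same policy without the catch-all out_to_in class (ACL 103 = permit ip any any)."""
    return SAMPLE_CONFIG.replace(" class type inspect out_to_in\n  inspect\n", "")
```

Evaluating the outside-to-inside policy shows the point worth checking in the posted config: an SMTP flow to 192.168.1.253 is admitted by sdm-nat-smtp-1 as intended, but a flow on any other port to any inside host is admitted by out_to_in, because that class matches only access-list 103 (permit ip any any) and is set to inspect. tightened_config() removes that class; against it, the same unintended flow falls through to class-default and is dropped, while the SMTP flow is still inspected. In the inside-to-outside direction the model also shows the drop for a 127.0.0.0/8 source (sdm-invalid-src) and the pass that class-default applies to anything sdm-cls-insp-traffic does not match.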
15 Replies

abrrymnvette
Level 1

I'm a moron, it was my local firewall blocking my access. I had it set up right all along. Thanks for the help guys!
