Zone Based Firewall configuration question

abrrymnvette
Level 1

I'm trying to install an 871 router and having an issue with the zone-based firewall. By default, it's denying SMTP port 25 but allowing me out to the internet.

The only way I'm able to get email to work and also get internet to work is to apply an ACL on the interfaces with a permit any any. I've never seen the ZBF until today, so I'm trying to read up on it and learn, but I have some questions.

Here's my setup.

Server hosts Exchange, DHCP, DNS, network files, and OMA/OWA. IP is 192.168.1.253

LAN is 192.168.1.0/24

871 Router is 192.168.1.250

Inside interface is VLAN1

Outside interface is Dialer0

Here's the current config right now. I'm not sure what I need to edit to allow HTTP, HTTPS and SMTP.

class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all out_to_in
match access-group 103
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect out_to_in
  inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect SDM_WEBVPN_TRAFFIC
  inspect
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!

interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.250 255.255.255.0
ip access-group 110 in
ip nat inside
ip virtual-reassembly
zone-member security in-zone

!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1

!

!
access-list 1 remark SDM_ACL Category=18
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.253
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.253
access-list 103 permit ip any any
access-list 110 remark inside_access_out
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
!
!

Any tips? I'm reading this article right now and trying to learn as fast as possible, but thought I'd post up hoping someone could give some guidance.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

When I set something to "inspect", does that allow it by default until it sees an issue, then drop the traffic?

FastEthernet0 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet1 is up, line protocol is up
  Internet protocol processing disabled
FastEthernet2 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet3 is up, line protocol is down
  Internet protocol processing disabled
FastEthernet4 is up, line protocol is up
  Internet protocol processing disabled
Vlan1 is up, line protocol is up
  Internet address is 192.168.1.250/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is 110

Loopback0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

NVI0 is up, line protocol is up
  Interface is unnumbered. Using address of Loopback0 (10.1.1.1)
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

Dialer0 is up, line protocol is up
  Internet address is x.x.x.x/32
  Broadcast address is 255.255.255.255
  Outgoing access list is not set
  Inbound  access list is not set

Virtual-Access1 is up, line protocol is up
  Peer address is x.x.x.x

  Dialer interface is Dialer0

1 Accepted Solution
15 Replies

cadet alain
VIP Alumni

In your ZBF config you are inspecting HTTP and SMTP traffic destined for the IP address of your server, which is private.

I suppose you have a static NAT to enable access to your server from outside. If so, then in your ZBF you must permit the NATted public IP address in your class-maps.

Regards.

Don't forget to rate helpful posts.

I do have NAT done.

ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.253 25 134.43.23.11 25 extendable
ip nat inside source static tcp 192.168.1.253 80 134.43.23.11  80 extendable
ip nat inside source static tcp 192.168.1.253 443 134.43.23.11  443 extendable
ip nat inside source static 192.168.1.253 134.43.23.11  extendable
ip nat inside source static tcp 192.168.1.250 22 134.43.23.12 22 extendable

Hello,

There is a command that can tell you which part of the config is dropping the packet (if dropped by the ZBF). Would you please go to enable mode and do the following?

ip inspect log drop-pkt

do term mon

Try to send and/or receive mail; we will be able to see the zone-based firewall dropping the sessions. After this we can go two ways: one would be configuring just inspection of general TCP for this traffic, the other would be correcting the problem in the config (if any).

Cheers

Mike

OK, so as you've got static NAT, then in your ACLs 101 and 102 replace 192.168.1.253 by 134.43.xx.xx, which is your public IP.

Regards.

Don't forget to rate helpful posts.

Thanks for the tip on the logging. I turned that on and tried to send/receive emails. I saw this in the log:


Apr 20 14:27:26.735: %FW-6-DROP_PKT: Dropping Other session 166.137.143.92:8562 192.168.1.253:443 on zone-pair sdm-zp-NATOutsideToInside-1 class class-default due to  policy match failure with ip ident 23252 tcpflags 0x7002 seq.no 2651868498 ack 0

Once I saw that I noticed I needed to add https to the class map.

So, I added this:

class type inspect sdm-nat-https-1
  inspect

And I added that class type to the already existing policy map, and it looks like this now:

policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect out_to_in
  inspect
class type inspect sdm-nat-https-1
  inspect
class class-default

I then did a copy run start and reloaded. After that I was able to send and receive email, OWA is working and internet is working. The only thing that I don't like is that it looks like the IP 192.168.1.253 is open to everything on the internet? Am I reading that right? Basically the only things that should be open are DNS (53), HTTP (80), which redirects to HTTPS (443), and SMTP (25). We don't run a company website, only OWA.

Hello,

Not really. The first class map says that it needs to match everything that is on it. Currently it has an HTTP class map and the ACL 101, so the packet would need to come from anyone in HTTP; if the packet comes from anyone on another port, it will not match that class map and will go down the list until it finds a match. That's why HTTPS was getting dropped: at the moment you added the new class map it did not hit the first, went to the bottom and then matched the last class map, which only had the inspection for HTTPS.

If you have any doubts please let me know.

Cheers.

Mike
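To make the drop log and Mike's explanation concrete, here is a small Python model of the ZBF classification logic for the outside-to-inside policy, added here as an example; it is not Cisco code and not from anyone in this thread. It parses the %FW-6-DROP_PKT line quoted above, then walks the policy-map the way Mike describes: a match-all class-map needs every criterion (the ACL and the protocol) to be true, classes are tried top to bottom, and class-default drops. The sdm-nat-https-1 class-map is assumed to mirror sdm-nat-http-1 (ACL 101 plus protocol https), since the post only shows the policy-map entry. The ACL-only out_to_in class is left out on purpose: the thread's own log shows the HTTPS session reaching class-default despite it, and this toy model does not try to explain that. The port-to-protocol table and the second ACL variant are constructed for the example.

```python
"""Toy model of IOS zone-based firewall classification (added example, not Cisco code).

Models only: 'match-all' / 'match-any' class-maps, 'match access-group' against a
numbered ACL, 'match protocol', and first-match traversal of a policy-map whose
class-default drops (the thread's outside-to-inside policy).
"""
import ipaddress
import re

# Constructed ACL table built from the thread's config: entries are (action, src, dst).
# Note the destination is the server's real (inside) address, which is what the ZBF
# sees for outside-to-inside traffic after static NAT, as Mike's "Real IP" point says.
ACLS = {
    101: [("permit", "0.0.0.0/0", "192.168.1.253/32")],
    102: [("permit", "0.0.0.0/0", "192.168.1.253/32")],
}

# Class-maps as (mode, [criteria]); a criterion is ("acl", number) or ("proto", name).
CLASS_MAPS = {
    "sdm-nat-http-1": ("match-all", [("acl", 101), ("proto", "http")]),
    "sdm-nat-smtp-1": ("match-all", [("acl", 102), ("proto", "smtp")]),
    # Assumed shape of the class the OP added after reading the drop log.
    "sdm-nat-https-1": ("match-all", [("acl", 101), ("proto", "https")]),
}

# The policy-map before and after the OP added the https class (class-default drops).
POLICY_BEFORE = {"classes": [("sdm-nat-http-1", "inspect"), ("sdm-nat-smtp-1", "inspect")]}
POLICY_AFTER = {"classes": POLICY_BEFORE["classes"] + [("sdm-nat-https-1", "inspect")]}

# Constructed mapping from destination port to the ZBF protocol name.
PORT_TO_PROTO = {25: "smtp", 80: "http", 443: "https"}

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<kind>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)")

# The drop line the OP posted, used here as sample input.
SAMPLE_LOG = ("Apr 20 14:27:26.735: %FW-6-DROP_PKT: Dropping Other session "
              "166.137.143.92:8562 192.168.1.253:443 on zone-pair "
              "sdm-zp-NATOutsideToInside-1 class class-default due to  policy match "
              "failure with ip ident 23252 tcpflags 0x7002 seq.no 2651868498 ack 0")


def parse_drop(line):
    """Pull the 5-tuple, zone-pair and matched class out of a %FW-6-DROP_PKT line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["proto"] = PORT_TO_PROTO.get(d["dport"], "other")
    return d


def acl_permits(acl_id, src, dst, acls=ACLS):
    """An ACL used by 'match access-group' matches only on a permit entry;
    a deny entry, or no entry at all, means the class-map criterion is false."""
    for action, s, d in acls.get(acl_id, []):
        if (ipaddress.ip_address(src) in ipaddress.ip_network(s)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(d)):
            return action == "permit"
    return False


def class_matches(name, pkt, acls=ACLS):
    """match-all needs every criterion true; match-any needs at least one."""
    mode, criteria = CLASS_MAPS[name]
    results = [acl_permits(v, pkt["src"], pkt["dst"], acls) if k == "acl"
               else pkt["proto"] == v for k, v in criteria]
    return all(results) if mode == "match-all" else any(results)


def classify(policy, pkt, acls=ACLS):
    """First matching class wins; fall through to class-default (drop by default)."""
    for name, action in policy["classes"]:
        if class_matches(name, pkt, acls):
            return name, action
    return "class-default", policy.get("default", "drop")


def explain(line, policy, acls=ACLS):
    """Classify the packet described by a drop-log line under a given policy."""
    d = parse_drop(line)
    return classify(policy, {"src": d["src"], "dst": d["dst"], "proto": d["proto"]}, acls)


if __name__ == "__main__":
    print(parse_drop(SAMPLE_LOG))
    print("before:", explain(SAMPLE_LOG, POLICY_BEFORE))  # class-default, drop
    print("after: ", explain(SAMPLE_LOG, POLICY_AFTER))   # sdm-nat-https-1, inspect
```

Passing a different ACL table to `classify` shows the other point raised in the thread: if ACL 101 named the public address instead of 192.168.1.253, the logged packet (whose destination is the inside address) would no longer satisfy the match-all class-map and would fall to class-default again.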

Mike,

class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http

access-list 101 permit ip any host 192.168.1.253

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1

policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect out_to_in
  inspect
class class-default

policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect

zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect

People trying to gain access to inside web services from outside will have the public IP address as destination, no?

If so, then the explicit permit in ACL 101 is not matched, and so class-map sdm-nat-http-1 is not matched either because it is a match-all class-map.

So the traffic will be classified as class-default, correct?

What is the class-default action in the policy? If it's a pass, then that traffic is permitted from out to in and the destination IP address is NATted back to the private IP address, correct?

Then we need to have a service-policy from in to out which permits HTTP, which is the case, correct?

If the class-default action was inspect, there was no need for a service-policy in-to-out, correct?

And if class-default was drop, then there was no communication.

So my question is how was it not working before and now it's OK, if he didn't change the ACLs referenced in the class-maps but just added a class-map for HTTPS.

Was he only trying HTTPS before?

Don't forget to rate helpful posts.

Hello,

Yup, seems like it was only trying HTTPS. If I am not mistaken, OWA uses SSL to protect the communication between the host and the client. I totally understand your question... You must be thinking... well, if OWA says to me open 80, 443 and 25, why was it only trying 443? The answer (and this is a personal opinion) is that the first contact that you do for authentication to the OWA server is on port 443. If this authentication is not successful, then the other ports are not needed.

The default action of every class-default is drop, except for the one that goes to the self zone.

Hope it makes sense.

Cheers

Mike

So, when I add ACLs, do I want the destinations to be my private IP or the public NATted IP?

Also, say I want to block 192.168.53.0/24 from getting out of the network. So I would put an ACL inbound on the VLAN1 interface. But if I do that, it doesn't seem to have any effect. Do I have to do it with a zone policy basically?

What I tried was:

access-list 125 deny IP 192.168.53.0 0.0.0.255 any

Then I did the following:

conf t

interface vlan1

ip access-class 125 in

But it didn't seem to have any effect.

Hello,

When using the zone-based firewall, you will use the private IP address instead of the public one. This feature is called "Real IP address". It has also been added to the ASA in version 8.3. Regarding your question, as per the documentation in the zone-based firewall design guide, ACLs and zone-based firewall should not be applied at the same time.

Regarding your concern, yes, you will need to block this network using the zone-based firewall. There are several ways that you can achieve this, but I see one that seems to be the easiest.

You already have a class map called invalid source. It is matching an ACL with several IP addresses that are not meant to come as source address in a packet. The action of this class map is drop. If you add lines to ACL 100 (which is the one that is being matched to drop packets), the packets will be dropped.

By simply adding this line

access-list 100 deny IP 192.168.53.0 0.0.0.255 any

that network should be blocked.

Please try it and let me know.

Thank you.

Mike

Thanks for all the help and it's helping tons. Issue resolved.

cadet alain
VIP Alumni

hi,

By default all traffic to or from your router interfaces (or self zone from a ZBF standpoint) is permitted, so there is no need to add a service-policy unless you want to deny some traffic.

So I would get rid of these config lines you added in your zone-based firewall.

Regards.

Don't forget to rate helpful posts.

But that's what I'm trying to do. I'm trying to block SSH access from everything but my one IP.

Then you can try applying an ACL permitting only your IP as an inbound access-class to your vty line.

If it's compatible with ZBF, give it a try.

Don't forget to rate helpful posts.