09-29-2011 11:35 PM - edited 03-11-2019 02:32 PM
Hi, I'm trying to set up a zone-based firewall. I can't seem to work out what is going wrong. I have added the class maps, policy map, extended ACLs, and have defined the zones and added the zones to the interfaces. Can anyone see why this wouldn't be working? This is the first time I've configured this type of firewall. I've applied zone-member security outside to the Dialer3 interface as well as ip nat outside. It was working before with NAT. It only stopped working when I started applying the zone-based firewall configuration, so I know it's incorrect somewhere. It doesn't seem to be matching the access-list I've created when I ping from 10.1.1.11. The routers are also running BGP, which is working fine. The 10.1.1.11 - 10.1.1.16 range is being NATed to a public address. What I'm trying to do is permit ICMP outbound from the 10.1.1.11 addresses and restrict everything else outbound. Inbound, I'm trying to permit hosts to the HTTP server, which can be accessed on 10.1.1.12, and also telnet, but only to that address, if that makes sense. I've provided some of my configuration below.
class-map type inspect match-all outbound
 match protocol icmp
 match access-group name inside>outside
class-map type inspect match-all inbound
 match protocol http
 match protocol telnet
 match access-group name outside>inside
!
!
policy-map type inspect ZONEINSIDE
 class type inspect inbound
  inspect
 class class-default
policy-map type inspect ZONEOUTSIDE
 class type inspect outbound
  inspect
 class class-default
!
zone security inside
zone security outside
zone-pair security ZONEINSIDE source inside destination outside
 service-policy type inspect ZONEINSIDE
zone-pair security ZONEOUTSIDE source outside destination inside
 service-policy type inspect ZONEOUTSIDE
interface Vlan1
 description Inside Interface
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 load-interval 30
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.1.1.17 255.255.255.255 192.168.10.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer3 overload
!
ip access-list extended NAT
 permit ip host 10.1.1.12 any
 permit ip host 10.1.1.13 any
 permit ip host 10.1.1.14 any
 permit ip host 10.1.1.15 any
 permit ip host 10.1.1.16 any
 permit ip host 10.1.1.11 any
ip access-list extended inside>outside
 permit icmp any any
ip access-list extended outside>inside
 permit 80 any host 10.1.1.12
 permit 23 any host 10.1.1.12
!
09-30-2011 01:11 AM
Hi,
Change this:
class-map type inspect match-all inbound
 match protocol http
 match protocol telnet
 match access-group name outside>inside
To this:
class-map type inspect match-all inbound
 match access-group name outside>inside
and this:
ip access-list extended outside>inside
 permit 80 any host 10.1.1.12
 permit 23 any host 10.1.1.12
To this:
ip access-list extended outside>inside
 permit tcp any host 10.1.1.12 eq 80
 permit tcp any host 10.1.1.12 eq 23
Now if you want access to 10.1.1.12 from outside you need static PAT entries:
ip nat inside source static tcp 10.1.1.12 80 interface dialer3 80
ip nat inside source static tcp 10.1.1.12 23 interface dialer3 23
And add this global config command: ip inspect log drop-pkt
Regards.
Alain
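The corrections above assembled into one consistent configuration, as an added example (not the poster's or the replier's own text). Two points go beyond the reply and are assumptions of this example: the nested match-any class-map is an alternative to dropping the protocol matches entirely, and the posted config attached class "inbound" to the inside->outside zone-pair and "outbound" to the outside->inside pair, which is swapped here to the intended pairing.

```cisco
! Outbound: ICMP only. match-all is fine here, both lines can be true for one packet.
ip access-list extended inside>outside
 permit icmp any any
class-map type inspect match-all outbound
 match protocol icmp
 match access-group name inside>outside
!
! Inbound: one flow is one protocol, so a match-all class holding both
! "match protocol http" and "match protocol telnet" never matches. Nest a
! match-any class for the protocols (addition beyond the reply) under match-all.
ip access-list extended outside>inside
 permit tcp any host 10.1.1.12 eq 80
 permit tcp any host 10.1.1.12 eq 23
class-map type inspect match-any inbound-protocols
 match protocol http
 match protocol telnet
class-map type inspect match-all inbound
 match class-map inbound-protocols
 match access-group name outside>inside
!
! Pair each class with the zone-pair it is meant for: the posted config
! attached "inbound" to inside->outside and "outbound" to outside->inside.
policy-map type inspect ZONEINSIDE
 class type inspect outbound
  inspect
 class class-default
  drop log
policy-map type inspect ZONEOUTSIDE
 class type inspect inbound
  inspect
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security ZONEINSIDE source inside destination outside
 service-policy type inspect ZONEINSIDE
zone-pair security ZONEOUTSIDE source outside destination inside
 service-policy type inspect ZONEOUTSIDE
!
! Static PAT so outside hosts reach the server through the overload NAT.
! NAT runs before inspection for outside->inside, so the ACL sees 10.1.1.12.
ip nat inside source static tcp 10.1.1.12 80 interface Dialer3 80
ip nat inside source static tcp 10.1.1.12 23 interface Dialer3 23
ip inspect log drop-pkt
!
! Check with: show zone-pair security
!             show policy-map type inspect zone-pair sessions
```

With the swapped pairing in the posted config, a ping from 10.1.1.11 hit the never-matching "inbound" class on the inside->outside pair and fell into class-default, which is why it was dropped.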