zone based firewall configuration

Charlotte098
Level 1

Hi, I'm trying to set up a zone-based firewall. I can't seem to work out what is going wrong. I have added the class maps, policy map, and extended ACLs, and have defined the zones and added the zones to the interfaces. Can anyone see why this wouldn't be working? This is the first time I've configured this type of firewall. I've applied zone-member security outside to the Dialer3 interface as well as ip nat outside. It was working before with NAT. It only stopped working when I started applying the zone-based firewall configuration, so I know it's incorrect somewhere. It doesn't seem to be matching the access-list I've created when I ping from 10.1.1.11. The routers are also running BGP, which is working fine. The 10.1.1.11 - 10.1.1.16 range is being NATed to a public address. What I'm trying to do is permit ICMP outbound from the 10.1.1.11 addresses and restrict everything else outbound. Inbound I'm trying to permit hosts to the HTTP server, which can be accessed on 10.1.1.12, and also telnet, but only to that address, if that makes sense. I've provided some of my configuration below.

class-map type inspect match-all outbound
 match protocol icmp
 match access-group name inside>outside
class-map type inspect match-all inbound
 match protocol http
 match protocol telnet
 match access-group name outside>inside
!
!
policy-map type inspect ZONEINSIDE
 class type inspect inbound
  inspect
 class class-default
policy-map type inspect ZONEOUTSIDE
 class type inspect outbound
  inspect
 class class-default
!
zone security inside
zone security outside
zone-pair security ZONEINSIDE source inside destination outside
 service-policy type inspect ZONEINSIDE
zone-pair security ZONEOUTSIDE source outside destination inside
 service-policy type inspect ZONEOUTSIDE
!
interface Vlan1
 description Inside Interface
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
 load-interval 30
!
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.1.1.17 255.255.255.255 192.168.10.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface Dialer3 overload
!
ip access-list extended NAT
 permit ip host 10.1.1.12 any
 permit ip host 10.1.1.13 any
 permit ip host 10.1.1.14 any
 permit ip host 10.1.1.15 any
 permit ip host 10.1.1.16 any
 permit ip host 10.1.1.11 any
ip access-list extended inside>outside
 permit icmp any any
ip access-list extended outside>inside
 permit 80 any host 10.1.1.12
 permit 23 any host 10.1.1.12
!


cadet alain
VIP Alumni

Hi,

Change this:

class-map type inspect match-all inbound
 match protocol http
 match protocol telnet
 match access-group name outside>inside

To this:

class-map type inspect match-all inbound
 match access-group name outside>inside

and this:

ip access-list extended outside>inside
 permit 80 any host 10.1.1.12
 permit 23 any host 10.1.1.12

To this:

ip access-list extended outside>inside
 permit tcp any host 10.1.1.12 eq 80
 permit tcp any host 10.1.1.12 eq 23

Now if you want access to 10.1.1.12 from outside you need static PAT entries:

ip nat inside source static tcp 10.1.1.12 80 interface dialer3 80
ip nat inside source static tcp 10.1.1.12 23 interface dialer3 23

And add this global config command: ip inspect log drop-pkt

Regards.

Alain

Don't forget to rate helpful posts.
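A complete zone-based firewall configuration assembled from the corrections in Alain's reply, as an added example (it is not the original poster's configuration and not Alain's). The interface, zone, policy and ACL names and the addresses are those from the thread. It goes beyond the reply in three places: the inbound protocol list is nested as a match-any class, because a match-all class with two `match protocol` lines can never match a single packet; the policies are attached so that the inside-to-outside zone pair carries the `outbound` class, since in the posted configuration policy ZONEINSIDE holds the `inbound` class and ZONEOUTSIDE holds the `outbound` class, which is why an outbound ping from 10.1.1.11 falls into class-default and is dropped; and the outbound ACL is narrowed to host 10.1.1.11, following the stated intent. `drop log` on class-default is an assumption of this example (an alternative to the `ip inspect log drop-pkt` global command in the reply) so that denied traffic is visible in the log.

```cisco
! Added example, not the original poster's or Alain's configuration.
! Names and addresses are from the thread; the 10.1.1.11 source scope and
! the "drop log" default action are assumptions made here.
!
! --- Access lists: an extended ACL entry needs a protocol and a port keyword
ip access-list extended inside>outside
 permit icmp host 10.1.1.11 any
ip access-list extended outside>inside
 permit tcp any host 10.1.1.12 eq 80
 permit tcp any host 10.1.1.12 eq 23
!
! --- Class maps
! A match-all class cannot require HTTP and Telnet at the same time, so the
! protocol alternatives live in a match-any class that is nested below.
class-map type inspect match-any INBOUND-PROTOCOLS
 match protocol http
 match protocol telnet
class-map type inspect match-all inbound
 match access-group name outside>inside
 match class-map INBOUND-PROTOCOLS
class-map type inspect match-all outbound
 match protocol icmp
 match access-group name inside>outside
!
! --- Policy maps: each policy carries the class for its own direction;
! anything not explicitly inspected is dropped and logged
policy-map type inspect ZONEINSIDE
 class type inspect outbound
  inspect
 class class-default
  drop log
policy-map type inspect ZONEOUTSIDE
 class type inspect inbound
  inspect
 class class-default
  drop log
!
! --- Zones and zone pairs (direction is source -> destination)
zone security inside
zone security outside
zone-pair security ZONEINSIDE source inside destination outside
 service-policy type inspect ZONEINSIDE
zone-pair security ZONEOUTSIDE source outside destination inside
 service-policy type inspect ZONEOUTSIDE
!
interface Vlan1
 zone-member security inside
interface Dialer3
 zone-member security outside
!
! --- NAT: dynamic PAT outbound, static PAT for the two published services
ip nat inside source list NAT interface Dialer3 overload
ip nat inside source static tcp 10.1.1.12 80 interface Dialer3 80
ip nat inside source static tcp 10.1.1.12 23 interface Dialer3 23
!
! --- Verification after applying
! show zone-pair security
! show policy-map type inspect zone-pair sessions
! show ip nat translations
```

After applying, `show policy-map type inspect zone-pair sessions` should list an ICMP session under zone pair ZONEINSIDE while the ping from 10.1.1.11 runs, and a TCP session under ZONEOUTSIDE when an outside host connects to the public address on port 80 or 23; a packet that matches neither class shows up as a logged drop from class-default, which is the quickest way to see which zone pair and class a failing flow actually lands in.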