11-09-2011 10:29 AM - edited 03-11-2019 02:48 PM
I'm having an issue where FTP is allowed out, but is dropping on the way back in.
I'm seeing:
Dropping tcp pkt 209.95.232.144:20 => 192.168.0.11:62589
Does that mean an ACL is dropping it and not the ZBF?
11-09-2011 10:50 AM
Hello Joseph,
Do you have the following command:
-ip inspect log drop-pkt
And yes, the ZBF drop should look like this:
%FW-6-DROP_PKT
If you want, you can post your running configuration (with some changes, of course, because of security).
Have a great day,
Julio
11-09-2011 10:59 AM
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 116
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 107
match protocol user-protocol--1
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol http
match protocol https
class-map type inspect match-all sdm-nat-http-1
match access-group 108
match class-map sdm-service-sdm-pol-NATOutsideToInside-1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 106
match protocol user-protocol--1
class-map type inspect match-any FTP
match protocol ftps
match protocol ftp
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map FTP
match access-group 120
class-map type inspect match-all sdm-nat-smtp-1
match access-group 104
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 110
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any all
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all sdm-cls--1
match class-map all
match access-group name to_ezvpn
class-map type inspect match-all SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all sdm-nat-https-2
match access-group 109
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 105
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-2
inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class class-default
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
inspect
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class class-default
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
policy-map type inspect sdm-inspect-all
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
inspect
class class-default
drop log
!
zone security LAN
zone security Outside
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-ezvpn-zone source self destination ezvpn-zone
service-policy type inspect sdm-policy-sdm-cls--1
!
!
!
interface Loopback0
description Do not delete - SDM WebVPN generated interface
ip address 192.168.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Loopback1
ip address 192.168.52.254 255.255.255.0
!
interface Loopback5
ip address 192.168.57.254 255.255.255.0
!
interface Loopback6
ip address 192.168.58.254 255.255.255.0
!
interface Loopback9
ip address 192.168.61.254 255.255.255.0
!
interface FastEthernet0/0
description connected to EthernetLAN$ETH-LAN$$FW_INSIDE$$ES_LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address x.x.x.82 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex full
speed auto
crypto map SDM_CMAP_1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.30 25 x.x.x.83 25 extendable
ip nat inside source static tcp 192.168.0.30 443 x.x.x.83 443 extendable
ip nat inside source static tcp 192.168.0.31 3389 x.x.x.84 3389 extendable
ip nat inside source static tcp 192.168.0.19 3389 x.x.x.85 3389 extendable
ip nat inside source static tcp 192.168.0.8 443 x.x.x.86 443 extendable
ip nat inside source static tcp 192.168.0.11 20 x.x.x.88 20 extendable
ip nat inside source static tcp 192.168.0.11 21 x.x.x.88 21 extendable
ip nat inside source static tcp 192.168.0.11 3389 x.x.x.88 3389 extendable
ip nat inside source static tcp 192.168.0.6 3389 x.x.x.89 3389 extendable
ip nat inside source static tcp 192.168.0.7 21 x.x.x.90 21 extendable
ip nat inside source static tcp 192.168.1.1 443 192.168.0.1 4443 extendable
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended VPN
permit udp any host 192.168.0.1 eq non500-isakmp
permit udp any host 192.168.0.1 eq isakmp
permit esp any host 192.168.0.1
permit ahp any host 192.168.0.1
ip access-list extended to_ezvpn
remark CCP_ACL Category=128
permit ip any any
!
ip radius source-interface FastEthernet0/0
logging trap debugging
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 66.195.205.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip 216.82.240.0 0.0.15.255 host 192.168.0.30
access-list 104 permit ip 67.219.240.0 0.0.15.255 host 192.168.0.30
access-list 104 permit ip 85.158.136.0 0.0.7.255 host 192.168.0.30
access-list 104 permit ip 95.131.104.0 0.0.7.255 host 192.168.0.30
access-list 104 permit ip 117.120.16.0 0.0.7.255 host 192.168.0.30
access-list 104 permit ip 193.109.254.0 0.0.1.255 host 192.168.0.30
access-list 104 permit ip 194.106.220.0 0.0.1.255 host 192.168.0.30
access-list 104 permit ip 195.245.230.0 0.0.1.255 host 192.168.0.30
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.0.30
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.0.31
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.0.11
access-list 107 permit ip any host 192.168.0.6
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.0.8
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.1.1
access-list 110 remark CCP_ACL Category=128
access-list 110 permit ip any host 66.195.205.82
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
access-list 112 remark CCP_ACL Category=4
access-list 112 permit ip 192.168.0.0 0.0.0.255 any
access-list 113 remark CCP_ACL Category=4
access-list 113 permit ip 192.168.0.0 0.0.0.255 any
access-list 114 permit ip host 192.168.0.6 192.168.50.0 0.0.0.255
access-list 114 permit ip 192.168.0.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 114 permit ip 192.168.0.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 114 permit ip 192.168.0.0 0.0.0.255 192.168.54.0 0.0.0.255
access-list 115 permit tcp host 192.168.0.30 any eq smtp
access-list 115 permit tcp host 192.168.0.31 any eq smtp
access-list 115 deny tcp any any eq smtp
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
access-list 116 remark CCP_ACL Category=4
access-list 116 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 remark CCP_ACL Category=128
access-list 120 permit ip any host 192.168.0.11
access-list 121 permit ip host 209.95.232.144 host 192.168.0.11
!
!
!
route-map nonat deny 10
match ip address 114
!
route-map nonat permit 20
match ip address 115
11-09-2011 02:29 PM
Hello Joseph,
Can you try the following please:
- no class-map type inspect match-all ccp-insp-traffic
- class-map type inspect match-any ccp-insp-traffic
I also would like you to apply the following command into your configuration:
-ip inspect log drop-pkt
Then send us the logs while the issue is happening.
Please let me know if this works.
Regards,
Julio
11-10-2011 12:51 PM
That didn't fix it.
Never mind, I dropped in an ASA today. Problem solved.
11-10-2011 12:55 PM
Hello Joseph,
Sure, without the logs it is almost impossible to solve this kind of issue.
Regards,
11-10-2011 04:19 PM
No worries. ASA is so much easier to deal with vs ZBF.
Sent from Cisco Technical Support iPhone App
11-10-2011 08:26 PM
Hi,
Just in case you wanted to know the reason, it is because the ZBF is not inspecting FTP, so the dynamic data channel (in this case port 20) is going to be dropped. In order to overcome this issue you need to inspect FTP, so the firewall knows that a data connection will come.
The command you needed was this:
class-map type inspect match-any ccp-cls-insp-traffic
match protocol ftp
Anyways, I love the ASA, but ZBF is not a bad approach if you don't have enough budget.
Mike
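Added example (not from the thread, and not Cisco code): a small Python model of what FTP application-layer inspection does once the class-map matches FTP. The ALG reads the control channel, predicts the dynamic data connection from a PORT command (active mode) or a 227 reply (passive mode), and opens a pinhole for it; without that, the server's connection from port 20 arrives with no matching session and is dropped exactly as in the log line quoted at the top of the thread. The function and class names, the PORT/227 lines and the drop-log line are all constructed for illustration; the only thing taken from the thread is the drop message format and the two addresses in it.

```python
"""Added example, not code from the thread: a minimal model of the FTP
application-layer inspection that "match protocol ftp" enables in a
zone-based firewall. The ALG reads the control channel, predicts the
dynamic data connection and opens a pinhole for it; without inspection the
server's connection from port 20 arrives unsolicited and is dropped.
All inputs below (PORT/227 lines, the drop-log line) are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Pinhole:
    """Data connection the firewall should expect after a control-channel line."""
    src_ip: str
    src_port: Optional[int]   # None: any source port (passive mode)
    dst_ip: str
    dst_port: int


# Active mode: the client advertises where the server may connect.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: the server advertises where the client will connect.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# The IOS drop message format quoted in the thread.
DROP_RE = re.compile(
    r"Dropping tcp pkt (\d+\.\d+\.\d+\.\d+):(\d+) => (\d+\.\d+\.\d+\.\d+):(\d+)")


def _decode_hostport(fields) -> Tuple[str, int]:
    """FTP encodes h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return ip, port


def expected_pinhole(control_line: str, client_ip: str,
                     server_ip: str) -> Optional[Pinhole]:
    """Return the data-channel pinhole an FTP ALG would open for one
    control-channel line, or None if the line carries no address."""
    m = PORT_RE.match(control_line)
    if m:
        ip, port = _decode_hostport(m.groups())
        # Active mode: server connects from port 20 to the advertised client endpoint.
        return Pinhole(src_ip=server_ip, src_port=20, dst_ip=ip, dst_port=port)
    m = PASV_RE.match(control_line)
    if m:
        ip, port = _decode_hostport(m.groups())
        # Passive mode: client connects from any port to the advertised server endpoint.
        return Pinhole(src_ip=client_ip, src_port=None, dst_ip=ip, dst_port=port)
    return None


def parse_drop(log_line: str) -> Optional[Tuple[str, int, str, int]]:
    """Parse a 'Dropping tcp pkt A:p => B:q' line into (A, p, B, q)."""
    m = DROP_RE.search(log_line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def drop_matches_pinhole(log_line: str, pinhole: Pinhole) -> bool:
    """True when the dropped packet is exactly the data connection the ALG
    would have admitted, i.e. the drop is a missing-inspection symptom."""
    parsed = parse_drop(log_line)
    if parsed is None:
        return False
    src_ip, src_port, dst_ip, dst_port = parsed
    return (src_ip == pinhole.src_ip
            and (pinhole.src_port is None or src_port == pinhole.src_port)
            and dst_ip == pinhole.dst_ip
            and dst_port == pinhole.dst_port)


if __name__ == "__main__":
    # Constructed: inside client 192.168.0.11 in active mode with server
    # 209.95.232.144. 244*256 + 125 == 62589, the port in the thread's drop line.
    pin = expected_pinhole("PORT 192,168,0,11,244,125", "192.168.0.11", "209.95.232.144")
    drop = "Dropping tcp pkt 209.95.232.144:20 => 192.168.0.11:62589"
    print(pin)
    print("drop is the expected FTP data channel:", drop_matches_pinhole(drop, pin))
```

The model leaves out the other half of the real ALG's job: when the client sits behind a static NAT (as 192.168.0.11 does here, behind x.x.x.88), the inspection engine also rewrites the private address embedded in the PORT command so the server connects to the public one. Running the block against the thread's drop line returns True, which is the practical check: a drop that lines up exactly with a PORT or 227 announcement on the control channel points at missing protocol inspection rather than at an ACL.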