Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4209
Views
19
Helpful
16
Replies

Zone based firewall malfunction

Go to solution
Tommy Svensson
Level 1
Level 1

‎03-03-2011 05:28 AM - edited ‎03-11-2019 01:00 PM

Hi.

Im setting up a network with multiple VLANs and i want every VLAN to just access the Internet and not other VLANs. my config is misconfigured and i cant see where. I want VLAN 10 and 20 do access the services ive listed in my config on the Internet but not on other VLANs.

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 7381 bytes
!
! Last configuration change at 14:17:07 PCTime Thu Mar 3 2011 by iosoft
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
 network 10.10.10.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
 import all
 network 10.10.20.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.20.1
!
ip dhcp pool Management
 import all
 network 10.10.100.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.100.1
!
ip dhcp pool AP
 import all
 network 10.10.30.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-530346110
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-530346110
 revocation-check none
 rsakeypair TP-self-signed-530346110
!
!
crypto pki certificate chain TP-self-signed-530346110
 certificate self-signed 01
 30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
 69666963 6174652D 35333033 34363131 30301E17 0D313130 32323430 37323030
 315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30333436
 31313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
 CCC4DE13 6476A2A0 B05D718B BDA1BB42 953FED57 2F37490D BEF58A1B 8F4774A0
 17F52B83 A48A59BC 46F1BFBA 68D2BBE3 66A40219 8B6FB14E 96424551 4AFB4598
 C2F0E9DA 53946559 767A6468 88253DDF B42DEFA3 EF0693F2 E2B77B24 2EFD3F6C
 620E1F33 3B994749 A9C1F5A9 63821FD4 0A0C808F DF3D70D7 9C1E813E D78E79C7
 02030100 01A36F30 6D300F06 03551D13 0101FF04 05300301 01FF301A 0603551D
 11041330 11820F52 312E7465 64616374 2E6C6F63 616C301F 0603551D 23041830
 16801439 3E27ECCE E810B254 66EA1C16 3213546A 2C345230 1D060355 1D0E0416
 0414393E 27ECCEE8 10B25466 EA1C1632 13546A2C 3452300D 06092A86 4886F70D
 01010405 00038181 001AE204 00263DC0 F478478D 94CD33B9 CFCC4685 16D3EC89
 0EE17A28 709F7B2A 7060A2C1 C851D34C 4A5A5E82 428E5101 2CF2E90D FFBAC276
 81B09ADF BDA33EC5 E6EB5F38 13613C88 15D43E93 F40F6C53 2C92AE4E 0F169075
 0964F08C DB2A0F71 BFAC9BF0 C51A92BC CC7B93A3 D6AEEBAF 50AEBF71 E3F8BFAE
 E9FB1AB8 726902D1 78
 quit
license udi pid CISCO2911/K9 sn xxxxxxxxx
!
!
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-all VLAN_TO_WAN_CLASS
 description VLAN_TO_WAN_CLASS
 match protocol pop3
 match protocol imap
 match protocol smtp
 match protocol icmp
 match protocol echo
 match protocol ssh
 match protocol http
 match protocol ftp
 match protocol https
 match protocol pop3s
 match protocol imaps
 match protocol imap3
 match protocol irc
 match protocol irc-serv
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
 class type inspect VLAN_TO_WAN_CLASS
 pass
 class class-default
 drop
!
zone security zx_1543423965
zone security zy_1027413455
zone security VLAN_10_ZONE
zone security VLAN_20_ZONE
zone security WAN_ZONE
zone-pair security zx-zy_1919797047 source zx_1543423965 destination zy_1027413455
 service-policy type inspect-internal px-py
zone-pair security VLAN_10_TO_WAN source VLAN_10_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_10_TO_WAN_680015950 source WAN_ZONE destination VLAN_10_ZONE
 service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN_20_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_20_TO_WAN_3879632611 source WAN_ZONE destination VLAN_20_ZONE
 service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description NOT USED
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/0.1
 description VLAN 10 CompanyA
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN_10_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.2
 description VLAN 20 CompanyB$ETH-LAN$
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.3
 description VLAN 30 AP
 encapsulation dot1Q 3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/0.100
 description VLAN 100 Management
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/2
 description $ETH-WAN$
 ip address 192.168.98.205 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
 !
!
banner exec ^C HOHO ^C
banner login ^CAuthorized access only!
^C
!
line con 0
 timeout login response 300
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎03-07-2011 02:30 AM

Great,....

Looks like you are missing DNS inspection

Here we go:

class-map type inspect match-any VLAN_TO_WAN_CLASS
      match protocol dns

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-07-2011 04:33 AM

Absolutely correct, the default action from outside towards internal subnets would be deny by default. And if you do want access from the internet towards the internal hosts, you will still need to configure translation to a public ip address so it's accessible from the internet.

And yes, you are right. If you are happy with just acccess towards the router interfaces from the internal subnets, then we don't need to configure any self rule.

View solution in original post

0 Helpful
16 Replies 16

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎03-04-2011 02:23 AM

The followings are the ones that cause the failure:

1) "class-map type inspect match-all VLAN_TO_WAN_CLASS", it should say:

"class-map type inspect match-any VLAN_TO_WAN_CLASS" instead.

2) policy-map type inspect VLAN_TO_WAN_POLICY
           class type inspect VLAN_TO_WAN_CLASS
                     pass

It should say "inspect" instead:

policy-map type inspect VLAN_TO_WAN_POLICY
      class type inspect VLAN_TO_WAN_CLASS
           inspect

3) You do not need the following if you only want outbound connectivity:

zone-pair security FW_INT_REV_VLAN_10_TO_WAN_680015950 source WAN_ZONE destination VLAN_10_ZONE
 service-policy type inspect-internal I_VLAN_TO_WAN_POLICY

zone-pair security FW_INT_REV_VLAN_20_TO_WAN_3879632611 source WAN_ZONE destination VLAN_20_ZONE
 service-policy type inspect-internal I_VLAN_TO_WAN_POLICY

Hope that helps.

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-04-2011 06:13 AM

Hi again.

I have now tried to solve it whitout succeeding. When i assign a zone to an interface it all goes down, the hosts on different VLANs cant ping eachother wich is good, but it cant ping anything out the WAN interface either. Hoping to get some pointers in the matter.

EDIT:
What do i need to configure for the router to have a standard firewall towards the Internet. The WAN interface is in the zone WAN_ZONE, do i need to specify a zone-pair for every WAN to VLAN connection? Like i do from VLAN to WAN.

It is a company hotel for more than 25 companies and if i have to make zone-pairs for every VLAN to WAN & WAN to VLAN possibility there is im gonna puke

The thing is that every company is going to have their own VLAN and i just want them to access the Internet and no other VLAN. Also i want the entire network to be as safe as it can behind my firewall. What do i need to do?

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 6983 bytes
!
! Last configuration change at 15:00:02 PCTime Fri Mar 4 2011 by iosoft
!
version 15.0
!
hostname R1
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
 network 10.10.10.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
 import all
 network 10.10.20.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.20.1
!
ip dhcp pool Management
 import all
 network 10.10.100.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.100.1
!
ip dhcp pool AP
 import all
 network 10.10.30.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated

username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx.
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-any VLAN_TO_WAN_CLASS
 match protocol icmp
 match protocol echo
 match protocol http
 match protocol https
 match protocol pop3
 match protocol pop3s
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol ftp
 match protocol ssh
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
 class type inspect VLAN_TO_WAN_CLASS
 inspect
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description NOT USED
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/0.1
 description VLAN 10 CompanyA
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN10_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.2
 description VLAN 20 CompanyB
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN20_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.3
 description VLAN 30 AP
 encapsulation dot1Q 3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN30_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.100
 description VLAN 100 Management
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN100_ZONE
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/2
 description $ETH-WAN$
 ip address 192.168.98.205 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
 !
!
banner exec ^C HOHO ^C
banner login ^CAuthorized access only!
^C
!
line con 0
 timeout login response 300
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

R1#

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-05-2011 03:41 AM

The reason why it's not working is because you haven't configured the service-policy to all the following zone-pair:

zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE

It should be configured as follows:

zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE

     service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE

     service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE

     service-policy type inspect VLAN_TO_WAN_POLICY

zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE

     service-policy type inspect VLAN_TO_WAN_POLICY

Since you only would like outbound connectivity, you only need to configure all the internal zones as the source with WAN_ZONE as the destination like you already configured. The opposite direction is not required unless they are going to host web servers/etc that needs to be accessible from the Internet.

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 02:09 AM

Hi again.

I cant get it to work still. Hoping you could spot some fault in my running config.

Regards Tommy Svensson

R1#show run
Building configuration...

Current configuration : 7203 bytes
!
! Last configuration change at 11:03:09 PCTime Mon Mar 7 2011 by xxxxxxxx
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
 network 10.10.10.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
 import all
 network 10.10.20.0 255.255.255.0
 domain-name tedact.local
 dns-server 192.168.98.2
 default-router 10.10.20.1
!
ip dhcp pool Management
 import all
 network 10.10.100.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.100.1
!
ip dhcp pool AP
 import all
 network 10.10.30.0 255.255.255.0
 domain-name Tedact.local
 dns-server 192.168.98.2
 default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-530346110
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-530346110
 revocation-check none
 rsakeypair TP-self-signed-530346110
!
!
crypto pki certificate chain TP-self-signed-530346110
 certificate self-signed 01
 30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
 69666963 6174652D 35333033 34363131 30301E17 0D313130 32323430 37323030
 315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30333436
 31313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
 CCC4DE13 6476A2A0 B05D718B BDA1BB42 953FED57 2F37490D BEF58A1B 8F4774A0
 17F52B83 A48A59BC 46F1BFBA 68D2BBE3 66A40219 8B6FB14E 96424551 4AFB4598
 C2F0E9DA 53946559 767A6468 88253DDF B42DEFA3 EF0693F2 E2B77B24 2EFD3F6C
 620E1F33 3B994749 A9C1F5A9 63821FD4 0A0C808F DF3D70D7 9C1E813E D78E79C7
 02030100 01A36F30 6D300F06 03551D13 0101FF04 05300301 01FF301A 0603551D
 11041330 11820F52 312E7465 64616374 2E6C6F63 616C301F 0603551D 23041830
 16801439 3E27ECCE E810B254 66EA1C16 3213546A 2C345230 1D060355 1D0E0416
 0414393E 27ECCEE8 10B25466 EA1C1632 13546A2C 3452300D 06092A86 4886F70D
 01010405 00038181 001AE204 00263DC0 F478478D 94CD33B9 CFCC4685 16D3EC89
 0EE17A28 709F7B2A 7060A2C1 C851D34C 4A5A5E82 428E5101 2CF2E90D FFBAC276
 81B09ADF BDA33EC5 E6EB5F38 13613C88 15D43E93 F40F6C53 2C92AE4E 0F169075
 0964F08C DB2A0F71 BFAC9BF0 C51A92BC CC7B93A3 D6AEEBAF 50AEBF71 E3F8BFAE
 E9FB1AB8 726902D1 78
 quit
license udi pid CISCO2911/K9 sn xxxxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-any VLAN_TO_WAN_CLASS
 match protocol icmp
 match protocol echo
 match protocol http
 match protocol https
 match protocol pop3
 match protocol pop3s
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol ftp
 match protocol ssh
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
 class type inspect VLAN_TO_WAN_CLASS
 inspect
 class class-default
 drop
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description NOT USED
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/0.1
 description VLAN 10 CompanyA
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN10_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.2
 description VLAN 20 CompanyB
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN20_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.3
 description VLAN 30 AP
 encapsulation dot1Q 3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN30_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.100
 description VLAN 100 Management
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN100_ZONE
 no cdp enable
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/2
 description $ETH-WAN$
 ip address 192.168.98.205 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
 no mop enabled
 !
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
 !
!
banner exec ^C HOHO ^C
banner login ^CAuthorized access only!
^C
!
line con 0
 timeout login response 300
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

R1#

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-07-2011 02:21 AM

Can you please advise what is failing?

How did you test? ping? http? do you try ping by ip address, http by ip address?

Also what is your source and destination ip address?

I am assuming that if you take the zone member off, Internet connectivity works fine?

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 02:25 AM

I have a host on VLAN 10 with IP of 10.10.10.50 and i tried to ping google.com and browsing to http://google.com and it did not work. When i take away interface association to security zones it works again but no firewall is enabled on the interface.

Regards Tommy Svensson

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-07-2011 02:27 AM

Does ping to 4.2.2.2 work?

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 02:28 AM

Yes it works!

Must be something with the DNS traffic i suppose cause pinging IP works just fine.

I can also ping 10.10.100.1, 10.10.20.1 & 10.10.30.1. Should i be able to do that?

Regards Tommy Svensson

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎03-07-2011 02:30 AM

Great,....

Looks like you are missing DNS inspection

Here we go:

class-map type inspect match-any VLAN_TO_WAN_CLASS
      match protocol dns

0 Helpful

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 02:42 AM

As i said in previous post, i can still ping gateways of the other VLANs, such as from host 10.10.10.50 to 10.10.20.1 & 10.10.100.1. I cant ping the hosts on the VLAN, such as 10.10.100.50. How come? I tought i set the policy on the interface and it would prevent that kind of traffic.

Regards Tommy Svensson

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-07-2011 02:45 AM

Apart from ping, can you please try to see if you can telnet to 10.10.20.1 & 10.10.100.1 from 10.10.10.50?

0 Helpful

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 02:48 AM

Yes i can telnet to 10.10.20.1 & 10.10.100.1

I cant do a remote desktop from 10.10.10.50 to 10.10.100.50 however.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Tommy Svensson

‎03-07-2011 02:53 AM

And just to confirm, you can remote desktop from 10.10.10.50 to 10.10.100.50 when the zone member is removed from the interface?

If you can, then self zone does not seem to be working.

BTW, before I proceed to create policy to self zone, what access would you like towards the interfaces?

Ping only from the directly connected subnet?

What about telnet?

What other access do you need towards the router interfaces? GUI?

0 Helpful

Go to solution
Tommy Svensson
Level 1
Level 1
In response to Jennifer Halim

‎03-07-2011 04:01 AM

Yes i can use remote desktop to 10.10.100.50 from 10.10.10.50 when the firewall is down but not after. As it should be, i dont want any connection between VLANs as companies will use their own VLAN only. But om wondering about if it should be possible to telnet to another subnets default gateway like 10.10.30.1. The thing is that the companies must not be able to acces eachothers machines, so the telnet possibility to the default gateway is not a problem, i will set it to use SSH and with a very strong password so its going to be hard to get access to the router.

Another thing im wondering about now is that if i have a functional firewall towards the "outside" or Internet? I have not specified any access into the network so im just wondering if its a default deny or something like that?

Regards Tommy Svensson

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card