Zone based firewall malfunction

Tommy Svensson
Level 1

Hi.

I'm setting up a network with multiple VLANs and I want every VLAN to just access the Internet and not the other VLANs. My config is misconfigured and I can't see where. I want VLAN 10 and 20 to access the services I've listed in my config on the Internet, but not on other VLANs.

Regards, Tommy Svensson

R1#show run
Building configuration...

Current configuration : 7381 bytes
!
! Last configuration change at 14:17:07 PCTime Thu Mar 3 2011 by iosoft
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.49
ip dhcp excluded-address 10.10.10.251 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.49
ip dhcp excluded-address 10.10.20.251 10.10.20.254
ip dhcp excluded-address 10.10.100.1 10.10.100.49
ip dhcp excluded-address 10.10.100.251 10.10.100.254
ip dhcp excluded-address 10.10.30.1 10.10.30.49
ip dhcp excluded-address 10.10.30.251 10.10.30.254
!
ip dhcp pool ccp-pool1
network 10.10.10.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.10.1
!
ip dhcp pool ccp-pool2
import all
network 10.10.20.0 255.255.255.0
domain-name tedact.local
dns-server 192.168.98.2
default-router 10.10.20.1
!
ip dhcp pool Management
import all
network 10.10.100.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.100.1
!
ip dhcp pool AP
import all
network 10.10.30.0 255.255.255.0
domain-name Tedact.local
dns-server 192.168.98.2
default-router 10.10.30.1
!
!
no ip bootp server
ip domain name tedact.local
ip name-server 192.168.98.2
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-530346110
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-530346110
revocation-check none
rsakeypair TP-self-signed-530346110
!
!
crypto pki certificate chain TP-self-signed-530346110
certificate self-signed 01
30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 35333033 34363131 30301E17 0D313130 32323430 37323030
315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3533 30333436
31313030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CCC4DE13 6476A2A0 B05D718B BDA1BB42 953FED57 2F37490D BEF58A1B 8F4774A0
17F52B83 A48A59BC 46F1BFBA 68D2BBE3 66A40219 8B6FB14E 96424551 4AFB4598
C2F0E9DA 53946559 767A6468 88253DDF B42DEFA3 EF0693F2 E2B77B24 2EFD3F6C
620E1F33 3B994749 A9C1F5A9 63821FD4 0A0C808F DF3D70D7 9C1E813E D78E79C7
02030100 01A36F30 6D300F06 03551D13 0101FF04 05300301 01FF301A 0603551D
11041330 11820F52 312E7465 64616374 2E6C6F63 616C301F 0603551D 23041830
16801439 3E27ECCE E810B254 66EA1C16 3213546A 2C345230 1D060355 1D0E0416
0414393E 27ECCEE8 10B25466 EA1C1632 13546A2C 3452300D 06092A86 4886F70D
01010405 00038181 001AE204 00263DC0 F478478D 94CD33B9 CFCC4685 16D3EC89
0EE17A28 709F7B2A 7060A2C1 C851D34C 4A5A5E82 428E5101 2CF2E90D FFBAC276
81B09ADF BDA33EC5 E6EB5F38 13613C88 15D43E93 F40F6C53 2C92AE4E 0F169075
0964F08C DB2A0F71 BFAC9BF0 C51A92BC CC7B93A3 D6AEEBAF 50AEBF71 E3F8BFAE
E9FB1AB8 726902D1 78
quit
license udi pid CISCO2911/K9 sn xxxxxxxxx
!
!
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx.
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh authentication-retries 5
!
class-map type inspect match-all VLAN_TO_WAN_CLASS
description VLAN_TO_WAN_CLASS
match protocol pop3
match protocol imap
match protocol smtp
match protocol icmp
match protocol echo
match protocol ssh
match protocol http
match protocol ftp
match protocol https
match protocol pop3s
match protocol imaps
match protocol imap3
match protocol irc
match protocol irc-serv
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
pass
class class-default
drop
!
zone security zx_1543423965
zone security zy_1027413455
zone security VLAN_10_ZONE
zone security VLAN_20_ZONE
zone security WAN_ZONE
zone-pair security zx-zy_1919797047 source zx_1543423965 destination zy_1027413455
service-policy type inspect-internal px-py
zone-pair security VLAN_10_TO_WAN source VLAN_10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_10_TO_WAN_680015950 source WAN_ZONE destination VLAN_10_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN_20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security FW_INT_REV_VLAN_20_TO_WAN_3879632611 source WAN_ZONE destination VLAN_20_ZONE
service-policy type inspect-internal I_VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN 10 CompanyA
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN_10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN 20 CompanyB$ETH-LAN$
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN 30 AP
encapsulation dot1Q 3
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description $ETH-WAN$
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool with_overload 192.168.98.205 192.168.98.205 prefix-length 24
ip nat inside source list 7 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 192.168.98.254
!
logging trap debugging
access-list 7 permit 10.10.10.0 0.0.0.255
access-list 7 permit 10.10.20.0 0.0.0.255
access-list 7 permit 10.10.100.0 0.0.0.255
access-list 7 permit 10.10.30.0 0.0.0.255
!
no cdp run

!
!
!
!
!
control-plane
!
!
banner exec ^C HOHO ^C
banner login ^CAuthorized access only!
^C
!
line con 0
timeout login response 300
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end

16 Replies

Absolutely correct, the default action from outside towards internal subnets would be deny by default. And if you do want access from the internet towards the internal hosts, you will still need to configure translation to a public IP address so it's accessible from the internet.

And yes, you are right. If you are happy with just access towards the router interfaces from the internal subnets, then we don't need to configure any self rule.

Hi again.

I have worked a bit with the router and now I have another problem with my firewall. I was hoping you could help me this time again.

My hosts on the different VLANs can't reach the Internet. There is no answer to ping or http/https. I can't ping my DNS on 192.168.98.2 from any IP inside any VLAN.

Regards, Tommy Svensson

class-map type inspect match-any VLAN_TO_WAN_CLASS
match protocol icmp
match protocol echo
match protocol http
match protocol pop3
match protocol pop3s
match protocol smtp
match protocol imap
match protocol imaps
match protocol imap3
match protocol ftp
match protocol ssh
match protocol dns
match protocol h323
match protocol tftp
match protocol ntp
match protocol irc
match protocol ircs
match protocol telnet
match protocol ldap
match protocol snmp
match protocol https
match protocol appleqtc
match protocol cifs
match protocol exec
match protocol h323-annexe
match protocol h323-nxg
match protocol icabrowser
match protocol icq
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol ldap-admin
match protocol login
match protocol lotusnote
match protocol lotusmtap
match protocol ms-sql
match protocol ms-sql-m
match protocol msexch-routing
match protocol nfs
match protocol nntp
match protocol radius
match protocol pptp
match protocol realmedia
match protocol rsvp_tunnel
match protocol rtelnet
match protocol shell
match protocol sip-tls
match protocol sip
match protocol telnets
match protocol time
!
!
policy-map type inspect VLAN_TO_WAN_POLICY
class type inspect VLAN_TO_WAN_CLASS
inspect
!
zone security VLAN10_ZONE
zone security VLAN20_ZONE
zone security VLAN30_ZONE
zone security VLAN100_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN2_ZONE
zone security VLAN3_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_20_TO_WAN source VLAN20_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_30_TO_WAN source VLAN30_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_2_TO_WAN source VLAN2_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
zone-pair security VLAN_3_TO_WAN source VLAN3_ZONE destination WAN_ZONE
service-policy type inspect VLAN_TO_WAN_POLICY
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description NOT USED
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
description VLAN_1_Native
encapsulation dot1Q 1 native
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN1_ZONE
no cdp enable
!
interface GigabitEthernet0/0.2
description VLAN_2_Company2
encapsulation dot1Q 2
ip address 10.10.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN2_ZONE
no cdp enable
!
interface GigabitEthernet0/0.3
description VLAN_3_Company3
encapsulation dot1Q 3
ip address 10.10.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN3_ZONE
no cdp enable
!
interface GigabitEthernet0/0.10
description VLAN_10_Company10
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN10_ZONE
no cdp enable
!
interface GigabitEthernet0/0.20
description VLAN_20_Company20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN20_ZONE
no cdp enable
!
interface GigabitEthernet0/0.30
description VLAN_30_Company30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN30_ZONE
no cdp enable
!
interface GigabitEthernet0/0.100
description VLAN 100 Management
encapsulation dot1Q 100
ip address 10.10.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security VLAN100_ZONE
no cdp enable
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
description WAN_INTERFACE
ip address 192.168.98.205 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
no mop enabled
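
The zone rules behind both configs in this thread, turned into a check you can run over a config before pasting it into the router. This is an added example, not code from the original posts or from Cisco. The four checks encode facts about the IOS zone-based firewall: an interface that holds an address but belongs to no zone cannot exchange traffic with any zoned interface (while two unzoned interfaces still pass traffic between themselves, which defeats the isolation goal); a `match-all` inspect class with several `match protocol` lines never matches, because one packet cannot be several protocols at once; `pass` is stateless and one-way, so replies need their own reverse zone-pair unless `inspect` is used; and interfaces in the same zone reach each other with no policy at all, while a zone-pair between two inside zones opens whatever its policy allows. `SAMPLE` is a constructed excerpt adapted from the first config at the top of the thread (zone, class, policy and interface names are the post's own), written with the usual IOS indentation that the forum rendering stripped; `parse_blocks` and `audit` are helper names chosen here.

```python
"""Audit an IOS zone-based-firewall config for the pitfalls discussed in this thread.
Added example, not code from the original posts. SAMPLE is a constructed excerpt adapted
from the first config above (the names are the post's own), with IOS indentation restored."""
import re

SAMPLE = """\
class-map type inspect match-all VLAN_TO_WAN_CLASS
 match protocol http
 match protocol https
 match protocol ssh
policy-map type inspect VLAN_TO_WAN_POLICY
 class type inspect VLAN_TO_WAN_CLASS
  pass
 class class-default
  drop
zone-pair security VLAN_10_TO_WAN source VLAN_10_ZONE destination WAN_ZONE
 service-policy type inspect VLAN_TO_WAN_POLICY
interface GigabitEthernet0/0.1
 description VLAN 10 CompanyA
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security VLAN_10_ZONE
interface GigabitEthernet0/0.3
 description VLAN 30 AP
 encapsulation dot1Q 3
 ip address 10.10.30.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 192.168.98.205 255.255.255.0
 ip nat outside
 zone-member security WAN_ZONE
"""


def parse_blocks(text):
    """One (header, children) tuple per column-0 line; indented lines belong to the block above."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw.startswith(" "):
                blocks[-1][1].append(raw.strip())
            else:
                blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return findings as strings; an empty list means the zone layer is consistent."""
    pairs, policies, classes, ifaces = [], {}, {}, {}
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("zone-pair security "):        # NAME source SRC destination DST
            pairs.append((w[2], w[4], w[6]))
        elif header.startswith("class-map type inspect "):  # w[3] is match-all or match-any
            classes[w[4]] = (w[3], [l.split()[2] for l in body if l.startswith("match protocol ")])
        elif header.startswith("policy-map type inspect "):
            policies[w[3]] = body
        elif header.startswith("interface "):
            ifaces[w[1]] = body
    out = []
    # 1. match-all requires every 'match protocol' to hold at once, so two or more never match
    for name, (mode, protos) in classes.items():
        if mode == "match-all" and len(protos) > 1:
            out.append(f"class-map {name}: match-all with {len(protos)} protocols never matches; use match-any")
    # 2. 'pass' keeps no state, so replies need their own reverse zone-pair; 'inspect' covers both directions
    for name, body in policies.items():
        cls = None
        for line in body:
            cls = line.split()[-1] if line.startswith("class ") else cls
            if line == "pass":
                out.append(f"policy-map {name} class {cls}: 'pass' is one-way and stateless; use 'inspect'")
    # 3. per interface: an unzoned interface cannot exchange traffic with any zoned one; tag vs description
    members, wan_zones = {}, set()
    for name, body in ifaces.items():
        if not any(l.startswith("ip address ") for l in body):
            continue
        zone = next((l.split()[2] for l in body if l.startswith("zone-member security ")), None)
        if "ip nat outside" in body:
            wan_zones.add(zone)
        if zone is None:
            out.append(f"interface {name}: addressed but in no zone; traffic to/from zoned interfaces is dropped")
        members.setdefault(zone, []).append(name)
        desc = next((l for l in body if l.startswith("description ")), "")
        tag = next((l.split()[2] for l in body if l.startswith("encapsulation dot1Q ")), None)
        m = re.search(r"VLAN[ _]?(\d+)", desc, re.I)
        if m and tag and tag != m.group(1):
            out.append(f"interface {name}: description says VLAN {m.group(1)} but encapsulation is dot1Q {tag}")
    # 4. isolation: a shared inside zone needs no policy to pass traffic; an inside->inside pair opens its policy
    for zone, names in members.items():
        if zone and zone not in wan_zones and len(names) > 1:
            out.append(f"zone {zone}: {', '.join(names)} share a zone and reach each other freely")
    for name, src, dst in pairs:
        if src not in wan_zones and dst not in wan_zones:
            out.append(f"zone-pair {name}: {src} -> {dst} is an inside-to-inside pair")
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Run over the excerpt it reports the match-all class, the `pass` action, the unzoned VLAN 30 subinterface and the `dot1Q 3` versus `VLAN 30` mismatch; in the full first config `GigabitEthernet0/0.2` (VLAN 20) and `GigabitEthernet0/0.100` are unzoned as well and are reported the same way. Run over the zone section of the follow-up config just above, it reports nothing: every addressed subinterface sits in its own zone, the class is match-any, the policy inspects, and there are no inside-to-inside pairs. The checks cover only the zone layer; NAT, routing and the router's own self zone are outside their scope. Note also that the first config's class has no `match protocol dns` while its DHCP pools hand out a DNS server on the WAN side (192.168.98.2), so name resolution would have been dropped by `class-default` even once the other issues were fixed; the follow-up class adds it.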
