04-07-2014 08:42 PM - edited 03-11-2019 09:02 PM
I have an 881W that I am trying to set up a zone-based firewall on. Here is what an excerpt of it looks like:
----------------------------------------------------------------
Current Config:
----------------------------------------------------------------
ip dhcp excluded-address 192.168.42.1 192.168.42.149
ip dhcp excluded-address 192.168.42.171 192.168.42.254
ip dhcp excluded-address 10.0.42.1 10.0.42.149
ip dhcp excluded-address 10.0.42.171 10.0.42.254
ip dhcp excluded-address 172.16.42.1 172.16.42.149
ip dhcp excluded-address 172.16.42.171 172.16.42.254
ip dhcp excluded-address 10.42.0.1
ip dhcp excluded-address 10.42.0.253
!
ip dhcp pool ccp-pool
import all
network 10.42.0.0 255.255.255.0
default-router 10.42.0.1
!
ip dhcp pool GuessData
import all
network 172.16.42.0 255.255.255.0
dns-server 68.105.28.12 68.105.29.12 68.105.28.11
default-router 172.16.42.254
!
ip dhcp pool DMZData
import all
network 10.0.42.0 255.255.255.0
default-router 10.0.42.254
dns-server 68.105.28.12 68.105.29.12 68.105.28.11
!
ip dhcp pool InternalData
import all
network 192.168.42.0 255.255.255.0
dns-server 192.168.42.1 68.105.28.12 68.105.29.12 68.105.28.11
default-router 192.168.42.254
lease 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX1702852X
!
!
username daved privilege 15 secret 4 qe8J3v.JBWtcOXpekg566rrPI0ITGNFB/9NQecxoOLU
!
!
!
!
!
class-map match-any CLASS_COX_OUT
match any
class-map type inspect match-any INTERNET-CLASS
match protocol icmp
match protocol udp
match protocol tcp
!
!
policy-map POLICY_COX_OUT
class CLASS_COX_OUT
policy-map type inspect INTERNET-POLICY
class type inspect INTERNET-CLASS
inspect
class class-default
drop
!
zone security INTERNAL
description Firewall Zone for Internal Users
zone security DMZ
description Firewall Zone for DMZ Systems
zone security GUEST
description Firewall Zone for Guest Wireless Users
zone security INTERNET
description Firewall Zone for ISP
zone-pair security INTERNET-INTERNAL source INTERNAL destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNAL-INTERNET source INTERNET destination INTERNAL
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNET-DMZ source DMZ destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security DMZ-INTERNET source INTERNET destination DMZ
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNET-GUEST source GUEST destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security GUEST-INTERNET source INTERNET destination GUEST
service-policy type inspect INTERNET-POLICY
!
!
!
!
!
!
!
interface FastEthernet0
switchport access vlan 10
no ip address
!
interface FastEthernet1
switchport access vlan 20
no ip address
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
description Cox ISP Interface for all data
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
duplex auto
speed auto
no cdp enable
service-policy output POLICY_COX_OUT
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan30
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.42.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan10
description Internal Users Network Vlan
ip address 192.168.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INTERNAL
!
interface Vlan20
description DMZ Network Vlan
ip address 10.0.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
interface Vlan30
description Guest Wireless Network Vlan
ip address 172.16.42.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security GUEST
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map COX_NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 23 permit 10.42.0.0
access-list 110 permit ip 192.168.42.0 0.0.0.255 any
access-list 110 permit ip 172.16.42.0 0.0.0.255 any
access-list 110 permit ip 10.0.42.0 0.0.0.255 any
access-list 110 permit ip 10.42.0.0 0.0.0.255 any
access-list 110 deny ip any any
no cdp run
!
!
!
!
route-map COX_NAT permit 10
match ip address 110
match interface FastEthernet4
My problem is that traffic is not being passed from the INTERNAL Zone to the DMZ zone. I have tried everything I can think of. What do I have to do to allow this traffic to pass through?
Thank You,
David Demland
04-21-2014 05:39 AM
Hello David,
I cannot see any zone-pair configuration from internal to DMZ. If you create this with the correct policy then this should work.
Hope this helps.
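To make the point in this reply concrete, here is an added example that is not part of the thread and not a Cisco tool: a small Python linter that reads the zone, zone-pair and service-policy lines out of a running-config excerpt and lists every inter-zone direction the ZBF will drop (no zone-pair at all, a zone-pair with no service-policy, or a service-policy that names a policy-map that is not defined). The excerpt is constructed from the zones and zone-pairs of the first post; the only policy-map name it assumes is the thread's INTERNET-POLICY.

```python
import re
from itertools import permutations

# Constructed excerpt modelled on the first config posted in the thread (not the
# poster's full running-config): three zones, zone-pairs only to/from INTERNET.
SAMPLE_CONFIG = """\
zone security INTERNAL
zone security DMZ
zone security INTERNET
zone-pair security INTERNET-INTERNAL source INTERNAL destination INTERNET
 service-policy type inspect INTERNET-POLICY
zone-pair security INTERNAL-INTERNET source INTERNET destination INTERNAL
 service-policy type inspect INTERNET-POLICY
zone-pair security INTERNET-DMZ source DMZ destination INTERNET
 service-policy type inspect INTERNET-POLICY
zone-pair security DMZ-INTERNET source INTERNET destination DMZ
 service-policy type inspect INTERNET-POLICY
policy-map type inspect INTERNET-POLICY
"""

ZONE_RE = re.compile(r"^zone security (\S+)")
PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")
SVC_RE = re.compile(r"^\s*service-policy type inspect (\S+)")  # indent may be lost in pastes
PMAP_RE = re.compile(r"^policy-map type inspect (\S+)")

def parse_zbf(config):
    """Return (zones, {(src, dst): policy-map name or None}, inspect policy-map names)."""
    zones, pairs, pmaps, current = set(), {}, set(), None
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := PAIR_RE.match(line):
            current = m.groups()
            pairs[current] = None                  # no service-policy attached yet
        elif (m := SVC_RE.match(line)) and current:
            pairs[current] = m.group(1)
        else:                                      # any other command ends the zone-pair block
            if m := PMAP_RE.match(line):
                pmaps.add(m.group(1))
            current = None
    return zones, pairs, pmaps

def zbf_findings(config):
    """Inter-zone directions the router will drop (traffic within one zone is exempt)."""
    zones, pairs, pmaps = parse_zbf(config)
    return {
        "no_zone_pair": [p for p in permutations(sorted(zones), 2) if p not in pairs],
        "no_policy": [p for p, pol in pairs.items() if pol is None],
        "unknown_policy": [(p, pol) for p, pol in pairs.items() if pol and pol not in pmaps],
    }
```

Running `zbf_findings(SAMPLE_CONFIG)` reports INTERNAL to DMZ and DMZ to INTERNAL under `no_zone_pair`, which is exactly the gap this reply points at.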
04-23-2014 08:08 PM
After looking at the configuration again, I have corrected everything I think was wrong, and here is the ZBF configuration I have:
class-map type inspect match-any CLASS-INTERNET-DMZ
match protocol icmp
match protocol udp
match protocol tcp
class-map type inspect match-any CLASS-INTERNAL-DMZ
match protocol icmp
match protocol udp
match protocol tcp
class-map match-any CLASS_COX_OUT
match any
class-map type inspect match-any INTERNET-CLASS
match protocol icmp
match protocol udp
match protocol tcp
!
!
policy-map POLICY_COX_OUT
class CLASS_COX_OUT
policy-map type inspect INTERNET-POLICY
class type inspect INTERNET-CLASS
inspect
class class-default
drop
policy-map type inspect POLICY-INTERNET-DMZ
class type inspect CLASS-INTERNET-DMZ
inspect
class class-default
drop
policy-map type inspect POLICY-INTERNAL-DMZ
class type inspect CLASS-INTERNAL-DMZ
inspect
class class-default
drop
!
zone security INTERNAL
description Firewall Zone for Internal Users
zone security DMZ
description Firewall Zone for DMZ Systems
zone security GUEST
description Firewall Zone for Guest Wireless Users
zone security INTERNET
description Firewall Zone for ISP
zone-pair security INTERNAL-INTERNET source INTERNAL destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security DMZ-INTERNET source DMZ destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security GUEST-INTERNET source GUEST destination INTERNET
service-policy type inspect INTERNET-POLICY
zone-pair security INTERNAL-DMZ source INTERNAL destination DMZ
service-policy type inspect POLICY-INTERNAL-DMZ
zone-pair security INTERNET-DMZ source INTERNET destination DMZ
service-policy type inspect POLICY-INTERNET-DMZ
The problem still exists: the internet host cannot ping the DMZ host. What am I missing?
Thank You,
David
04-24-2014 02:06 PM
I have no idea what is going on, but I have done some more testing with WireShark running. The system on the internal network sends out pings to the system in the DMZ. The system in the DMZ seems to see the ping, since WireShark on that system shows the echo request. However, neither system gets an echo reply. Now I am not sure if my problem is the ZBF or something else. I have attached my complete configuration. Can anyone help me understand what I am missing?
Thank You,
David
04-24-2014 11:44 PM
Hello David,
Please try this:
Conf t
!
ip access-list extended INTERNET-TO-DMZ
permit icmp any any
permit tcp any any
permit udp any any
!
class-map type inspect match-any CLASS-INTERNET-DMZ
no match protocol icmp
no match protocol udp
no match protocol tcp
match access-group name INTERNET-TO-DMZ
Please try this, and also do the same with the class-map "INTERNET-CLASS".
04-25-2014 10:20 PM
Bilal,
Just to clarify, how would the changes to the Internet to DMZ affect the Internal to DMZ communications? Or do you mean to make these changes to the Internal to DMZ configurations?
Thank You,
David
04-25-2014 10:46 PM
Hello David, your reply 2 days ago suggested you were having problems with internet to DMZ: "internet host cannot ping the DMZ host."
Anyway, let's do this then (if the problem is internal to DMZ):
ip access-list extended 100
permit ip 192.168.42.0 0.0.0.255 10.0.42.0 0.0.0.255
class-map type inspect match-any CLASS-INTERNAL-DMZ
no match access-group name INSIDE-TO-DMZ <------------ make it a numbered ACL
match access-group 100
04-28-2014 09:41 AM
Bilal,
I cannot believe what the problem is. It seems to be in the Windows 7 host I was testing with. I have replaced that host with two different Linux hosts, and both work with my original configuration. This means I have a better understanding of ZBF than I felt I did. Even though I still cannot ping the original Windows 7 host, I can ping both the Linux hosts as well as FTP and SSH to both of them. Thank you for your help, and I am sorry I was not able to discover this issue sooner.
David
04-28-2014 10:01 AM
Hello David, that is good news! Glad you worked it out in the end. The reason I asked you to change to a numbered ACL is just in case we ever came across a problem with ZBFW: in some IOS code versions it does not behave with named ACLs.
That's okay, as long as you got there in the end, and your post will no doubt help someone else in the future with a similar scenario.