08-01-2018 01:27 PM - edited 02-21-2020 08:02 AM
Hi
I am having a problem with my newly configured ZBF I have on my c2811 router. Traffic appears to be fine in and out, but that's the problem: the firewall only appears to be doing half a job. When I do not apply either a class or policy there is no traffic, but when I do for TCP and UDP, my SSH is still working from the outside. Any ideas why this might be? I have a port forward on 22 for remote access but don't think that is the issue. This is my config, which is pretty basic at the moment... :-)
hostname Joels-Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
memory-size iomem 25
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.0.100
ip dhcp excluded-address 192.168.0.150
ip dhcp excluded-address 192.168.0.101
ip dhcp excluded-address 192.168.0.200
ip dhcp excluded-address 192.168.0.10
ip dhcp excluded-address 192.168.0.15
ip dhcp excluded-address 192.168.0.152
ip dhcp excluded-address 192.168.0.16
ip dhcp excluded-address 192.168.0.21
ip dhcp excluded-address 192.168.0.24
ip dhcp excluded-address 192.168.0.22
ip dhcp excluded-address 192.168.0.23
!
ip dhcp pool DATA
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.150
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip domain name me.com
login block-for 180 attempts 5 within 90
login quiet-mode access-class PERMIT-ACCESS
login on-failure log
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FCZ131570RT
!
username me privilege 15 secret 5
!
redundancy
!
!
ip ssh version 2
!
class-map type inspect match-any ZBF_CM_IN2OUT
match protocol tcp
match protocol udp
class-map type inspect match-any ZBF_CM_OUT2IN
match protocol tcp
match protocol udp
!
!
policy-map type inspect ZBF_PM_IN2OUT
class type inspect ZBF_CM_IN2OUT
inspect
class class-default
drop
policy-map type inspect ZBF_PM_OUT2IN
class type inspect ZBF_CM_OUT2IN
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN2OUT source INSIDE destination OUTSIDE
service-policy type inspect ZBF_PM_IN2OUT
zone-pair security OUT2IN source OUTSIDE destination INSIDE
service-policy type inspect ZBF_PM_OUT2IN
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.150 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.15 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.0.15 902 interface FastEthernet0/0 902
ip nat inside source static tcp 192.168.0.150 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.0.150 3074 interface FastEthernet0/0 3074
!
ip access-list standard PERMIT-ACCESS
permit 192.168.0.10
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
end
08-01-2018 02:30 PM
Not sure if I really understand your problem. But with a zone-pair with correct policy and a class assigned to OUTSIDE to INSIDE, then all TCP/UDP traffic is allowed and inspected. The firewall does exactly what you configured.
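As an added example (not part of Karsten's reply and not the original poster's config), here is one way to narrow what the OUT2IN pair admits and to filter traffic addressed to the router itself. The posted classes match the whole tcp and udp protocols, so SSH (TCP/22) simply matches and is inspected. Separately, connections to the WAN address itself (SSH arriving via the static NAT to 192.168.0.150, which is the router's own inside address, and pings to Fa0/0) belong to the built-in self zone, which permits everything until a zone-pair involving self is configured, so the OUT2IN policy never sees them. The ACL names, the 203.0.113.0/24 management range, and the assumption that the firewall classifies OUTSIDE-to-INSIDE traffic on post-NAT (inside) addresses are mine, not taken from the thread.

```cisco
! Added example, not from the thread. Names and the 203.0.113.0/24
! management range are constructed assumptions.
!
! 1) OUTSIDE -> INSIDE: admit only the services that are actually
!    forwarded (post-NAT inside addresses), instead of any TCP/UDP.
ip access-list extended ACL_FORWARDED_SERVICES
 permit tcp any host 192.168.0.15 eq 443
 permit tcp any host 192.168.0.15 eq 902
 permit tcp any host 192.168.0.150 eq 3074
!
class-map type inspect match-all ZBF_CM_OUT2IN
 match access-group name ACL_FORWARDED_SERVICES
!
policy-map type inspect ZBF_PM_OUT2IN
 class type inspect ZBF_CM_OUT2IN
  inspect
 class class-default
  drop log
!
! 2) OUTSIDE -> self: traffic destined to the router itself (SSH to the
!    WAN IP, ICMP to Fa0/0) bypasses the OUT2IN pair; it is only
!    filtered once a zone-pair with the self zone exists.
ip access-list extended ACL_MGMT_SSH
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
!
! Fa0/0 takes its address by DHCP, so the DHCP client exchange must
! survive the new policy.
ip access-list extended ACL_DHCP_CLIENT
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all ZBF_CM_OUT2SELF_SSH
 match access-group name ACL_MGMT_SSH
class-map type inspect match-all ZBF_CM_OUT2SELF_DHCP
 match access-group name ACL_DHCP_CLIENT
class-map type inspect match-any ZBF_CM_OUT2SELF_ICMP
 match protocol icmp
!
policy-map type inspect ZBF_PM_OUT2SELF
 class type inspect ZBF_CM_OUT2SELF_SSH
  pass
 class type inspect ZBF_CM_OUT2SELF_DHCP
  pass
 class type inspect ZBF_CM_OUT2SELF_ICMP
  pass
 class class-default
  drop log
!
zone-pair security OUT2SELF source OUTSIDE destination self
 service-policy type inspect ZBF_PM_OUT2SELF
```

Once the OUT2SELF pair is in place, anything else the router itself initiates toward the WAN (DNS lookups, NTP) gets its return packets dropped by the class-default unless you add a matching pass class or an inspect policy on a self-to-OUTSIDE pair, so check "show policy-map type inspect zone-pair" drop counters after applying it. The management-range restriction on SSH is in addition to the existing login block-for and transport input ssh settings, not a replacement for them.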
08-01-2018 02:36 PM - edited 08-01-2018 02:39 PM
Hi Karsten
I was attempting to block SSH on the OUT2IN policy, but for some reason it remains open for access. The same applies to ICMP into my external interface on FastEthernet 0/0, neither of which is included in the match protocol list. That seems a little odd to me. I'm not too concerned about the ICMP pinging on the external interface, but I am about SSH. I do want SSH to be available, which is why I have a port forward on it, but even without that, SSH is still open and not listed as a match protocol SSH option in the OUT2IN policy. I appreciate SSH is using TCP, but thought I would still be able to block it even with the match protocol tcp option.
Thank you for your quick reply on this. I've been looking at this for hours!
martin