
Zone based FW blocking some eigrp routes

Mike Buyarski
Level 3

With the new ZBFW now getting set up on a couple of our new routers, I am finding a new issue. It appears that with the ZBFW setup I have, the FW is only allowing EIGRP to build the routing table to a certain point and is missing a large number of routes. This is what I have for the FW:

class-map type inspect match-any SECURITY
 match access-group name SECURITY
class-map type inspect match-any self-map
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any FIREOUT
 match protocol http
 match protocol https
 match protocol ftp
 match protocol tftp
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all from-self
 match class-map self-map
class-map type inspect match-all to-self
 match class-map self-map
 match access-group name ACCESS
!
policy-map type inspect INTERNET-POLICY
 class type inspect FIREOUT
  inspect
 class class-default
  drop
policy-map type inspect to-self-pmap
 class type inspect to-self
  inspect
 class class-default
  drop
policy-map type inspect SEC-Policy
 class type inspect SECURITY
  pass
 class class-default
  drop
policy-map type inspect from-self-pmap
 class type inspect from-self
  inspect
 class class-default
  drop
!
zone security inside
 description Bay Network
zone security outside
 description Internet
zone-pair security BAY source inside destination outside
 service-policy type inspect INTERNET-POLICY
zone-pair security SEC-Zone source outside destination inside
 service-policy type inspect SEC-Policy

zone-pair security self-out source self destination outside
 service-policy type inspect from-self-pmap
zone-pair security out-self source outside destination self
 service-policy type inspect to-self-pmap
!

ip access-list extended ACCESS
 permit udp any eq bootps any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp xxx.xxx.xxx.xxx 0.0.0.xxx any eq 22
 permit tcp yyy.yyy.yyy.yyy 0.0.0.yyy any eq 22
 deny   ip any any
ip access-list extended SECURITY
 permit gre any any
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit tcp any eq 1723 any
 permit esp any any
 permit ahp any any
 permit udp any eq isakmp any eq isakmp
 permit udp any any eq 1701
 permit udp any eq 1701 any eq 1701
 permit udp any any eq isakmp
 permit udp any eq non500-isakmp any
 permit udp any any eq non500-isakmp
 deny   ip any any
!

 

If I remove the lines:

zone-pair security self-out source self destination outside
 service-policy type inspect from-self-pmap
zone-pair security out-self source outside destination self
 service-policy type inspect to-self-pmap

I will get all the EIGRP routes, but I open the router up to anyone in the world being able to try to SSH into it.

 

What am I missing to make sure I get all the EIGRP routes?

 

The routes I get are all the routes from the corp office, but no routes from the other remote location subnets.

2 Replies

Hi

I'm pretty sure you need to "pass" the traffic instead of using "inspect" to and from the self zone. At least you had to do that before.

Edit:

You haven't allowed EIGRP to the self zone. EIGRP is neither UDP nor TCP.

! EIGRP is its own IP protocol (88), so it needs its own ACL entry
ip access-list extended EIGRP
 permit eigrp any any

That does not seem to work. I added the permit to the ACL:

ip access-list extended ACCESS
 permit eigrp any any
 permit udp any eq bootps any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp xxx.xxx.xxx.xxx 0.0.0.xxx any eq 22
 permit tcp yyy.yyy.yyy.yyy 0.0.0.yyy any eq 22

but had no change in behavior, even after I cleared EIGRP and it rebuilt. I then set the policy map to pass:

policy-map type inspect to-self-pmap
 class type inspect to-self
  pass
 class class-default
  drop

 

That did not affect the EIGRP routing table, but it did block me from accessing the router from the external IP. Good thing I could still get to it via the inside IP, and the VPN did not drop.

EDIT:

Ignore everything below this. I tried copying parts and it did not work, and when I try to edit I see nothing below this line.

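The self-zone part of the configuration from this thread, rewritten as an added example (not configuration from the original post, from the replies, or from Cisco documentation) to show the two points the replies turn on. EIGRP is IP protocol 88, so a class built from `match protocol tcp`, `udp` and `icmp` never sees it. Because `to-self` is a `match-all` class that nests `self-map`, adding `permit eigrp any any` to the ACCESS ACL changes nothing on its own: the nested TCP/UDP/ICMP condition still fails, and EIGRP falls through to `class-default drop`. Routing traffic therefore gets its own ACL-based class with `pass`, and that `pass` is applied in both the outside-to-self and self-to-outside zone-pairs, because `pass` is stateless and one-directional. The same one-directional behaviour is consistent with the SSH breakage reported above once only the inbound class was switched to `pass`: the router's replies from self to outside were then handed to TCP inspection with no matching session. The ACL name ROUTING-PROTOCOLS and the class-map name ROUTING are assumptions for this example; the existing self-map, to-self and from-self classes, the ACCESS ACL, and the inside/outside policies are left as posted.

```cisco
! ---- Added example: self-zone policy that lets EIGRP through ----
! EIGRP (IP protocol 88) is neither TCP nor UDP, so it must be matched by an
! access-group and must be "pass"ed, not inspected, in BOTH directions between
! the self zone and the outside zone.
!
! ACL name is an assumption for this example. "any any" keeps the example short;
! in production, restrict the source to the neighbour addresses and the
! destination to the neighbours plus the EIGRP multicast group 224.0.0.10.
ip access-list extended ROUTING-PROTOCOLS
 permit eigrp any any
!
class-map type inspect match-any ROUTING
 match access-group name ROUTING-PROTOCOLS
!
! The TCP/UDP/ICMP classes from the post are unchanged. Note that to-self is
! match-all: a packet must match self-map AND the ACCESS ACL, which is why a
! "permit eigrp" line in ACCESS alone can never make EIGRP match this class.
class-map type inspect match-any self-map
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all to-self
 match class-map self-map
 match access-group name ACCESS
class-map type inspect match-all from-self
 match class-map self-map
!
! outside -> self: classes are evaluated in order, so the stateless routing
! class comes first, then stateful inspection of management traffic, then drop.
policy-map type inspect to-self-pmap
 class type inspect ROUTING
  pass
 class type inspect to-self
  inspect
 class class-default
  drop
!
! self -> outside: the router's own hellos and updates need "pass" here too,
! because pass creates no session entry that would admit the reverse direction.
policy-map type inspect from-self-pmap
 class type inspect ROUTING
  pass
 class type inspect from-self
  inspect
 class class-default
  drop
!
zone-pair security out-self source outside destination self
 service-policy type inspect to-self-pmap
zone-pair security self-out source self destination outside
 service-policy type inspect from-self-pmap
!
! Verification (exec mode): the ROUTING class should show pass counters rising
! on both zone-pairs, and the neighbour and topology tables should fill back in.
! show policy-map type inspect zone-pair out-self
! show policy-map type inspect zone-pair self-out
! show ip eigrp neighbors
! show ip eigrp topology
```

If some neighbours still do not appear after this change, check which interface the missing adjacencies form over and whether that interface is a member of the `outside` zone at all; an interface in no zone does not go through these zone-pairs, and the posted configuration does not show the interface assignments.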