08-12-2019 01:03 PM - edited 08-12-2019 01:16 PM
Hi everybody,
I have some problems with new ISR devices (like 4221, 4451, etc.). A bunch of old routers use the same configuration with simple CBAC (ip inspect xxx) and an incoming ACL on the external interface (permit SSH from a specific network, anti-spoofing, VPN, and deny any), very simple.
But this configuration doesn't work with ISRs. I created a zone firewall and assigned zones, but my old ACL blocks all HTTP traffic (maybe something else too, but it is very easy to see with HTTP). When I remove it, everything works fine, but I cannot open SSH only for specific addresses; I don't know why, but it doesn't work with ZBF.
Not sure whether ZBF sits before or after NAT... maybe this is the issue.
thanks
08-12-2019 03:46 PM
Thanks RJI. Looks like the problem was in the SELF zone. But right now the opposite problem: SSH is locked from outside :)
In your example, when I change PASS to INSPECT, SSH is available:
policy-map type inspect PMAP_EXTERNAL-TO-SELF
 class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
  pass
 class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
  pass   ! (I changed this to INSPECT)
 class class-default
  drop log
--------------------------------------------------
PASS really confused me; it doesn't work in any policy-map... I changed it to INSPECT everywhere...
thanks
08-12-2019 01:45 PM
Yes, sure! This is my config... I think part of it is wrong, I just tried to play with zones...
The last part is my access list. When I add it to interface Cell 0/1/0, HTTP traffic is blocked... I tried to use it in the class-map, but in that case it doesn't work at all.
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol router
!
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE_IN_POLICY
 class type inspect OUTSIDE_IN_CLASS
  drop
 class class-default
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect Trusted_to_Internet
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_IN_POLICY
--------------------------------
interface Cellular0/1/0
 description TELUS-LTE
 ip address negotiated
 ip nat outside
 ip access-group OUTSIDE_IN in
 zone-member security OUTSIDE
 dialer in-band
 dialer-group 1
 pulse-time 1
------------------------------
interface GigabitEthernet0/0/1
 description INTERNAL
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 negotiation auto
--------------------------------
ip access-list extended INTERNET_IN
 permit icmp any any echo
 permit udp host 8.8.8.8 eq domain any
 permit udp any any eq ntp
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp (my network) 0.0.0.7 any eq 22 443
 deny ip any any
08-12-2019 02:04 PM
Hi,
You shouldn't really mix and match using ZBFW for some zones and then an ACL on the Cell0/1/0 interface. You should make a zone pair from self to outside and another for outside to self. When using zones with the self interface they can only be "pass", not "inspect".
Example (outside to self):-
ip access-list extended ACL_EXTERNAL-TO-SELF-IPSEC
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq telnet
 permit tcp any any eq 22
!
class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-IPSEC
 match access-group name ACL_EXTERNAL-TO-SELF-IPSEC
class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-MGMT
 match access-group name ACL_EXTERNAL-TO-SELF-MGMT
!
policy-map type inspect PMAP_EXTERNAL-TO-SELF
 class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
  pass
 class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
  pass
 class class-default
  drop log
!
zone-pair security EXTERNAL-TO-SELF source OUTSIDE destination self
 service-policy type inspect PMAP_EXTERNAL-TO-SELF
Example (self to outside):-
class-map type inspect match-any CMAP_SELF-OUT-ICMP
 match protocol icmp
class-map type inspect match-any CMAP_SELF-OUT-ISAKMP
 match protocol isakmp
!
policy-map type inspect PMAP_SELF-OUT
 class type inspect CMAP_SELF-OUT-ISAKMP
  pass
 class type inspect CMAP_SELF-OUT-ICMP
  pass
 class class-default
  drop
!
zone-pair security self-ext source self destination OUTSIDE
 service-policy type inspect PMAP_SELF-OUT
Also, you've not included the class-map for OUTSIDE_IN_CLASS, so I can't tell what that's doing.
For testing purposes define a class-default that is last in the policy, that drops and logs traffic, so you can get some hits and determine what is not matching.
HTH
08-12-2019 02:25 PM
Thanks! Trying now.
And here I can change ANY to a network, correct? And allow SSH only from a specific address?
ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
 permit icmp any any echo
 permit icmp any any echo-reply
 permit tcp any any eq telnet
 permit tcp any any eq 22
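Added example, written for this thread and not taken from RJI's or the original poster's config: it combines RJI's outside-to-self / self-to-outside zone pairs with the source restriction asked about above, so that SSH to the router is accepted only from one management network. The management prefix 198.51.100.0/29 is a placeholder from the documentation range; the zone and interface names are the ones already used in the thread. One general ZBF behaviour drives the choice of actions: `pass` forwards packets statelessly and creates no session, so a TCP connection passed in from OUTSIDE to self also needs its reply direction permitted in the self-to-OUTSIDE pair, whereas `inspect` creates a session entry and admits the return traffic automatically, which is consistent with what the poster later observed when switching the management class from PASS to INSPECT.

```cisco
! Added example; 198.51.100.0/29 is a placeholder for the real management network.
! Zones as already defined in the thread:
zone security INSIDE
zone security OUTSIDE
!
! --- Traffic destined to the router itself (OUTSIDE -> self) ---
ip access-list extended ACL_EXTERNAL-TO-SELF-IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
! SSH only from the management network (0.0.0.7 wildcard = /29);
! "permit tcp any any eq 22" would expose the CLI to every source.
ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
 permit tcp 198.51.100.0 0.0.0.7 any eq 22
 permit icmp any any echo
!
class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-IPSEC
 match access-group name ACL_EXTERNAL-TO-SELF-IPSEC
class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-MGMT
 match access-group name ACL_EXTERNAL-TO-SELF-MGMT
!
policy-map type inspect PMAP_EXTERNAL-TO-SELF
 class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
  pass
 class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
  inspect
 class class-default
  drop log
!
zone-pair security EXTERNAL-TO-SELF source OUTSIDE destination self
 service-policy type inspect PMAP_EXTERNAL-TO-SELF
!
! --- Traffic originated by the router (self -> OUTSIDE) ---
! pass is stateless, so ESP/ISAKMP leaving the router need their own pass.
ip access-list extended ACL_SELF-TO-EXTERNAL-IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any CMAP_SELF-TO-EXTERNAL-IPSEC
 match access-group name ACL_SELF-TO-EXTERNAL-IPSEC
! Router-originated DNS, NTP, ICMP and TCP sessions: inspected so replies return.
class-map type inspect match-any CMAP_SELF-TO-EXTERNAL-ORIGINATED
 match protocol icmp
 match protocol udp
 match protocol tcp
!
policy-map type inspect PMAP_SELF-TO-EXTERNAL
 class type inspect CMAP_SELF-TO-EXTERNAL-IPSEC
  pass
 class type inspect CMAP_SELF-TO-EXTERNAL-ORIGINATED
  inspect
 class class-default
  drop log
!
zone-pair security SELF-TO-EXTERNAL source self destination OUTSIDE
 service-policy type inspect PMAP_SELF-TO-EXTERNAL
!
! The outside interface keeps only its zone membership; the interface ACL
! from the original config is removed so ZBF alone decides.
interface Cellular0/1/0
 zone-member security OUTSIDE
 no ip access-group OUTSIDE_IN in
```

To see which class a blocked connection lands in, `show policy-map type inspect zone-pair EXTERNAL-TO-SELF` shows per-class packet counters, and the `drop log` on class-default produces a syslog line for each unmatched packet, which is the quickest way to confirm that an SSH attempt from outside the management network is being dropped rather than silently mis-classified.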
08-13-2019 09:31 AM
Understood!
We need pairs for the router itself and for the internal zone!!!!
Thanks guys!!!