11-01-2016 08:38 AM - edited 03-05-2019 07:23 AM
Hello Everyone
Hello Cisco Pro People!
I am trying to set up my 1841 router for my 3 clients here in the house (Trust, zone LAN); in the meantime I have read a lot of papers, but now I don't see my next step.
- If I connect the "ZONE Policy Security Internet" to Fa0/0, I can't ping anything outside in my untrust zone.
- If I disconnect the "ZONE Policy Security Internet" from Fa0/0, I can and have the possibility to ping everything in the untrust zone from the CLI.
I want to create with my 1841 a little "FW" that I need to secure my untrust side, so I thought the Zone Based Firewall would be a good choice. The logical point is that my zone policy contains some big mistake; that's my point now..... but I don't see it....... please, where is my mistake?
Is it possible to give me any help here?
I made a little design of what I think the structured LAN topology (Untrust/Trust) should be, and attached the run file from my router.
Thanks for any message that I can get!
Best regards
Mauri
11-01-2016 02:06 PM
Hello,
at first glance, I think you forgot to add 'inspect' to your policy map:
policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  --> inspect
 class class-default
  drop
11-02-2016 02:51 AM
Hello gpauwen,
Thanks for your quick feedback. After reading your help and modifying this, I also see a mistake in the zone-pair security with the "service-policy".
policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  --> inspect
Thanks a lot for your help.
Also adding this to the zone-pair:
zone-pair security LAN2INTERNET source LAN destination INTERNET
 --> service-policy type inspect LAN2INTERNET
But now my interface Fa0/0 doesn't get any IP from the ISP:
Router# release dhcp fa0/0
Router# renew dhcp fa0/0
Not in Bound state.
Router# sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES DHCP up up
FastEthernet0/1 192.168.1.254 YES NVRAM up up
If I delete the "zone-member security INTERNET" from Fa0/0, I get the IP from the ISP.
I think I have some other trouble with my zones or the policy settings.
I have now added the new run file to this post.
Thanks for any possible help!
Best regards
Mauri
11-02-2016 05:04 AM
Hello,
try and add the following:
class-map type inspect match-all ICMP
 match protocol icmp
class-map type inspect match-all SSH
 match access-group 100
class-map type inspect match-any LAN2INTERNET
 match protocol icmp
 match protocol http
 match protocol https
 match protocol bootpc
 match protocol bootps
11-03-2016 01:43 AM
Hello all,
Now on Fa0/0 I have the IP from the ISP,
and on Fa0/1 the clients in "LAN" get the assigned IP range,
but tracert from a client to the Internet isn't possible.
Ping from the Cisco console works.
Ping from a client doesn't work.
Router#sh zone-pair security
Zone-pair name LAN2INTERNET
    Source-Zone LAN  Destination-Zone INTERNET
    service-policy not configured
Zone-pair name INTERNET2SELF
    Source-Zone INTERNET  Destination-Zone self
    service-policy not configured
Zone-pair name LAN2SELF
    Source-Zone LAN  Destination-Zone self
    service-policy not configured
Router#sh policy-map type inspect
  Policy Map type inspect INTERNET2SELF
    Class ICMP
      Inspect
    Class class-default
  Policy Map type inspect LAN2INTERNET
    Class LAN2INTERNET
      Inspect
    Class class-default
  Policy Map type inspect LAN2SELF
    Class SSH
      Inspect
    Class class-default
Thanks to all for any possible help!
Regards
11-03-2016 02:15 AM
The problem is that your zone pair INTERNET2SELF has 'self' as the destination. 'Self' is the router and nothing else. Change it to:
Zone-pair name INTERNET2SELF
Source-Zone INTERNET Destination-Zone LAN
and check if traceroute and ping from the clients work after that configuration change.
11-03-2016 12:20 PM
Hello,
you don't have any service policies configured for your zone pairs. This is what the zone pairs should look like:
zone-pair security LAN2INTERNET source LAN destination INTERNET
 service-policy type inspect LAN2INTERNET
zone-pair security INTERNET2SELF source INTERNET destination LAN
 service-policy type inspect INTERNET2SELF
zone-pair security LAN2SELF source LAN destination SELF
 service-policy type inspect LAN2SELF
11-03-2016 01:11 PM
Hello,
keep in mind that a zone must be configured before interfaces can be assigned to the zone.
I would start from scratch:
1. remove all security zone configuration from the interfaces
2. make sure the security zone configuration and security policy assignments are in place
3. reassign the security zones to the interfaces
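A complete zone-based firewall configuration in the order of those three steps, as an added example assembled from the pieces in this thread rather than the poster's run file; it assumes the thread's addressing (192.168.1.0/24 on Fa0/1, ISP DHCP on Fa0/0), that the router also hands out DHCP to the LAN, and that NAT overload is configured separately. Unlike the thread's pieces, it passes DHCP in the self-zone pairs instead of inspecting it, which is what lets the router's own DHCP client work with Fa0/0 inside the INTERNET zone.

```cisco
! Step 2 before step 3: zones must exist before an interface can join them.
zone security LAN
zone security INTERNET
! Assumed addressing: LAN 192.168.1.0/24 on Fa0/1, ISP DHCP on Fa0/0.
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22
ip access-list extended DHCP-ACL
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
class-map type inspect match-any LAN2INTERNET
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
class-map type inspect match-all SSH
 match access-group 100
class-map type inspect match-all DHCP
 match access-group name DHCP-ACL
! Every class needs an action; the first post's map had no 'inspect'.
policy-map type inspect LAN2INTERNET
 class type inspect LAN2INTERNET
  inspect
 class class-default
  drop log
! 'pass' is stateless, so the ISP's DHCP offer/ack to the router is matched explicitly.
policy-map type inspect INTERNET2SELF
 class type inspect DHCP
  pass
 class class-default
  drop log
! Once LAN->self is policed, clients must still reach the router for DHCP and SSH.
policy-map type inspect LAN2SELF
 class type inspect DHCP
  pass
 class type inspect SSH
  inspect
 class class-default
  drop log
! Every zone-pair carries its service-policy ('service-policy not configured' was the symptom).
zone-pair security LAN2INTERNET source LAN destination INTERNET
 service-policy type inspect LAN2INTERNET
zone-pair security INTERNET2SELF source INTERNET destination self
 service-policy type inspect INTERNET2SELF
zone-pair security LAN2SELF source LAN destination self
 service-policy type inspect LAN2SELF
! Step 3: the interfaces join the zones last.
interface FastEthernet0/0
 ip address dhcp
 zone-member security INTERNET
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 zone-member security LAN
```

Afterwards, show zone-pair security should list a policy on every pair instead of "service-policy not configured", and show policy-map type inspect zone-pair sessions shows the inspected sessions the LAN clients open.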