Access lists and zone based security on Cisco 891F

ofer1
Level 1

Hi all,

 

I have been trying to configure a Cisco 891F router to connect some test vlans using zone based security.

I have created 4 zones:

out-zone - where my ISP router is located

user-zone - should have access to the internet

test-zone - should only have access within the zone

prod-zone - should have access to the test zone and the internet

 

I managed to get all the internal communication working as expected, but am having difficulty getting the other zones to connect to the out-zone. Note that I am not using NAT for the out zone, as my ISP router already has NAT in place.

 

From the router itself, I can ping the ISP router (the default route) and also addresses on the internet, but I cannot access them from the other VLANs. From this I understand that this must be some misconfiguration of the access lists, but I can't find exactly what that is and why the same configuration that works for me between VLAN 1 and VLAN 3 does not work for the connection between VLAN 1 and VLAN 5.

 

I have attached the router configuration file here and would appreciate any help.

 

Thanks.

 

 

1 Accepted Solution (the reply further down asking: can the ISP router ping the individual hosts on your Vlans?)
8 Replies

Hi

 

You have a drop in your "policy-map". Take a look at the option you have.

 

 

policy-map type inspect user-policy
class type inspect user-traffic-class
inspect
class class-default
drop
policy-map type inspect user-prod-policy
class type inspect user-prod-traffic-class
inspect
class class-default
drop
policy-map type inspect prod-policy
class type inspect prod-traffic-class
inspect
class class-default
drop

Hello,

 

I am going to lab this up. In the meantime, get rid of all the redundant stuff marked in bold (shown below with a --> prefix):

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test-router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
!
ip domain name test-router.example.com
ip name-server 192.168.0.11
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
class-map type inspect match-all user-traffic-class
match access-group name user-access
class-map type inspect match-all user-prod-traffic-class
match access-group name user-prod-access
class-map type inspect match-all prod-traffic-class
match access-group name prod-access
!
policy-map type inspect user-policy
class type inspect user-traffic-class
inspect
class class-default
drop
policy-map type inspect user-prod-policy
class type inspect user-prod-traffic-class
inspect
class class-default
drop
policy-map type inspect prod-policy
class type inspect prod-traffic-class
inspect
class class-default
drop
!
zone security user-zone
zone security prod-zone
zone security out-zone
zone security test-zone
zone-pair security prod-test source prod-zone destination test-zone
service-policy type inspect prod-policy
zone-pair security prod-out source prod-zone destination out-zone
service-policy type inspect prod-policy
zone-pair security user-out source user-zone destination out-zone
service-policy type inspect user-policy
zone-pair security user-prod source user-zone destination prod-zone
service-policy type inspect user-prod-policy
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 3
no ip address
!
interface GigabitEthernet2
switchport access vlan 4
no ip address
!
interface GigabitEthernet3
switchport access vlan 6
no ip address
!
interface GigabitEthernet4
no ip address
shutdown
!
interface GigabitEthernet5
no ip address
shutdown
!
interface GigabitEthernet6
no ip address
shutdown
!
interface GigabitEthernet7
switchport access vlan 5
no ip address
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip nat inside
ip virtual-reassembly in
zone-member security prod-zone
!
interface Vlan3
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip nat inside
ip virtual-reassembly in
zone-member security test-zone
!
interface Vlan4
ip address 10.0.3.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip nat inside
ip virtual-reassembly in
zone-member security test-zone
!
interface Vlan5
ip address 172.24.0.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip nat inside
ip virtual-reassembly in
zone-member security out-zone
!
interface Vlan6
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip nat inside
ip virtual-reassembly in
zone-member security user-zone
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip dns server
ip route 0.0.0.0 0.0.0.0 172.24.0.1 permanent
--> no ip route 10.0.2.0 255.255.255.0 Vlan3 permanent
--> no ip route 10.0.3.0 255.255.255.0 Vlan4 permanent
--> no ip route 172.16.0.0 255.255.255.0 Vlan6 permanent
--> no ip route 172.24.0.0 255.255.255.0 Vlan5 permanent
--> no ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
!
ip ssh time-out 50
ip ssh authentication-retries 4
ip ssh version 2
!
ip access-list extended prod-access
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended user-access
permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended user-prod-access
permit ip 172.16.0.0 0.0.0.255 host 192.168.0.11
!
--> no access-list 10 permit 192.168.0.0 0.0.0.255
--> no access-list 10 permit 172.16.0.0 0.0.0.255
--> no access-list 10 permit 10.0.2.0 0.0.0.255
--> no access-list 10 permit 10.0.3.0 0.0.0.255
--> no access-list 10 permit 172.24.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
end
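To see how the zone-pairs in the posted config and the class-default drop pointed out above combine, here is an added example in Python that is not from the thread or from Cisco: a small model of the zone-based firewall decision. The interfaces, zones, ACLs, policy-maps and zone-pairs are transcribed from the config; everything else is the model's own assumption, in particular that any destination outside the connected subnets follows the default route out of Vlan5 and so counts as out-zone. Two IOS zone-based firewall rules the config relies on without stating them are built in: traffic to or from the router's own addresses is in the self zone, which is permitted by default when no zone-pair names it (this is why pings from the router itself work no matter what the zone-pairs say), and the reverse direction of an inspected session is allowed by session state rather than by a zone-pair.

```python
import ipaddress

# Transcribed from the posted config: interface address and zone membership.
INTERFACES = {
    "Vlan1": ("192.168.0.1/24", "prod-zone"),
    "Vlan3": ("10.0.2.1/24", "test-zone"),
    "Vlan4": ("10.0.3.1/24", "test-zone"),
    "Vlan5": ("172.24.0.254/24", "out-zone"),
    "Vlan6": ("172.16.0.1/24", "user-zone"),
}
# Assumption of this model: anything outside the connected subnets follows
# "ip route 0.0.0.0 0.0.0.0 172.24.0.1" out of Vlan5.
DEFAULT_ROUTE_IFACE = "Vlan5"

# Named extended ACLs as (source prefix, destination prefix); "any" is 0.0.0.0/0.
ACLS = {
    "prod-access": [("192.168.0.0/24", "0.0.0.0/0")],
    "user-access": [("172.16.0.0/24", "0.0.0.0/0")],
    "user-prod-access": [("172.16.0.0/24", "192.168.0.11/32")],
}
# policy-map -> ordered (ACL behind the class-map, action). A flow that matches
# no class falls into class-default, which the posted policy-maps set to drop.
POLICIES = {
    "prod-policy": [("prod-access", "inspect")],
    "user-policy": [("user-access", "inspect")],
    "user-prod-policy": [("user-prod-access", "inspect")],
}
# zone-pair (source zone, destination zone) -> policy-map. Zone-pairs are
# one-directional; a direction with no entry here has no policy and is dropped.
ZONE_PAIRS = {
    ("prod-zone", "test-zone"): "prod-policy",
    ("prod-zone", "out-zone"): "prod-policy",
    ("user-zone", "out-zone"): "user-policy",
    ("user-zone", "prod-zone"): "user-prod-policy",
}


def interface_for(ip):
    """Connected interface whose subnet holds ip, else the default-route interface."""
    addr = ipaddress.ip_address(ip)
    for name, (cidr, _zone) in INTERFACES.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return DEFAULT_ROUTE_IFACE


def is_router_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_interface(cidr).ip == addr for cidr, _zone in INTERFACES.values())


def acl_permits(acl_name, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in ACLS[acl_name])


class ZoneFirewall:
    """Decides a flow's fate the way the posted zone-based policy does."""

    def __init__(self):
        self.sessions = set()  # (src, dst) flows opened by an "inspect" action

    def evaluate(self, src, dst):
        # Self zone: traffic to/from the router's own addresses is allowed by
        # default because no zone-pair in the config involves "self".
        if is_router_address(src) or is_router_address(dst):
            return "pass-self-zone"
        # The reverse direction of an inspected session is allowed by state.
        if (dst, src) in self.sessions:
            return "pass-return-traffic"
        src_zone = INTERFACES[interface_for(src)][1]
        dst_zone = INTERFACES[interface_for(dst)][1]
        if src_zone == dst_zone:
            return "pass-intrazone"        # same zone: permitted by default
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop-no-zone-pair"     # e.g. test-zone -> out-zone, or unsolicited inbound
        for acl_name, action in POLICIES[policy]:
            if acl_permits(acl_name, src, dst):
                if action == "inspect":
                    self.sessions.add((src, dst))
                return action
        return "drop-class-default"        # zone-pair exists but no class matched


if __name__ == "__main__":
    fw = ZoneFirewall()
    for flow in [("192.168.0.7", "8.8.8.8"),      # prod -> internet: inspected
                 ("8.8.8.8", "192.168.0.7"),      # reply: allowed by session state
                 ("8.8.8.8", "192.168.0.9"),      # unsolicited inbound: dropped
                 ("10.0.2.5", "8.8.8.8"),         # test -> internet: no zone-pair
                 ("10.0.2.5", "10.0.3.5"),        # test -> test: same zone
                 ("172.16.0.9", "192.168.0.11"),  # user -> prod DNS host: inspected
                 ("172.16.0.9", "192.168.0.7"),   # user -> other prod host: class-default drop
                 ("192.168.0.1", "8.8.8.8")]:     # from the router itself: self zone
        print(f"{flow[0]:>14} -> {flow[1]:<14} {fw.evaluate(*flow)}")
```

The model reproduces what the poster reports: prod and user hosts are inspected toward out-zone, test-zone hosts have no zone-pair toward anything and only talk among themselves, and the router's own pings bypass the zone-pairs entirely. It also shows that an unsolicited packet from out-zone to a prod host is dropped, while the reply to an inspected session is let back in; if the reply never reaches the router, as turned out to be the case here, nothing in the zone policy can help.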

Ok thanks, I have removed all the statements in bold.

 

Currently still seeing the same behavior

Hello,

 

I recreated your config in the lab:

 

prod zone (192.168.0.0/24) and user zone 172.16.0.0/24 can access the Internet. prod zone can access test zone. I am using the exact same configuration as you do. 

 

Turn on debugging:

 

debug policy-firewall detail

 

and send a ping from a host in the 192.168.0.0/24 and the 172.16.0.0/24 network to e.g. 8.8.8.8, and post the output of that debug.

I turned on debugging and sent a ping to 8.8.8.8 and this is what I saw in the log:

 

Here is a ping to 8.8.8.8:

.Jan 11 15:30:59.498: FIREWALL*: NEW PAK F956D94 (0:192.168.0.7) (0:8.8.8.8) icmp
.Jan 11 15:30:59.498: FIREWALL*: FSO feature object 0x3A247A0 found
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: SIS_OPENING
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: Pak 0xF956D94 IP: s=192.168.0.7 (Vlan1), d=8.8.8.8 (Vlan5), len 40, proto=icmp
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: L4 result: PASS packet 0xF956D94 (192.168.0.7:0) (8.8.8.8:0) bytes 40
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: L4 inspection ret_val = 3l4_result->fw_dp_insp_err_code = 0session->appl_insp_flags = 0
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: L4 inspection returned 3




And here is a UDP DNS packet:

.Jan 11 14:21:07.218: FIREWALL*: NEW PAK F956D94 (0:192.168.0.17:59654) (0:8.8.8.8:53) udp
.Jan 11 14:21:07.218: FIREWALL*: FSO feature object 0x11B1FF00 found
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: SIS_OPENING
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: Pak 0xF956D94 IP: s=192.168.0.17 (Vlan1), d=8.8.8.8 (Vlan5), len 43, proto=udp
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: Total estab sessions 414
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: max_sessions 2147483647; current sessions 176
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: L4 result: PASS packet 0xF956D94 (192.168.0.17:59654) (8.8.8.8:53) bytes 43
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: L4 inspection ret_val = 3l4_result->fw_dp_insp_err_code = 0session->appl_insp_flags = 0
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: L4 inspection returned 3
.Jan 11 14:21:07.222: FIREWALL*: ret_val 0 is not PASS_PAK
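As an added example that is not part of the thread, here is a Python script that reads debug policy-firewall detail output in the format posted above and reports, per session handle, which flow opened it, whether the first packet got an L4 result of PASS, and whether any packet in the reverse direction was logged against the same session. The sample input is the posted lines plus one constructed reply line for the UDP session, written by hand in the same format and not captured from the router, so that the reply-tracking branch has something to find. Whether a given platform logs reply packets under the session at all is not something the script can know, so "no reply seen" is a pointer to go and look at the return path, which is where this thread ended up.

```python
import re

# Constructed sample: the debug lines posted above, plus one reply-direction
# line for the UDP session (the last line) written by hand in the same format.
# Nothing like that last line appeared in the post.
SAMPLE_LOG = """\
.Jan 11 15:30:59.498: FIREWALL*: NEW PAK F956D94 (0:192.168.0.7) (0:8.8.8.8) icmp
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: SIS_OPENING
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: Pak 0xF956D94 IP: s=192.168.0.7 (Vlan1), d=8.8.8.8 (Vlan5), len 40, proto=icmp
.Jan 11 15:30:59.498: FIREWALL* sis 3A247A0: L4 result: PASS packet 0xF956D94 (192.168.0.7:0) (8.8.8.8:0) bytes 40
.Jan 11 14:21:07.218: FIREWALL*: NEW PAK F956D94 (0:192.168.0.17:59654) (0:8.8.8.8:53) udp
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: SIS_OPENING
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: Pak 0xF956D94 IP: s=192.168.0.17 (Vlan1), d=8.8.8.8 (Vlan5), len 43, proto=udp
.Jan 11 14:21:07.218: FIREWALL* sis 11B1FF00: L4 result: PASS packet 0xF956D94 (192.168.0.17:59654) (8.8.8.8:53) bytes 43
.Jan 11 14:21:07.222: FIREWALL*: ret_val 0 is not PASS_PAK
.Jan 11 14:21:07.260: FIREWALL* sis 11B1FF00: Pak 0xF956E10 IP: s=8.8.8.8 (Vlan5), d=192.168.0.17 (Vlan1), len 87, proto=udp
"""

# One regex per line shape we care about; "sis" is the session handle.
PAK_RE = re.compile(
    r"FIREWALL\* sis (?P<sis>[0-9A-F]+): Pak \w+ IP: s=(?P<src>[\d.]+) \((?P<ingress>\w+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<egress>\w+)\), len (?P<length>\d+), proto=(?P<proto>\w+)")
L4_RE = re.compile(r"FIREWALL\* sis (?P<sis>[0-9A-F]+): L4 result: (?P<result>\w+) packet")
OPEN_RE = re.compile(r"FIREWALL\* sis (?P<sis>[0-9A-F]+): SIS_OPENING")


def parse_sessions(log_text):
    """Group the per-session lines by their 'sis' handle, in order of appearance."""
    sessions = {}
    for line in log_text.splitlines():
        for regex, key in ((OPEN_RE, "opening"), (PAK_RE, "packets"), (L4_RE, "l4")):
            m = regex.search(line)
            if not m:
                continue
            s = sessions.setdefault(m["sis"], {"opening": False, "packets": [], "l4": []})
            if key == "opening":
                s["opening"] = True
            elif key == "packets":
                s["packets"].append({k: m[k] for k in ("src", "ingress", "dst", "egress", "proto")})
            else:
                s["l4"].append(m["result"])
            break
    return sessions


def diagnose(sessions):
    """Per session: the opening flow, whether its first packet passed L4, and whether a reply was logged."""
    report = {}
    for sis, s in sessions.items():
        if not s["packets"]:
            continue
        first = s["packets"][0]
        replies = [p for p in s["packets"][1:]
                   if p["src"] == first["dst"] and p["dst"] == first["src"]]
        report[sis] = {
            "flow": f'{first["proto"]} {first["src"]} ({first["ingress"]}) -> {first["dst"]} ({first["egress"]})',
            "forward_passed": bool(s["l4"]) and s["l4"][0] == "PASS",
            "reply_seen": bool(replies),
        }
    return report


if __name__ == "__main__":
    for sis, r in diagnose(parse_sessions(SAMPLE_LOG)).items():
        note = "reply logged" if r["reply_seen"] else "no reply seen: check the return path"
        print(f'sis {sis}: {r["flow"]}  L4 PASS={r["forward_passed"]}  {note}')
```

On the posted lines both sessions open from Vlan1 toward Vlan5 and both get PASS, so the firewall is not what blocks the forward direction; the ICMP session has no reply packet in the log at all, which is the same observation the accepted reply below makes from the poster's description.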

Hello,

 

I am just thinking: can the ISP router ping the individual hosts on your Vlans ?

That might be the issue, maybe the ping response isn't getting through...

 

I'm not sure if it can ping hosts on the network, and since I don't have access to the ISP router I can't check from it directly.

I can try to check it with the ISP, or I can try and connect something else on that VLAN and try that way.

 

Thanks for the idea, I will get back to this tomorrow or Thursday...

So I got my ISP on the line to check the settings in their router, and it turns out that they had the 192.168.0.X subnet already defined on one of the other interfaces on their router. This caused their router to send the response back through the wrong interface and ignore the routing rule they had in place.

I managed to work it out with them, and now everything is working as expected.

 

Thanks for your help!
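The root cause was a routing-table conflict on the ISP side: a connected 192.168.0.0/24 on another interface beats a static route for the same prefix toward the 891F (equal-length prefixes are settled by administrative distance, and a connected network has distance 0 against 1 for a static route), so replies to prod-zone hosts left the wrong interface. As an added example that is not from the thread, the Python below models that lookup and checks a table for static routes whose whole prefix lies inside a connected network. The ISP table is constructed: the interface names, the 203.0.113.1 upstream next hop and the placement of the stale subnet on Gi0/2 are assumptions; only the 172.24.0.254 next hop and the prefixes come from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str              # destination network in CIDR form
    interface: str           # egress interface
    next_hop: Optional[str]  # None for a connected network
    distance: int            # administrative distance: connected 0, static 1


def lookup(routes, dest):
    """Longest-prefix match; equal-length candidates are settled by distance."""
    d = ipaddress.ip_address(dest)
    candidates = [r for r in routes if d in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))


def shadowed_static_routes(routes):
    """Static routes whose entire prefix sits inside a connected network.

    The connected route wins every lookup for that range, so the static route
    never forwards anything: exactly the ISP-side situation in this thread."""
    connected = [r for r in routes if r.next_hop is None]
    hits = []
    for s in routes:
        if s.next_hop is None:
            continue
        sn = ipaddress.ip_network(s.prefix)
        for c in connected:
            if sn.subnet_of(ipaddress.ip_network(c.prefix)):
                hits.append((s, c))
    return hits


# Constructed picture of the ISP router's table. Assumed: the interface names,
# the 203.0.113.1 upstream next hop, and that the stale 192.168.0.0/24 sat on
# Gi0/2. From the thread: 172.24.0.254 is the 891F's address on the shared VLAN.
ISP_BEFORE = [
    Route("172.24.0.0/24", "Gi0/1", None, 0),
    Route("192.168.0.0/24", "Gi0/2", None, 0),            # the leftover subnet
    Route("192.168.0.0/24", "Gi0/1", "172.24.0.254", 1),  # the route the ISP had in place
    Route("172.16.0.0/24", "Gi0/1", "172.24.0.254", 1),
    Route("0.0.0.0/0", "Gi0/0", "203.0.113.1", 1),
]
# After the fix: the stale connected network is gone and the static route takes over.
ISP_AFTER = [r for r in ISP_BEFORE if not (r.next_hop is None and r.prefix == "192.168.0.0/24")]


if __name__ == "__main__":
    for label, table in (("before", ISP_BEFORE), ("after", ISP_AFTER)):
        r = lookup(table, "192.168.0.7")
        print(f"{label}: reply to 192.168.0.7 leaves {r.interface} via {r.next_hop or 'connected'}")
        for s, c in shadowed_static_routes(table):
            print(f"{label}: static {s.prefix} -> {s.next_hop} is shadowed by connected {c.prefix} on {c.interface}")
```

The same check is worth running on any router that carries both a connected subnet and a static route for overlapping space, whether the overlap comes from a renumbered VLAN or a leftover interface address: the static route stays in the config and looks correct, but never wins a lookup.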