09-02-2019 01:00 AM
Dear Community
We have just set up a new C1113-8P router in our test lab and are trying to get internet access, without success. Here is our running-config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret *
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 192.168.111.1
lease 0 2
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username tst privilege 15 secret *
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface ATM0/2/0
description *** ADSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no atm ilmi-keepalive
no atm enable-ilmi-trap
pvc 8/35
pppoe-client dial-pool-number 1
!
interface Ethernet0/2/0
description *** VDSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
ip access-group 101 in
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
interface Dialer1
description *** INTERNET
bandwidth 1000
bandwidth receive 40000
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
ip access-group 151 in
encapsulation ppp
dialer pool 1
dialer remote-name *
no cdp enable
ppp authentication chap callin
ppp chap hostname secret
ppp chap password secret
ppp pap refuse
ppp ipcp dns request
ppp ipcp wins request
ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip nat inside source list 180 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 62.204.124.0 0.0.0.15
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 212.60.60.224 0.0.0.31
access-list 1 permit 213.221.255.144 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit tcp host 192.168.111.100 host 194.138.37.194 eq 443
access-list 151 permit esp any host public ip
access-list 151 permit udp any host public ip eq isakmp
access-list 151 permit udp any host public ip eq non500-isakmp
access-list 151 remark *** IPSEC -> LAN
access-list 151 permit ip 10.199.1.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 151 remark *** NTP
access-list 151 permit udp host 8.8.4.4 eq domain any
access-list 151 permit udp host 8.8.8.8 eq domain any
access-list 151 permit udp host 130.149.17.21 eq ntp any eq ntp
access-list 151 remark *** ICMP
access-list 151 permit icmp any any echo-reply
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any echo
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any packet-too-big
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any time-exceeded
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any traceroute
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any unreachable
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq 22
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq 443
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq www
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any administratively-prohibited
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any echo
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any packet-too-big
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any time-exceeded
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any traceroute
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any unreachable
access-list 151 permit tcp 212.60.60.224 0.0.0.31 host public ip eq 22
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any echo
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any packet-too-big
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any time-exceeded
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any traceroute
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any unreachable
access-list 151 permit tcp 213.221.255.144 0.0.0.15 host public ip eq 22
access-list 151 deny ip any any log
access-list 180 remark *** NAT (inside source translation)
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 192.168.96.0 0.0.7.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip any any
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
access-list 190 remark *** IPsec VPN Client
access-list 190 permit ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 192 permit ip 192.168.111.0 0.0.0.255 192.168.96.0 0.0.7.255
access-list 192 permit ip 192.168.111.0 0.0.0.255 172.18.0.0 0.0.255.255
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
The WAN link is a VDSL subscriber line.
The command show ip int brief validates that the VDSL Ethernet0 interface is up and the Dialer1 interface is connected to our ISP.
However, we are not able to ping, use HTTP/HTTPS or even DNS.
On the old IOS systems we used the ip inspect command (CBAC, Context-Based Access Control); on IOS-XE this command is not available anymore. Is there any easy way to get internet access on IOS-XE routers?
Thank you for your assistance.
09-02-2019 02:14 AM
09-02-2019 02:40 AM
TST-RO-001#sh ip nat translations
Pro  Inside global     Inside local     Outside local        Outside global
icmp public_ip:7      public_ip:0      103.140.194.18:0     103.140.194.18:7
udp  public_ip:512    public_ip:123    130.149.17.21:123    130.149.17.21:123
icmp public_ip:4      public_ip:0      130.149.17.21:0      130.149.17.21:4
icmp public_ip:2      public_ip:1      8.8.8.8:1            8.8.8.8:2
icmp public_ip:1      public_ip:0      185.209.0.31:0       185.209.0.31:1
icmp public_ip:5      public_ip:0      185.153.198.196:0    185.153.198.196:5
icmp public_ip:6      public_ip:0      123.30.146.218:0     123.30.146.218:6
Total number of translations: 7

TST-RO-001#ping 8.8.8.8 source vlan 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.111.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms

TST-RO-001#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.111.1           -   c4f7.ffff.ffff  ARPA   Vlan200
Internet  192.168.111.11          0   0050.ffff.ffff  ARPA   Vlan200
As you can see, the connection seems to be fine. However, DNS is not working at all.
We used to have the same issues on old IOS devices, but they were solved by implementing CBAC with ip inspect commands to bypass our access lists for internet access.
This command is gone in IOS-XE and has been replaced with the zone-based policy firewall. We just don't know how to implement it.
09-02-2019 03:14 AM - edited 09-02-2019 03:15 AM
editing
09-04-2019 01:08 AM
Any Updates on that topic?
09-04-2019 02:09 AM
Hello,
I can see multiple issues with your configuration.
The access list 101, applied to the Vlan 200 interface, is obsolete, since the first line allows everything. Remove that access list from the interface.
The access list 151, applied to the Dialer interface, is very restrictive and apparently only allows access to a few hosts on the Internet. Is that what you want?
The local NAT pool is obsolete; remove that from the configuration.
Attached is the revised configuration, stripped to just the basics. Check if you get to the Internet with that (important parts marked in bold):
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret *
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username tst privilege 15 secret *
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface ATM0/2/0
description *** ADSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no atm ilmi-keepalive
no atm enable-ilmi-trap
pvc 8/35
pppoe-client dial-pool-number 1
!
interface Ethernet0/2/0
description *** VDSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
interface Dialer1
description *** INTERNET
bandwidth 1000
bandwidth receive 40000
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer remote-name *
no cdp enable
ppp authentication chap callin
ppp chap hostname secret
ppp chap password secret
ppp pap refuse
ppp ipcp dns request
ppp ipcp wins request
ip virtual-reassembly
!
ip nat inside source list 180 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 62.204.124.0 0.0.0.15
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 212.60.60.224 0.0.0.31
access-list 1 permit 213.221.255.144 0.0.0.15
!
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
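The shadowing the reply above points out for ACL 101 (its first line permits everything, so the second line can never be hit) also exists in ACL 180 as originally posted, where `permit ip any any` precedes the 192.168.111.0/24 entry. The check can be done mechanically. The following is an added example, not code from the thread or from Cisco: it parses numbered extended ACL entries in the form they are posted here (the sample below is constructed from ACLs 101 and 180 in the first post) and reports every entry that an earlier entry in the same list already fully covers, since IOS stops at the first match. Wildcard containment is checked bit-wise, so it is also correct for non-contiguous wildcards. The names `parse_ace`, `covers` and `shadowed_entries` are chosen here.

```python
"""Find shadowed (unreachable) entries in Cisco numbered extended ACLs.
IOS evaluates an ACL top-down and stops at the first match, so an entry whose
packets are all matched by an earlier entry can never be hit, whatever its
action.  Only the forms used in the thread are parsed: any | host A | A WILDCARD,
with an optional 'eq PORT' after either address."""
import re
from ipaddress import IPv4Address

# Constructed sample: ACLs 101 and 180 as posted in the thread's first config.
SAMPLE_ACLS = """\
access-list 101 permit ip any any
access-list 101 permit tcp host 192.168.111.100 host 194.138.37.194 eq 443
access-list 180 remark *** NAT (inside source translation)
access-list 180 deny ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny ip 192.168.111.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip any any
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
"""
ANY = (0, 0xFFFFFFFF)  # (address, wildcard): a wildcard bit of 1 means "don't care"


def parse_addr(tokens):
    """Consume one address spec from the token list; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def parse_port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, rest)."""
    return (tokens[1], tokens[2:]) if tokens[:1] == ["eq"] else (None, tokens)


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'; None otherwise."""
    m = re.match(r"access-list (\d+) (permit|deny) (ip|tcp|udp|icmp|esp) (.*)", line.strip())
    if not m:  # remarks and standard (no-protocol) ACL entries are skipped
        return None
    src, rest = parse_addr(m[4].split())
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, _ = parse_port(rest)
    return {"acl": m[1], "action": m[2], "proto": m[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "line": line.strip()}


def covers(outer, inner):
    """True when every address matched by inner (addr, wildcard) is matched by outer."""
    (oa, ow), (ia, iw) = outer, inner
    fixed = ~ow & 0xFFFFFFFF  # the bits the outer entry insists on
    # inner may not leave any of those bits free, and must agree with outer on them
    return (iw & fixed) == 0 and ((ia ^ oa) & fixed) == 0


def ace_covers(outer, inner):
    """True when the outer entry matches every packet the inner entry matches."""
    return (outer["proto"] in ("ip", inner["proto"])
            and covers(outer["src"], inner["src"]) and covers(outer["dst"], inner["dst"])
            and outer["sport"] in (None, inner["sport"])
            and outer["dport"] in (None, inner["dport"]))


def shadowed_entries(text):
    """Return [(shadowed entry, earlier entry that shadows it)] in config order."""
    by_acl = {}
    for line in text.splitlines():
        if ace := parse_ace(line):
            by_acl.setdefault(ace["acl"], []).append(ace)
    findings = []
    for aces in by_acl.values():
        for i, later in enumerate(aces):
            earlier = next((e for e in aces[:i] if ace_covers(e, later)), None)
            if earlier:
                findings.append((later["line"], earlier["line"]))
    return findings


if __name__ == "__main__":
    for dead, by in shadowed_entries(SAMPLE_ACLS):
        print(f"UNREACHABLE: {dead}\n  shadowed by: {by}")
```

Note that the check is about reachability, not intent: an unreachable `permit` is harmless noise, but an unreachable `deny` (a specific block placed after a broad permit) is a silent policy hole, so both are reported.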
09-27-2019 12:59 AM
Hi thank you for your answer.
NAT is working now. I've implemented the correct ACL 180.
Now I would like to activate the zone-based firewall but can't get it to work properly. We would only like to allow ICMP, SSH and HTTPS access to the router SELF from OUTSIDE.
Please see below our configuration:
INSIDE:
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
OUTSIDE:
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly
And now the Zone Based Firewall config:
class-map type inspect match-any OUTSIDE_SELF_app
match protocol icmp
match protocol ssh
match protocol https
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
SSH, ICMP and HTTPS access is possible now from OUTSIDE to SELF. However, all clients within VLAN 200 have no access to the internet anymore. We are pretty stuck with that configuration and can't figure out how to get internet access working again.
TST-RO-001#ping 8.8.8.8 source vlan 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.111.1
.....
Success rate is 0 percent (0/5)
09-27-2019 01:41 AM
Hello,
Post the full running configuration; we need to see the access lists you are matching against...
09-27-2019 02:05 AM - edited 09-27-2019 02:11 AM
Here is our full running-config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 192.168.111.1
lease 0 2
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret blabla
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any OUTSIDE_SELF_app
match protocol icmp
match protocol ssh
match protocol https
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip access-list extended OUTSIDE_SELF_acl
permit ip any any
ip access-list extended Web_acl
permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 10.199.2.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 10.199.3.0 0.0.0.255
access-list 1 permit 10.199.4.0 0.0.0.255
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
09-27-2019 02:01 AM
It looks like you are missing the inside-to-self and self-to-inside parts. Add the below to your configuration:
ip access-list extended SELF_INSIDE_ACL
permit ip any any
!
class-map type inspect INSIDE_SELF_CLASS
match access-group name SELF_INSIDE_ACL
!
policy-map type inspect INSIDE_SELF_POLICY
class INSIDE_SELF_CLASS
inspect
!
policy-map type inspect SELF_INSIDE_POLICY
class INSIDE_SELF_CLASS
inspect
!
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect SELF_INSIDE_POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect INSIDE_SELF_POLICY
09-30-2019 12:48 AM
Thank you for your answer. I've implemented your configuration. Unfortunately the issue remains the same.
I'm able to ping, let's say, 8.8.8.8.
However DNS resolution is not possible at all with applied Zone Based Firewall:
TST-RO-001#ping google.com
% Unrecognized host or address, or protocol not running.
If I remove the ZBF from the desired interfaces everything is working fine.
It seems like the OUTSIDE_SELF policy is too restrictive? I only want to allow HTTPS, SSH and ICMP in the OUTSIDE_SELF policy from defined networks. I just can't figure out why DNS is not working at all. Pinging IP addresses from VLAN 200 to the OUTSIDE interface is working without issues. Only DNS is blocked.
09-30-2019 12:56 AM
Hello,
Post the current running configuration including the changes you have implemented...
09-30-2019 01:37 AM - edited 09-30-2019 01:39 AM
Here is the current running-config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot system flash c1100-universalk9_ias.16.09.04.SPA.bin
boot-end-marker
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 192.168.111.1
lease 0 2
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret blabla
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
class-map type inspect match-any OUTSIDE_SELF_app
match protocol https
match protocol ssh
match protocol icmp
class-map type inspect match-all INSIDE_SELF_CLASS
match access-group name SELF_INSIDE_ACL
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
class class-default
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
policy-map type inspect SELF_INSIDE_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
class class-default
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect INSIDE_SELF_POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect SELF_INSIDE_POLICY
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
ip access-list extended OUTSIDE_SELF_acl
permit ip any any
ip access-list extended SELF_INSIDE_ACL
permit ip any any
ip access-list extended Web_acl
permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
ip access-list extended 180
permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
!
end
09-30-2019 02:09 AM
Hello,
It looks like you are missing the self-to-outside part. Make the changes/additions marked in bold:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot system flash c1100-universalk9_ias.16.09.04.SPA.bin
boot-end-marker
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 192.168.111.1
lease 0 2
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret blabla
!
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
class-map type inspect match-any OUTSIDE_SELF_CLASS
match protocol https
match protocol ssh
match protocol icmp
class-map type inspect match-any SELF_OUTSIDE_CLASS
match protocol https
match protocol ssh
match protocol icmp
class-map type inspect match-all INSIDE_SELF_CLASS
match access-group name SELF_INSIDE_ACL
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
class class-default
policy-map type inspect OUTSIDE-SELF-POLICY
class OUTSIDE_SELF_CLASS
pass
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect SELF_OUTSIDE_CLASS
pass
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
policy-map type inspect SELF_INSIDE_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
class class-default
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect INSIDE_SELF_POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect SELF_INSIDE_POLICY
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
ip access-list extended OUTSIDE_SELF_acl
permit ip any any
ip access-list extended SELF_INSIDE_ACL
permit ip any any
ip access-list extended Web_acl
permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
ip access-list extended 180
permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
!
end
09-30-2019 06:47 AM
Still no success with DNS.
Here are my zone-based policies:
class-map type inspect match-all SELF_OUTSIDE
match access-group name SELF_OUTSIDE_acl
class-map type inspect match-any OUTSIDE_SELF_app
match protocol https
match protocol ssh
class-map type inspect match-all INSIDE_SELF
match access-group name INSIDE_SELF_acl
class-map type inspect match-all SELF_INSIDE
match access-group name SELF_INSIDE_acl
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match access-group name OUTSIDE_SELF_acl
match class-map OUTSIDE_SELF_app
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
class type inspect INSIDE_SELF
policy-map type inspect INSIDE-SELF-POLICY
class type inspect INSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect SELF-INSIDE-POLICY
class type inspect SELF_INSIDE
inspect
class class-default
drop log
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
pass
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect SELF_OUTSIDE
pass
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE-SELF source INSIDE destination self
service-policy type inspect INSIDE-SELF-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-INSIDE source self destination INSIDE
service-policy type inspect SELF-INSIDE-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
Some recently logged entries:
Sep 30 15:43:28: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000189052446280 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.1.67:10004 => 255.255.255.255:10004(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 1643
*Sep 30 15:43:38: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000199341393000 %FW-6-LOG_SUMMARY: 7 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.240:1901 => 255.255.255.255:1900 (target:class)-(OUTSIDE-SELF:class-default)
*Sep 30 15:44:00: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000221000276560 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.0.105:55137 => 255.255.255.255:1947(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 21872
*Sep 30 15:44:08: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000229342410160 %FW-6-LOG_SUMMARY: 3 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.172:49978 => 255.255.255.255:1947 (target:class)-(OUTSIDE-SELF:class-default)
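As an added example (not from the thread or from Cisco), a small Python parser for the %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY lines above: it aggregates drops per zone-pair and class and separates the LAN broadcast noise shown in the log from UDP/53 drops that would explain a DNS failure. The first two sample lines are quoted from the post; the two DNS lines, the Vlan200 ingress interface and the 10.0.0.50 WAN address are constructed for illustration.

```python
import re
from collections import Counter

# Matches both IOS-XE ZBF drop formats quoted in the thread:
# %FW-6-DROP_PKT (one packet) and %FW-6-LOG_SUMMARY (aggregated count).
DROP_RE = re.compile(
    r"%FW-6-(?:DROP_PKT|LOG_SUMMARY): "
    r"(?:Dropping (?P<p1>\w+) pkt|(?P<count>\d+) (?P<p2>\w+) packets were dropped) "
    r"from (?P<intf>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" ?\(target:class\)-\((?P<zpair>[^:)]+):(?P<cls>[^)]+)\)"
)

def parse_drop(line):
    """Fields of one ZBF drop line as a dict, or None for any other line (e.g. --More--)."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return {"proto": (m.group("p1") or m.group("p2")).lower(),
            "count": int(m.group("count") or 1), "intf": m.group("intf"),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "zone_pair": m.group("zpair"), "cls": m.group("cls")}

def classify(d):
    """Expected LAN broadcast/multicast noise vs. UDP/53 drops that would break DNS."""
    if d["dst"] == "255.255.255.255" or d["dst"].startswith("224."):
        return "broadcast-noise"
    if d["proto"] == "udp" and 53 in (d["sport"], d["dport"]):
        return "dns-blocked"
    return "other"

def summarize(lines):
    """Drop counts per (zone-pair, class) and per classification label."""
    by_pair, labels = Counter(), Counter()
    for d in filter(None, map(parse_drop, lines)):
        by_pair[(d["zone_pair"], d["cls"])] += d["count"]
        labels[classify(d)] += d["count"]
    return by_pair, labels

# First two lines are quoted from the thread; the last two are constructed to show what a
# blocked DNS query (self -> OUTSIDE) and a blocked reply (OUTSIDE -> self) would look like.
SAMPLE_LOG = [
    "Sep 30 15:43:28: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000189052446280 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.1.67:10004 => 255.255.255.255:10004(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 1643",
    "*Sep 30 15:43:38: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000199341393000 %FW-6-LOG_SUMMARY: 7 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.240:1901 => 255.255.255.255:1900 (target:class)-(OUTSIDE-SELF:class-default)",
    "*Sep 30 15:45:01: %FW-6-DROP_PKT: Dropping udp pkt from Vlan200 10.0.0.50:51234 => 8.8.8.8:53(target:class)-(SELF-OUTSIDE:class-default) due to Policy drop:classify result with ip ident 1",  # constructed
    "*Sep 30 15:45:02: %FW-6-LOG_SUMMARY: 3 udp packets were dropped from GigabitEthernet0/0/0 8.8.8.8:53 => 10.0.0.50:51234 (target:class)-(OUTSIDE-SELF:class-default)",  # constructed
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Feed it the output of `show logging` and look at the "dns-blocked" bucket first: a non-zero count on the SELF-OUTSIDE or OUTSIDE-SELF pair means the router's own resolver traffic to the configured name-servers is being dropped by class-default.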