2579 Views, 0 Helpful, 14 Replies

C1113-8P No Internet Access

musystec
Level 1

Dear Community

 

We have just set up a new C1113-8P router in our test lab and are trying to get internet access, without success. Here is our running-config:

 

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
enable secret *
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local 
!
!
!
!
!
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
 network 192.168.111.0 255.255.255.0
 default-router 192.168.111.1 
 dns-server 192.168.111.1 
 lease 0 2
!
subscriber templating
! 
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username tst privilege 15 secret *
redundancy
 mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/1
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/2
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/3
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/4
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 switchport access vlan 200
 spanning-tree portfast
!
interface ATM0/2/0
 description *** ADSL-Interface Tel. Nr. 0
 no ip address
 no ip redirects
 no ip unreachables
 load-interval 30
 no atm ilmi-keepalive
 no atm enable-ilmi-trap
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/2/0
 description *** VDSL-Interface Tel. Nr. 0
 no ip address
 no ip redirects
 no ip unreachables
 load-interval 30
 no negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 ip virtual-reassembly
!
interface Vlan1
 no ip address
!
interface Vlan200
 description *** VRMLAN_TST-001
 ip address 192.168.111.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip nat inside
 ip access-group 101 in
 ip tcp adjust-mss 1200
 hold-queue 100 out
 ip virtual-reassembly
!
interface Dialer1
 description *** INTERNET
 bandwidth 1000
 bandwidth receive 40000
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip nat outside
 ip access-group 151 in
 encapsulation ppp
 dialer pool 1
 dialer remote-name *
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname secret
 ppp chap password secret
 ppp pap refuse
 ppp ipcp dns request
 ppp ipcp wins request
 ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip nat inside source list 180 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 62.204.124.0 0.0.0.15
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 212.60.60.224 0.0.0.31
access-list 1 permit 213.221.255.144 0.0.0.15
access-list 101 permit ip any any
access-list 101 permit tcp host 192.168.111.100 host 194.138.37.194 eq 443
access-list 151 permit esp any host public ip
access-list 151 permit udp any host public ip eq isakmp
access-list 151 permit udp any host public ip eq non500-isakmp
access-list 151 remark *** IPSEC -> LAN
access-list 151 permit ip 10.199.1.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 151 remark *** NTP
access-list 151 permit udp host 8.8.4.4 eq domain any
access-list 151 permit udp host 8.8.8.8 eq domain any
access-list 151 permit udp host 130.149.17.21 eq ntp any eq ntp
access-list 151 remark *** ICMP
access-list 151 permit icmp any any echo-reply
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any echo
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any packet-too-big
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any time-exceeded
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any traceroute
access-list 151 permit icmp 62.204.124.0 0.0.0.15 any unreachable
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq 22
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq 443
access-list 151 permit tcp 62.204.124.0 0.0.0.15 host public ip eq www
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any administratively-prohibited
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any echo
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any packet-too-big
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any time-exceeded
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any traceroute
access-list 151 permit icmp 212.60.60.224 0.0.0.31 any unreachable
access-list 151 permit tcp 212.60.60.224 0.0.0.31 host public ip eq 22
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any administratively-prohibited
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any echo
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any packet-too-big
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any time-exceeded
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any traceroute
access-list 151 permit icmp 213.221.255.144 0.0.0.15 any unreachable
access-list 151 permit tcp 213.221.255.144 0.0.0.15 host public ip eq 22
access-list 151 deny   ip any any log
access-list 180 remark *** NAT (inside source translation)
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 192.168.96.0 0.0.7.255
access-list 180 deny   ip 192.168.111.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 180 permit ip any any
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
access-list 190 remark *** IPsec VPN Client
access-list 190 permit ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.6.0 0.0.0.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.6.0.0 0.0.255.255
access-list 191 permit ip 192.168.111.0 0.0.0.255 10.0.10.0 0.0.1.255
access-list 192 permit ip 192.168.111.0 0.0.0.255 192.168.96.0 0.0.7.255
access-list 192 permit ip 192.168.111.0 0.0.0.255 172.18.0.0 0.0.255.255
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
 location *** Serial
 exec-timeout 30 0
 login authentication vty-con
 history size 30
 transport input none
 stopbits 1
line vty 0 4
 location *** SSH
 access-class 1 in
 exec-timeout 30 0
 login authentication vty-con
 history size 30
 transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

The WAN link is a VDSL subscriber line.

 

The command show ip int brief confirms that the VDSL Ethernet0 interface is up and that the Dialer1 interface is connected to our ISP.

 

However, we are not able to ping, use HTTP/HTTPS, or even DNS.

 

On the old IOS systems we used to have the ip inspect command (CBAC, Context-Based Access Control); on IOS-XE this command is not available anymore. Is there any easy way to get internet access on IOS-XE routers?

 

Thank you for your assistance.

14 Replies

Nüüül
Level 1
Hi,

Does "show ip nat translations" show active translations?
Can the router itself ping something on the internet, using the Dialer as source interface (or using its IP)?
What did you do for troubleshooting, e.g. from the client, accessing something on the internet by its IP address, to exclude DNS as a possible cause? If the clients are in the same network, are ARP and/or ping to the router's IP working?

Is the client's MAC resolving to an IP on the router's internal interface "vlan200"? (show arp)
Anything to see in the logs?

cheers


TST-RO-001#sh ip nat translations
Pro  Inside global         Inside local          Outside local         Outside global
icmp public_ip:7      public_ip:0      103.140.194.18:0      103.140.194.18:7
udp  public_ip:512    public_ip:123    130.149.17.21:123     130.149.17.21:123
icmp public_ip:4      public_ip:0      130.149.17.21:0       130.149.17.21:4
icmp public_ip:2      public_ip:1      8.8.8.8:1             8.8.8.8:2
icmp public_ip:1      public_ip:0      185.209.0.31:0        185.209.0.31:1
icmp public_ip:5      public_ip:0      185.153.198.196:0     185.153.198.196:5
icmp public_ip:6      public_ip:0      123.30.146.218:0      123.30.146.218:6
Total number of translations: 7
TST-RO-001#ping 8.8.8.8 source vlan 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.111.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms
TST-RO-001#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.111.1           -   c4f7.ffff.ffff  ARPA   Vlan200
Internet  192.168.111.11          0   0050.ffff.ffff  ARPA   Vlan200

As you can see, the connection seems to be fine. However, DNS is not working at all.

 

We used to have the same issues on old IOS devices, but it was solved by implementing CBAC with ip inspect commands to bypass our access-lists for internet access.

 

This command is gone in IOS-XE and has been replaced with the Zone-Based Policy Firewall. We just don't know how to implement it.


Any Updates on that topic?

Hello,

 

I can see multiple issues with your configuration.

 

The access list 101, applied to the Vlan 200 interface, is obsolete, since the first line allows everything. Remove that access list from the interface.

 

The access list 151, applied to the Dialer interface, is very restrictive and apparently only allows access to a few hosts on the Internet. Is that what you want?

 

The local NAT pool is obsolete; remove that from the configuration.

 

Attached is the revised configuration, stripped to just the basics. Check if you get to the Internet with that (important parts marked in bold):

 

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret *
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username tst privilege 15 secret *
redundancy
mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface ATM0/2/0
description *** ADSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no atm ilmi-keepalive
no atm enable-ilmi-trap
pvc 8/35
pppoe-client dial-pool-number 1
!
interface Ethernet0/2/0
description *** VDSL-Interface Tel. Nr. 0
no ip address
no ip redirects
no ip unreachables
load-interval 30
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
interface Dialer1
description *** INTERNET
bandwidth 1000
bandwidth receive 40000
ip address negotiated
no ip redirects
no ip unreachables
ip nat outside
encapsulation ppp
dialer pool 1
dialer remote-name *
no cdp enable
ppp authentication chap callin
ppp chap hostname secret
ppp chap password secret
ppp pap refuse
ppp ipcp dns request
ppp ipcp wins request
ip virtual-reassembly
!
ip nat inside source list 180 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 62.204.124.0 0.0.0.15
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 212.60.60.224 0.0.0.31
access-list 1 permit 213.221.255.144 0.0.0.15
!
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
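
Editor's note, added example (not posted by anyone in the thread): the two access-lists the reply above calls out share one defect, an entry that can never match because an earlier entry already covers every packet it describes. In ACL 101 the first line, permit ip any any, hides the permit tcp host 192.168.111.100 ... eq 443 below it; in ACL 180 the permit ip any any hides the intended permit ip 192.168.111.0 0.0.0.255 any, and because 180 is the NAT source list it also translates any inside source rather than only the LAN. The Python below is my own checker for that pattern: it parses the numbered-ACL syntax used on this page (standard and extended entries, any/host/wildcard addresses, eq ports on source or destination, ICMP type keywords) and reports each shadowed entry together with the earlier entry that hides it. The sample input is copied from the running-config in the question; PORT_NAMES is a lookup table of my own for the port keywords that occur on this page and is not the complete IOS table.

```python
"""Shadowed-entry detector for Cisco numbered access-lists.
Added example for this thread, not code from the original post.  Parses the
subset of IOS ACL syntax used on this page: standard ACLs (1-99, 1300-1999),
extended ACLs with any/host/wildcard addresses, "eq PORT" on source or
destination, ICMP type keywords and a trailing "log".
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Port keywords that occur on this page (assumption: not the full IOS table).
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "domain": 53, "ntp": 123,
              "isakmp": 500, "non500-isakmp": 4500}
Net = Tuple[int, int]  # (base, mask): address a matches iff a & mask == base


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str
    proto: str
    src: Net
    src_port: Optional[int]
    dst: Net
    qual: Tuple[str, ...]  # ("eq", "<dst port>") or ("<icmp-type>",) or ()
    text: str

def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse the address spec at tokens[i]; return ((base, mask), next index)."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    try:  # a wildcard bit set to 1 means "don't care"; the mask is its inverse
        wildcard, nxt = int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    except (IndexError, ValueError):
        wildcard, nxt = 0, i + 1  # bare "A.B.C.D" in a standard ACL means host
    mask = ~wildcard & 0xFFFFFFFF
    return (base & mask, mask), nxt

def _port(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_ace(line: str) -> Optional[Ace]:
    """Return the parsed entry, or None for remarks, blanks and non-ACL lines."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    num = int(t[1]) if t[1].isdigit() else 0
    if 1 <= num <= 99 or 1300 <= num <= 1999:  # standard ACL: source only
        src, _ = _addr(t, 3)
        return Ace(t[1], t[2], "ip", src, None, (0, 0), (), line.strip())
    src, i = _addr(t, 4)
    src_port = None
    if i < len(t) and t[i] == "eq":  # source port, e.g. "udp host 8.8.8.8 eq domain any"
        src_port, i = _port(t[i + 1]), i + 2
    dst, i = _addr(t, i)
    qual = tuple(x for x in t[i:] if x != "log")
    if qual[:1] == ("eq",):
        qual = ("eq", str(_port(qual[1])))
    return Ace(t[1], t[2], t[3], src, src_port, dst, qual, line.strip())

def _net_covers(a: Net, b: Net) -> bool:
    """Every address matching b also matches a (valid for non-contiguous wildcards)."""
    return (a[1] & ~b[1]) == 0 and (b[0] & a[1]) == a[0]

def covers(a: Ace, b: Ace) -> bool:
    """Every packet that would match b has already been matched by the earlier a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if a.src_port is not None and a.src_port != b.src_port:
        return False
    if a.qual and a.qual != b.qual:
        return False
    return _net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)

def find_shadowed(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Per ACL: (entry that can never match, earlier entry that hides it)."""
    by_acl: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        ace = parse_ace(line)
        if ace is not None:
            by_acl.setdefault(ace.acl, []).append(ace)
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for acl, entries in by_acl.items():
        for n, later in enumerate(entries):
            hider = next((e for e in entries[:n] if covers(e, later)), None)
            if hider is not None:
                findings.setdefault(acl, []).append((later.text, hider.text))
    return findings

# Sample input copied from the running-config in the question.
SAMPLE_CONFIG = """
access-list 101 permit ip any any
access-list 101 permit tcp host 192.168.111.100 host 194.138.37.194 eq 443
access-list 180 remark *** NAT (inside source translation)
access-list 180 deny   ip 192.168.111.0 0.0.0.255 10.199.1.0 0.0.0.255
access-list 180 permit ip any any
access-list 180 permit ip 192.168.111.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for acl, hits in find_shadowed(SAMPLE_CONFIG).items():
        for dead, hider in hits:
            print(f"ACL {acl}: '{dead}' never matches, hidden by '{hider}'")
```

Run it against a saved show running-config and every reported pair is either dead configuration or, when a deny is hidden by an earlier permit, a policy error; a permit hidden by a wider permit (as in both ACLs here) is the signal to tighten or remove the wide entry.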

 

Hi, thank you for your answer.

 

NAT is working now. I've implemented the correct ACL 180.

 

Now I would like to activate the Zone-Based Firewall but can't get it to work properly. We would only like to allow ICMP, SSH and HTTPS access to the router (SELF) from OUTSIDE.

 

Please see below our configuration:

 

INSIDE:

 

interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly

 

OUTSIDE:

 

interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly

 

And now the Zone-Based Firewall config:

 

class-map type inspect match-any OUTSIDE_SELF_app
match protocol icmp
match protocol ssh
match protocol https
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY

 

SSH, ICMP and HTTPS access is possible now from OUTSIDE to SELF. However, all clients within VLAN 200 have no access to the internet anymore. We got pretty stuck with that configuration and can't figure out how to get internet access working again.

 

TST-RO-001#ping 8.8.8.8 source vlan 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.111.1
.....
Success rate is 0 percent (0/5)

Hello,

 

Post the full running configuration; we need to see the access lists you are matching against.

Here is our full running-config:

 

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
network 192.168.111.0 255.255.255.0
default-router 192.168.111.1
dns-server 192.168.111.1
lease 0 2
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable

 

diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret blabla

 

redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any OUTSIDE_SELF_app
match protocol icmp
match protocol ssh
match protocol https
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
match class-map OUTSIDE_SELF_app
match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect OUTSIDE_SELF
inspect
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
zone-member security OUTSIDE
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/1
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/2
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/3
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/4
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/5
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/6
switchport access vlan 200
spanning-tree portfast
!
interface GigabitEthernet0/1/7
switchport access vlan 200
spanning-tree portfast
!
interface Vlan1
no ip address
!
interface Vlan200
description *** VRMLAN_TST-001
ip address 192.168.111.1 255.255.255.0
no ip redirects
ip directed-broadcast
ip nat inside
zone-member security INSIDE
ip tcp adjust-mss 1200
hold-queue 100 out
ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0

 

ip access-list extended OUTSIDE_SELF_acl
permit ip any any
ip access-list extended Web_acl
permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 10.199.2.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 10.199.3.0 0.0.0.255
access-list 1 permit 10.199.4.0 0.0.0.255
access-list 180 permit ip 192.168.111.0 0.0.0.255 any

 

alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
location *** Serial
exec-timeout 30 0
logging synchronous
login authentication vty-con
history size 30
transport input none
stopbits 1
line vty 0 4
location *** SSH
access-class 1 in
exec-timeout 30 0
login authentication vty-con
history size 30
transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

It looks like you are missing the inside-to-self and self-to-inside parts. Add the below to your configuration:

 

ip access-list extended SELF_INSIDE_ACL
permit ip any any
!
class-map type inspect INSIDE_SELF_CLASS
match access-group name SELF_INSIDE_ACL
!
policy-map type inspect INSIDE_SELF_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
!
policy-map type inspect SELF_INSIDE_POLICY
class type inspect INSIDE_SELF_CLASS
inspect
!
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect SELF_INSIDE_POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect INSIDE_SELF_POLICY

Thank you for your answer. I've implemented your configuration. Unfortunately the issue remains the same.

 

I'm able to ping, let's say, 8.8.8.8.

 

However, DNS resolution is not possible at all with the Zone-Based Firewall applied:

 

TST-RO-001#ping google.com
% Unrecognized host or address, or protocol not running.

 

If I remove the ZBF from the desired interfaces everything is working fine.

 

It seems like the OUTSIDE_SELF policy is too restrictive? I only want to allow HTTPS, SSH and ICMP in the OUTSIDE_SELF policy from defined networks. I just can't figure out why DNS is not working at all. Pinging IP addresses from VLAN 200 to the OUTSIDE interface is working without issues. Only DNS is blocked.
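
Editor's note, added example (not posted by anyone in the thread): the symptom described above, ICMP from VLAN 200 works while every name lookup fails, follows from how the Zone-Based Policy Firewall treats the router's own self zone. In the configuration posted above the DHCP pool hands out 192.168.111.1 as DNS server and ip dns server is enabled, so every client lookup is forwarded by the router itself and leaves through the OUTSIDE interface from the self zone. No self-to-OUTSIDE zone-pair exists, so that query is passed by default without creating a session; the answer from 8.8.8.8 then arrives on the OUTSIDE-to-self zone-pair, whose only class matches https, ssh and icmp, and class-default drops it. The Python below is my own model of those ZBF rules (no zone-pair between two user zones drops; a missing zone-pair touching self passes; inspect records a session that admits the reply and drops an unsolicited reply; pass is stateless) loaded with the zone-pairs posted above plus the inside-to-self additions from the previous reply. It returns the verdicts for the router's DNS query and answer, for the router-sourced ping 8.8.8.8 source vlan 200 that failed earlier in the thread, and for a client ping that succeeds through the inspected INSIDE-to-OUTSIDE pair, then shows the effect of adding a self-to-OUTSIDE zone-pair with pass (the answer is still dropped) versus inspect (the session admits the answer). Host labels and the application classification are constructed for the example; which protocols can be inspected on a self-zone pair on a given IOS-XE release is something to confirm in the platform documentation before relying on it.

```python
"""Trace packets through a small model of the IOS-XE Zone-Based Policy Firewall.
Added example for this thread, not code from the original post.  Encodes the
rules that decide the cases discussed above: two user zones without a zone-pair
drop; the router's own "self" zone passes by default until a zone-pair touching
self in that direction exists; "inspect" records a session that admits the reply
and drops unsolicited replies; "pass" is stateless and keeps no session.
Zone names and class contents come from the posted configuration; host labels
are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str             # endpoint label, e.g. "192.168.111.11" or "router"
    dst: str
    l4: str              # "tcp" | "udp" | "icmp"
    app: str             # what "match protocol" would classify: "dns", "https", ...
    reply: bool = False  # True for a response (echo-reply, DNS answer, SYN/ACK)

@dataclass
class Policy:
    classes: List[Tuple[Set[str], str]]  # ordered (match-protocol keywords, action)
    default: str = "drop"                # class-default action

@dataclass
class Zbf:
    pairs: Dict[Tuple[str, str], Policy] = field(default_factory=dict)
    sessions: Set[Tuple[str, str, str, str]] = field(default_factory=set)

    def forward(self, pkt: Packet) -> str:
        """Verdict for one packet; "inspect" also records the session."""
        if (pkt.dst, pkt.src, pkt.l4, pkt.app) in self.sessions:
            return "pass (session)"  # return traffic of an inspected flow
        if pkt.src_zone == pkt.dst_zone:
            return "pass (same zone)"
        policy = self.pairs.get((pkt.src_zone, pkt.dst_zone))
        if policy is None:
            if "self" in (pkt.src_zone, pkt.dst_zone):
                return "pass (no zone-pair: self default)"
            return "drop (no zone-pair)"
        action = next((act for keys, act in policy.classes
                       if pkt.app in keys or pkt.l4 in keys), policy.default)
        if action == "inspect":
            if pkt.reply:  # stateful: a reply with no session entry is dropped
                return "drop (inspect: no matching session)"
            self.sessions.add((pkt.src, pkt.dst, pkt.l4, pkt.app))
        return action

def thread_config() -> Zbf:
    """Zone-pairs as posted in the thread (no self -> OUTSIDE pair yet)."""
    web_app = {"tcp", "udp", "ftp", "icmp"}      # class-map Web_app
    outside_self_app = {"https", "ssh", "icmp"}  # class-map OUTSIDE_SELF_app
    any_ip = {"tcp", "udp", "icmp"}              # SELF_INSIDE_ACL: permit ip any any
    return Zbf(pairs={
        ("INSIDE", "OUTSIDE"): Policy([(web_app, "inspect")]),
        ("OUTSIDE", "self"): Policy([(outside_self_app, "inspect")]),
        ("INSIDE", "self"): Policy([(any_ip, "inspect")]),
        ("self", "INSIDE"): Policy([(any_ip, "inspect")]),
    })

def with_self_outside(fw: Zbf, action: str) -> Zbf:
    """Add a self -> OUTSIDE zone-pair whose single tcp/udp/icmp class takes `action`."""
    fw.pairs[("self", "OUTSIDE")] = Policy([({"tcp", "udp", "icmp"}, action)])
    return fw

def router_dns_lookup(fw: Zbf) -> List[str]:
    """Router (DNS proxy for VLAN 200) queries 8.8.8.8; verdicts for query and answer."""
    query = Packet("self", "OUTSIDE", "router", "8.8.8.8", "udp", "dns")
    answer = Packet("OUTSIDE", "self", "8.8.8.8", "router", "udp", "dns", reply=True)
    return [fw.forward(query), fw.forward(answer)]

def router_ping(fw: Zbf) -> List[str]:
    """'ping 8.8.8.8 source vlan 200' typed on the router: still router-originated."""
    echo = Packet("self", "OUTSIDE", "router", "8.8.8.8", "icmp", "icmp")
    echo_reply = Packet("OUTSIDE", "self", "8.8.8.8", "router", "icmp", "icmp", reply=True)
    return [fw.forward(echo), fw.forward(echo_reply)]

def client_ping(fw: Zbf) -> List[str]:
    """A host in VLAN 200 pings 8.8.8.8 through the inspected INSIDE -> OUTSIDE pair."""
    echo = Packet("INSIDE", "OUTSIDE", "192.168.111.11", "8.8.8.8", "icmp", "icmp")
    echo_reply = Packet("OUTSIDE", "INSIDE", "8.8.8.8", "192.168.111.11",
                        "icmp", "icmp", reply=True)
    return [fw.forward(echo), fw.forward(echo_reply)]

if __name__ == "__main__":
    print("client ping                :", client_ping(thread_config()))
    print("router ping                :", router_ping(thread_config()))
    print("router DNS                 :", router_dns_lookup(thread_config()))
    print("router DNS, self->OUT pass :", router_dns_lookup(with_self_outside(thread_config(), "pass")))
    print("router DNS, self->OUT inspect:", router_dns_lookup(with_self_outside(thread_config(), "inspect")))
```

The model deliberately leaves the OUTSIDE-to-self policy as restrictive as the post wants it (https, ssh, icmp only): the router's own outbound traffic is admitted back by the session the self-to-OUTSIDE inspect creates, not by widening what the outside may initiate. A pass action would need a matching pass for the answers in the OUTSIDE-to-self direction as well, which is exactly the stateless hole the inspect avoids.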

Hello,

 

Post the current running configuration including the changes you have implemented.

Here is the current running-config:

 

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot system flash c1100-universalk9_ias.16.09.04.SPA.bin
boot-end-marker
!
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local 
!
!
!
!
!
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
 network 192.168.111.0 255.255.255.0
 default-router 192.168.111.1 
 dns-server 192.168.111.1 
 lease 0 2
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 secret blabla
!
redundancy
 mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any OUTSIDE_SELF_app
 match protocol https
 match protocol ssh
 match protocol icmp
class-map type inspect match-all INSIDE_SELF_CLASS
 match access-group name SELF_INSIDE_ACL
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
 match class-map OUTSIDE_SELF_app
 match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
 class type inspect INSIDE_SELF_CLASS
  inspect
 class class-default
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect OUTSIDE_SELF
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class class-default
  drop log
policy-map type inspect SELF_INSIDE_POLICY
 class type inspect INSIDE_SELF_CLASS
  inspect
 class class-default
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect INSIDE_SELF_POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF_TO_INSIDE source self destination INSIDE
 service-policy type inspect SELF_INSIDE_POLICY
! 
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/1/0
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/1
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/2
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/3
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/4
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 switchport access vlan 200
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan200
 description *** VRMLAN_TST-001
 ip address 192.168.111.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip nat inside
 zone-member security INSIDE
 ip tcp adjust-mss 1200
 hold-queue 100 out
 ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
!
ip access-list extended OUTSIDE_SELF_acl
 permit ip any any
ip access-list extended SELF_INSIDE_ACL
 permit ip any any
ip access-list extended Web_acl
 permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
ip access-list extended 180
 permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
 location *** Serial
 exec-timeout 30 0
 logging synchronous
 login authentication vty-con
 history size 30
 transport input none
 stopbits 1
line vty 0 4
 location *** SSH
 access-class 1 in
 exec-timeout 30 0
 login authentication vty-con
 history size 30
 transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
!
!
!
!
!
end

Hello,

 

It looks like you are missing the self-to-outside part. Make the changes/additions marked in bold:

 

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname TST-RO-001
!
boot-start-marker
boot system flash c1100-universalk9_ias.16.09.04.SPA.bin
boot-end-marker
!
logging buffered 16000
enable secret blabla
!
aaa new-model
!
aaa authentication login vty-con local
aaa authentication login localuser line
aaa authentication login userauthen local
aaa authentication ppp default if-needed local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
!
no ip bootp server
ip name-server 8.8.8.8 8.8.4.4
ip domain name TST-001.local
ip dhcp excluded-address 192.168.111.0 192.168.111.10
ip dhcp excluded-address 192.168.111.255
!
ip dhcp pool VRMLAN_TST-001
 network 192.168.111.0 255.255.255.0
 default-router 192.168.111.1
 dns-server 192.168.111.1
 lease 0 2
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret blabla
!
redundancy
 mode none
!
controller VDSL 0/2/0
!
vlan internal allocation policy ascending
!
class-map type inspect match-any OUTSIDE_SELF_CLASS
 match protocol https
 match protocol ssh
 match protocol icmp
class-map type inspect match-any SELF_OUTSIDE_CLASS
 match protocol https
 match protocol ssh
 match protocol icmp
class-map type inspect match-all INSIDE_SELF_CLASS
 match access-group name SELF_INSIDE_ACL
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
 match class-map OUTSIDE_SELF_app
 match access-group name OUTSIDE_SELF_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
 class type inspect INSIDE_SELF_CLASS
  inspect
 class class-default
policy-map type inspect OUTSIDE-SELF-POLICY
 class OUTSIDE_SELF_CLASS
  pass
policy-map type inspect SELF-OUTSIDE-POLICY
 class type SELF_OUTSIDE_CLASS
  pass
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class class-default
  drop log
policy-map type inspect SELF_INSIDE_POLICY
 class type inspect INSIDE_SELF_CLASS
  inspect
 class class-default
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect INSIDE_SELF_POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
zone-pair security SELF_TO_INSIDE source self destination INSIDE
 service-policy type inspect SELF_INSIDE_POLICY
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/1/0
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/1
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/2
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/3
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/4
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 switchport access vlan 200
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 switchport access vlan 200
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan200
 description *** VRMLAN_TST-001
 ip address 192.168.111.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
 ip nat inside
 zone-member security INSIDE
 ip tcp adjust-mss 1200
 hold-queue 100 out
 ip virtual-reassembly
!
ip local pool ippool 10.199.1.0 10.199.1.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 180 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
!
ip access-list extended OUTSIDE_SELF_acl
 permit ip any any
ip access-list extended SELF_INSIDE_ACL
 permit ip any any
ip access-list extended Web_acl
 permit ip any any
!
access-list 1 remark *** SSH
access-list 1 permit 10.199.1.0 0.0.0.255
access-list 1 permit 192.168.111.0 0.0.0.255
ip access-list extended 180
 permit ip 192.168.111.0 0.0.0.255 any
!
alias exec b show ip interface brief
alias exec c configure terminal
alias exec v show running-config
alias exec w copy running-config startup-config
no parser cache
!
line con 0
 location *** Serial
 exec-timeout 30 0
 logging synchronous
 login authentication vty-con
 history size 30
 transport input none
 stopbits 1
line vty 0 4
 location *** SSH
 access-class 1 in
 exec-timeout 30 0
 login authentication vty-con
 history size 30
 transport input ssh
!
sntp server 130.149.17.21
sntp broadcast client
!
end

Still no success with DNS.

Here are my zone-based policies:

class-map type inspect match-all SELF_OUTSIDE
 match access-group name SELF_OUTSIDE_acl
class-map type inspect match-any OUTSIDE_SELF_app
 match protocol https
 match protocol ssh
class-map type inspect match-all INSIDE_SELF
 match access-group name INSIDE_SELF_acl
class-map type inspect match-all SELF_INSIDE
 match access-group name SELF_INSIDE_acl
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol icmp
class-map type inspect match-all OUTSIDE_SELF
 match access-group name OUTSIDE_SELF_acl
 match class-map OUTSIDE_SELF_app
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect INSIDE_SELF_POLICY
 class type inspect INSIDE_SELF
policy-map type inspect INSIDE-SELF-POLICY
 class type inspect INSIDE_SELF
  inspect
 class class-default
  drop log
policy-map type inspect SELF-INSIDE-POLICY
 class type inspect SELF_INSIDE
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect OUTSIDE_SELF
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class class-default
  drop log
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF_OUTSIDE
  pass
 class class-default
  drop log
!
zone security INSIDE
 description Zone for inside interfaces
zone security OUTSIDE
 description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security INSIDE-SELF source INSIDE destination self
 service-policy type inspect INSIDE-SELF-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-INSIDE source self destination INSIDE
 service-policy type inspect SELF-INSIDE-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY

Some recently logged entries:

Sep 30 15:43:28: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000189052446280 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.1.67:10004 => 255.255.255.255:10004(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 1643
*Sep 30 15:43:38: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000199341393000 %FW-6-LOG_SUMMARY: 7 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.240:1901 => 255.255.255.255:1900 (target:class)-(OUTSIDE-SELF:class-default)
*Sep 30 15:44:00: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000221000276560 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.0.105:55137 => 255.255.255.255:1947(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 21872
*Sep 30 15:44:08: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000229342410160 %FW-6-LOG_SUMMARY: 3 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.172:49978 => 255.255.255.255:1947 (target:class)-(OUTSIDE-SELF:class-default)
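As an added example (not code from the original post or from Cisco), the following Python script reads a zone-based firewall configuration in the shape of the policies posted above and reports every ACL, class-map, policy-map or zone that is referenced but never defined. The config embedded in it is constructed to mirror the posted fragment, not copied from the device. Note that the posted policy fragment references SELF_OUTSIDE_acl and INSIDE_SELF_acl from class-maps, while the running-config above only defines OUTSIDE_SELF_acl, SELF_INSIDE_ACL and Web_acl (IOS names are case-sensitive); a dangling reference like that is the first thing to rule out when a zone-pair unexpectedly sends traffic to class-default.

```python
"""Report dangling references in a Cisco IOS zone-based firewall (ZBF) config.

Added example, not code from the original post or from Cisco. It walks the
ACL, class-map, policy-map, zone and zone-pair blocks of a running-config
and lists every name that is referenced but never defined.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the posted policies (not the real
# device config): SELF_OUTSIDE_acl and OUTSIDE-SELF-POLICY are referenced
# but never defined, which is the situation the check is meant to surface.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE_SELF_acl
 permit ip any any
ip access-list extended Web_acl
 permit ip any any
!
class-map type inspect match-all SELF_OUTSIDE
 match access-group name SELF_OUTSIDE_acl
class-map type inspect match-any OUTSIDE_SELF_app
 match protocol https
 match protocol ssh
class-map type inspect match-any Web_app
 match protocol tcp
 match protocol udp
class-map type inspect match-all OUTSIDE_SELF
 match access-group name OUTSIDE_SELF_acl
 match class-map OUTSIDE_SELF_app
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
 class type inspect Web
  inspect
 class class-default
  drop log
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF_OUTSIDE
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
"""

# Top-level statements that open a block, with the kind of object they define.
BLOCK_OPENERS = [
    ("acl", re.compile(r"ip access-list (?:extended|standard) (\S+)")),
    ("class-map", re.compile(r"class-map type inspect (?:match-\w+ )?(\S+)")),
    ("policy-map", re.compile(r"policy-map type inspect (\S+)")),
    ("zone", re.compile(r"zone security (\S+)")),
    ("zone-pair", re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")),
]

# Indented sub-commands that reference another object:
# (kind of enclosing block, regex, kind of the referenced object).
REFERENCES = [
    ("class-map", re.compile(r"match access-group name (\S+)"), "acl"),
    ("class-map", re.compile(r"match class-map (\S+)"), "class-map"),
    ("policy-map", re.compile(r"class type inspect (\S+)"), "class-map"),
    ("zone-pair", re.compile(r"service-policy type inspect (\S+)"), "policy-map"),
]


def parse_zbf(config):
    """Return ({kind: set of defined names}, {kind: [(name, where referenced)]})."""
    defined = defaultdict(set)
    refs = defaultdict(list)
    block = None  # (kind, name) of the block the current line belongs to
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            # IOS prints sub-commands indented, so an unindented line starts
            # a new block (or is a one-line global command we do not track).
            block = None
            for kind, rx in BLOCK_OPENERS:
                m = rx.match(line)
                if not m:
                    continue
                name = m.group(1)
                defined[kind].add(name)
                block = (kind, name)
                if kind == "zone-pair":
                    # the source and destination zones are references too
                    for zone in m.group(2, 3):
                        if zone != "self":
                            refs["zone"].append((zone, f"zone-pair {name}"))
                break
            continue
        if block is None:
            continue
        kind, name = block
        for in_kind, rx, ref_kind in REFERENCES:
            m = rx.match(line.strip())
            if m and kind == in_kind:
                refs[ref_kind].append((m.group(1), f"{kind} {name}"))
    return defined, refs


def dangling_references(config):
    """Sorted (kind, name, where) for every reference to an undefined object."""
    defined, refs = parse_zbf(config)
    return sorted(
        (kind, name, where)
        for kind, items in refs.items()
        for name, where in items
        if name not in defined[kind]
    )


if __name__ == "__main__":
    for kind, name, where in dangling_references(SAMPLE_CONFIG):
        print(f"{kind} '{name}' is referenced in {where} but never defined")
```

The parser relies on the one-space indentation of sub-commands that `show running-config` produces, so feed it the output as pasted rather than a hand-edited copy. `class class-default` is deliberately not treated as a reference, because it is implicit and never needs a class-map of its own.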
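As an added example (not the poster's code), this Python snippet parses %FW-6-DROP_PKT and %FW-6-LOG_SUMMARY lines of the kind logged above, totals dropped packets per zone-pair and class, and separates broadcast/multicast destinations from unicast ones. The first two sample lines are the ones quoted in the post; the last two are constructed (made-up addresses and counts) to show what unicast drops look like. Drops of traffic to 255.255.255.255 on the outside interface, like the port 1900 and port 1947 entries above, are the normal background chatter of a shared WAN segment and do not explain a DNS failure; unicast drops landing in OUTSIDE-SELF class-default are the ones worth examining.

```python
"""Triage %FW-6-DROP_PKT / %FW-6-LOG_SUMMARY lines from an IOS-XE zone-based firewall.

Added example, not code from the original post. It totals dropped packets
per zone-pair and class and separates broadcast/multicast destinations
(background noise on a shared WAN segment) from unicast drops.
"""
import ipaddress
import re
from collections import Counter

# Sample input: the first two lines are the ones quoted in the post, the last
# two are constructed (addresses and counts made up) to show unicast drops.
SAMPLE_LOG = """\
Sep 30 15:43:28: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000189052446280 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 10.0.1.67:10004 => 255.255.255.255:10004(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 1643
*Sep 30 15:43:38: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000199341393000 %FW-6-LOG_SUMMARY: 7 udp packets were dropped from GigabitEthernet0/0/0 10.0.1.240:1901 => 255.255.255.255:1900 (target:class)-(OUTSIDE-SELF:class-default)
*Sep 30 15:44:12: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000233000000000 %FW-6-DROP_PKT: Dropping udp pkt from GigabitEthernet0/0/0 8.8.8.8:53 => 10.0.0.50:49152(target:class)-(OUTSIDE-SELF:class-default) due to Policy drop:classify result with ip ident 777
*Sep 30 15:44:20: %IOSXE-6-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000000241000000000 %FW-6-LOG_SUMMARY: 2 tcp packets were dropped from Vlan200 192.168.111.20:51000 => 203.0.113.10:8443 (target:class)-(INSIDE-OUTSIDE:class-default)
"""

# Both message formats share the "from <iface> <src>:<port> => <dst>:<port>
# (target:class)-(<zone-pair>:<class>)" tail; only the prefix differs.
DROP_RE = re.compile(
    r"%FW-6-(?P<kind>DROP_PKT|LOG_SUMMARY): "
    r"(?:Dropping (?P<proto1>\w+) pkt|(?P<count>\d+) (?P<proto2>\w+) packets were dropped) "
    r"from (?P<iface>\S+) (?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) ?"
    r"\(target:class\)-\((?P<zone_pair>[^:)]+):(?P<cls>[^)]+)\)"
)


def parse_fw_drop(line):
    """Parse one firewall drop line into a dict, or return None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    dst = ipaddress.ip_address(g["dst"])
    return {
        "kind": g["kind"],
        "count": int(g["count"]) if g["count"] else 1,  # DROP_PKT logs one packet
        "proto": g["proto1"] or g["proto2"],
        "iface": g["iface"],
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "zone_pair": g["zone_pair"], "class": g["cls"],
        # limited broadcast or multicast: chatter every host on the segment sees
        "broadcast": g["dst"] == "255.255.255.255" or dst.is_multicast,
    }


def summarise(log):
    """Total drops per (zone-pair, class, bucket) and list the unicast flows."""
    totals = Counter()
    unicast = []
    for line in log.splitlines():
        rec = parse_fw_drop(line)
        if rec is None:
            continue
        bucket = "broadcast/multicast" if rec["broadcast"] else "unicast"
        totals[(rec["zone_pair"], rec["class"], bucket)] += rec["count"]
        if bucket == "unicast":
            unicast.append((rec["zone_pair"], rec["proto"], rec["src"], rec["sport"],
                            rec["dst"], rec["dport"], rec["count"]))
    return totals, unicast


if __name__ == "__main__":
    totals, unicast = summarise(SAMPLE_LOG)
    for (pair, cls, bucket), n in sorted(totals.items()):
        print(f"{pair:16} {cls:14} {bucket:20} {n:5d} packets")
    print("unicast drops to investigate:")
    for flow in unicast:
        print("  %s %s %s:%d -> %s:%d (x%d)" % flow)
```

The constructed third line, a UDP packet from a name server's port 53 back to the router's own outside address falling into OUTSIDE-SELF class-default, is the signature of a self-zone policy built with `pass` rather than `inspect`: `pass` is stateless and creates no session entry for the return traffic of router-originated queries, which matters here because the LAN clients are handed 192.168.111.1 as their DNS server and the router forwards to 8.8.8.8 and 8.8.4.4 on their behalf.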
