07-20-2021 05:16 PM - edited 07-20-2021 05:17 PM
Hi everyone,
I've just gotten my very own Cisco 2901 ISR for experimenting. The IOS software is updated to 15.7(3) and basic routes are set up and working. I'm at the point now where I'd like to secure it for general use in my LAN. I've gone through a few tutorials to get a basic Zone-Based Firewall setup, and with most protocols matching outbound, it seems to be working alright.
One immediate issue I can see is that my email client, Thunderbird, can no longer connect to outside IMAP servers. The IMAP protocol is matched in my policies, but when it connects via TCP/TLS, the packets are dropped. As far as I can tell, my only option is to allow all TCP and UDP going outside my network. Is this unreasonable, or is it OK?
07-21-2021 12:45 AM
Hello
Can you post your ZBFW configuration?
07-21-2021 01:29 PM
Sorry, should've done that to begin with! I originally did some configuration in CP Express (before it stopped working) and that was where I assigned the gigabit ethernet module to Vlan1 (gi0/1/x) but I honestly cannot tell you where, looking at the config, that happens. Maybe ports default to Vlan1?
Access lists
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
Object groups
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
Class maps
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
! I made the below class b/c I thought I needed it for pings to WAN to work (maybe not?)
class-map type inspect match-any Basic-Input-Class
 match protocol icmp
class-map type inspect match-all LAN-WAN-Class
 match access-group name Others_app
class-map type inspect match-any Web_app
 match protocol http
! Catch-all class I created so traffic can go out
class-map type inspect match-any ALL-MISC
 match protocol tcp
 match protocol udp
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
Policy maps
!
! Outbound policy that as far as I can tell lets everything go out. Is this bad?
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect ALL-MISC
  inspect
 class class-default
  drop log
! Inbound traffic that should only let pings in (basic input class)
policy-map type inspect WAN-LAN-POLICY
 class type inspect Basic-Input-Class
  inspect
 class class-default
  drop log
!
Security zone pairs
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 description From WAN to LAN
 service-policy type inspect WAN-LAN-POLICY
!
Interfaces
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip address dhcp hostname router-cisco
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
! Old port I had set up for management - no longer used.
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.248
 duplex auto
 speed auto
! GbE switch module mapped to Vlan1
interface GigabitEthernet0/1/0
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1460
 ipv6 address prefix-from-provider ::100:0:0:0:1/64
 ipv6 enable
!
NAT & Route
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
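One way to let TLS-wrapped mail out without opening all outbound TCP and UDP, as an added example that is not part of the original post or the poster's configuration: match the encrypted mail ports with an extended ACL and inspect them as generic TCP. The built-in `imap` keyword maps to TCP 143 in the default port-to-application map, so IMAP over TLS on TCP 993 needs its own match. The ACL and class-map names (Mail-TLS_acl, Mail-TLS) are chosen here; the LAN subnet 192.168.1.0/24 and the policy-map name LAN-WAN-POLICY are taken from the posted config.

```cisco
! Added example (not the poster's config): inspect TLS-wrapped mail by port
! instead of opening all outbound TCP/UDP.
!
! IMAP over TLS (993), POP3 over TLS (995), SMTP submission (465, 587).
! Source is the LAN subnet from the posted config; the ACL name is chosen here.
ip access-list extended Mail-TLS_acl
 permit tcp 192.168.1.0 0.0.0.255 any eq 993
 permit tcp 192.168.1.0 0.0.0.255 any eq 995
 permit tcp 192.168.1.0 0.0.0.255 any eq 465
 permit tcp 192.168.1.0 0.0.0.255 any eq 587
!
! match-all: the packet must hit the ACL AND be TCP. Generic TCP inspection
! is the right choice because the payload is TLS and no application-layer
! inspector can see inside it; the firewall still tracks session state and
! only admits return traffic for sessions the LAN opened.
class-map type inspect match-all Mail-TLS
 match access-group name Mail-TLS_acl
 match protocol tcp
!
! Attach to the existing outbound policy. The new class is appended after the
! classes already present and ahead of class-default, which keeps dropping and
! logging everything that is not explicitly classed.
policy-map type inspect LAN-WAN-POLICY
 class type inspect Mail-TLS
  inspect
!
! Checks: confirm what the built-in 'imap' keyword actually covers, then watch
! the session table while the mail client connects.
! show ip port-map imap
! show policy-map type inspect zone-pair LAN-WAN sessions
```

With a class like this in place, the catch-all can be taken out of the outbound policy (`no class type inspect ALL-MISC` under LAN-WAN-POLICY) so that only the listed applications leave the LAN. Anything else then shows up in the log from `class-default drop log`, which is the quickest way to find the next protocol that needs its own class rather than a blanket TCP/UDP permit.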