Is my ZBFW too permissive?

netmon-27
Level 1

Hi everyone,

I've just gotten my very own Cisco 2901 ISR for experimenting. The IOS software is updated to 15.7(3) and basic routes are set up and working. I'm at the point now where I'd like to secure it for general use in my LAN. I've gone through a few tutorials to get a basic Zone-Based Firewall setup, and with most protocols matching outbound, it seems to be working alright.

One immediate issue I can see is that my email client, Thunderbird, can no longer connect to outside IMAP servers. The imap protocol is matched in my policies, but when it connects via TCP/TLS, the packets are dropped. As far as I can tell, my only option is to allow all TCP and UDP going outside my network. Is this unreasonable, or is it ok?

2 Replies

Hello

Can you post your ZBFW configuration?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, should've done that to begin with! I originally did some configuration in CP Express (before it stopped working) and that was where I assigned the gigabit ethernet module to Vlan1 (gi0/1/x) but I honestly cannot tell you where, looking at the config, that happens. Maybe ports default to Vlan1?

Access lists

ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!

Object groups

!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!

Class maps

!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
! I made the below class b/c I thought I needed it for pings to WAN to work (maybe not?)
class-map type inspect match-any Basic-Input-Class
 match protocol icmp
class-map type inspect match-all LAN-WAN-Class
 match access-group name Others_app
class-map type inspect match-any Web_app
 match protocol http
! Catch-all class I created so traffic can go out
class-map type inspect match-any ALL-MISC
 match protocol tcp
 match protocol udp
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!

Policy maps

!
! Outbound policy that as far as I can tell lets everything go out. Is this bad?
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class type inspect ALL-MISC
  inspect
 class class-default
  drop log
! Inbound traffic that should only let pings in (basic input class)
policy-map type inspect WAN-LAN-POLICY
 class type inspect Basic-Input-Class
  inspect
 class class-default
  drop log
!

Security zone pairs

!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
zone-pair security WAN-LAN source WAN destination LAN
 description From WAN to LAN
 service-policy type inspect WAN-LAN-POLICY
!

Interfaces

!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip address dhcp hostname router-cisco
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
 ipv6 address autoconfig
 ipv6 enable
! Old port I had setup for management - no longer used.
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.248
 duplex auto
 speed auto
! GbE switch module mapped to Vlan1
interface GigabitEthernet0/1/0
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 ip tcp adjust-mss 1460
 ipv6 address prefix-from-provider ::100:0:0:0:1/64
 ipv6 enable
!

NAT & Route

!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
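A quick way to answer the question in the title from the config alone is to compute what each class in LAN-WAN-POLICY actually admits. The script below is an added example for this thread, not part of the original posts and not a Cisco tool. It parses the class-map, policy-map, ACL and object-group sections of an IOS ZBFW config (a trimmed, constructed copy of the posted LAN-to-WAN policy is embedded as SAMPLE_CONFIG) and, for every class in every policy-map, reports whether it is a transport-wide catch-all, restricted to named protocols, or a dangling reference. It assumes standard IOS indentation and layer-3/4 "type inspect" class-maps; the names parse, acl_scope, scope and lint are the script's own.

```python
"""Offline linter for a Cisco IOS zone-based firewall (ZBFW) config.  For every policy-map class it
reports "any" (transport-wide catch-all), "limited" (named protocols only) or "unresolved" (dangling
reference).  Assumes IOS indentation (one leading space per nesting level) and the keywords used below."""
CATCH_ALL_PROTOCOLS = {"tcp", "udp", "ip"}  # matching these imposes no application-layer restriction
# Constructed sample: a trimmed copy of the LAN->WAN half of the config posted in this thread.
SAMPLE_CONFIG = """\
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
object-group network Others_dst_net
 any
object-group network Others_src_net
 any
object-group service Others_svc
 ip
class-map type inspect match-any Others_app
 match protocol imap
class-map type inspect match-all LAN-WAN-Class
 match access-group name Others_app
class-map type inspect match-any ALL-MISC
 match protocol tcp
 match protocol udp
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
policy-map type inspect LAN-WAN-POLICY
 class type inspect Others
  inspect
 class type inspect ALL-MISC
  inspect
 class class-default
  drop log
"""

def parse(config):
    """Split the config into class-maps, policy-maps, ACLs and object-groups."""
    class_maps, policy_maps, acls, groups = {}, {}, {}, {}
    section = (None, None)
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):  # an unindented command opens a new section
            section = (None, None)
            if tok[:3] == ["class-map", "type", "inspect"]:
                section, class_maps[tok[4]] = ("cm", tok[4]), {"mode": tok[3], "matches": []}
            elif tok[:3] == ["policy-map", "type", "inspect"]:
                section, policy_maps[tok[3]] = ("pm", tok[3]), []
            elif tok[:2] == ["ip", "access-list"]:
                section, acls[tok[3]] = ("acl", tok[3]), []
            elif tok[0] == "object-group":
                section, groups[tok[2]] = ("og", tok[2]), []
            continue
        kind, name = section
        if kind == "cm" and tok[0] == "match":
            class_maps[name]["matches"].append((tok[1], tok[-1]))  # (protocol|access-group|class-map, value)
        elif kind == "pm" and tok[0] == "class":
            policy_maps[name].append([tok[-1], None])  # the action comes on the next, deeper line
        elif kind == "pm" and policy_maps[name]:
            policy_maps[name][-1][1] = tok[0]  # inspect | pass | drop
        elif kind == "acl":
            acls[name].append(tok)
        elif kind == "og":
            groups[name].append(" ".join(tok))
    return class_maps, policy_maps, acls, groups

def acl_scope(name, acls, groups):
    # "any" if some permit line covers all IP traffic (plain "ip any any" or all-"any" object-groups)
    if name not in acls:
        return "unresolved"
    for tok in acls[name]:
        refs = [tok[i + 1] for i, t in enumerate(tok) if t == "object-group"]
        all_ip = tok[1:] == ["ip", "any", "any"] or bool(refs) and all(groups.get(r) in (["any"], ["ip"]) for r in refs)
        if tok[0] == "permit" and all_ip:
            return "any"
    return "limited"

def scope(name, class_maps, acls, groups, seen=frozenset()):
    """Effective scope of a class-map, following nested class-map and ACL references."""
    cm = class_maps.get(name)
    if cm is None or name in seen or not cm["matches"]:  # undefined, circular or empty: never matches
        return "unresolved"
    verdicts = []
    for kind, value in cm["matches"]:
        if kind == "protocol":
            verdicts.append("any" if value in CATCH_ALL_PROTOCOLS else "limited")
        elif kind == "access-group":
            verdicts.append(acl_scope(value, acls, groups))
        elif kind == "class-map":
            verdicts.append(scope(value, class_maps, acls, groups, seen | {name}))
    if cm["mode"] == "match-all":  # every criterion must hit: one restriction restricts, one dangling ref kills it
        return "unresolved" if "unresolved" in verdicts else ("limited" if "limited" in verdicts else "any")
    live = [v for v in verdicts if v != "unresolved"]  # match-any: a dangling ref is just a dead entry
    return "unresolved" if not live else ("any" if "any" in live else "limited")

def lint(config):
    # (policy-map, class, action, scope) for every non-default class, in policy order
    class_maps, policy_maps, acls, groups = parse(config)
    return [(pm, cls, action, scope(cls, class_maps, acls, groups))
            for pm, classes in policy_maps.items() for cls, action in classes if cls != "class-default"]

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("%-16s %-12s %-8s -> %s" % finding)
```

On the sample it reports Others as limited (its ACL is any/any, but the nested match-all class-map pins it to the named protocols), ALL-MISC as any under inspect, and LAN-WAN-Class as unresolved, because "match access-group name Others_app" names a class-map rather than an ACL. A match-any class on tcp and udp with action inspect admits every TCP and UDP session that the classes before it did not already claim, so with that class in place the protocol-specific classes only decide which sessions get application-aware inspection; they no longer restrict what leaves the LAN zone. Feed the full running config in place of SAMPLE_CONFIG to get the same report for WAN-LAN-POLICY.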