Issue accessing router running ZBFW and PAT

carl_townshend

Hi All

I have a router running zone-based firewall; it is also using PAT on the outside interface.

The firewall has been configured from OUTSIDE to SELF and permits my management IPs; this seems to work OK.

However, when I attach the NAT to the outside interface I can no longer SSH to the router.

However, ping still works OK.

Any ideas what this could be?

cheers


Hi Carl,

I run a similar configuration; if you attach your running-config I can have a look for you.

Hi

I found that the router was NATting the return traffic for some reason. I put a no-NAT statement in by using a deny from the router's public IP to any; this has stopped the NAT.

Is this what you did?

No I didn't, not on my config; without seeing your config I couldn't be sure we had the same initial setup.

Were you doing global NAT, i.e. to the outside interface?

Hello

I guess that works for the ZBFW rtr itself, as you're able to SSH on to its public-facing interface, but if you need remote access to internal hosts from the internet with NAT then you'll probably need a static NAT and a zone-pair from internet to LAN for SSH.

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi

Basically on this router, we have a BGP session to the ISP.

If I remove the no-NAT ACL from the statement it breaks the BGP session.

What could this be?

The BGP session is to and from the router; I am not sure why doing a NAT overload on the same interface is bringing this down.

Do you have any idea why this is?

How have you done it?

cheers

Hello

So is the BGP session peering on a non-NATed address?

Res
Paul


Hi

No, the BGP peering is between the outside interface IP and the ISP. We are doing a PAT from internal networks to the same outside IP for internet access.

Any ideas?

Hello
Okay, I think the reason is the NAT order of operations for legacy NAT.

From an outside perspective, translation occurs before route lookup, hence when you negate it from the NAT ACL it works.

You could try domainless NAT (NVI); as my understanding is, route lookup is performed before and after NAT translation.

Res
Paul




Hi Paul

I have just done a test using GNS3 and it seemed to work OK.

So what's wrong with my router?

One thing: I am using ZBFW, but I allowed tcp/udp/icmp both ways.

Could it be this?

I will need to do more testing tomorrow.

Hello
Interesting you are allowing tcp/udp both ways. I would say this defeats having ZBFW active and is probably why it seems to work. Are you also doing this on your production rtr?

Can you confirm how many zones you have in the ZBFW setup; the below example uses two.
Note: without any self-zone policies, BGP and NAT should work with just the LAN-Internet policy.

LAN-Internet
zone security LAN
zone security Internet

class-map type inspect match-any LAN_cm
match protocol tcp
match protocol udp
match protocol icmp

policy-map type inspect LAN
class type inspect LAN_cm
inspect

zone-pair security LAN-Internet source LAN destination Internet
service-policy type inspect LAN

Default NAT
ip nat inside source list 110 interface xx overload
access-list 110 permit ip x.x.x.x 0.0.0.255 any

To-From RTR self zone
(rtr host is 10.1.17.1)
class-map type inspect match-any RTR-Self_cm
match protocol tcp
match protocol icmp
match protocol udp

class-map type inspect match-all From-Self_cm
match class-map RTR-Self_cm

policy-map type inspect From-Self_pm
class type inspect From-Self_cm
inspect

access-list 100 permit icmp 10.1.17.0 0.0.0.255 any
access-list 100 permit icmp any host 10.1.17.1 echo <--- icmp
access-list 100 deny   icmp any any
access-list 100 permit tcp any host 10.1.17.1 eq 22 <--- allowing ssh
access-list 100 permit tcp any host 10.1.17.1 eq telnet <--- allowing telnet

class-map type inspect match-all Towards-Self_cm
match class-map RTR-Self_cm
match access-group 100

policy-map type inspect Towards-Self_pm
class type inspect Towards-Self_cm
inspect

zone-pair security LAN-Self source LAN destination self
service-policy type inspect Towards-Self_pm

zone-pair security Internet-Self source Internet destination self
service-policy type inspect Towards-Self_pm

zone-pair security Self-LAN source self destination LAN
service-policy type inspect From-Self_pm

zone-pair security Self-Internet source self destination Internet
service-policy type inspect From-Self_pm

int x/x
description LAN
zone member security LAN
ip nat inside

int x/x
description WAN
zone member security Internet
ip nat outside


Lastly, can you post a readout of your current ZBFW / NAT configuration?

res
Paul






Hi Paul

I will get the config tomorrow as I'm away from the office now.

I noticed you didn't put a self-to-outside zone-pair; would we not need this for the BGP? Or would the outside-in one cover that?

I will try the NVI NAT also to see if that fixes it.

I cannot see a reason why it's not working at the minute without the no-NAT from the router, as it worked in GNS3; this is with the firewall disabled also.

If not, I will try an IOS upgrade on the router also.

Hello Carl

You're absolutely correct; apologies, I did the initial config from my iPhone so I missed it out.

I have edited now for your review.

res

Paul



Hi Paul

FYI, I upgraded the code to the latest Denali image; it still did not fix the issue.

The firewall was working fine; it was the PAT causing the issue.

Each time the router initiated a TCP session to the ISP on port 179 for BGP, you could see a translation appearing in the table, so I have had to leave the no-NAT rule in.

Also, it would not let me use the nat enable command; it looks like it may have been deprecated.

Many thanks

Carl
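As an added illustration (not from the thread, and not Cisco code), a small Python model of how an inside-source NAT list is evaluated: top-down, first match wins, a permit translates and a deny or no match leaves the packet alone. It shows why a leading deny for the router's own public address, as Carl describes, keeps the router-sourced BGP session out of the translation table while LAN hosts are still PATted. All addresses and list contents are constructed; the catch-all permit is assumed as the failing list.

```python
"""Model of Cisco IOS 'ip nat inside source list <acl> interface <wan> overload'
ACL evaluation. Constructed example: addresses and list contents are made up,
not taken from the thread's router."""
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, source address and Cisco wildcard mask."""
    action: str      # "permit" (translate) or "deny" (leave untranslated)
    src: str         # source network, e.g. "10.1.17.0"
    wildcard: str    # inverted mask, e.g. "0.0.0.255"; "0.0.0.0" means a single host

    def matches(self, ip: str) -> bool:
        # A wildcard bit of 1 is "don't care"; only the 0 bits are compared.
        care = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return (int(IPv4Address(ip)) & care) == (int(IPv4Address(self.src)) & care)

def is_translated(acl: list[Ace], src_ip: str) -> bool:
    """First matching entry decides; an unmatched source hits the implicit deny."""
    for ace in acl:
        if ace.matches(src_ip):
            return ace.action == "permit"
    return False

WAN_IP = "203.0.113.10"          # constructed router public IP (TEST-NET-3)
LAN_HOST = "10.1.17.50"          # constructed host on the PATted LAN
GUEST_HOST = "192.168.5.7"       # constructed host on a network not in the list

# Failing list (assumed): a catch-all permit also matches sessions the router
# sources from its own WAN address, so TCP/179 to the ISP gets a translation entry.
ACL_CATCH_ALL = [Ace("permit", "0.0.0.0", "255.255.255.255")]

# Working list: the thread's fix, 'deny ip host <wan-ip> any' placed first,
# followed by the LAN permit that the overload rule is meant for.
ACL_WITH_NO_NAT = [
    Ace("deny", WAN_IP, "0.0.0.0"),
    Ace("permit", "10.1.17.0", "0.0.0.255"),
]

def nat_table_view(acl: list[Ace]) -> dict[str, bool]:
    """Which constructed flows would get an entry in 'show ip nat translations'."""
    flows = {"bgp_to_isp_tcp179": WAN_IP, "lan_https": LAN_HOST, "guest_http": GUEST_HOST}
    return {name: is_translated(acl, src) for name, src in flows.items()}

if __name__ == "__main__":
    print("catch-all list :", nat_table_view(ACL_CATCH_ALL))
    print("with no-NAT ace:", nat_table_view(ACL_WITH_NO_NAT))
```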
