Problem With Zone Based Firewall config in cisco 4331

ranjit123
Level 3

Hello All,

Earlier we had the below IP INSPECT config on our non-IOS XE Cisco series routers:

========================================================

ip inspect name cbac2 tcp audit-trail off router-traffic
ip inspect name cbac2 udp audit-trail off router-traffic
ip inspect name cbac2 telnet audit-trail off
ip inspect name cbac2 http audit-trail off
ip inspect name cbac2 https audit-trail off
ip inspect name cbac2 icmp audit-trail off router-traffic

on WAN Interface

 ip inspect cbac2 out <------------ *****
 ip access-group WAN-IN <----------- for security purposes

==========================================================

Now we are installing 4XXX series routers with IOS XE, on which the IP INSPECT config does not work, so we have made the ZBFW config below:

========================================================================================================

class-map type inspect match-any SELF2OUT
 match access-group name SELF2OUT
class-map type inspect match-any OUT2SELF
 match access-group name OUT2SELF
class-map type inspect match-any IN2OUT
 match protocol http
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
!
policy-map type inspect IN2OUT
 class type inspect IN2OUT
  inspect
 class class-default
policy-map type inspect OUT2SELF
 class type inspect OUT2SELF
  pass
 class class-default
!
policy-map type inspect SELF2OUT
 class type inspect SELF2OUT
  pass
 class class-default
!
zone security INSIDE
 description TRUSTED
zone security OUTSIDE
 description Internet Untrusted
zone-pair security INSIDE2OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect IN2OUT
zone-pair security OUTSIDE2SELF source OUTSIDE destination self
 service-policy type inspect OUT2SELF
zone-pair security SELF2OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF2OUT

and have applied it accordingly under the LAN and WAN interfaces:

int gi0/0/0
 ip nat inside
 zone-member security INSIDE

int gi0/0/1
 ip nat outside
 zone-member security OUTSIDE

But we also have a VLAN 100 SVI which is part of a VRF and is used for guest LAN segment traffic to communicate with the internet...

We only have 1 WAN interface, which is part of the global VRF.

When I try to apply the zone-member security INSIDE config to this VLAN, which is in the VRF, I am getting the below error:

int vlan 100
 ip vrf forwarding guests
 ip address <X.X.X.X X.X.X.X?
 ip nat inside
 zone-member security INSIDE

%VRF mismatch. All interfaces in a zone must be in the same VRF

=========================================================================================================

How can I make one more policy for this VRF and apply it, as my WAN interface is already part of another "zone-member security"?

Regards,

Ranjit
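One way to get past the VRF mismatch, added here as an example and not part of the original post or any reply: every interface in a zone must share a VRF, but a zone-pair may connect zones that sit in different VRFs, so the guest SVI gets its own zone while the WAN interface keeps its existing OUTSIDE membership. The zone name GUEST, the class-map/policy-map GUEST2OUT and the zone-pair GUEST2OUTSIDE are assumed names.

```cisco
! Added example (not from the original post). GUEST, GUEST2OUT and
! GUEST2OUTSIDE are assumed names; the existing INSIDE/OUTSIDE config stays.
!
! A second zone whose members all live in VRF "guests".
zone security GUEST
 description Guest LAN (VRF guests)
!
! Same protocols the trusted LAN already inspects. A separate class-map and
! policy-map keep guest traffic independent of IN2OUT, so it can be
! restricted further later (e.g. dropping tcp/udp "any") without touching
! the trusted LAN policy.
class-map type inspect match-any GUEST2OUT
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect GUEST2OUT
 class type inspect GUEST2OUT
  inspect
 class class-default
  drop
!
! The zone-pair crosses VRFs (GUEST in VRF guests, OUTSIDE in the global VRF);
! that is allowed because the VRF rule applies to zone membership, not to
! zone-pairs. The WAN interface does not change.
zone-pair security GUEST2OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect GUEST2OUT
!
! The SVI joins GUEST instead of INSIDE, which is what raised the error.
interface Vlan100
 ip vrf forwarding guests
 ip nat inside
 zone-member security GUEST
```

With no GUEST-to-INSIDE zone-pair defined, traffic between the guest VLAN and the trusted LAN is dropped by the zone-based firewall by default, which is usually the intended isolation for a guest segment.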
