06-26-2017 02:23 AM - edited 03-05-2019 08:45 AM
Hello All,
Earlier we had the IP INSPECT config below on our non-IOS XE Cisco series routers
========================================================
ip inspect name cbac2 tcp audit-trail off router-traffic
ip inspect name cbac2 udp audit-trail off router-traffic
ip inspect name cbac2 telnet audit-trail off
ip inspect name cbac2 http audit-trail off
ip inspect name cbac2 https audit-trail off
ip inspect name cbac2 icmp audit-trail off router-traffic
on WAN Interface
ip inspect cbac2 out <------------ *****
ip access-group WAN-IN <-----------For security purpose
==========================================================
Now we are installing 4XXX series routers with IOS XE, on which the IP INSPECT config does not work, so we have made the ZBFW config below:
========================================================================================================
class-map type inspect match-any SELF2OUT
match access-group name SELF2OUT
class-map type inspect match-any OUT2SELF
match access-group name OUT2SELF
class-map type inspect match-any IN2OUT
match protocol http
match protocol https
match protocol icmp
match protocol ftp
match protocol tcp
match protocol udp
!
policy-map type inspect IN2OUT
class type inspect IN2OUT
inspect
class class-default
policy-map type inspect OUT2SELF
class type inspect OUT2SELF
pass
class class-default
!
policy-map type inspect SELF2OUT
class type inspect SELF2OUT
pass
class class-default
!
zone security INSIDE
description TRUSTED
zone security OUTSIDE
description Internet Untrusted
zone-pair security INSIDE2OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect IN2OUT
zone-pair security OUTSIDE2SELF source OUTSIDE destination self
service-policy type inspect OUT2SELF
zone-pair security SELF2OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF2OUT
and have applied it accordingly under the LAN and WAN interfaces:
int gi0/0/0
ip nat inside
zone-member security INSIDE
int gi0/0/1
ip nat outside
zone-member security OUTSIDE
But we also have a VLAN 100 SVI which is part of a VRF and is used for guest LAN segment traffic to communicate with the internet.
We only have one WAN interface, which is part of the global VRF.
When I try to apply the zone-member security INSIDE config to this VLAN, which is in the VRF, I get the error below:
int vlan 100
ip vrf forwarding guests
ip address <X.X.X.X X.X.X.X?
ip nat inside
zone-member security INSIDE
%VRF mismatch. All interfaces in a zone must be in the same VRF
=========================================================================================================
How can I make one more policy for this VRF and apply it, as my WAN interface is already part of another "zone-member security"?
Regards,
Ranjit
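The error message in the post only objects to mixing VRFs inside one zone, so the configuration below, an added example and not part of the original post, gives the guests VRF its own zone and its own zone-pair to OUTSIDE while reusing the existing IN2OUT policy. Everything beyond what the post shows is an assumption: the guest subnet 10.100.0.0/16, the ACL name GUEST-NAT, the zone name GUEST, a leaked default route from the guests VRF into the global table so that guest traffic can reach the WAN interface at all, and that the platform honours a zone-pair whose two zones sit in different VRFs (the WAN next hop stays a placeholder).

```cisco
! Added example, not from the original post. Assumed: guest subnet 10.100.0.0/16,
! ACL GUEST-NAT, zone GUEST, route leak from VRF guests to the global table,
! and that an inter-VRF zone-pair is honoured on this IOS XE platform.
ip access-list extended GUEST-NAT
 permit ip 10.100.0.0 0.0.255.255 any
!
! NAT the guests VRF out of the same global WAN interface (assumed)
ip nat inside source list GUEST-NAT interface GigabitEthernet0/0/1 vrf guests overload
!
! Leak a default route from VRF guests into the global table so guest
! traffic is routed towards the WAN interface (next hop left as placeholder)
ip route vrf guests 0.0.0.0 0.0.0.0 <wan-next-hop> global
!
! One zone per VRF avoids the "all interfaces in a zone must be in the same
! VRF" error; the existing IN2OUT inspect policy is reused for the new pair
zone security GUEST
 description Guest VRF, untrusted
zone-pair security GUEST2OUTSIDE source GUEST destination OUTSIDE
 service-policy type inspect IN2OUT
!
interface Vlan100
 ip vrf forwarding guests
 ip address <X.X.X.X X.X.X.X>
 ip nat inside
 zone-member security GUEST
```

After applying it, `show zone-pair security` should list GUEST2OUTSIDE with IN2OUT attached, and `show policy-map type inspect zone-pair GUEST2OUTSIDE sessions` should show guest sessions being inspected once a guest host browses out; if that table stays empty while the global INSIDE2OUTSIDE pair fills up, the inter-VRF zone-pair is not being matched on that platform and the assumption above does not hold.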
06-26-2017 10:22 PM
I don't think zone-based firewall supports going between VRFs.