Security Zones with multiple inside NAT interfaces.

johnhart
Level 1

Hi IOS Users,

I am having big problems trying to get what should be a rather simple configuration to work.

I have a Cisco 2901 Router and have setup Zone Based Firewall on this.

The machine has:

1 x EHWIC-4ESG

1 x HWIC-ADSL-M

1 x HWIC-2FE

I have configured it so that I have two private (NAT'ed) IP networks:

<IOS>
interface fastethernet X/0
 ip address 192.168.1.160 255.255.255.0
 ip nat inside
 zone-member security PRIVATE-ZONE
interface gigabitethernet X/0
 ip address 192.168.223.1 255.255.255.0
 ip nat inside
 zone-member security PRIVATE-ZONE
</IOS>

The outside NAT interfaces are on the ADSL line and 4ESG vlan interface.

I have also set up static routes so that all traffic destined for:

192.168.1.0/24 -> 192.168.1.1

192.168.223.0/24 -> 192.168.223.1

I would have thought that this would be a pretty simple setup, as both 192.168.x.0/24 address spaces are enrolled in the same zone and both are defined as being on the inside of the NAT; therefore packets from 192.168.223.x machines destined to 192.168.1.x machines should pass transparently, as by default, if interfaces are in the same zone, then all traffic flows unchecked.

Unfortunately this is not the case....

Traffic from the 192.168.223.x network does not pass through to the 192.168.1.x network.

My traffic appears to disappear down the big bucket...

Interestingly, I can ping machines on the 192.168.223.0/24 network from the 192.168.1.0/24 network.

So the static routes set up on the router for 192.168.1.0/24 appear to be routing OK.

The problem appears to be a NAT/zone problem... any ideas?

Thanks,

John.

4 Replies

cadet alain
VIP Alumni

Hi,

Can you post your sanitized config.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Cadet Alain,

here is a cut down version of the config.

As I am using CPP most of the stuff is pretty much bulk standard.

As per prior comments I have put both of the 192.168.x.0/255 address spaces into the PRIVATE-ZONE.

As both the GigabitEthernet and FastEthernet interfaces are "inside" NAT and also in the same zone, I would expect all to be OK.

I have also looked at the ARP entries after doing pings, and they show entries for both IP addresses on the 192.168.1.0/24 network and the 192.168.223.0/24 network.

Could it be that the router is not routing the 192.168 address spaces as these are "non-routable" addresses?

Also I can ping the 192.168.1.1 device but not the 192.168.1.136 device.

I can also do a "dig @192.168.1.1 www.google.com" and get an answer, but I cannot do HTTP to 192.168.1.1... so this is really puzzling. The 192.168.1.1 device is a Netgear VPN box, in which I have put static routes for the 192.168.223.0/24 network.

!
! Last configuration change at 09:54:58 UTC Mon Jan 16 2012 by admin
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname big
!
boot-start-marker
boot-end-marker
!
!
!
!
!
ip dhcp excluded-address XX.XX.XX.1 XX.XX.XX.49
ip dhcp excluded-address XX.XX.XX.71 XX.XX.XX.254
ip dhcp excluded-address XX.XX.XX.71 XX.XX.XX.126
ip dhcp excluded-address 192.168.223.1 192.168.223.99
ip dhcp excluded-address 192.168.223.126 192.168.223.254
!
!
!
no ip bootp server
ip domain name DOG.com
ip name-server 139.XX.XX.XX
ip name-server 203.XX.XX.XX
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
...
!
multilink bundle-name authenticated
!
!
redundancy
!
!
!
!
ip tcp synwait-time 10
no ip ftp passive
!
...
!
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-ZONE
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $ETH-LAN$
 ip address 203.XX.XX.130 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 192.168.223.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE-ZONE
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/2/0
 description $ETH-LAN$
 ip address 192.168.1.160 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE-ZONE
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0/3/0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
 description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$
 ip address 203.XX.XX.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security dmz-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address XX.XX.XX.XX 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXX
 ppp chap password 7 XXXXX
 ppp pap sent-username XXXXXX password 7 XXXXXX
 service-policy input sdmappfwp2p_CCP_MEDIUM
 service-policy output sdmappfwp2p_CCP_MEDIUM
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
 top 200
 sort-by bytes
 cache-timeout 500
!
ip dns server
ip nat pool NAT-POOL1 203.XX.XX.161 203.XX.XX.189 netmask 255.255.255.224
ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
ip route 0.0.0.0 0.0.0.0 165.XXX.XX.1
ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
ip route 192.168.223.0 255.255.255.0 GigabitEthernet0/1 permanent
ip route 203.XX.XX.0 255.255.255.128 Vlan1 permanent
ip route 203.XX.XX.128 255.255.255.224 GigabitEthernet0/0 permanent
ip route 203.XX.XX.160 255.255.255.224 Loopback0 permanent
!
!
logging 203.XX.XX.XX
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.223.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip XXX.XXX.XXX.0 0.0.0.255 any
access-list 100 permit ip XX.XX.XX.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=2
access-list 102 permit ip 192.168.223.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
no cdp run
...
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
!
control-plane
!
...
ntp update-calendar
ntp server 192.189.54.17
ntp server 192.189.54.33
ntp server 203.161.12.165
ntp server 130.102.2.123
end

Hi,

If everything is OK before the ZBF, then it is not an L3 problem; RFC1918 addresses are non-routable on the Internet only.

Is it normal that you put your G0/0 interface, which is outside NAT, as a member of the inside zone?

Can you add the following command, try pinging again, and post any log output: ip inspect log drop-pkt

The class-maps and policy-maps, along with the corresponding ACLs for your ZBF config, are also missing; could you post them please?

Regards.

Alain

Don't forget to rate helpful posts.

Cadet Alain,

Luckily I have found the problem... and it was not to do with the Cisco IOS config...

It turned out that most of the machines on the 192.168.1.0/24 network were still configured with an address mask of 255.255.0.0 from before separating the network into 2.

And this, in combination with some broadcast messages, was resulting in some requests getting forwarded from the machines to the 192.168.1.160 interface, and from there it was trying to forward them via NAT, which was resulting in corrupted NAT translation tables....

Glad to have finally got this resolved.

Thanks.

John.
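As an added illustration of the root cause John found (not part of the thread), the script below models a host's forwarding decision from its own IP and mask: a 192.168.1.x host still carrying 255.255.0.0 treats 192.168.223.x as on-link and ARPs for it instead of sending to its gateway, and with `no ip proxy-arp` on the router (as in the posted config) that ARP goes unanswered. The host names, the 192.168.223.50 destination and the assumption that 192.168.1.160 is the hosts' gateway are constructed for the example; `audit_masks` is a hypothetical helper that flags hosts whose mask disagrees with the router interface's prefix.

```python
"""Model how a stale 255.255.0.0 mask breaks 192.168.1.0/24 <-> 192.168.223.0/24
traffic.  Hypothetical example; addresses come from the thread above."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    mask: str       # dotted netmask as configured on the host
    gateway: str    # assumed default gateway (constructed for the example)


def forwarding_decision(host: Host, dst: str) -> str:
    """Return how `host` would deliver a packet to `dst`.

    A host compares dst against its own (ip, mask).  Anything inside that
    prefix is treated as on-link and resolved with ARP on the local segment;
    everything else is handed to the default gateway.  With proxy-arp off on
    the router, an ARP for an address that is not really on the segment is
    never answered, so the packet (or the reply) is silently lost.
    """
    iface = ipaddress.ip_interface(f"{host.ip}/{host.mask}")
    target = ipaddress.ip_address(dst)
    if target in iface.network:
        return f"on-link: ARP for {dst} (unanswered if {dst} is off-segment)"
    return f"via gateway {host.gateway}"


def audit_masks(hosts, router_prefix: str):
    """Flag hosts whose mask disagrees with the router interface's prefix.

    router_prefix is the router's LAN interface in CIDR form,
    e.g. "192.168.1.160/24".  Returns the names of mismatching hosts.
    """
    expected = ipaddress.ip_interface(router_prefix).network
    return [h.name for h in hosts
            if ipaddress.ip_interface(f"{h.ip}/{h.mask}").network != expected]


# Constructed sample hosts on the 192.168.1.0/24 segment
HOSTS = [
    Host("netgear", "192.168.1.1", "255.255.255.0", "192.168.1.160"),
    Host("stale-pc", "192.168.1.136", "255.255.0.0", "192.168.1.160"),
]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h.name}: {forwarding_decision(h, '192.168.223.50')}")
    print("mask mismatches:", audit_masks(HOSTS, "192.168.1.160/24"))
```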