Solved: ZBF dropping outbound traffic

DouglasBlack71617 · ‎02-03-2021

Im replacing my existing 1921 with a 4321, however the 4321 uses ZBF and can't use my old inspect config.

I've confirmed all comms work on my test config, all clients can reach external all as expected, however when adding the ZBF, it appears to be dropping all inbound>outbound traffic from clients.

Im aiming for a similar setup as my old inspect rules to drop ALL external>internal initiated traffic, but allow traffic initiated internal>external and their responses to be allowed back through.

My test config below, when none of the ZBF entries are present it all works as I'd expect, but ZBF kills it, and as first time using ZBF I'm sure I've screwed it up so any pointers welcome.

Drops are being logged as below. which I can see is DNS, but I'm expecting as its internal>external to be passed through.

Feb 3 21:24:27.406: %IOSXE-6-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:000 TS:00000001205877355095 %FW-6-LOG_SUMMARY: 3 udp packets were dropped from GigabitEthernet0/0/1 10.2.0.21:52194 => 90.207.238.97:53 (target:class)-(internal>external:class

config is:

!
! Last configuration change at 21:22:56 UTC Wed Feb 3 2021
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 100000
!
hostname TestNET
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.03.16.06.S.155-3.S6-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!

ip domain name TestNET
ip dhcp excluded-address 10.1.0.1 10.1.0.20
ip dhcp excluded-address 10.2.0.1 10.2.0.20
!
ip dhcp pool DHCP_GI0/0/0 Address Pool
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name TestNET
lease 7
!
ip dhcp pool DHCP_GI0/0/1 Address Pool
network 10.2.0.0 255.255.255.0
default-router 10.2.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name TestNET
lease 7
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
license udi pid ISR4321/K9 sn XXX
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
!
!
class-map type inspect match-all internal>external-class
match access-group name internal>external
class-map type inspect match-all external>internal-class
match access-group name external>internal
!
policy-map type inspect external>internal-policy
class type inspect external>internal-class
pass
class class-default
drop log
policy-map type inspect internal>external-policy
class type inspect internal>external-class
inspect
class class-default
drop log
!
!
zone security outside
zone security inside
zone-pair security external>internal source outside destination inside
service-policy type inspect external>internal-policy
zone-pair security internal>external source inside destination outside
service-policy type inspect internal>external-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description TestNET-RTR to TestNET-FBR
ip address 10.1.0.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description TestNET-RTR to TestNET-CPR
ip address 10.2.0.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
ip virtual-reassembly
!
interface ATM0/2/0
no ip address
shutdown
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
description VDSL WAN Physical Interface
mac-address 24a7.dc15.1782
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description VDSL WAN Virtual Interface
encapsulation dot1Q 101
ip dhcp client client-id hex XXX
ip dhcp client hostname XXX@XXX
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip access-group 101 in
zone-member security outside
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip nat inside source list 1 interface Ethernet0/2/0.101 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Ethernet0/2/0.101 dhcp
!
!
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
no network-clock synchronization automatic
!
end

Georg Pauwen · ‎02-05-2021

Hello,

you probably have to add an outside to self policy:

policy-map type inspect outside>self-policy
class class-default
drop log
zone-pair security outside>self source outside destination self
service-policy type inspect outside>self-policy

View solution in original post

Georg Pauwen · ‎02-03-2021

Hello,

access lists and ZBF don't work well together. Remove the access list from the outside zone interface:

interface Ethernet0/2/0.101
description VDSL WAN Virtual Interface
encapsulation dot1Q 101
ip dhcp client client-id hex XXX
ip dhcp client hostname XXX@XXX
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
--> no ip access-group 101 in
zone-member security outside
ip virtual-reassembly

Georg Pauwen · ‎02-03-2021

Hello,

also, there are no matching access lists in your configuration:

class-map type inspect match-all internal>external-class
match access-group name internal>external
class-map type inspect match-all external>internal-class
match access-group name external>internal

You need to configure the access lists marked in bold, right now, they don't exist.

Tyson Joachims · ‎02-03-2021

If you haven't already read the Cisco implentation doc, it's super helpful (https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html)

Looking over your config, I noticed that you reference a non-existent ACL internal>external in your class-map internal>external-class

I would recommend creating an access-list as follows:

ip access-list standard internal>external
 permit 10.1.0.0 0.0.0.255
 permit 10.2.0.0 0.0.0.255

This is why you saw the log indicating the drop. You didn't have an access-list defined and so the next line was the default class map which is configured to drop and log.

In your policy-map external>internal-policy, you have set the class-map external>internal-class to pass. I would not recommend this as it allows all inbound traffic from the Internet to come in unrestricted arguably defeating the purpose for having the firewall at all. Having your internal>external-class set to inspect, allows traffic that is initiated from the inside of your network and destined for the outside of the network to go through the router but also allows the return traffic from the outside to the inside. Unless you are running a web server or file server that needs to be accessible from the Internet, you don't actually need the zone-pair external>internal.

DouglasBlack71617 · ‎02-04-2021

Thanks,

So I added in

ip access-list standard internal>external

permit 10.1.0.0 0.0.0.255

permit 10.2.0.0 0.0.0.255

and dropped the external>internal entries as you suggested, which has solved the drops from clients. however it still doesn't appear to drop inbound, so not sure its working at all....

Also, from my understanding, and I'm sure I've misled myself.... (Correct me if I'm wrong), I shouldn't need the NAT'ing with ZBF? However if I remove the entries in my config below with strikethrough, I lose all outbound external connectivity.... PS also updated the IOS as noticed the old one was very old! PPS this is my first working with the ZBF so be gentle with me - I have googled and read the link you posted but I'm still a bit lost. Once I've got this bit nailed down I'm good for replicating my old 1921 and getting everything else set up. For some reason this is just mind boggling me.

Current configuration : 3784 bytes

!

! Last configuration change at 22:23:02 UTC Thu Feb 4 2021

!

version 16.9

service timestamps debug datetime msec

service timestamps log datetime msec

platform qfp utilization monitor load 80

no platform punt-keepalive disable-kernel-core

platform hardware throughput level 100000

!

hostname TestNET

!

boot-start-marker

boot system flash bootflash:isr4300-universalk9.16.09.05.SPA.bin

boot-end-marker

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

no aaa new-model

!

ip domain name TestNET

ip dhcp excluded-address 10.1.0.1 10.1.0.20

ip dhcp excluded-address 10.2.0.1 10.2.0.20

!

ip dhcp pool DHCP_GI0/0/0

network 10.1.0.0 255.255.255.0

default-router 10.1.0.1

dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4

domain-name TestNET

lease 7

!

ip dhcp pool DHCP_GI0/0/1

network 10.2.0.0 255.255.255.0

default-router 10.2.0.1

dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4

domain-name TestNET

lease 7

!

login on-success log

!

subscriber templating

!

multilink bundle-name authenticated

!

license udi pid ISR4321/K9 sn XXXXXXX

license accept end user agreement

license boot level appxk9

license boot level uck9

license boot level securityk9

no license smart enable

diagnostic bootup level minimal

!

spanning-tree extend system-id

!

redundancy

mode none

!

controller VDSL 0/2/0

!

class-map type inspect match-any internal>external-class

match access-group name internal>external

!

policy-map type inspect internal>external-policy

class type inspect internal>external-class

inspect

class class-default

drop log

!

zone security outside

zone security inside

zone-pair security internal>external source inside destination outside

service-policy type inspect internal>external-policy

!

interface GigabitEthernet0/0/0

description TestNET-RTR to TestNET-FBR

ip address 10.1.0.1 255.255.255.0

~~ip nat inside~~

zone-member security inside

negotiation auto

ip virtual-reassembly

!

interface GigabitEthernet0/0/1

description TestNET-RTR to TestNET-CPR

ip address 10.2.0.1 255.255.255.0

~~ip nat inside~~

zone-member security inside

negotiation auto

ip virtual-reassembly

!

interface ATM0/2/0

no ip address

shutdown

atm oversubscribe factor 2

no atm enable-ilmi-trap

!

interface Ethernet0/2/0

description VDSL WAN Physical Interface

mac-address XXXX.XXXX.XXXX

no ip address

no negotiation auto

!

interface Ethernet0/2/0.101

description VDSL WAN Virtual Interface

encapsulation dot1Q 101

ip dhcp client client-id hex XXXXXXX

ip dhcp client hostname XXXXXXXX

ip address dhcp

~~ip nat outside~~

no ip redirects

no ip unreachables

no ip proxy-arp

zone-member security outside

ip virtual-reassembly

!

interface GigabitEthernet0

vrf forwarding Mgmt-intf

no ip address

shutdown

negotiation auto

!

ip forward-protocol nd

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0

~~ip nat inside source list 1 interface Ethernet0/2/0.101 overload~~

ip route 0.0.0.0 0.0.0.0 Ethernet0/2/0.101 dhcp

!

ip access-list standard internal>external

permit 10.1.0.0 0.0.0.255

permit 10.2.0.0 0.0.0.255

~~access-list 1 permit 10.1.0.0 0.0.0.255~~

~~access-list 1 permit 10.2.0.0 0.0.0.255~~

!

control-plane

!

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

line con 0

transport input none

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end

Georg Pauwen · ‎02-05-2021

Hello,

if you want to block all inbound traffic, simply drop the default class. The below (important parts marked in bold) should allow all traffic outbound and block all traffic inbound.

NAT is independent of the ZBF, so you need that no matter what.

Current configuration : 3784 bytes
!
! Last configuration change at 22:23:02 UTC Thu Feb 4 2021
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 100000
!
hostname TestNET
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.09.05.SPA.bin
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
!
ip domain name TestNET
ip dhcp excluded-address 10.1.0.1 10.1.0.20
ip dhcp excluded-address 10.2.0.1 10.2.0.20
!
ip dhcp pool DHCP_GI0/0/0
network 10.1.0.0 255.255.255.0
default-router 10.1.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name TestNET
lease 7
!
ip dhcp pool DHCP_GI0/0/1
network 10.2.0.0 255.255.255.0
default-router 10.2.0.1
dns-server 90.207.238.97 90.207.238.99 8.8.8.8 8.8.4.4
domain-name TestNET
lease 7
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
!
license udi pid ISR4321/K9 sn XXXXXXX
license accept end user agreement
license boot level appxk
license boot level uck9
license boot level securityk9
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
controller VDSL 0/2/0
!
class-map type inspect match-any internal>external-class
match access-group name internal>external
!
policy-map type inspect internal>external-policy
class type inspect internal>external-class
inspect
class class-default
drop log
!
--> policy-map type inspect external>internal-policy
--> class class-default
--> drop log
!
zone security outside
zone security inside
zone-pair security internal>external source inside destination outside
service-policy type inspect internal>external-policy
--> zone-pair security external>internal source outside destination inside
--> service-policy type inspect external>internal-policy
!
interface GigabitEthernet0/0/0
description TestNET-RTR to TestNET-FBR
ip address 10.1.0.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description TestNET-RTR to TestNET-CPR
ip address 10.2.0.1 255.255.255.0
ip nat inside
zone-member security inside
negotiation auto
ip virtual-reassembly
!
interface ATM0/2/0
no ip address
shutdown
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
description VDSL WAN Physical Interface
mac-address XXXX.XXXX.XXXX
no ip address
no negotiation auto
!
interface Ethernet0/2/0.101
description VDSL WAN Virtual Interface
encapsulation dot1Q 101
ip dhcp client client-id hex XXXXXXX
ip dhcp client hostname XXXXXXXX
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security outside
ip virtual-reassembly
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip nat inside source list 1 interface Ethernet0/2/0.101 overload
ip route 0.0.0.0 0.0.0.0 Ethernet0/2/0.101 dhcp
!
ip access-list standard internal>external
permit 10.1.0.0 0.0.0.255
permit 10.2.0.0 0.0.0.255

!
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 permit 10.2.0.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

DouglasBlack71617 · ‎02-05-2021

Thanks, I've just made the suggested changes (and a reload to be sure a clean boot), unfortunately I'm still getting the same result it seems.

When using the 1921 using IP inspect on tcp, udp & icmp - when I use shieldsup https://www.grc.com/x/ne.dll?rh1dkyd2 I see all ports stealthed, no response to any probes.

However when I drop on the 4321 with the above config and suggested addition of the external>internal drop, I'm seeing most ports closed and 23 wide open.

This is the same result as before the suggested changes marked above which is most confusing.....

4321 result:

GRC Port Authority Report created on UTC: 2021-02-05 at 20:50:19 Results from scan of ports: 0-1055 1 Ports Open 982 Ports Closed 73 Ports Stealth --------------------- 1056 Ports Tested The port found to be OPEN was: 23

My aim is to essentially replicate the IP inspect rule and results on my 1921 and be able to replace with the new 4321 and totally drop all originating outbound to inbound, any guidance is welcome!

Georg Pauwen · ‎02-05-2021

Hello,

you probably have to add an outside to self policy:

policy-map type inspect outside>self-policy
class class-default
drop log
zone-pair security outside>self source outside destination self
service-policy type inspect outside>self-policy

Tyson Joachims · ‎02-05-2021

When you say "it still doesn't appear to drop inbound, so not sure its working at all....", is that because you're not seeing any drops? If so, that's because there is no policy to show drops. What I would recommend is trying to ping from outside to inside and you'll notice that the pings are only allowed if initiated from the inside of the network.

You mentioned not needing NAT with ZBF. NAT is used to translate IP addresses while ZBF is used to permit/deny traffic between security zones. The question is if you need to translate the internal addresses or not. Typically when connecting to an ISP, you must translate IPv4 addresses from RFC-1918 private addresses to public addresses. If you fail to do that, the ISP will block the traffic.

DouglasBlack71617 · ‎02-05-2021

That is exactly what I had missed, and literally just fixed and applied about 5 seconds before your reply!

In my book, if I hadn't just sussed it out, you would have been spot on, so many many thanks!