cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1013
Views
0
Helpful
6
Replies

Zone Base Firewall

Andy Guley
Level 1
Level 1

I am migrating from 2911's to 4331's at my remote sites.  My 2911's are running CBAC.  I am having some issues getting the zone based firewall working on the 4331's.  I can ping and trace-route to the internet.  I am also resolving google DNS.  I am not able to browse the internet.  I have an ACL on the outside interface that is allowing ssh connections for remote access if there is a MPLS outage.  If I edit the ACL to say ip any any I am able to browse the internet.  My understanding of the zone based firewall is if traffic is initiated from the inside interface it should all the traffic back in. 

Here is a copy of the configuration:

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol ftp


zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY



interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE_ACCESS_IN in
 zone-member security INTERNET
 media-type rj45
 negotiation auto
 ip virtual-reassembly



interface Vlan93
 description Management
 ip address 10.x.x.x 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 ip virtual-reassembly


ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload



ip access-list extended OUTSIDE_ACCESS_IN
 permit icmp any host x.x.x.x (outside ip)
 permit tcp host x.x.x.x any eq 22
 permit tcp host x.x.x.x any eq 22
 permit udp any any eq bootpc
 permit udp any any eq bootps

1 Accepted Solution

Accepted Solutions

Hello,

indeed the ACL shouldn't be on the outside interface, or on any interface. You control traffic exclusively by applying security zones.

View solution in original post

6 Replies 6

Hello,

can you post the full config ? I cannot see the policy map configurations, such as e.g.:

policy-map type inspect ZP-INSIDE-TO-OUTSIDE
class ALLOWED-PROTOCOLS
pass

I don't have the entire configuration in front of me right now.  I was just some more reading and it appears that you cant have the ACL on the outside interface?  Would you agree with that?

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect ALLOWED-PROTOCOLS
  inspect

Hi,

With zone based firewall, the ACL on the outside interface cannot be too restrictive. Try removing the outside ACL and apply those rules to the INTERNET-SELF zone pair.

Thanks

John

**Please rate posts you find helpful**

Hello,

indeed the ACL shouldn't be on the outside interface, or on any interface. You control traffic exclusively by applying security zones.

Here is the full ACL I usually run on my outside interface at my remote sites:

Extended IP access list OUTSIDE_ACCESS_IN
 
    11 permit udp any host x.x.x.x eq non500-isakmp (DMVPN)
    12 permit udp any host x.x.x.x  eq isakmp  (DMVPN)
    13 permit esp any host x.x.x.x (DMVPN)
    16 permit icmp any any echo
    17 permit icmp any any echo-reply
    18 permit icmp any any time-exceeded
    19 permit icmp any any unreachable
    30 permit tcp host x.x.x.x any eq 22
    40 permit tcp host x.x.x.x any eq 22

Would I create a class map with this ACL then apply to Self zone?

Exactly, create the class map with this ACL and apply it to the self and another zone.

Review Cisco Networking for a $25 gift card