ISR C891F Trouble setting up zone based firewall

nbaker011
Level 1

Hello, I'm trying to convert over from using ACL/CBAC rules to Zone Based. I've looked at several examples and just getting the basics going seems simple enough, but I can't quite get things to work. I suspect there is some hangover from the CBAC configuration that is interfering?

The network is simple.

AT&T DSL Modem/Gateway: Static IPs assigned 10.10.10.248-10.10.10.254 (Gateway is at 10.10.10.254, Firewall disabled)

C891F:

- Gi8 connected to Modem with Static WAN mapping 10.10.10.251

- Gi0-7 connected to LAN

- 1 VLAN for LAN 192.168.100.0, Router at 192.168.100.1

The devices on the LAN can communicate with each other. nslookup accesses the Gateway 10.10.10.254, which I can ping as well. However, I can't reach anything beyond the Gateway. E.g. ping to www.google.com resolves the DNS ok, but ping fails. The result is the same when I ssh into the Router.

Below is full config. Please let me know if there is anything obvious.

Thanks,

Nick.

Building configuration...

Current configuration : 7669 bytes
!
! Last configuration change at 18:54:59 UTC Wed Feb 8 2017
version 15.3
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname C891F-2
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 <snip>
enable password 7 <snip>
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1341393301
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1341393301
 revocation-check none
 rsakeypair TP-self-signed-1341393301
!
!
crypto pki certificate chain TP-self-signed-1341393301
 certificate self-signed 01
<snip>
   quit
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.99
!
ip dhcp pool vlan 100
 import all
 network 192.168.100.0 255.255.255.0
 domain-name mydomain.org
 dns-server 10.10.10.254
 default-router 192.168.100.1
!
ip dhcp pool nuc2pool_vlan100
 host 192.168.100.80 255.255.255.0
 client-identifier 01b8.aeed.73d2.ed
 default-router 192.168.100.1
 domain-name mydomain.org
 dns-server 10.10.10.254
!
!
!
no ip bootp server
ip domain name mydomain.org
ip name-server 10.10.10.254
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip cef
login block-for 5 attempts 3 within 5
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FGL203823UC
!
!
username admin password 7 <snip>
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh pubkey-chain
  username admin
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 shutdown
 isdn termination multidrop
 isdn point-to-point-setup
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PrimaryWANDesc_
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 zone-member security OUTSIDE
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Async3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip forward-protocol nd
no ip http server
ip http access-class 20
ip http secure-server
ip http secure-port 8444
!
!
ip dns server
ip nat inside source static tcp 192.168.100.80 80 interface GigabitEthernet8 80
ip nat inside source static tcp 192.168.100.80 3389 interface GigabitEthernet8 3389
ip nat inside source static tcp 192.168.100.80 21 interface GigabitEthernet8 21
ip nat inside source route-map OUTSIDE-POOL interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 192.168.100.0 255.255.255.0 GigabitEthernet8 dhcp
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended NAT-TO-OUTSIDE
 permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any any eq echo
 permit tcp any any eq www
 permit tcp 10.10.10.248 0.0.0.7 any eq 3389
 permit udp any any eq domain
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any traceroute
 permit icmp any any unreachable
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
no cdp run
!
route-map OUTSIDE-POOL permit 10
 match ip address NAT-TO-OUTSIDE
 match interface GigabitEthernet8
!
snmp-server community public RO
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.100.0 0.0.0.255
access-list 20 remark HTTP Interface
access-list 100 permit udp any any eq bootpc
access-list 100 remark UNICAST SOURCE VERIFY
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 3
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 password 7 <snip>
 login authentication local_auth
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

2 Replies

Philip D'Ath
VIP Alumni

This isn't really right.  Please remove:

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
no ip route 192.168.100.0 255.255.255.0 GigabitEthernet8 dhcp

And add:

ip route 0.0.0.0 0.0.0.0 dhcp

Also check out my config wizard for the 897 which will generate a lot of the config for you.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html
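An added check, not from this thread or from Cisco, that parses a constructed excerpt of the posted running-config and flags the two route lines the answer says to remove, plus any direction between configured zones that has no zone-pair (assumes plain running-config text as input):

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the lines the checks look at.
SAMPLE_CONFIG = """\
interface GigabitEthernet8
 ip address dhcp
 zone-member security OUTSIDE
interface Vlan1
 ip address 192.168.100.1 255.255.255.0
 zone-member security INSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip route 192.168.100.0 255.255.255.0 GigabitEthernet8 dhcp
"""

def audit_config(cfg):
    """Return findings for the static-route and zone-pair problems discussed in the thread."""
    ifaces, pairs, routes, findings, cur = {}, set(), [], [], None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"dhcp": False, "zone": None, "net": None})
        elif line.startswith(" ") and cur is not None:  # interface sub-command
            if line.strip() == "ip address dhcp":
                cur["dhcp"] = True
            elif m := re.match(r" ip address (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif m := re.match(r" zone-member security (\S+)", line):
                cur["zone"] = m[1]
        else:  # global command (or a "!" separator)
            cur = None
            if m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
                pairs.add((m[1], m[2]))
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
                routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
    for net, via in routes:
        if via in ifaces and net.prefixlen == 0:
            # Interface-only default route on Ethernet: the router has to ARP for every remote host.
            fix = "ip route 0.0.0.0 0.0.0.0 dhcp" if ifaces[via]["dhcp"] else "a next-hop address"
            findings.append(f"default route via interface {via} only; use {fix}")
        for name, i in ifaces.items():
            if i["net"] == net and via != name:
                findings.append(f"static route for {net} but it is connected on {name}; remove it")
    zones = {i["zone"] for i in ifaces.values() if i["zone"]}  # inter-zone traffic needs a pair
    for a in zones:
        for b in zones - {a}:
            if (a, b) not in pairs:
                findings.append(f"no zone-pair {a}->{b}: that direction is dropped by default")
    return findings
```

Running it over the full posted config works the same way, since lines under other sections are ignored until the next global command.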

Thanks, yes, removing those lines worked. Maybe unrelated, but it then locked me out of ssh when I did this, so I need to find the serial cable again before trying the rest.

Thanks,

Nick.
