Zone Based on IOS XE

adamgibs7
Level 7

Dear

My Internet was working perfectly. I thought of going with stateful traffic inspection and configured a zone-based firewall as below on my Internet router, and when I applied the config my browsing stopped. I don't know why, and I also don't know which show and debug commands to enter for troubleshooting.

Below are the commands.

zone security IN
zone security OUT

int gig0/0/0
zone-member security inside

int gig0/0/1
zone-member security outside

do sh zone security

ip access-list extended IN-TO-OUT
permit ip any any

class-map type inspect match-all IN-TO-OUT-CLASS
match access-group name IN-TO-OUT

sh class-map type inspect

policy-map type inspect IN-TO-OUT-POLICY
Class type inspect IN-TO-OUT-CLASS
inspect
exit

do show policy-map type inspect

zone-pair security IN-TO-OUT-ZP source IN destination OUT
service-policy type inspect IN-TO-OUT-POLICY

Thanks

Accepted Solution

Georg Pauwen
VIP Alumni

Hello,

the configured zone securities on your interfaces do not match the actual zones. Try the config below:

zone security private
zone security public

int gig0/0/0
zone-member security private

int gig0/0/1
zone-member security public

ip access-list extended IN-TO-OUT
permit ip any any

class-map type inspect match-all IN-TO-OUT-CLASS
match access-group name IN-TO-OUT

policy-map type inspect IN-TO-OUT-POLICY
Class type inspect IN-TO-OUT-CLASS
inspect
class class-default
exit

zone-pair security IN-TO-OUT-ZP source private destination public
service-policy type inspect IN-TO-OUT-POLICY
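
A quick way to catch exactly this class of mistake before pushing a ZBF config is to check that every zone-member and zone-pair refers to a zone that was actually created, and that every created zone has at least one interface. This is an added Python example, not code from the thread; the config text it scans is constructed to mirror the original post, and the same check also flags a misspelled zone name.

```python
import re

# Constructed sample (not the thread's attachment) mirroring the original post:
# the interfaces join zones "inside"/"outside" that were never defined, while the
# defined zones IN and OUT (used by the zone-pair) end up with no interfaces.
SAMPLE_CONFIG = """\
zone security IN
zone security OUT
interface GigabitEthernet0/0/0
 zone-member security inside
interface GigabitEthernet0/0/1
 zone-member security outside
zone-pair security IN-TO-OUT-ZP source IN destination OUT
 service-policy type inspect IN-TO-OUT-POLICY
"""

ZONE_RE = re.compile(r"^zone security (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
MEMBER_RE = re.compile(r"^\s*zone-member security (\S+)")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")


def check_zones(config: str) -> list[str]:
    """Return findings for zone-name mismatches in an IOS/IOS-XE ZBF config."""
    zones = {"self"}  # 'self' is predefined by IOS; it never needs 'zone security'
    members, pairs, iface = [], [], None
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := IFACE_RE.match(line):
            iface = m.group(1)  # remember which interface block we are inside
        elif m := MEMBER_RE.match(line):
            members.append((iface, m.group(1)))
        elif m := PAIR_RE.match(line):
            pairs.append(m.groups())  # (pair name, source zone, destination zone)
    findings = []
    for iface, zone in members:
        if zone not in zones:
            findings.append(f"{iface}: zone-member '{zone}' is not a defined zone")
    for name, src, dst in pairs:
        for z in (src, dst):
            if z not in zones:
                findings.append(f"zone-pair {name}: zone '{z}' is not defined")
    member_zones = {z for _, z in members}
    for z in sorted(zones - member_zones - {"self"}):
        findings.append(f"zone '{z}' has no member interface")
    return findings
```

Run it over the output of `show running-config` before applying a change; an empty result means every zone reference lines up.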

Dears,

It's a typo mistake. I have done the same according to your configs, but no success.

thanks

Hello,

post the full config...

Dear Georg,

I am sure I have not missed anything.

Please find the attached config.

thanks

Hello,

what is the purpose of access-list 101 on the outside interface ? Also, the IP address of the inside interface, 10.10.64.10 255.255.255.248, allows for only a few hosts. Your NAT statement allows the entire 10.10.64.0/24 network, as well as everything else (0.0.0.0 255.255.255.255). What other network is connected to the inside ?

Also, you have two static routes:

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 10.10.0.0 255.255.0.0 10.10.64.9

You are sending all traffic to 10.10.0.0/16 out to 10.10.64.9, which I assume is the Core Switch ?

Also, you NAT to a private address. The ADSL router translates as well, so why the double NAT ?

Can you post the original working configuration ?

Dears,

Believe me, I have not done anything apart from the config attached. My concern is that my configs were working; when I applied the zone-based configuration, Internet access stopped for me.

what is the purpose of access-list 101 on the outside interface ? Also, the IP address of the inside interface, 10.10.64.10 255.255.255.248, allows for only a few hosts. Your NAT statement allows the entire 10.10.64.0/24 network, as well as everything else (0.0.0.0 255.255.255.255). What other network is connected to the inside ?

I tried to configure zone-based but failed to do so, so to restrict everything from outside I allowed only return traffic.

I have a 10.10.64.X/24 which is subnetted into multiple subnets, so that's why the

You are sending all traffic to 10.10.0.0/16 out to 10.10.64.9, which I assume is the Core Switch ?

Yes, from the core switch I can reach the other networks; that's why it is the 10.10.0.0/16 network.

I'm doing double NAT because the ADSL router console is not accessible to add internal routes.

Thanks

Hello,

try and remove access-list 101 from the outside interface. Everything is being inspected by the ZBF anyway. If that still doesn't work...I'll try and lab this in GNS3 (if I can).

Dear

I have tried doing that before by removing the access-list, because it is useless when it is in zone-based.

One thing I forgot to mention in my previous post: when I ping 8.8.8.8 it works, but browsing stopped and doesn't work.

Which show commands will help me find out why browsing is not working?

thanks

Hello,

try and configure 'ip name-server 8.8.8.8' on your router. 

If you can ping 8.8.8.8, that means you have Internet connectivity.

Dear Georg,

Thanks, the problem is solved, with the same config; I didn't make any change.

thanks

Adam,

so the original configuration is working now ?

Glad that it is resolved...