deploying ZBF on my 2801

ciscomoderator
Community Manager

Hi,

We received this question from our CSC Facebook community.

http://www.facebook.com/CiscoSupportCommunity

Zone based firewall / IPsec VPN

Hello,

I've remote vpn running on a 2801, now I decide to use ZBF to have some firewall feature on cisco router but, after deploy ZBF on my 2801 box I can connect but no traffic cross my internal lan.

Topology:

LAN |--------->2801--------->INTERNET

ZBF config.:

class-map type inspect match-any CHAP-1
 match protocol tcp
 match protocol icmp
 match protocol udp
!
!
policy-map type inspect PMAP-1
 class type inspect CHAP-1
  inspect
  police rate 8000 burst 1000
 class class-default
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PMAP-1

***************************************************************

PLEASE HELP!!


cadet alain
VIP Alumni

Hi,

Enter this command: ip inspect log drop-pkt, then try to connect to the LAN from outside and post the output from the log.

Regards.

Alain

Don't forget to rate helpful posts.

tgrundbacher
Level 1

Hi Alcides

Something's missing in your configuration for ZFW to work, you need to assign interfaces to zones:

interface
 zone-member inside

interface
 zone-member outside

Your VPN continues to work because ZFW by default doesn't filter to-the-box traffic, only through-the-box traffic. Keep in mind that you need to define policies in both directions separately if you intend to INITIATE traffic in both directions.

Also, note the following conditions for security-zones in ZFW (taken from the config guide):

  • An interface cannot be part of a zone and legacy inspect policy at the same time.
  • An interface can be a member of only one security zone.
  • When an interface is a member of a security zone, all traffic to and from that interface is blocked unless you configure an explicit interzone policy on a zone pair involving that zone.
  • Traffic cannot flow between an interface that is a member of a security zone and an interface that is not a member of a security zone because a policy can be applied only between two zones.
  • For traffic to flow among all the interfaces in a router, all the interfaces must be members of one security zone or another. This is particularly important because after you make an interface a member of a security zone, a policy action (such as inspect or pass) must explicitly allow packets. Otherwise, packets are dropped.
  • If an interface on a router cannot be part of a security zone or firewall policy, you may have to put that interface in a security zone and configure a "pass all" policy (that is, a "dummy" policy) between that zone and other zones to which a traffic flow is desired.
  • You cannot apply an access control list (ACL) between security zones or on a zone pair.
  • An ACL cannot be applied between security zones and zone pairs. Include the ACL configuration in a class map, and use policy maps to drop traffic.
  • An ACL on an interface that is a zone member should not be restrictive (strict).
  • All interfaces in a security zone must belong to the same virtual routing and forwarding (VRF) instance.
  • You can configure policies between security zones whose member interfaces are in separate VRFs. However, traffic may not flow between these VRFs if the configuration does not allow it.
  • If traffic does not flow between VRFs (because route-leaking between VRFs is not configured), the policy across the VRFs is not executed. This is a misconfiguration on the routing side, not on the policy side.
  • Traffic between interfaces in the same security zone is not subjected to any policy; the traffic passes freely.
  • The source and the destination zones in a zone pair must be the type security.
  • The same zone cannot be defined as both the source and the destination.

Regards

Toni
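A configuration check for the conditions listed in the reply above, as an added example that is not part of the original thread or of any Cisco tool. The interface names and addresses in the sample are constructed assumptions, and `audit_zfw` is a hypothetical helper that reads a saved running-config as text.

```python
import re

# Constructed sample: the zone section from the question plus two
# hypothetical interfaces (names, addresses and membership are assumptions).
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect PMAP-1
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 zone-member security inside
"""

def audit_zfw(config):
    """Return findings for the ZFW conditions quoted from the config guide."""
    zones, pairs, members = set(), {}, {}   # pairs: (src, dst) -> has policy
    iface = pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):      # a top-level line ends any sub-mode
            iface = pair = None
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair = (m[1], m[2])
            pairs[pair] = False
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
            members[iface] = None
        elif iface and (m := re.match(r"zone-member (?:security )?(\S+)", line)):
            members[iface] = m[1]
        elif pair and line.startswith("service-policy type inspect"):
            pairs[pair] = True
    findings = []
    used = set(members.values())
    for z in sorted(zones - used):
        findings.append(f"zone {z}: no interface is a member")
    if used - {None}:                       # only matters once some interface is zoned
        for i in sorted(i for i, z in members.items() if z is None):
            findings.append(f"interface {i}: not in a zone, cannot exchange traffic with zone members")
    for (src, dst), has_policy in sorted(pairs.items()):
        if not has_policy:
            findings.append(f"zone-pair {src}->{dst}: no service-policy attached")
        if (dst, src) not in pairs:
            findings.append(f"zone-pair {dst}->{src}: missing, {dst} cannot initiate traffic to {src}")
    return findings
```

On the sample it reports the zone with no member, the unzoned interface, and the missing outside-to-inside pair; the last one is only a problem if traffic has to be initiated from the outside zone.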

Hi Toni,

As long as interfaces are not part of a security zone and there is no other fw setting then the config he posted can't change anything to the router behaviour.

So if he has another behaviour he has put interfaces into zones.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain

Maybe, maybe not...as long as we don't see the whole and current config of the box and the gentleman himself doesn't participate in this thread, I suspect troubleshooting will get a little difficult.

Anyway, I doubt that you'll see drops with a legacy CBAC command ('ip inspect') for ZFW. In ZFW, logs for drops have to be activated through drop actions assigned to class-maps inside policy-maps. But again, who knows what's running other than ZFW on that box...

Regards

Toni

Hi,

"Anyway, I doubt that you'll see drops with a legacy CBAC command ('ip inspect') for ZFW"

This command will work with zbf, give it a try and you will see.

"Maybe, maybe not...as long as we don't see the whole and current config of the box and the gentleman himself doesn't participate in this thread, I suspect troubleshooting will get a little difficult."

I repeat what I said above: until the interfaces are in a security zone all other zbf commands have no effect at all, so he must at least have put one interface in a zone to get traffic influenced by zbf.

Regards.

Alain.

Don't forget to rate helpful posts.

You're right, 'ip inspect log drop-pkt' really works with ZFW. Thanks for that hint!

"I repeat what I said above: until the interfaces are in a security zone all other zbf commands have no effect at all, so he must at least have put one interface in a zone to get traffic influenced by zbf."

Also true, can't argue about that. Happy troubleshooting then...