01-12-2022 01:27 PM
Hi, I have a router with a zone-based firewall configured that is not working with NAT. I have a NATted device at 192.168.168.0.10 that handles SIP/VoIP. When I set up ZBF I can't get this device to register to the VoIP server. If I remove ZBF it works. FYI, NAT is configured correctly and works without ZBF.
Below is what is configured now:
class-map type inspect match-any CM-inspect-out
 match protocol icmp
 match protocol router
 match protocol dns
 match protocol sip
 match protocol rtsp
 match protocol tcp
 match protocol udp
class-map type inspect match-any CM-inspect-in
 match protocol icmp
 match protocol dns
policy-map type inspect PM-inspect-out
 class type inspect CM-inspect-out
  inspect
 class class-default
  drop
policy-map type inspect PM-inspect-in
 class type inspect CM-inspect-in
  inspect
 class class-default
  drop
zone security WAN
zone security LAN
zone-pair security LAN-WAN-zone_pair source LAN destination WAN
 service-policy type inspect PM-inspect-out
zone-pair security WAN-LAN-zone_pair source WAN destination LAN
 service-policy type inspect PM-inspect-in
What should I be doing to allow NAT with ZBF? Do I need to add the ACL for NAT at the top of the inspect-out class map?
class-map type inspect match-any CM-inspect-out
 match access-group 1 <- NAT ACL
Or do I add it to the inspect-in class map?
class-map type inspect match-any CM-inspect-in
 match access-group 1
 match protocol icmp
 match protocol dns
I'm assuming I must add it to the inspect-in class map.
TIA, Paul
02-03-2022 10:25 AM
This was solved by adding the NAT IP subnet ACL on the incoming inspection map. Note this is not needed outbound, as NAT comes first and is associated with the real routed IP address on the way out to the WAN. Obviously, if you have IPsec you will need to specify that in both directions on the ACL.
class-map type inspect match-any CM-inspect-out
 description - inspect connections from inside out - match order matters
 match access-group 1
 match protocol icmp
 match protocol router
 match protocol dns
 match protocol sip
 match protocol rtsp
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol https
 match protocol ftp
 match protocol tcp
 match protocol udp
 match access-group 100
class-map type inspect match-any CM-inspect-in
 description - allow connections initiated from outside - match order matters
 match protocol icmp
 match protocol dns
 match access-group 100
Extended IP access list 100
    10 permit ip any 192.168.0.0 0.0.0.255
    20 permit ip 192.168.0.0 0.0.0.255 any
    30 permit ip any host 47.x.x.x
    40 permit ip host 47.x.x.x
    50 permit esp any any
    60 permit udp any any eq isakmp
    70 permit udp any any eq 5060
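To see exactly which flows the inbound class-map admits once it matches ACL 100, here is an added example (my code, not from the thread or from Cisco): a small evaluator for the slice of extended-ACL syntax used in ACL 100, with Cisco wildcard-mask and first-match semantics, run over a few constructed packets. Line 10 (permit ip any 192.168.0.0 0.0.0.255) matches any source address to the inside subnet, so under an inspect class on the WAN-to-LAN zone pair it lets any Internet host open a session to any inside host, not just the registrar; the second ACL in the block is a narrower alternative I am suggesting, pinned to an assumed registrar address 203.0.113.5 and phone address 192.168.0.10 (placeholders, not from the page). The redacted 47.x.x.x entries are left out rather than guessed, and the `match protocol` lines of the class-map are not modelled.

```python
"""Evaluate Cisco-style extended ACL entries against sample packets.

Added example (not code from the thread). It models only the slice of the
extended-ACL grammar that ACL 100 on this page uses:

    [seq] permit|deny <proto> <src> <dst> [eq <port>]

where <src>/<dst> is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
Entries are evaluated first-match, with the implicit deny at the end.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints

# Port names IOS prints in place of numbers (only a handful are needed here).
PORT_NAMES = {"isakmp": 500, "domain": 53, "www": 80, "ssh": 22, "bootps": 67}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "esp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume one address spec and return it with the remaining tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    # Cisco wildcard mask: a 1 bit means "don't care", so 0.0.0.255 is a /24.
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _addr_matches(spec: AddrSpec, ip: int) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (base & care)


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    seq = 0
    if tokens[0].isdigit():
        seq, tokens = int(tokens[0]), tokens[1:]
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1])
        if dport is None:
            dport = int(rest[1])
    return Ace(seq, action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("!")]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, _ip(pkt.src)):
        return False
    if not _addr_matches(ace.dst, _ip(pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry, or ('deny', None)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ACL 100 as shown in the accepted solution. The two 47.x.x.x entries are
# redacted on the page and are left out here rather than guessed.
ACL_100 = parse_acl("""
10 permit ip any 192.168.0.0 0.0.0.255
20 permit ip 192.168.0.0 0.0.0.255 any
50 permit esp any any
60 permit udp any any eq isakmp
70 permit udp any any eq 5060
""")

# Narrower inbound ACL (my suggestion, not from the thread): only the registrar,
# only UDP/5060, only to the phone. 203.0.113.5 / 192.168.0.10 are assumed.
ACL_SIP_ONLY = parse_acl("""
10 permit udp host 203.0.113.5 host 192.168.0.10 eq 5060
""")

# Constructed sample traffic, as the WAN->LAN class-map would see it.
SAMPLES = {
    "registrar reply to phone":      Packet("udp", "203.0.113.5", "192.168.0.10", 5060),
    "unsolicited SSH from internet": Packet("tcp", "198.51.100.77", "192.168.0.10", 22),
    "IKE from any peer":             Packet("udp", "198.51.100.77", "10.0.0.5", 500),
    "SSH to a non-inside host":      Packet("tcp", "198.51.100.77", "10.0.0.5", 22),
}


def report(acl: List[Ace]):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 100", ACL_100), ("SIP-only", ACL_SIP_ONLY)):
        print(label)
        for name, (action, seq) in report(acl).items():
            print(f"  {name:32s} -> {action} (line {seq})")
```

Running it shows the unsolicited SSH attempt hitting line 10 of ACL 100 just like the registrar's reply does, while the SIP-only ACL admits the registrar and nothing else. The evaluator is first-match, so with ACL 100 the port-specific line 70 is never reached for anything destined to the inside subnet.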
01-12-2022 10:48 PM
Hi,
Could be that ZBF cannot inspect or does not understand the registration traffic. Can you try adding an access-list for that particular registration traffic and adding the ACL to a new class-map? Add the class-map to the policy-map and use pass instead of inspect for that traffic.
Thanks
John
01-13-2022 09:24 AM
John, I don't think that's the issue. I just need to know how to pass NAT through ZBF and still get it inspected.
Paul
01-13-2022 09:44 PM
Hi,
I think the issue is with ZBF. The ZBF inspects the outgoing traffic and allows return traffic through based on the firewall session table. When you look at the ZBF table, can you see the outbound sessions being set up?
show policy-map type inspect zone-pair LAN-WAN-zone_pair session
If you have outbound sessions being attempted and no return traffic (0 bytes), then the return traffic is failing. If you enable logging for the dropped traffic, you should get an idea of what is being dropped.
Also, are you using NAT NVI for your NAT configuration? NVI does not work well with ZBF.
Thanks
John
01-14-2022 08:02 AM
John, I'm just using NAT, no NVI. I can't really test this yet, but I believe the issue might be that NAT gets translated before the inspect. When the packets go out, they go out as the routable WAN IP. When they come in and get translated back to RFC 1918, they fail the check and get dropped. I believe the solution is to allow the NAT IP subnet on the incoming inspect policy.
Paul