ZBF with NAT on IOS XE

paul amaral
Level 4

Hi, I have a router with a zone-based firewall configured that is not working with NAT. I have a NATted device at 192.168.168.0.10 that handles SIP/VoIP. When I set up ZBF I can't get this device to register to the VoIP server. If I remove ZBF it works. FYI, NAT is configured correctly and works without ZBF.

Below is what is configured now:


class-map type inspect match-any CM-inspect-out
 match protocol icmp
 match protocol router
 match protocol dns
 match protocol sip
 match protocol rtsp
 match protocol tcp
 match protocol udp

class-map type inspect match-any CM-inspect-in
 match protocol icmp
 match protocol dns

policy-map type inspect PM-inspect-out
 class type inspect CM-inspect-out
  inspect
 class class-default
  drop

policy-map type inspect PM-inspect-in
 class type inspect CM-inspect-in
  inspect
 class class-default
  drop

zone security WAN
zone security LAN

zone-pair security LAN-WAN-zone_pair source LAN destination WAN
 service-policy type inspect PM-inspect-out

zone-pair security WAN-LAN-zone_pair source WAN destination LAN
 service-policy type inspect PM-inspect-in

What should I be doing to allow NAT with ZBF? Do I need to add the ACL for NAT at the top of the inspect-out class map?

 

class-map type inspect match-any CM-inspect-out
 match access-group 1   <- NAT ACL

 

Or do I add it to the inspect-in class map?

 

class-map type inspect match-any CM-inspect-in
 match access-group 1
 match protocol icmp
 match protocol dns

 

I'm assuming I must add it to the inspect-in class map.

 

TIA, Paul

 

 


5 Replies

johnd2310
Level 8

Hi,

Could be that ZBF cannot inspect or does not understand the registration traffic. Can you try adding an access-list for that particular registration traffic and adding the ACL to a new class-map? Add the class-map to the policy-map and use pass instead of inspect for that traffic.

 

Thanks

John

**Please rate posts you find helpful**
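A constructed configuration of the approach John describes, added here as an illustration and not taken from the thread or from the poster's router: the registration traffic is matched by its own ACL and given the pass action instead of inspect. Because pass is stateless and applies to one zone-pair only, the same class has to appear in both policy-maps or the replies from the provider are still dropped. The ACL and class names, the provider address 203.0.113.10 and the device address 192.168.0.10 are placeholders; the addresses are written as the inside (untranslated) ones, the same way the accepted solution's ACL 100 refers to 192.168.0.0/24 in both directions.

```cisco
! Constructed example, not the poster's configuration.
! Placeholders: 192.168.0.10 = VoIP device (inside address),
!               203.0.113.10 = SIP provider, UDP 5060 = SIP signalling.
ip access-list extended ACL-SIP-REG
 remark registration from the device to the provider
 permit udp host 192.168.0.10 host 203.0.113.10 eq 5060
 remark replies from the provider back to the device
 permit udp host 203.0.113.10 eq 5060 host 192.168.0.10
!
class-map type inspect match-all CM-sip-pass
 match access-group name ACL-SIP-REG
!
! pass is one-way, so the class sits in BOTH policies and is evaluated
! before the inspect class so that the narrower match wins.
policy-map type inspect PM-inspect-out
 class type inspect CM-sip-pass
  pass
 class type inspect CM-inspect-out
  inspect
 class class-default
  drop
!
policy-map type inspect PM-inspect-in
 class type inspect CM-sip-pass
  pass
 class type inspect CM-inspect-in
  inspect
 class class-default
  drop
```

Passed traffic creates no session entry and is not protocol-inspected, so this only stays narrow if the ACL is pinned to the provider's address and port as above; a `permit udp any any eq 5060` in the inbound class would leave UDP 5060 on the whole inside subnet reachable from the WAN.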

John, I don't think that's the issue; I just need to know how to pass NAT through ZBF and still get it inspected.

Paul

Hi,

I think the issue is with ZBF. The ZBF inspects the outgoing traffic and allows return traffic through based on the firewall session table. When you look at the ZBF table, can you see the outbound sessions being set up?

show policy-map type inspect zone-pair LAN-WAN-zone_pair session

If you have outbound sessions being attempted and no return traffic (0 bytes), then the return traffic is failing. If you enable logging for the dropped traffic, you should get an idea of what is being dropped.

Also, are you using NAT NVI for your NAT configuration? NVI does not work well with ZBF.

 

Thanks

John

**Please rate posts you find helpful**

John, I'm just using NAT, no NVI. I can't really test this yet, but I believe the issue might be that NAT gets translated before the inspect. When the packets go out, they go out as the routable WAN IP. When they come in and get translated back to RFC 1918, they fail the check and get dropped. I believe the solution is to allow the NAT IP subnet on the incoming inspect policy.

Paul

paul amaral
Level 4
(Accepted Solution)

This was solved by adding the NAT IP subnet ACL on the incoming inspection map. Note this is not needed outbound, as NAT comes first and is associated with the real routed IP address on the way out to the WAN. Obviously, if you have IPsec you will need to specify that in both directions on the ACL.

 

 

class-map type inspect match-any CM-inspect-out
description - inspect connections from inside out - match order matters
match access-group 1
match protocol icmp
match protocol router
match protocol dns
match protocol sip
match protocol rtsp
match protocol smtp
match protocol pop3
match protocol imap
match protocol http
match protocol https
match protocol ftp
match protocol tcp
match protocol udp
match access-group 100

class-map type inspect match-any CM-inspect-in
description - allow connections initiated from outside - match order matters
match protocol icmp
match protocol dns
match access-group 100

 

 

Extended IP access list 100
    10 permit ip any 192.168.0.0 0.0.0.255
    20 permit ip 192.168.0.0 0.0.0.255 any
    30 permit ip any host 47.x.x.x
    40 permit ip host 47.x.x.x
    50 permit esp any any
    60 permit udp any any eq isakmp
    70 permit udp any any eq 5060
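As an added example (constructed, not the poster's running configuration), the same inbound class-map with the ACL narrowed. Line 10 of ACL 100 above lets any outside host initiate any IP traffic to the whole 192.168.0.0/24 through the inbound inspect policy, which is far broader than SIP registration needs; the accepted solution shows that the inbound class-map matches on the translated inside address, so the ACL can name the VoIP device directly. The ACL name, the provider address 203.0.113.10 and the device address 192.168.0.10 are placeholders; the 47.x.x.x lines are left out because the page does not give the full address.

```cisco
! Constructed example, not the poster's configuration.
! Placeholders: 192.168.0.10 = VoIP device (translated inside address),
!               203.0.113.10 = SIP provider.
ip access-list extended ACL-WAN-TO-LAN
 remark SIP signalling from the provider to the translated inside address only
 permit udp host 203.0.113.10 eq 5060 host 192.168.0.10 eq 5060
 remark IPsec, kept from the accepted solution, only if a VPN terminates here
 permit esp any any
 permit udp any any eq isakmp
!
! match-any is evaluated top down, so the protocol matches stay first
class-map type inspect match-any CM-inspect-in
 match protocol icmp
 match protocol dns
 match access-group name ACL-WAN-TO-LAN
!
! Check what the WAN side is actually opening: only provider-to-device
! SIP sessions should appear here once the ACL is narrowed.
show policy-map type inspect zone-pair WAN-LAN-zone_pair sessions
```

The `show policy-map type inspect zone-pair ... sessions` line is the check John suggested, run on the WAN-to-LAN pair; any session listed there that is not from the provider to the device is traffic the broad ACL 100 would have admitted. Inspecting UDP 5060 via an access-group match gives generic UDP inspection; the RTP pinholes for calls still come from `match protocol sip` on the outbound class, which the accepted solution keeps.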
