Zone based Firewall --DMZ

Answered Question

Hi all,

I am very new to Cisco, and routing/ firewalls in general.
I brought my self a Cisco 1812. Its connected via Fe/0 to an ADSL modem in pure bridge mode. So the 1812 is doing all the PPP auth.
I've been following this guide Zone-Based Policy Firewall Design and Application Guide . So far I've got everything set up. PPP works, F/W works I have a single port forward working and I've port scanned the router to ensure that only the ports I've allowed are open.
I am quite stuck now. I have created a DMZ zone. I have allowed SSH and HTTPS from my LAN-zone into my DMZ-zone. This works with out a hitch. The dmz is on a diffrent subnet. and hangs off Fa/6.
Where I am suck is I want full access from the WAN-zone into the DMZ-zone. I can't seem to get this to work.
Each host in the DMZ hsa there own firewall so I don't want the Cisco to do anything.

I have attached my current runnign config.

Thanks

Attachment: 
I have this problem too.
0 votes
Correct Answer by Jitendriya Athavale about 6 years 4 months ago

you do not have ip nat inside on vlan 90

and also include this network in 101 acl

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Jitendriya Athavale Sat, 07/17/2010 - 07:19

i havent read the config, but i think one option is putting both the wan and dmz in the same zone, so the firewall wont do anything to block the traffic as traffic is permitted between interfaces belonging to same zone

Jitendriya Athavale Sat, 07/17/2010 - 23:37

pretty much the same way as u placed other interfaces in zones

for  eg

u must have done the following

int fe0/0

zone-member security public

now all u need to do is

int fe0/6

zone-member security public

hoping that both of these are L3 interfaces

Still a little confused.

I've used vlans, hopfully this won't make much of a diffrance.

The below listing only has Security zones, all other info I sniped out.

So :-
!

interface Dialer0

zone-member security WAN
!
interface Vlan90
zone-member security DMZ

!

interface Vlan10
  zone-member security LAN

!

Are you saying I need to change Vlan90 to WAn, rahter then DMZ. If so how do I set up access from some internal hosts to the "dmz" hosts that will be in the WAN zone?

Thanks,

Jitendriya Athavale Sun, 07/18/2010 - 00:26

i would say that it is definately worth a shot,

you can out it in wan

now to permit your dmz networks to access your lan you can use access-list

or if you do not want to do this

setup a zone-pair between wan and dmz and permit everything using access-list

if its still confusing you can paste the snippet which has class-map, policy-map and zone-pair config, i can look it up and advise suitably

I'll give it a shot.

I still don't quite understand thoug
I currently have a zone pair for LAN-DMZ access, this works fine

!
zone-pair security LAN-to-DMZ source LAN destination DMZ
service-policy type inspect LAN-to-DMZ-policy
!
policy-map type inspect LAN-to-DMZ-policy
class type inspect L7-inspect-class
  inspect
!
class-map type inspect match-any L7-inspect-class
match protocol ssh
match protocol http
match protocol https

!

I also set up a policy map to match an ACL for the DMZ to WAN

!

class-map type inspect match-any DMZ-class
match access-group 130

!
policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
  pass
class class-default
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

I don't quite understand why this is not working. I know SSH,HTTP and HTTPS work from LAN to DMZ, but why can DMZ to WAn any to any work?

If i was to change teh DMZ zone of Vlan90 to WAN, I would need to change my LAN-DMZ  policy to LAN to WAN ?

Thanks

Mohamed Sobair Sun, 07/18/2010 - 07:18

Hi,

When Zone based Firewall configurec, traffic between different Zone members are blocked by default, I suggest you configure another Zone pair allowing traffic from WAN to DMZ as bellow:

zone-pair security WAN-to-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy



class-map type inspect match-any DMZ-class
match access-group 130


policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class

inspect

access-list 130 remark DMZ access all
access-list 130 permit ip any any

With the above config, traffic from WAN to DMZ are also allowed just as it was setup from the LAN to DMZ.

HTH

Mohamed


Jitendriya Athavale Sun, 07/18/2010 - 09:45

wht mohamed says is correct

but just please keep in mind if you want the traffic to be initiated from dmz to wan you will need another zone-pair with source as dmz and destination as wan

Thanks Mohamed,

I think this is right?

!

zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect WAN-to-DMZ-policy
!

policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
  pass
class class-default
!

class-map type inspect match-any DMZ-class
match access-group 130
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

If thats right... Then i must have something else wrong as my machine in the DMZ still cna't access any services on the internet.

Quick question, the default gateway on machines on the Vlan90 should be 192.168.90.254 (fe/6) or should it be 192.168.0.254 (fe/1)?

Thanks

Jitendriya Athavale Sun, 07/18/2010 - 21:29

as i said before for dmz to internet you will need one more zone-pair with source as dmz and destination as wan and the rest can be same, as in you can permit everything and inspect traffic

Jitendriya Athavale Sun, 07/18/2010 - 21:34

i see you already have it

so what you can do is you can enale this command and it will show you if the firewall is dropping any packet

ip inspect log drop-pkt

eneter this command and see the logs

as far as the default gateway is concerned it will be the interface in vlan 90

Jitendriya Athavale Sun, 07/18/2010 - 22:29

just to clarify, these hosts were able to access internet before implementing the firewall right???

so if its an dns issue you should be able to ping to anything in internet using ip address, or you should be able to access websites using their ip address

74.125.19.103, 74.125.19.147, 74.125.19.104, 74.125.19.99

my nslookup for google gave me the following ip, can you try the following from browser

http://74.125.19.103

jathaval,

The host used to be on the Vlan 10, Ping,dns ect all worked fine as they do for any host on the Vlan10.

Vlan10 is firewalled. I need this host to be in the DMZ. So i moved this host into Vlan90.

Now it can not communicat with any hosts on the internet.

If I try ping 74.125.19.103 from the host on Vlan90, I get nothing. Nothing in the logs, Nothing happens on the host.

Thanks

Jitendriya Athavale Sun, 07/18/2010 - 22:57

will it be possible for you to attach the config, so that we can look at the whole config

to isolate the issue further you can disable firewall on wan and dmz for a min by removing the zone security command and try to get to internet from dmz hosts, but be careful as you will end up disturbing traffic from lan to wan

so wht u can do is for a min you can remove zone security commands from all interfaces and test dmz-wan connectivity

i understand tihs might not be possible, so if its ok with you could you please attach the config so that we can take a look at everything

Mohamed Sobair Mon, 07/19/2010 - 03:33

Brendan,

Glad its solved, Just a quick answer to your previous example:

You wrote:

Thanks Mohamed,

I think this is right?

!
zone-pair security WAN-DMZ source WAN destination DMZ
service-policy type inspect WAN-to-DMZ-policy
zone-pair security DMZ-WAN source DMZ destination WAN
service-policy type inspect WAN-to-DMZ-policy
!
policy-map type inspect WAN-to-DMZ-policy
class type inspect DMZ-class
  pass
class class-default
!
class-map type inspect match-any DMZ-class
match access-group 130
!
access-list 130 remark DMZ access all
access-list 130 permit ip any any
!

If thats right... Then i must have something else wrong as my machine in the DMZ still cna't access any services on the internet.
Quick question, the default gateway on machines on the Vlan90 should be 192.168.90.254 (fe/6) or should it be 192.168.0.254 (fe/1)?

If you set the pass action on the policy map , then you have to create another pair and policy that permits the return traffic from DMZ to WAN. otherwise, my example should solve your problem if you need WAN Access to DMZ which will inspect the traffic and will permit the return traffic as its stateful.

HTH

Mohamed

Actions

This Discussion

Related Content