external - internal firewall problem

Answered Question
Aug 17th, 2010

hi,


I am facing a problem where outside users cannot access my webmail application (https://mail.xxx.com).


Facts:
1. The error message shown in the browser is "The server at mail.xxx.com is taking too long to respond."

2. From outside, I can still ping the mail server's external IP.

3. From the internal LAN, access to the webmail service is OK.


My question:
I just want to make sure whether the border router, newly running IOS ZBF, is causing any conflict between the external firewall and internal firewall design.


Shown with the network topology:


So, traffic traversing from the internet into the LAN / DMZ must go through the border router.
Currently, the border router just implements the IOS zone-pair firewall, where the zone-pair is shown below:


1. zone-pair security ccp-zp-in-out source in-zone destination out-zone
2. policy inspect on the class-map ccp-insp-traffic
    match protocol http and match protocol https
3. The border router's routing will pass the traffic to reach the ASA FW as the threshold, either doing NAT to get into the private network or traversing between DMZ servers.
4. The mail server IP is 202.168.14.40/28, which is in the same subnet as the ASA FW.


Did I miss anything? Should I build another policy for out-zone -> in-zone?
Should the ACL be "permit any 202.168.11.32 0.0.0.16", allowing the protocols domain, 443, 80 and smtp?
(I tried, but no go.)


Hints and ideas are needed to solve this mystery, thank you.


Thanks

Correct Answer by praprama, Tue, 08/17/2010 - 19:22

Hi,


> Did I miss anything? Should I build another policy for out-zone -> in-zone?


Yes, we will need another zone pair created from out-zone to in-zone and explicitly allow traffic to the mail server's IP address (202.168.14.40) on TCP ports 80 and 443.


Another thing you can do to check whether the border router is forwarding packets to the ASA is to apply captures on the ASA's outside interface.


Below is a useful document on ZBF which you can use for reference:


https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml


All the best!


Regards,

Prapanch


yong khang NG Tue, 08/17/2010 - 21:11

Sir, bingo!!! You hit it!!!


Allow me to ask 2 additional questions about this IOS FW.


(1) Let's say I have another services server (say a web server) residing in the DMZ, meaning I need to explicitly create the ACL permit any to host x.x.x.x eq 80.


So is it possible if I just permit any 202.168.14.32 0.0.0.16 eq 80, will it also produce the same result?


(2) What if I have a tunnel interface at my edge router:


interface Tunnel1
ip address 210.xx.x.xxx 255.255.255.254
keepalive 10 3
tunnel source Serial2/1/0:0
tunnel destination 2xx.xx.x.160
!

The edge router's Serial2/1/0 is connected to the border router.


Now I see there's a log at the border router:


003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 202.1xx.xx.2:0 2xx.xx.x.160:0 on zone-pair ccp-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0


What does this mean?



Anyway, thanks for helping solve the previous problem, thank you.
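A quick way to settle question (1) before putting an entry into production: this added script (mine, not from the thread) evaluates an ACL entry the way IOS applies a wildcard mask, comparing only the bits the mask marks as significant, against the mail server address and subnet quoted in the thread (202.168.14.40 in 202.168.14.32/28). The function names are my own.

```python
# Added example (not from the thread): how an IOS ACL wildcard mask is
# evaluated. IOS compares (packet_ip & ~wildcard) with (acl_addr & ~wildcard);
# a wildcard bit of 1 means "don't care". The addresses are the thread's own;
# the function names are constructed for this illustration.
import ipaddress
from typing import List


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(acl_addr: str, wildcard: str, host: str) -> bool:
    """True if `host` matches the ACL entry `acl_addr wildcard`."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)  # bits IOS actually compares
    return (_to_int(acl_addr) & care) == (_to_int(host) & care)


def hosts_covered(acl_addr: str, wildcard: str, network: str) -> List[str]:
    """Every address of `network` that the entry matches (small nets only)."""
    net = ipaddress.IPv4Network(network, strict=False)
    return [str(h) for h in net if wildcard_matches(acl_addr, wildcard, str(h))]


def wildcard_for_prefix(network: str) -> str:
    """The contiguous wildcard covering exactly `network` (a /28 gives 0.0.0.15)."""
    return str(ipaddress.IPv4Network(network, strict=False).hostmask)


if __name__ == "__main__":
    mail = "202.168.14.40"
    # The entry proposed above: permit any 202.168.14.32 0.0.0.16 eq 80
    print(wildcard_matches("202.168.14.32", "0.0.0.16", mail))      # False
    print(hosts_covered("202.168.14.32", "0.0.0.16", "202.168.14.32/28"))
    # The contiguous wildcard for the /28 the mail server sits in
    print(wildcard_for_prefix("202.168.14.32/28"))                  # 0.0.0.15
    print(wildcard_matches("202.168.14.32", "0.0.0.15", mail))      # True
```

Within the /28, the 0.0.0.16 entry matches only 202.168.14.32 itself (and 202.168.14.48 outside it), since wildcard bits are not a length but a per-bit mask.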

praprama (Cisco Employee) Tue, 08/17/2010 - 22:10

Hi,


(1) Yes, we can either have an ACL to the specific host on port 80, or we can have it for the entire subnet. Both should have the same effect (only that in the 2nd case we will be opening up port 80 for an entire subnet).


(2) The log that you see is due to the packet being dropped by the ZBF config on the border router. The packet being dropped is sourced from the source IP to the destination IP you see in the log. Also, we see it is being dropped by the "class-default", which has a drop action.


If you think it's legitimate traffic, then you might want to allow it on the zone pair for in-zone to out-zone.


All the best!!


Regards,

Prapanch
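To read the %FW-6-DROP_PKT message field by field and count such drops across a syslog feed, here is an added parser (mine, not from the thread); the sample lines are constructed with RFC 5737 documentation addresses in the same format as the log line quoted above, and the function names are my own.

```python
# Added example (not from the thread): parse IOS %FW-6-DROP_PKT messages so
# each field can be read, and tally drops per zone-pair/class/destination.
# SAMPLE is constructed with documentation addresses, not the thread's logs.
import re
from collections import Counter
from typing import List, Optional

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to\s+(?P<reason>.+?) found in policy-map"
)


def parse_fw_drop(line: str) -> Optional[dict]:
    """Return the fields of one %FW-6-DROP_PKT line, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def tally_drops(lines: List[str]) -> Counter:
    """Count drops keyed by (zone-pair, class, L4 protocol, destination)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_fw_drop(line)
        if d:
            counts[(d["zone_pair"], d["cls"], d["proto"], d["dst"])] += 1
    return counts


# Constructed sample lines in the same format as the router log above
SAMPLE = [
    "003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session "
    "192.0.2.2:0 198.51.100.160:0 on zone-pair ccp-zp-in-out class class-default "
    "due to  DROP action found in policy-map with ip ident 0",
    "003117: Aug 18 12:09:35.101 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session "
    "192.0.2.2:0 198.51.100.160:0 on zone-pair ccp-zp-in-out class class-default "
    "due to  DROP action found in policy-map with ip ident 0",
    "003118: Aug 18 12:10:02.007 PCTime: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_fw_drop(line))
    print(tally_drops(SAMPLE))
```

A session logged as Unknown-l4 with ports 0 is neither TCP, UDP nor ICMP; an IOS tunnel interface defaults to GRE, which none of the match protocol lines in ccp-cls-insp-traffic cover, so that traffic falls through to class-default and its drop action.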

yong khang NG Wed, 08/18/2010 - 20:01

Hi sir, it's another round of follow-up questions, again on this IOS ZBF problem.


After I put in the policy for out -> in zone, my webmail service works. But after reloading the router, the private subnet (which is in-zone) cannot get online.


As a last effort I had to take the zone-member security away from the interface; then everything seems fine again.


The class-map, policy-map and zone-pair go like this:


class-map type inspect match-any outzone-inzone
match protocol http
match protocol https
match access-group 110


class-map type inspect match-any ccp-cls-insp-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
!
policy-map type inspect ccp-inspect
class type inspect ccp-cls-insp-traffic
  inspect
class class-default
  drop
!
policy-map type inspect out-in
class type inspect outzone-inzone
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security zp-out-to-in source out-zone destination in-zone
service-policy type inspect out-in
zone-pair security zp-in-to-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
!

access-list 110 permit tcp any host 202.168.14.40 eq www
access-list 110 permit tcp any host 202.168.14.40 eq 443


Any magic hints again? Thanks.


Noel

praprama (Cisco Employee) Wed, 08/18/2010 - 20:36

Hi,


Well, from the configuration I do not see any problem. Did you notice any logs when the internet access was not working? That would help us guess where exactly the problem was.


Regards,

Prapanch
