cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2535
Views
0
Helpful
7
Replies

Zone-base-firewall configuration

slauzon
Level 1
Level 1

Hello,

I am tried to understand the zone-base-firewall. I am using it on a cisco 891 with ios c890-universalk9-mz.151-2.T1

With the current configuration, everything is working fin exept the trafic from the private zone to the Internet zone. My vpn tunnel are working, I can ping from the device behind the router on vlan1 to the Internet but traffic like http or dns aren't working and I can't see what could be the issue. Probably I don't understand exacly how the zone base firewall work. My private zone is vlan1 and the Internet is Gi0 and I nat from vlan1 to the Internet. I am separating the protocol in two group, layer 4 and layer 7. In the future I would like to apply only L4 between the private zone to the wan zone and L4 and L7 between the private zone to the Internet but for now I want to concentrate on the problem I have. Any idea what could be the issue?

firewall configuration
class-map type inspect match-any L4-inspect-class
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any L7-inspect-class
match protocol ssh
match protocol ftp
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imap3
match protocol imaps
match protocol smtp
match protocol http
match protocol https
match protocol dns
!
!
policy-map type inspect private-internet-policy
class type inspect L7-inspect-class
  inspect
class type inspect L4-inspect-class
  inspect
class class-default
  drop log
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
service-policy type inspect private-internet-policy
!

7 Replies 7

praprama
Cisco Employee
Cisco Employee

Hi,

Please enable logging on the router and also the command "ip inspect log drop". In the syslogs you should now be able to see drops related to zone based firewall. Once this is odne, try accessing internet and see what logs pop up. Also, when trying to access the internet, please get the output of

show policy-map type inspect zone-pair private-internet sessions

Also, do you have a zone-pair for internet to private? what is the config of that policy-map? please paste the output of "show zone security" and "show zone-pair security" along with the above.

Regards,

Prapanch

Make sure your zones are configure properly on your interfaces.

Also if you are usinga  loopback interface to nat the traffic going out the loopback need to be in the private zone.

I hope it helps.

PK

No I don't have a zone-pair from the Internet to private, I think by default the traffic from the Internet zone to the private will be inspected, Am I wrong?

Here is the info I got, I don't see any drop...


seblab001#show policy-map type inspect zone-pair private-internet sessions

policy exists on zp private-internet
Zone-pair: private-internet

  Service-policy inspect : private-internet-policy

    Class-map: L7-inspect-class (match-any)
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3s
        7 packets, 224 bytes
        30 second rate 0 bps
      Match: protocol imap
        27 packets, 864 bytes
        30 second rate 0 bps
      Match: protocol imap3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol imaps
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        9 packets, 288 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        321 packets, 14736 bytes
        30 second rate 0 bps

   Inspect

      Number of Half-open Sessions = 6
      Half-open Sessions
        Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
          Created 00:00:29, Last heard 00:00:29
          Bytes sent (initiator:responder) [0:0]
        Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:10, Last heard 00:00:02
          Bytes sent (initiator:responder) [102:0]
        Session 85A7C480 (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
          Created 00:00:09, Last heard 00:00:02
          Bytes sent (initiator:responder) [136:0]
        Session 85A7C800 (192.168.140.74:64510)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:08, Last heard 00:00:00
          Bytes sent (initiator:responder) [99:0]
        Session 85A7F580 (192.168.140.74:64510)=>(4.2.2.3:53) dns:udp SIS_OPENING
          Created 00:00:07, Last heard 00:00:00
          Bytes sent (initiator:responder) [132:0]
        Session 85A7E780 (192.168.140.74:64314)=>(4.2.2.2:53) dns:udp SIS_OPENING
          Created 00:00:00, Last heard 00:00:00
          Bytes sent (initiator:responder) [32:0]


    Class-map: L4-inspect-class (match-any)
      Match: protocol tcp
        1 packets, 32 bytes
        30 second rate 0 bps
      Match: protocol udp
        123 packets, 5343 bytes
        30 second rate 0 bps
      Match: protocol icmp
        22 packets, 880 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

seblab001#show zone security
zone self
  Description: System defined zone


zone private
  Member Interfaces:
    Vlan1


zone internet
  Member Interfaces:
    GigabitEthernet0


zone wan


seblab001#show zone-pair security
Zone-pair name private-internet
    Source-Zone private  Destination-Zone internet
    service-policy private-internet-policy

Since you are Inspecting the traffic then yes the return traffic will be allowed. Im seeing that you have the private security zone associated with VLAN1 could you associate the private  zone to a physical interface insteat.. just for testing.

Please enable logging

IP INSPECT LOG DROP-PKT

Check the logs they will tell you who is blocking what.

WHat happens if you remove the zone-member of the interfaces? If you still have the problem after removing them, then it's not the ZBF it something else

Hi,

Based on the output, i can see a number of sessions being created for DNS and one HTTP (Google's IP address):

Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp  SIS_OPENING/TCP_SYNSENT
          Created 00:00:29, Last heard  00:00:29
          Bytes sent (initiator:responder) [0:0]
         Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp  SIS_OPENING
          Created 00:00:10, Last heard 00:00:02
           Bytes sent (initiator:responder) [102:0]
        Session 85A7C480  (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
           Created 00:00:09, Last heard 00:00:02
          Bytes sent  (initiator:responder) [136:0]

Alaso, it can be seen from the bytes sent that we do not see anything from the server back. Well i am not blaming that the ISP is blocking something but i have seen before that if we have a zone-pair from inside to internet but no zone-pair from internet private, even though we inspect packets from provate to internet, traffic does not pass through.

To check what's going on, please enable logging and also "ip inspect log drop-pkt" and we can see logs.

Also, plese try creating just a zone-pair from internet-private and see if it make any difference.

Let me know how it goes!!

Thanks and Regards,

Prapanch

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: