09-03-2010 09:08 AM - edited 03-11-2019 11:34 AM
Hello,
I am trying to understand the zone-based firewall. I am using it on a Cisco 891 with IOS c890-universalk9-mz.151-2.T1.
With the current configuration, everything is working fine except the traffic from the private zone to the Internet zone. My VPN tunnels are working, I can ping from the device behind the router on vlan1 to the Internet, but traffic like HTTP or DNS isn't working and I can't see what could be the issue. Probably I don't understand exactly how the zone-based firewall works. My private zone is vlan1 and the Internet is Gi0, and I NAT from vlan1 to the Internet. I am separating the protocols into two groups, layer 4 and layer 7. In the future I would like to apply only L4 between the private zone and the wan zone and L4 and L7 between the private zone and the Internet, but for now I want to concentrate on the problem I have. Any idea what could be the issue?
firewall configuration:
class-map type inspect match-any L4-inspect-class
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any L7-inspect-class
 match protocol ssh
 match protocol ftp
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imap3
 match protocol imaps
 match protocol smtp
 match protocol http
 match protocol https
 match protocol dns
!
!
policy-map type inspect private-internet-policy
 class type inspect L7-inspect-class
  inspect
 class type inspect L4-inspect-class
  inspect
 class class-default
  drop log
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
09-03-2010 09:20 AM
Hi,
Please enable logging on the router and also the command "ip inspect log drop". In the syslogs you should now be able to see drops related to the zone-based firewall. Once this is done, try accessing the Internet and see what logs pop up. Also, when trying to access the Internet, please get the output of
show policy-map type inspect zone-pair private-internet sessions
Also, do you have a zone-pair for internet to private? What is the config of that policy-map? Please paste the output of "show zone security" and "show zone-pair security" along with the above.
Regards,
Prapanch
09-03-2010 09:25 AM
Make sure your zones are configured properly on your interfaces.
Also, if you are using a loopback interface to NAT the traffic going out, the loopback needs to be in the private zone.
I hope it helps.
PK
09-03-2010 10:08 AM
No, I don't have a zone-pair from the Internet to private. I think by default the traffic from the Internet zone to the private zone will be inspected; am I wrong?
Here is the info I got, I don't see any drop...
seblab001#show policy-map type inspect zone-pair private-internet sessions
policy exists on zp private-internet
Zone-pair: private-internet
Service-policy inspect : private-internet-policy
Class-map: L7-inspect-class (match-any)
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
7 packets, 224 bytes
30 second rate 0 bps
Match: protocol imap
27 packets, 864 bytes
30 second rate 0 bps
Match: protocol imap3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
9 packets, 288 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
321 packets, 14736 bytes
30 second rate 0 bps
Inspect
Number of Half-open Sessions = 6
Half-open Sessions
Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
Created 00:00:29, Last heard 00:00:29
Bytes sent (initiator:responder) [0:0]
Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
Created 00:00:10, Last heard 00:00:02
Bytes sent (initiator:responder) [102:0]
Session 85A7C480 (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
Created 00:00:09, Last heard 00:00:02
Bytes sent (initiator:responder) [136:0]
Session 85A7C800 (192.168.140.74:64510)=>(4.2.2.2:53) dns:udp SIS_OPENING
Created 00:00:08, Last heard 00:00:00
Bytes sent (initiator:responder) [99:0]
Session 85A7F580 (192.168.140.74:64510)=>(4.2.2.3:53) dns:udp SIS_OPENING
Created 00:00:07, Last heard 00:00:00
Bytes sent (initiator:responder) [132:0]
Session 85A7E780 (192.168.140.74:64314)=>(4.2.2.2:53) dns:udp SIS_OPENING
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [32:0]
Class-map: L4-inspect-class (match-any)
Match: protocol tcp
1 packets, 32 bytes
30 second rate 0 bps
Match: protocol udp
123 packets, 5343 bytes
30 second rate 0 bps
Match: protocol icmp
22 packets, 880 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
seblab001#show zone security
zone self
Description: System defined zone
zone private
Member Interfaces:
Vlan1
zone internet
Member Interfaces:
GigabitEthernet0
zone wan
seblab001#show zone-pair security
Zone-pair name private-internet
Source-Zone private Destination-Zone internet
service-policy private-internet-policy
09-03-2010 01:22 PM
Since you are inspecting the traffic, then yes, the return traffic will be allowed. I'm seeing that you have the private security zone associated with VLAN1; could you associate the private zone to a physical interface instead, just for testing?
09-03-2010 01:24 PM
Please enable logging
IP INSPECT LOG DROP-PKT
Check the logs they will tell you who is blocking what.
09-03-2010 01:28 PM
What happens if you remove the zone-member of the interfaces? If you still have the problem after removing them, then it's not the ZBF; it's something else.
09-03-2010 05:14 PM
Hi,
Based on the output, I can see a number of sessions being created for DNS and one for HTTP (Google's IP address):
Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
Created 00:00:29, Last heard 00:00:29
Bytes sent (initiator:responder) [0:0]
Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
Created 00:00:10, Last heard 00:00:02
Bytes sent (initiator:responder) [102:0]
Session 85A7C480 (192.168.140.74:57640)=>(4.2.2.3:53) dns:udp SIS_OPENING
Created 00:00:09, Last heard 00:00:02
Bytes sent (initiator:responder) [136:0]
Also, it can be seen from the bytes sent that we do not see anything from the server back. Well, I am not blaming the ISP for blocking something, but I have seen before that if we have a zone-pair from inside to internet but no zone-pair from internet to private, even though we inspect packets from private to internet, traffic does not pass through.
To check what's going on, please enable logging and also "ip inspect log drop-pkt" and we can see logs.
Also, please try creating just a zone-pair from internet to private and see if it makes any difference.
Let me know how it goes!!
Thanks and Regards,
Prapanch
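The check Prapanch makes above, reading the initiator:responder byte counters of the half-open sessions, can be done mechanically over the session output. This is an added example, not code from the thread or from Cisco: it parses a constructed sample in the format of "show policy-map type inspect zone-pair ... sessions" and lists the sessions that the inspect engine opened but that never received a reply, which points the investigation at NAT, routing or the upstream path rather than at the zone-pair policy itself.

```python
import re

# Constructed sample in the layout of IOS 15.x "show policy-map type inspect
# zone-pair <name> sessions" (not a capture from the thread's router).
SAMPLE = """\
 Number of Half-open Sessions = 2
 Half-open Sessions
  Session 85A7DD00 (192.168.140.74:52838)=>(209.85.225.83:80) http:tcp SIS_OPENING/TCP_SYNSENT
    Created 00:00:29, Last heard 00:00:29
    Bytes sent (initiator:responder) [0:0]
  Session 85A7D600 (192.168.140.74:57640)=>(4.2.2.2:53) dns:udp SIS_OPENING
    Created 00:00:10, Last heard 00:00:02
    Bytes sent (initiator:responder) [102:0]
 Established Sessions
  Session 85A7C480 (192.168.140.74:50001)=>(203.0.113.10:443) https:tcp SIS_OPEN
    Created 00:01:09, Last heard 00:00:02
    Bytes sent (initiator:responder) [1360:24590]
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+\((?P<src>[^)]+)\)=>\((?P<dst>[^)]+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>\S+)")
BYTES_RE = re.compile(r"Bytes sent \(initiator:responder\) \[(?P<init>\d+):(?P<resp>\d+)\]")


def parse_sessions(text):
    """Return one dict per session: id, src, dst, proto, state, init/resp byte counts."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({**m.groupdict(), "init": None, "resp": None})
            continue
        b = BYTES_RE.search(line)
        if b and sessions:  # counters belong to the most recent "Session" line
            sessions[-1]["init"] = int(b.group("init"))
            sessions[-1]["resp"] = int(b.group("resp"))
    return sessions


def one_way_sessions(sessions):
    """Sessions still opening with zero bytes from the responder: ZBF created the
    entry (so the outbound packet was not dropped by the policy), but nothing came
    back, which is the symptom to chase in NAT, routing or the upstream path."""
    return [s for s in sessions if s["state"].startswith("SIS_OPENING") and s["resp"] == 0]


if __name__ == "__main__":
    for s in one_way_sessions(parse_sessions(SAMPLE)):
        print(f"{s['id']} {s['src']} -> {s['dst']} {s['proto']} sent={s['init']} no reply")
```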