881W NAT and Firewall

Answered Question
May 7th, 2012

Hello all,

I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic.  Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode.  I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites.  Based on my configuration below, does anyone have any insight into what could be wrong?

R1-881W#show run

Building configuration...

Current configuration : 14484 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname R1-881W

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 xxxxxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-1234567890

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1234567890

revocation-check none

rsakeypair TP-self-signed-1392450818

!

!

crypto pki certificate chain TP-self-signed-1234567890

certificate self-signed 01

  <some cert>

        quit

no ip source-route

!

!

ip dhcp excluded-address 172.16.1.1 172.16.1.200

ip dhcp excluded-address 192.168.12.200 192.168.12.254

!

ip dhcp pool Private

   import all

   network 172.16.1.0 255.255.255.0

   default-router 172.16.1.1

   dns-server 172.16.1.1 255.255.255.0

!

ip dhcp pool Guest

   network 192.168.12.0 255.255.255.0

   default-router 192.168.12.1

   dns-server 192.168.12.1 255.255.255.0

!

!

ip cef

no ip bootp server

ip domain name somedomain.local

ip name-server 68.94.156.1

ip name-server 68.94.157.1

ip name-server 8.8.8.8

login block-for 120 attempts 5 within 60

login delay 3

!

no ipv6 cef

!

multilink bundle-name authenticated

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

!

!

username someuser privilege 15 secret 5 xxxxxxxxxxxxxx

!

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh version 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 101

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  reset

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  reset

class type inspect http ccp-app-httpmethods

  log

  reset

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

switchport access vlan 11

!

interface FastEthernet1

!

interface FastEthernet2

switchport access vlan 11

!

interface FastEthernet3

!

interface FastEthernet4

description ISP Connection$FW_OUTSIDE$

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

shutdown

duplex auto

speed auto

no cdp enable

!

interface wlan-ap0

description Service module to manage the enbedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $FW_INSIDE$

ip address 172.16.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Vlan11

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface Vlan12

description Guest Vlan$FW_INSIDE$

ip address 192.168.12.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 dhcp

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 100 interface FastEthernet4 overload

!

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

!

logging trap debugging

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 172.16.1.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner login ^CWarning!  Authorized Access Only!^C

!

line con 0

password 7 xxxxxxxxxxxxxx

logging synchronous

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

password 7 xxxxxxxxxxxxxx

transport input telnet ssh

transport output telnet

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Correct Answer by h.grankvist about 1 year 11 months ago

There is a line missing in the policy map:

policy-map type inspect GUEST-TO-OUTSIDE_PMAP

class type inspect GUEST-TO-OUTSIDE_CMAP

  inspect

Copy-paste that.

Are you still using static dns-server on the clients btw?

Correct Answer
h.grankvist Mon, 05/07/2012 - 10:11

Hi!

Is it the router or the client connected to the router that can't resolve domain-names?

If it's the client and you manually set the DNS-server to 8.8.8.8 (or something simple), can you resolve domain-names then?

PatrickWare Mon, 05/07/2012 - 16:47

It looks like I cannot resolve any hostnames from the router's CLI, but it appears when I specify a DNS server on the host connected to the router, I can resolve and get out to the net...

Shouldn't the router be handling DNS resolution according to my configuration?

h.grankvist Mon, 05/07/2012 - 23:31

I haven't configured the router as a DNS on a router connected to the internet, so I don't really know. Maybe someone else knows...

PatrickWare Tue, 05/08/2012 - 10:13

Henrick,

Thank you for your help.  I have one more issue.  My latest problem is that I can't ping, or get out from the WLAN SSID attached to vlan12 (network 192.168.12.0 255.255.255.0).  I can associate, and get an IP address just fine on the AP, but I can't ping, or go to any websites (yes, dns servers are specified on the host).  Am I missing something in the firewall rules, or NAT?

PatrickWare Tue, 05/08/2012 - 11:05

Looks like I was able to get connectivity by adding the following:

access-list 99 permit 192.168.12.0 0.0.0.255

ip nat inside source list 99 interface FastEthernet4 overload

PatrickWare Tue, 05/08/2012 - 11:44

Ok, after some more testing it looks like that vlan 12 can reach destinations on vlan 1.  I want vlan 12 (network 192.168.12.0 255.255.255.0) to only have access to the internet WAN (FastEthernet4) interface.  Any ideas how to do this?  I thought about adding a deny statement, but then processing would stop there...

h.grankvist Tue, 05/08/2012 - 12:58

Yes, it's really simple with the zone-based firewall.

You will need to put vlan12 in its own zone and then create a policy for that zone-pair.

I created the configuration you need here. Vlan12 will be able to reach the internet, but it can't communicate with any other vlan.

zone security GUEST-ZONE

ip access-list extended GUEST-TO-OUTSIDE_ACL

permit ip 192.168.12.0 0.0.0.255 any

class-map type inspect GUEST-TO-OUTSIDE_CMAP

match access-group name GUEST-TO-OUTSIDE_ACL

policy-map type inspect GUEST-TO-OUTSIDE_PMAP

class type inspect GUEST-TO-OUTSIDE_CMAP

  inspect

zone-pair security GUEST-TO-OUTSIDE source GUEST-ZONE dest out-zone

service-policy type inspect GUEST-TO-OUTSIDE_PMAP

interface vlan 12

zone-member security GUEST-ZONE

** I haven't verified that all commands are correct, I just wrote it right here.

If this works, I can help you (if you want) with a policy for the guest-zone for reaching the router itself, so they can't telnet/ssh to the router etc.

PatrickWare Tue, 05/08/2012 - 14:20

Henrik,

I tried what you asked, and I get no connectivity on vlan 12 to the internet.  Here is my latest config with changes in BOLD:

R1-881W#show run

Building configuration...

Current configuration : 9055 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname R1-881W

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 xxxxxxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-1234567890

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1234567890

revocation-check none

rsakeypair TP-self-signed-1234567890

!

!

crypto pki certificate chain TP-self-signed-1234567890

certificate self-signed 01

 

        quit

no ip source-route

!

!

ip dhcp excluded-address 172.16.1.1 172.16.1.200

ip dhcp excluded-address 192.168.12.200 192.168.12.254

!

ip dhcp pool Private

   import all

   network 172.16.1.0 255.255.255.0

   default-router 172.16.1.1

   dns-server 172.16.1.1 255.255.255.0

!

ip dhcp pool Guest

   network 192.168.12.0 255.255.255.0

   default-router 192.168.12.1

   dns-server 192.168.12.1 255.255.255.0

!

!

ip cef

no ip bootp server

ip domain name lab.local

ip name-server 68.94.156.1

ip name-server 68.94.157.1

ip name-server 8.8.8.8

login block-for 120 attempts 5 within 60

login delay 3

!

no ipv6 cef

!

multilink bundle-name authenticated

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

!

!

username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx

!

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh version 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP

match access-group name GUEST-TO-OUTSIDE_ACL

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 101

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect GUEST-TO-OUTSIDE_PMAP

class type inspect GUEST-TO-OUTSIDE_CMAP

  inspect

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone security guest-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

zone-pair security ccp-zp-guest-out source guest-zone destination out-zone

service-policy type inspect GUEST-TO-OUTSIDE_PMAP

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description ISP Connection$FW_OUTSIDE$

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

no cdp enable

!

interface wlan-ap0

description Service module to manage the enbedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $FW_INSIDE$

ip address 172.16.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Vlan11

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface Vlan12

description Guest Vlan$FW_INSIDE$

ip address 192.168.12.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security guest-zone

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 dhcp

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list 100 interface FastEthernet4 overload

!

ip access-list extended GUEST-TO-OUTSIDE_ACL

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

!

logging trap debugging

access-list 99 remark CCP_ACL Category=16

access-list 99 permit 192.168.12.0 0.0.0.255

access-list 100 remark CCP_ACL Category=130

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 172.16.1.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner login ^CWarning!  Authorized Access Only!^C

!

line con 0

password 7 xxxxxxxxxxxxxxx

logging synchronous

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

password 7 xxxxxxxxxxxxxxx

transport input telnet ssh

transport output telnet

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Correct Answer
h.grankvist Wed, 05/09/2012 - 02:14

Can't find anything wrong with the firewall, but I think it's the NAT - again(?). You said earlier that you added the 192.168.12.0 network to the allowed NAT:ing list but in this config it is still just the 172.16.1.0 network.

I will suggest removing the old access-lists and making a new one:

no ip nat inside source list 100 interface FastEthernet4 overload

no access-list 99 remark CCP_ACL Category=16

no access-list 99 permit 192.168.12.0 0.0.0.255

no access-list 100 remark CCP_ACL Category=130

no access-list 100 permit ip host 255.255.255.255 any

no access-list 100 permit ip 127.0.0.0 0.255.255.255 any

no access-list 100 permit ip 172.16.1.0 0.0.0.255 any

ip nat inside source list NAT interface FastEthernet4 overload

ip access-list extended NAT

remark These networks are allowed to be NAT:ed

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

PatrickWare Wed, 05/09/2012 - 07:24

Henrik,

You are right, I forgot to add the line allowing the access list GUEST-TO-OUTSIDE_ACL to NAT, so I just added the following, and everything now seems to work (and not allowing vlan 12 access to vlan1, just like I wanted):

ip nat inside source list GUEST-TO-OUTSIDE_ACL interface FastEthernet4 overload

One thing I did notice is that I can ping the vlan 1 gateway (172.16.1.1) from the wlan vlan 12 (192.168.12.0/24) host, but can't get to or ping anything else in the vlan 1 network (172.16.1.0/24) from the vlan 12 host.

As far as the advice you just gave about scrapping the old access lists, and creating a combined new one, is that just to clean up the configuration?

Correct Answer
h.grankvist Wed, 05/09/2012 - 09:45

Yes, the removal of the old access-list and to add the new one was just to clean up the config. But it's important to know that "GUEST-TO-OUTSIDE_ACL" has nothing to do with NAT in this configuration. You need an additional access-list that has both your local networks in it (just like the one I showed you).

About the pings. The zone-based firewall works by configuring zones, like the out-zone and guest-zone. But there is also a default zone, and that is the self zone, and that zone includes the router's own IP-addresses. So when you ping 172.16.1.1 you are pinging the self zone.

If you want I can help you to configure a policy for the self zone so the guest-zone can't telnet to the router, but still be able to get an IP-address through DHCP.
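
The two checks h.grankvist walks through (the NAT ACL that must list every inside network, and the zone/zone-pair/self-zone rules that decide why a guest host can ping 172.16.1.1 but nothing else on Vlan1) as an added Python model. This is example code written for this page, not anything from the thread, from CCP or from Cisco; the config it parses is constructed to resemble the 881W, reusing the thread's zone, policy and ACL names, and the verdict rules are the IOS ZFW defaults (same zone passes; a zone-pair's service-policy decides; traffic to or from the router's own self zone passes when no policy is attached; any other zone combination drops).

```python
import ipaddress
import re

# Constructed config, modelled on the thread's 881W (zone, policy and ACL
# names reused from the posts; it is not a copy of any show-run above).
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
 service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 zone-member security guest-zone
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended NAT_ALLOWED
 permit ip 172.16.1.0 0.0.0.255 any
"""

ZONE_PAIR_RE = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")
ACL_PERMIT_RE = re.compile(r"permit ip (\S+) (\S+) any")


def parse_config(text):
    """Collect interfaces (subnet, zone, NAT side), zone-pairs + policy, named ACLs, NAT ACL name."""
    cfg = {"interfaces": {}, "zone_pairs": {}, "acls": {}, "nat_list": None}
    iface = pair = acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command: leave any sub-mode
            iface = pair = acl = None
            if line.startswith("interface "):
                iface = line.split()[1]
                cfg["interfaces"][iface] = {"subnet": None, "zone": None, "nat": None}
            elif (m := ZONE_PAIR_RE.match(line)):
                pair = m.group(1)
                cfg["zone_pairs"][pair] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            elif line.startswith("ip access-list extended "):
                acl = line.split()[3]
                cfg["acls"][acl] = []
            elif line.startswith("ip nat inside source list "):
                cfg["nat_list"] = line.split()[5]
        elif iface and line.startswith("ip address ") and "dhcp" not in line:
            _, _, ip, mask = line.split()
            cfg["interfaces"][iface]["subnet"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif iface and line.startswith("zone-member security "):
            cfg["interfaces"][iface]["zone"] = line.split()[2]
        elif iface and line.startswith("ip nat "):
            cfg["interfaces"][iface]["nat"] = line.split()[2]
        elif pair and line.startswith("service-policy type inspect "):
            cfg["zone_pairs"][pair]["policy"] = line.split()[3]
        elif acl and (m := ACL_PERMIT_RE.match(line)):
            net, wildcard = m.groups()       # an ACL wildcard is a hostmask
            cfg["acls"][acl].append(ipaddress.ip_network(f"{net}/{wildcard}"))
    return cfg


def zfw_verdict(cfg, src_zone, dst_zone):
    """IOS ZFW default for a new flow: same zone -> pass; zone-pair with a policy
    -> that policy decides; to/from the router's 'self' zone with no policy -> pass
    (why a guest host can still ping 172.16.1.1); anything else -> drop."""
    if src_zone == dst_zone:
        return "pass (same zone)"
    for name, zp in cfg["zone_pairs"].items():
        if (zp["src"], zp["dst"]) == (src_zone, dst_zone) and zp["policy"]:
            return f"policy {zp['policy']} ({name})"
    if "self" in (src_zone, dst_zone):
        return "pass (self zone, no policy)"
    return "drop (no zone-pair/policy)"


def pairs_without_policy(cfg):
    """Zone-pairs that exist but carry no service-policy."""
    return [n for n, zp in cfg["zone_pairs"].items() if zp["policy"] is None]


def nat_gaps(cfg):
    """'ip nat inside' interfaces whose subnet the NAT ACL never permits: hosts
    there are not translated and get no internet, the Vlan12 symptom above."""
    allowed = cfg["acls"].get(cfg["nat_list"], [])
    return [(name, str(i["subnet"])) for name, i in cfg["interfaces"].items()
            if i["nat"] == "inside" and i["subnet"] is not None
            and not any(i["subnet"].subnet_of(net) for net in allowed)]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    ifs = cfg["interfaces"]
    print("guest-zone -> out-zone:", zfw_verdict(cfg, "guest-zone", "out-zone"))
    print("Vlan12 -> Vlan1:", zfw_verdict(cfg, ifs["Vlan12"]["zone"], ifs["Vlan1"]["zone"]))
    print("guest-zone -> self:", zfw_verdict(cfg, "guest-zone", "self"))
    print("zone-pairs without a policy:", pairs_without_policy(cfg))
    print("inside subnets missing from NAT ACL:", nat_gaps(cfg))
```

Run against the constructed config it reports Vlan12 (192.168.12.0/24) as the one inside subnet the NAT ACL leaves untranslated, `ccp-zp-self-out` as a zone-pair with no policy (which under the self-zone default still passes), guest-zone to out-zone handled by GUEST-TO-OUTSIDE_PMAP, and Vlan12 to Vlan1 dropped because no zone-pair joins guest-zone and in-zone. Swapping the NAT ACL for one that also permits 192.168.12.0/24, as the post above recommends, empties the gap list.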

PatrickWare Wed, 05/09/2012 - 13:28

I went back and looked, and I understand now.  Here is how it ended up:

ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload

!

ip access-list extended NAT_ALLOWED

remark These networks are allowed to NAT

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

!

logging trap debugging

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

Also, I'm always game for help if you feel so inclined. 

I should be going after my CCNA Security in a couple of months, and I feel this will really help in my understanding.

Correct Answer
h.grankvist Wed, 05/09/2012 - 13:48

That config looks good.

This config will make the guest-zone only allowed to ping and get an IP-address of the router:

class-map type inspect match-any GUEST-TO-SELF_CMAP

match access-group name SDM_BOOTPC

match protocol icmp

policy-map type inspect GUEST-TO-SELF_PMAP

class type inspect GUEST-TO-SELF_CMAP

zone-pair security GUEST-TO-SELF source guest-zone dest self

service-policy type inspect GUEST-TO-SELF_PMAP

------------------------

I thought the CCNA Security was really great; it's hard to understand all the new config for CBAC, ZFW and then IPS at first, but with a little hands-on configuration the pieces fall together.

This youtube-video is really helpful for understanding:

http://www.youtube.com/watch?v=cTxyM_ZCceI

And this cisco-document contains everything you need to know about ZFW.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

PatrickWare Wed, 05/09/2012 - 13:57

Ok, so now I have no internet connection for vlan 12.  Isn't it true that you can only have one access list per protocol, per direction?  If this is the case, shouldn't I get rid of the following?:

access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any

h.grankvist Wed, 05/09/2012 - 14:34

Did you lose it after you added the latest config I posted, or before?

ZFW uses access-list 101 to block those addresses because they are an invalid source.

PatrickWare Wed, 05/09/2012 - 14:57

I lost it before the latest config you posted.

I found the problem.

I had a reference to my old access list here:

class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL

I changed it to reflect the new access list:

class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name NAT_ALLOWED

This worked.  The only problem with this is that now the permissions for the GUEST ZONE (vlan 12) will be applied to both VLANs, I think, so now I'm hosed again....  This is fun, learning to keep all of this straight in my head...

I didn't save any of the configuration, so I reloaded to take me back to my old configuration before I created one access-list for both VLANS.

h.grankvist Thu, 05/10/2012 - 00:09

That change wouldn't have made a difference. The "GUEST-TO-OUTSIDE_ACL" is the correct one to be there.

Post the complete config again please.

PatrickWare Thu, 05/10/2012 - 05:48

Henrik,

I'm actually back to the config that is shown by the last "show run" posted above.

As far as the GUEST-TO-OUTSIDE_ACL, when I made the last configuration change to combine the NAT under the NAT_ALLOWED ACL, I got rid of the GUEST-TO-OUTSIDE_ACL access list because I was under the impression that there could only be one access list in one direction per protocol.  Are you saying that I shouldn't have gotten rid of the GUEST-TO-OUTSIDE_ACL list?

h.grankvist Thu, 05/10/2012 - 06:39

Yes, that is what I'm saying. It only matters when ACLs are applied to interfaces. The "GUEST-TO-OUTSIDE_ACL" is matched in a class-map and not applied on an interface.

PatrickWare Thu, 05/10/2012 - 10:49

Henrik,

I redid the changes you suggested (excluding the config to make the guest-zone only allowed to ping and get an IP address from the router).  I cannot connect to the internet from VLAN12.  Here is my config below:

R1-881W#show run
Building configuration...

Current configuration : 8875 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1-881W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01

        quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
!
ip dhcp pool Private
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   dns-server 172.16.1.1 255.255.255.0
!
ip dhcp pool Guest
   network 192.168.12.0 255.255.255.0
   default-router 192.168.12.1
   dns-server 192.168.12.1 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
!
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
!
!
username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
  pass
class class-default
  drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
!
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWarning!  Authorized Access Only!^C
!
line con 0
password 7 somestrongpassword
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 somestrongpassword
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

R1-881W#

Correct Answer
h.grankvist Thu, 05/10/2012 - 11:19

There is a line missing in the policy map:

policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
  inspect

Copy-paste that.

Are you still using static dns-server on the clients btw?

PatrickWare Thu, 05/10/2012 - 12:13

Thanks!  I actually added that line last time before I reloaded without saving, but forgot to do it this time.  It works now.  Saving.

PatrickWare Thu, 05/10/2012 - 16:14

Everything works now.  Next, I shall set up VPN.  Thanks again.  Just know that your time was not wasted here.  I will remember well what I have learned.

PatrickWare Thu, 05/10/2012 - 19:06

I had to undo the config that made it so that the guest-zone was only allowed to ping and get an IP address from the router.  I'm referring to this part:

class-map type inspect match-any GUEST-TO-SELF_CMAP
match access-group name SDM_BOOTPC
match protocol icmp
policy-map type inspect GUEST-TO-SELF_PMAP
class type inspect GUEST-TO-SELF_CMAP
zone-pair security GUEST-TO-SELF source guest-zone dest self
service-policy type inspect GUEST-TO-SELF_PMAP

For some reason after I did this, I couldn't get any wireless dhcp address for VLAN 12...  After I undid it, VLAN 12 worked again...
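A configuration linter, added here as an example and not the thread's own tooling or Cisco code, that catches the two slips this thread turned on: a class inside a `policy-map type inspect` with no action line (the missing `inspect` under GUEST-TO-OUTSIDE_CMAP that Henrik spotted) and a class-map left pointing at an ACL that no longer exists (the state described after GUEST-TO-OUTSIDE_ACL was deleted). The GUEST-TO-SELF_PMAP quoted just above has the same shape, a class with no action line, and is flagged the same way. Zone-pairs with no service-policy, such as ccp-zp-self-out in the posted config, are listed for review only. All names are the thread's; the sample excerpt is constructed from posted lines and the `parse_zfw`/`lint_zfw` functions are assumptions of this example.

```python
"""Lint a Cisco IOS zone-based firewall (ZFW) config for the slips seen in this thread.

Added example, not the thread's own tooling or Cisco code. It reads a `show run`
excerpt and reports: classes in a "policy-map type inspect" with no action line
(inspect/pass/drop), which ZFW treats as drop; class-maps that match a named ACL
that is never defined; and zone-pairs with no service-policy attached (for review).
Parsing is keyword based, not indentation based, because pasted configs lose
their leading spaces, as the ones in this thread did.
"""

ACTIONS = ("inspect", "pass", "drop")
BLOCK_END = ("!", "interface", "ip", "line", "zone", "end")   # any of these ends a block

def parse_zfw(config_text):
    """Return (policy_maps, class_map_acl_refs, defined_acls, zone_pair_policies)."""
    pmaps, cmaps, acls, pairs = {}, {}, set(), {}
    ctx = {"pmap": None, "class": None, "cmap": None, "pair": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if line.startswith("policy-map type inspect "):
            ctx = {"pmap": tok[3], "class": None, "cmap": None, "pair": None}
            pmaps[tok[3]] = []
        elif line.startswith("class-map type inspect "):
            ctx = {"pmap": None, "class": None, "cmap": tok[-1], "pair": None}
            cmaps[tok[-1]] = []
        elif line.startswith("ip access-list "):
            ctx = dict.fromkeys(ctx, None)
            acls.add(tok[-1])
        elif line.startswith("zone-pair security "):
            ctx = {"pmap": None, "class": None, "cmap": None, "pair": tok[2]}
            pairs[tok[2]] = None
        elif ctx["pmap"] and line.startswith("class "):
            ctx["class"] = [tok[-1], None]          # [class name, action]; action filled below
            pmaps[ctx["pmap"]].append(ctx["class"])
        elif ctx["class"] is not None and tok[0] in ACTIONS:
            ctx["class"][1] = tok[0]                # "drop log" still counts as drop
        elif ctx["cmap"] and line.startswith("match access-group name "):
            cmaps[ctx["cmap"]].append(tok[-1])
        elif ctx["pair"] and line.startswith("service-policy type inspect "):
            pairs[ctx["pair"]] = tok[-1]
        elif tok[0] in BLOCK_END:
            ctx = dict.fromkeys(ctx, None)
    return pmaps, cmaps, acls, pairs

def lint_zfw(config_text):
    """Return a list of human-readable findings, empty when nothing is wrong."""
    pmaps, cmaps, acls, pairs = parse_zfw(config_text)
    findings = []
    for pmap, classes in pmaps.items():
        for cname, action in classes:
            if action is None:
                findings.append(f"{pmap}: class {cname} has no action line, ZFW will drop its traffic")
    for cmap, refs in cmaps.items():
        for acl in refs:
            if acl not in acls:
                findings.append(f"{cmap}: matches ACL {acl}, which is not defined")
    for pair, policy in pairs.items():
        if policy is None:
            findings.append(f"zone-pair {pair}: no service-policy attached")
    return findings

# Constructed excerpt built from lines posted in the thread, in the state the poster
# described: no "inspect" under GUEST-TO-OUTSIDE_CMAP and GUEST-TO-OUTSIDE_ACL deleted.
SAMPLE_CONFIG = """\
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-any GUEST-TO-SELF_CMAP
match access-group name SDM_BOOTPC
match protocol icmp
!
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
  pass
class class-default
  drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
class class-default
  drop
policy-map type inspect GUEST-TO-SELF_PMAP
class type inspect GUEST-TO-SELF_CMAP
!
zone security out-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
zone-pair security GUEST-TO-SELF source guest-zone dest self
service-policy type inspect GUEST-TO-SELF_PMAP
!
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
permit udp any any eq bootpc
!
"""

# The one-line fix from the thread: give the guest class an action.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "class type inspect GUEST-TO-OUTSIDE_CMAP\n",
    "class type inspect GUEST-TO-OUTSIDE_CMAP\n  inspect\n")
```

`lint_zfw(SAMPLE_CONFIG)` returns four findings (the two action-less classes, the dangling ACL reference and the policy-less zone-pair); `lint_zfw(FIXED_CONFIG)` drops the GUEST-TO-OUTSIDE_PMAP finding and keeps the other three. Pasting a full `show run` works the same way, since every other command either starts a recognised block or ends the current one.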

Posted May 7, 2012 at 10:02 AM
Tags: nat, firewall, 881w