
Inbound ACL on Cisco 4331

sweepscape
Level 1

Hi,

I'm trying to get a Cisco 4331 operating with an inbound internet ACL that has an implicit deny at the end. Every time I apply this, all outbound traffic ceases to work. On IOS-based routers, I could solve this by using ip inspect rules for outbound traffic, but with IOS XE those commands no longer seem to be available. From what I've been reading, a zone-based firewall seems to be the alternative method of using ip inspect. I've set up a basic zone-based firewall and that's all working, but still, as soon as I add the implicit deny rule to the end of my inbound ACL for internet traffic, outbound traffic to the net stops working. Removing the ACL or putting permit ip any any at the end resolves it.

Below is a snippet of the config. Any ideas?

-----------------------------------------------------------------------

class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol imap
 match protocol pop3
 match protocol ntp
!
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy

interface GigabitEthernet0/0/0
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 zone-member security private
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip access-group internet_in in
 zone-member security internet
 negotiation auto
 ip virtual-reassembly
!
ip nat inside source list nonat interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended internet_in
 remark block rfc1918 networks
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark ACL for traffic coming in from the internet
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark bad things
 deny ip any any
!
ip access-list extended nonat
 deny   ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark outgoing nat internet traffic
 permit ip 192.168.3.0 0.0.0.255 any

1 Reply

Hi,

It looks like with zone firewalls and ACLs, the ACL is applied to traffic on the interface before the firewall function, so if you have an ACL it must allow the same traffic as the ZFW.

See below from the link.

http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/convert/sec_data_zbf_15_1_book/sec_zone_polcy_firew.html#wp1121745

Zones and ACLs

Pinholes are not punched for return traffic in interface access control lists (ACLs).

ACLs applied to interfaces that are members of zones are processed before the policy is applied on the zone pair. So, you must relax interface ACLs when there are policies between zones so that they cannot interfere with the policy firewall traffic.
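
One way to relax the interface ACL as the quoted guidance describes, shown as an added example that is not part of the original thread or of Cisco's guide. It reuses the interface, zone and policy names from the posted config; the ACL name internet_in_antispoof is an assumption.

```cisco
! Added example, constructed from the posted config.
! The ACL name internet_in_antispoof is an assumption.
!
! Stateless pre-filter only. It is evaluated before the zone-pair policy and
! gets no pinholes for return traffic, so it must not end in "deny ip any any".
ip access-list extended internet_in_antispoof
 remark drop spoofed and bogon sources before the firewall sees them
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 remark hand everything else to the zone-based firewall
 permit ip any any
!
interface GigabitEthernet0/0/1
 ip access-group internet_in_antispoof in
 zone-member security internet
!
! Stateful part, unchanged from the post: sessions opened from the private
! zone are inspected, and their return traffic is matched to the session.
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
! No zone-pair is defined with source internet and destination private, so
! unsolicited inbound connections to the private zone are dropped by the
! zone-based firewall default.
```

Traffic addressed to the router itself belongs to the self zone, which is permitted by default until a zone-pair involving self is configured, so with the relaxed ACL the router's own services need separate protection. The hit counters in `show ip access-lists internet_in_antispoof` show which entries inbound packets are matching.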
