09-28-2015 12:32 AM - edited 03-05-2019 02:23 AM
Hi,
I'm trying to get a Cisco 4331 operating with an inbound internet ACL that has an implicit deny at the end. Every time I apply this, all outbound traffic ceases to work. On IOS based routers, I could solve this by using ip inspect rules for outbound traffic, but with IOS XE those commands no longer seem to be available. From what I've been reading, a zone based firewall seems to be the alternative to using ip inspect. I've set up a basic zone based firewall and that's all working, but still, as soon as I add the implicit deny rule to the end of my inbound ACL for internet traffic, outbound traffic to the net stops working. Removing the ACL or putting permit ip any any at the end resolves it.
Below is a snippet of the config. Any ideas?
-----------------------------------------------------------------------
class-map type inspect match-any internet-traffic-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol imap
 match protocol pop3
 match protocol ntp
!
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
interface GigabitEthernet0/0/0
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 zone-member security private
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 ip access-group internet_in in
 zone-member security internet
 negotiation auto
 ip virtual-reassembly
!
ip nat inside source list nonat interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended internet_in
 remark block rfc1918 networks
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 remark ACL for traffic coming in from the internet
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark bad things
 deny ip any any
!
ip access-list extended nonat
 deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
 remark outgoing nat internet traffic
 permit ip 192.168.3.0 0.0.0.255 any
09-28-2015 03:44 PM
Hi,
It looks like with zone firewalls and ACLs, the ACL is applied to traffic on the interface before the firewall function, so if you have an ACL it must allow the same traffic as the ZFW.
See below, from the link:
http://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/convert/sec_data_zbf_15_1_book/sec_zone_polcy_firew.html#wp1121745
Pinholes are not punched for return traffic in interface access control lists (ACLs).
ACLs applied to interfaces that are members of zones are processed before the policy is applied on the zone pair. So, you must relax interface ACLs when there are policies between zones so that they cannot interfere with the policy firewall traffic.
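One way to follow that advice without giving up the anti-spoof filtering, as an added example that is not from the thread or from Cisco's documentation: the deny entries from internet_in are moved into a zone-pair policy in the internet-to-private direction, and the interface ACL is removed so that the ZBF session table, not a stateless ACL, decides what return traffic gets in. The names bogons-in, bogons-class, internet-private-policy and the zone-pair internet-private are assumed; everything else refers to the poster's config.

```cisco
! Added example (not from the thread). In a class-map ACL, "permit"
! means "this packet matches the class", so the spoofed sources are
! listed as permit entries here and dropped by the policy below.
ip access-list extended bogons-in
 remark sources that should never arrive from the internet
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 127.0.0.0 0.255.255.255 any
 permit ip host 255.255.255.255 any
 permit ip host 0.0.0.0 any
! Caveat: in the poster's config Gi0/0/1 itself sits in 192.168.1.0/24
! with 192.168.1.1 as next hop, so the 192.168.0.0/16 entry also matches
! packets sourced by that upstream gateway (ICMP unreachables etc.), just
! as the original internet_in ACL did. Carve out an exception if needed.
!
class-map type inspect match-any bogons-class
 match access-group name bogons-in
!
! Unsolicited traffic from the internet zone is dropped here; return
! traffic for sessions opened under private-internet-policy is matched
! by the inspect session table first and is not affected by this policy.
policy-map type inspect internet-private-policy
 class type inspect bogons-class
  drop log
 class class-default
  drop
!
zone-pair security internet-private source internet destination private
 service-policy type inspect internet-private-policy
!
! Remove the interface ACL that was being evaluated before the zone
! policy and killing the return traffic.
interface GigabitEthernet0/0/1
 no ip access-group internet_in in
!
! Verify with: show policy-map type inspect zone-pair internet-private
```

The drop log counters on bogons-class give a quick check that spoofed sources are being caught, while outbound sessions from 192.168.3.0/24 should keep working.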