
Allowing Access through Zones on an 891

Hello,

I've recently purchased a Cisco 891 and I have it set up at a local office. I'm having some trouble allowing users access to servers and printers across a security zone. I set up two different zones (MGMT, in-zone). The in-zone is where the server and applications are, and the MGMT zone is for office staff.

I've gone through the guides for allowing applications through security zones, but I still cannot seem to get the access through. I've pasted a copy of the config below. Any help is greatly appreciated.

class-map type inspect match-any QBMGMT
 match protocol kerberos
 match protocol cddbp
 match protocol mysql
 match protocol dbase
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol ftp
 match protocol ftps
 match protocol kermit
 match protocol nfs
 match protocol tftp
 match protocol uucp
 match protocol tcp
 match protocol udp
 match protocol ddns-v3
 match protocol dns
 match protocol dnsix
 match protocol ldap
 match protocol ldap-admin
 match protocol ldaps
 match protocol netbios-ns
 match protocol wins
 match protocol icmp
 match protocol cifs
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all ccp-cls--1
 match class-map QBMGMT
 match protocol bootpc
class-map type inspect match-any QB
 match protocol kerberos
 match protocol cddbp
 match protocol dbase
 match protocol mysql
 match protocol sql-net
 match protocol sqlserv
 match protocol sqlsrv
 match protocol ftp
 match protocol ftps
 match protocol kermit
 match protocol nfs
 match protocol tftp
 match protocol uucp
 match protocol tcp
 match protocol udp
 match protocol ms-sql-m
 match protocol ms-sql
 match protocol icmp
 match protocol echo
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any MGMT-INSIDE
 description MGMT-INSIDE
 match access-group name MGMT-inside
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls--1
  inspect
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone security MGMT
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security MGMT source MGMT destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description Trunk to Switch
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport access vlan 10
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 switchport access vlan 40
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description $FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Vlan10
 description $FW_INSIDE$
 ip address 10.9.1.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan20
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Vlan30
 description $FW_INSIDE$
 ip address 10.9.3.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
interface Vlan40
 description $FW_INSIDE$
 ip address 10.9.4.250 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security MGMT
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface GMPLS0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 no fair-queue
 no keepalive
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 10.9.1.200 3389 interface GigabitEthernet0 3389
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip access-list extended MGMT-INSIDE
 remark MGMT-INSIDE
 remark CCP_ACL Category=128
 permit ip 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended MGMT-inside
 remark MGMT to inside
 remark CCP_ACL Category=1
 permit tcp 10.9.4.0 0.0.0.255 10.9.1.0 0.0.0.255
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.9.4.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 1 permit 10.9.1.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.9.4.0 0.0.0.255
access-list 23 permit 10.9.1.0 0.0.0.255 log
access-list 23 permit 10.9.3.0 0.0.0.255 log
access-list 23 permit 10.9.2.0 0.0.0.255 log
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^CThis is a private system. Unauthorized access to this system may result in criminal or civil prosecution^C
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
! 4000 1000
scheduler interval 500
end

Accepted Solutions
VIP Green

Re: Allowing Access through Zones on an 891

When configuring ZBF you need to remember that traffic traverses between zone-pairs and you need to allow traffic in both directions for connectivity. If you only allow it in one direction, the return traffic will be dropped.

zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security MGMT source MGMT destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone

Here you have configured a zone-pair for MGMT to the in-zone, yet you have not specified a policy that it will use for inspection to allow... or drop... traffic.

You also don't have a zone-pair from the in-zone to the MGMT zone. Add those two in and your traffic should start to flow between the two zones.

The config should look something like the following. If you need to be even more restrictive with what is allowed, you would need to create a new class-map to match traffic as well as a policy-map which will define actions to take on the traffic matched by the class-map.

zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
 service-policy type inspect ccp-inspect
zone-pair security INSIDE-TO-MGMT source in-zone destination MGMT
 service-policy type inspect ccp-inspect

--

Please rate all helpful posts

--

Please remember to rate and select a correct answer
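As an added illustration (not part of the thread or of any Cisco tool), the following Python audit parses the zone-pair section of an IOS running-config and reports the three things the accepted answer points at: a zone-pair with no service-policy attached (which drops everything), a service-policy that names a policy-map that is not defined (the "ccp-inspec" typo), and an inter-zone pair with no zone-pair for the opposite direction. The sample config is constructed from the zone and policy names in this thread; the regexes assume the standard one-space IOS sub-command indentation.

```python
import re

# Constructed sample modelled on this thread's zone-pair section; it keeps the
# MGMT-TO-INSIDE pair without a service-policy and the "ccp-inspec" typo.
SAMPLE_CONFIG = """\
policy-map type inspect ccp-inspect
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security MGMT source MGMT destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security MGMT-TO-INSIDE source MGMT destination in-zone
zone-pair security INSIDE-TO-MGMT source in-zone destination MGMT
 service-policy type inspect ccp-inspec
"""

ZP_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")
SP_RE = re.compile(r"^\s+service-policy type inspect (\S+)")
PM_RE = re.compile(r"^policy-map type inspect (\S+)")

def parse_zone_pairs(config):
    """Return ({pair_name: (src, dst, policy_or_None)}, {policy-map names})."""
    pairs, policy_maps, current = {}, set(), None
    for line in config.splitlines():
        if m := PM_RE.match(line):
            policy_maps.add(m.group(1))
            current = None
        elif m := ZP_RE.match(line):
            current = m.group(1)
            pairs[current] = (m.group(2), m.group(3), None)
        elif current and (m := SP_RE.match(line)):
            src, dst, _ = pairs[current]
            pairs[current] = (src, dst, m.group(1))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the zone-pair block
    return pairs, policy_maps

def audit_zone_pairs(config):
    """Flag pairs with no policy, dangling policy names, and missing reverse pairs."""
    pairs, policy_maps = parse_zone_pairs(config)
    directions = {(s, d) for s, d, _ in pairs.values()}
    findings = []
    for name, (src, dst, policy) in sorted(pairs.items()):
        if policy is None:
            findings.append(f"DROP: {name} has no service-policy, all {src}->{dst} traffic is dropped")
        elif policy not in policy_maps:
            findings.append(f"TYPO: {name} references policy-map '{policy}', which is not defined")
        if "self" not in (src, dst) and (dst, src) not in directions:
            findings.append(f"ONE-WAY: no zone-pair {dst}->{src}, so sessions started from {dst} are dropped")
    return findings
```

A ONE-WAY finding for an outside zone (out-zone -> in-zone) is usually intended; between two internal zones such as MGMT and in-zone it is the gap the answer describes.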
3 REPLIES
New Member

Re: Allowing Access through Zones on an 891

Hello,

Thank you for the help. I was trying to configure the zone-pairs through the CCP, but for some reason the router was not accepting the configuration.

VIP Green

Re: Allowing Access through Zones on an 891

Glad I could help

--

Please remember to rate and select a correct answer