default class map is dropping all Packets

DaChuckler, Level 1

Hello, I have a Cisco 871 router that used to have access-list based security. Now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused, especially with the default class part. Any help is greatly appreciated!

The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QoS once I get it working.

Guest VLAN has access to two IPs in Data for printing.

Cisco871#sh run
Building configuration...

Current configuration : 8005 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname Cisco871
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time PST recurring
!
crypto pki trustpoint TP-self-signed-4004039535
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4004039535
 revocation-check none
 rsakeypair TP-self-signed-4004039535
!
!
crypto pki certificate chain TP-self-signed-4004039535
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
  32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
  33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
  B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
  147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
  41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
  F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
  551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
  03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
  0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
  092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
  D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
  8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
  E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
  3543BD68 A4B2692D 05CBF6DC C93C8142
            quit
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
!
ip dhcp pool MyNetNative
   import all
   network 10.0.0.0 255.255.255.248
   default-router 10.0.0.1
   domain-name MyNetNet.org
   dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
   lease 0 2
!
ip dhcp pool MyNetData
   import all
   network 172.16.15.0 255.255.255.240
   dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
   default-router 172.16.15.1
   domain-name MyDomain.org
!
ip dhcp pool MyNetVoice
   import all
   network 172.16.17.0 255.255.255.240
   dns-server 172.16.15.14
   default-router 172.16.17.1
   domain-name MyDomain.org
!
ip dhcp pool MyNetGuest
   import all
   network 192.168.19.0 255.255.255.240
   default-router 192.168.19.1
   domain-name MyNetGuest.org
   dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
!
!
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
!
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
!
!
username MyAdmin privilege 15 secret 5 MyPassword
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all MyNetGuest-access-list
 match access-group 110
class-map type inspect match-any Base-protocols
 match protocol http
 match protocol https
 match protocol ftp
 match protocol ssh
 match protocol dns
 match protocol ntp
 match protocol ica
 match protocol pptp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all MyNetGuest-Class
 match class-map MyNetGuest-access-list
 match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
 match access-group 100
class-map type inspect match-any Voice-protocols
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any Extended-protocols
 match protocol pop3
 match protocol pop3s
 match protocol imap
 match protocol imaps
 match protocol smtp
class-map type inspect match-all MyNetNet-Class
 match class-map MyNetNet-access-list
 match class-map Voice-protocols
 match class-map Extended-protocols
 match class-map Base-protocols
!
!
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
 class type inspect MyNetNet-Class
  inspect
 class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
 class type inspect MyNetNet-Class
  inspect
 class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
 class type inspect MyNetGuest-access-list
  inspect
 class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
 class type inspect MyNetGuest-Class
  inspect
 class class-default
policy-map type inspect MyNetNet-zone
 class class-default
  pass
!
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
 service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
 service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
 service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
 service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
!
!
!
interface FastEthernet0
 description Cisco-2849-Switch
 switchport mode trunk
 speed 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 description SBS-Server
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet4
 description WAN
 no ip address
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security MyNetWAN-zone
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description MyNetNative
 ip address 10.0.0.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 zone-member security MyNetNet-zone
 ip tcp adjust-mss 1452
!
interface Vlan10
 description MyNetData
 ip address 172.16.15.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 zone-member security MyNetNet-zone
!
interface Vlan20
 description MyNetVoice
 ip address 172.16.17.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 zone-member security MyNetNet-zone
!
interface Vlan69
 description MyNetGuest
 ip address 192.168.19.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 zone-member security MyNetGuest-zone
!
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny   ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny   ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
!
!
!
!
control-plane
!
banner login ^CC
****************************************************************
You know if you should be here or not.
         if not please leave
NOW
****************************************************************
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 172.16.15.14
!
webvpn cef
end

Cisco871#sh zone security
zone self
  Description: System defined zone

zone MyNetNet-zone
  Member Interfaces:
    Vlan1
    Vlan10
    Vlan20

zone MyNetGuest-zone
  Member Interfaces:
    Vlan69

zone MyNetWAN-zone
  Member Interfaces:
    FastEthernet4

Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
    Source-Zone MyNetNet-zone  Destination-Zone MyNetGuest-zone
    service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
    Source-Zone MyNetNet-zone  Destination-Zone MyNetWAN-zone
    service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
    Source-Zone MyNetGuest-zone  Destination-Zone MyNetWAN-zone
    service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
    Source-Zone MyNetGuest-zone  Destination-Zone MyNetNet-zone
    service-policy MyNetGuest-zone_to_MyNetNet-zone_policy

Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
  Description: WAN
  Internet address is 10.38.177.98/25
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:34:50, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 3 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     593096 packets input, 73090812 bytes
     Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     9940 packets output, 1016025 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Zone-pair: MyNetNet->MyNetWAN
  Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy

    Class-map: MyNetNet-Class (match-all)
      Match: class-map match-all MyNetNet-access-list
        Match: access-group 100
      Match: class-map match-any Voice-protocols
        Match: protocol h323
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol skinny
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol sip
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any Extended-protocols
        Match: protocol pop3
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pop3s
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imap
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol imaps
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol smtp
          0 packets, 0 bytes
          30 second rate 0 bps
      Match: class-map match-any Base-protocols
        Match: protocol http
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol https
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ftp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ssh
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol dns
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ntp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol ica
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol pptp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol tcp
          0 packets, 0 bytes
          30 second rate 0 bps
        Match: protocol udp
          0 packets, 0 bytes
          30 second rate 0 bps
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5196 packets, 256211 bytes

Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 1745 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level informational, 1785 message lines logged

Log Buffer (4096 bytes):

001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to  policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to  policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to  policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to  policy match failure

Accepted Solution

Julio Carvajal, VIP Alumni

Hello Charlie,

I would recommend you investigate a little bit more how the ZBFW feature works.

Now I am going to help you with this one at least; then I will give you a few links you could use to study.

We are going to study traffic from MyNetNet-zone to MyNetWAN-zone.

First the zone-pair:

zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
 service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy

So let's go to the policy-map:

policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
 class type inspect MyNetNet-Class
  inspect
 class class-default

Finally, to the class-map:

class-map type inspect match-all MyNetNet-Class
 match class-map MyNetNet-access-list
 match class-map Voice-protocols
 match class-map Extended-protocols
 match class-map Base-protocols

That keyword MATCH-ALL is the one causing the issues!

Why?

Because you are telling the ZBFW to inspect traffic only if it matches all of those class-maps, so a packet would need to match the Base protocols and the Extended protocols, and as you know that is not possible (just one protocol).

So here are the links

http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/

https://supportforums.cisco.com/thread/2138873

http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

You have some work to do

Please remember to rate all the helpful posts

Julio

CCSP

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
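What that fix looks like in IOS, as an added example that is not part of Julio's reply or the original post. The three protocol lists are first unioned in one match-any class-map, and the match-all wrapper then requires the source ACL AND any one protocol from that union. The name MyNetNet-protocols is my own choice; everything else reuses the names from the posted config. The Guest-side class-map in the same config (MyNetGuest-Class: the ACL class plus a single match-any protocol list) already has exactly this shape.

```cisco
! --- As posted: a match-all wrapper over three match-any protocol class-maps.
! A packet carries one application protocol, so it can never be in
! Voice-protocols AND Extended-protocols AND Base-protocols at the same time.
! The class therefore never matches, every packet falls through to
! class-default, and class-default's default action is drop (5196 packets
! in the show output above).
class-map type inspect match-all MyNetNet-Class
 match class-map MyNetNet-access-list
 match class-map Voice-protocols
 match class-map Extended-protocols
 match class-map Base-protocols
!
! --- Corrected. Step 1: one match-any class-map that unions the protocol
! lists (MyNetNet-protocols is an assumed name, not from the original post).
class-map type inspect match-any MyNetNet-protocols
 match class-map Voice-protocols
 match class-map Extended-protocols
 match class-map Base-protocols
!
! Step 2: keep MyNetNet-Class as match-all, but make it "source ACL AND
! (any protocol)". The class-map already exists on the router, so the old
! match lines must be removed explicitly or they stay in effect.
class-map type inspect match-all MyNetNet-Class
 no match class-map Voice-protocols
 no match class-map Extended-protocols
 no match class-map Base-protocols
 match class-map MyNetNet-protocols
!
! The policy-maps need no change: both MyNetNet-zone_to_MyNetWAN-zone_policy
! and MyNetNet-zone_to_MyNetGuest-zone_policy already inspect MyNetNet-Class,
! and class-default keeps its default drop for anything outside the ACL or
! the protocol list.
```

Do not take the shortcut of changing MyNetNet-Class itself to match-any: that would inspect anything that matches ACL 100 regardless of protocol, or any listed protocol regardless of source, and the AND between the source ACL and the protocol list is lost. After the change, `show policy-map type inspect zone-pair MyNetNet->MyNetWAN` should show the packet counters moving under MyNetNet-Class with class-default staying at zero, and the `%FW-6-DROP_*` messages (which come from the `ip inspect log drop-pkt` already in the config) should stop for 172.16.15.6. One further caveat from the config as pasted: it contains no `ip nat inside source` statement and no default route, and FastEthernet4 shows an address in `show interface` but `no ip address` in the running-config, so if traffic still fails once the inspect class is matching, NAT and routing are the next things to confirm.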
