Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

external - internal firewall problem

hi,

i facing a problem that outside user cannot access to my webmail application. (https://mail.xxx.com)

fact:
1. Error message show at the broswer is "The server at mail.xxx.com is taking too long to respond."

2. from outside still manage ping to the mail server external IP.

3. From internal LAN access the webmail service is ok.

my question:
i just wanna ensure the border router newly running on IOS ZWF is it causing any conflict between the external firewall and internal firewall design

showing with network topology.

So, Traffic traverse from internet into the LAN / DMZ must go through border router.
currently, border router just implement IOS zone-pair firewall, where zone-pair shown as below:

1. zone-pair security ccp-zp-in-out source in-zone destination out-zone
2.policy inspect on the class-map of  ccp-insp-traffic
    match protocol http and match protocol https
3. border router's routing will pass the traffic reach the ASA FW as the threshole either doing NAT to get into private network or traverse between DMZ servers.
4. mail server IP is 202.168.14.40 / 28, which is same subnet with ASA FW

Did i miss anything? should i built another policy for out-zone -> in-zone?
ACL is it should permit any 202.168.11.32 0.0.0.16 , with allow protocol on domain, 443, 80, smtp ?
(i try but no go)

hints and idea needed to solve out this myth, thank you

thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: external - internal firewall problem

Hi,

> Did i miss anything? should i built another policy for out-zone ->  in-zone?

yes we will need another zone pair created from out-zone to in-zone and explicitly allow traffic to the mail server's Ip address (202.168.14.40) on TCP ports 80 and 443.

Another thing that you can do to check if the Border router is forwarding packets to the ASA is to apply captures on the ASA's outside interface.

Below is a useful document for ZBF which can you use for reference:

https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

All the best!

Regards,

Prapanch

5 REPLIES
Cisco Employee

Re: external - internal firewall problem

Hi,

> Did i miss anything? should i built another policy for out-zone ->  in-zone?

yes we will need another zone pair created from out-zone to in-zone and explicitly allow traffic to the mail server's Ip address (202.168.14.40) on TCP ports 80 and 443.

Another thing that you can do to check if the Border router is forwarding packets to the ASA is to apply captures on the ASA's outside interface.

Below is a useful document for ZBF which can you use for reference:

https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

All the best!

Regards,

Prapanch

New Member

Re: external - internal firewall problem

sir, bingo !!! you hit it !!!

allow me to ask 2 additional question for these IOS FW

(1) let say if i have other services server (say web server ) reside at the DMZ, meaning to say i need to explicitly create the ACL permit any to host x.x.x.x eq 80.

so is it possible if i just permit any 202.168.14.32 0.0.0.16 eq 80, will it also produce the same result?

(2) what if i have a tunnel interface at my edge router,

interface Tunnel1
ip address 210.xx.x.xxx 255.255.255.254
keepalive 10 3
tunnel source Serial2/1/0:0
tunnel destination 2xx.xx.x.160
!

edge router serial 2/1/0 is connecting to the border router

now i see there's a log at the border router

003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 202.1xx.xx.2:0 2xx.xx.x.160:0 on zone-pair ccp-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0

what does this mean?

anyway, thanks for helping solve the previous problem, thank you

Cisco Employee

Re: external - internal firewall problem

Hi,

(1) Yes we can either have an ACL to the specific host on port 80 or we can have it for the entire subnet. Both should have the same effect (only that in the 2nd case we will be opening up port 80 for an entire subnet).

(2) The log that you see is due to the packet being dropped by the ZBF config on the border router. the packet being dropped is being sourced from the source IP to the destination IP you see in the log. Also, we see it is being dropped by the "class-default" which has an action drop for it.

If you think it's legitimate traffic, then you might want to allow on the zone pair for in-zone to out-zone.

All the best!!

Regards,

Prapanch

New Member

Re: external - internal firewall problem

hi sir, it's another round of follow-up qustion , again on this IOS ZWF problem.

after i put the policy for out -> in zone, my webmail services can go. but after reload the router, private subnet (which is in-zone) cannot get online.

last effort i need to take the zone-member secuirty away from interface, then everything seems fine again

the class-map, policy-map , zone-pair goes like this

class-map type inspect match-any outzone-inzone
match protocol http
match protocol https
match access-group 110

class-map type inspect match-any ccp-cls-insp-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
!
policy-map type inspect ccp-inspect
class type inspect ccp-cls-insp-traffic
  inspect
class class-default
  drop
!
policy-map type inspect out-in
class type inspect outzone-inzone
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security zp-out-to-in source out-zone destination in-zone
service-policy type inspect out-in
zone-pair security zp-in-to-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
!

access-list 110 permit tcp any host 202.168.14.40 eq www
access-list 110 permit tcp any host 202.168.14.40 eq 443

any magic hints again? thanks

Noel

Cisco Employee

Re: external - internal firewall problem

Hi,

Well from the configuration i do not see any problem. Did you notice any logs when the internet access was not working? That would help us to guess where exactly the problem was?

Regards,

Prapanch

1021
Views
0
Helpful
5
Replies