08-17-2010 07:08 PM - edited 03-11-2019 11:27 AM
Hi,
I am facing a problem where outside users cannot access my webmail application (https://mail.xxx.com).
Facts:
1. The error message shown in the browser is "The server at mail.xxx.com is taking too long to respond."
2. From outside I can still ping the mail server's external IP.
3. From the internal LAN, access to the webmail service is OK.
My question:
I just want to make sure whether the border router, newly running the IOS ZBF, is causing any conflict with the external firewall and internal firewall design,
as shown in the network topology.
So, traffic traversing from the Internet into the LAN / DMZ must go through the border router.
Currently, the border router just implements the IOS zone-pair firewall, with the zone-pair shown below:
1. zone-pair security ccp-zp-in-out source in-zone destination out-zone
2. policy inspect on the class-map ccp-insp-traffic:
match protocol http and match protocol https
3. The border router's routing will pass the traffic to reach the ASA FW as the threshold, either doing NAT to get into the private network or traversing between DMZ servers.
4. The mail server IP is 202.168.14.40 /28, which is the same subnet as the ASA FW.
Did I miss anything? Should I build another policy for out-zone -> in-zone?
Should the ACL permit any 202.168.11.32 0.0.0.16, allowing the protocols domain, 443, 80, smtp?
(I tried, but no go.)
Hints and ideas are needed to solve this myth, thank you.
Thanks
08-17-2010 07:22 PM
Hi,
> Did i miss anything? should i built another policy for out-zone -> in-zone?
Yes, we will need another zone-pair created from out-zone to in-zone that explicitly allows traffic to the mail server's IP address (202.168.14.40) on TCP ports 80 and 443.
Another thing you can do to check whether the border router is forwarding packets to the ASA is to apply captures on the ASA's outside interface.
Below is a useful document on ZBF which you can use for reference:
https://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
All the best!
Regards,
Prapanch
08-17-2010 09:11 PM
Sir, bingo!!! You hit it!!!
Allow me to ask 2 additional questions about this IOS FW.
(1) Let's say I have another service's server (say a web server) residing in the DMZ, meaning I need to explicitly create an ACL permit any to host x.x.x.x eq 80.
So is it possible that if I just permit any 202.168.14.32 0.0.0.16 eq 80, it will produce the same result?
(2) What if I have a tunnel interface at my edge router:
interface Tunnel1
ip address 210.xx.x.xxx 255.255.255.254
keepalive 10 3
tunnel source Serial2/1/0:0
tunnel destination 2xx.xx.x.160
!
The edge router's Serial2/1/0 is connecting to the border router.
Now I see there's a log at the border router:
003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 202.1xx.xx.2:0 2xx.xx.x.160:0 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
What does this mean?
Anyway, thanks for helping solve the previous problem, thank you.
08-17-2010 10:10 PM
Hi,
(1) Yes, we can either have an ACL to the specific host on port 80 or we can have it for the entire subnet. Both should have the same effect (only that in the 2nd case we will be opening up port 80 for an entire subnet).
(2) The log that you see is due to the packet being dropped by the ZBF config on the border router. The packet being dropped is sourced from the source IP to the destination IP you see in the log. Also, we see it is being dropped by the "class-default", which has a drop action.
If you think it's legitimate traffic, then you might want to allow it on the zone-pair for in-zone to out-zone.
All the best!!
Regards,
Prapanch
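As an added illustration (not code from this thread or from Cisco), the Python below parses %FW-6-DROP_PKT lines in the format quoted above and groups the drops by zone-pair and class, so you can see which policy-map needs an explicit class before loosening anything. The log lines and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %FW-6-DROP_PKT format quoted above; addresses are placeholders.
SAMPLE_LOGS = """\
003116: Aug 18 12:09:25.358 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 198.51.100.2:0 203.0.113.160:0 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
003117: Aug 18 12:09:26.102 PCTime: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51234 202.168.14.40:25 on zone-pair zp-out-to-in class class-default due to DROP action found in policy-map with ip ident 0
003118: Aug 18 12:09:27.500 PCTime: %FW-6-DROP_PKT: Dropping udp session 192.168.1.20:50000 203.0.113.53:123 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
003119: Aug 18 12:09:28.000 PCTime: %SYS-5-CONFIG_I: Configured from console by admin on vty0
003120: Aug 18 12:09:29.000 PCTime: %FW-6-DROP_PKT: Dropping Unknown-l4 session 198.51.100.2:0 203.0.113.160:0 on zone-pair ccp-zp-in-out class class-default due to DROP action found in policy-map with ip ident 0
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<l4>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)

def parse_drops(text):
    """One dict per %FW-6-DROP_PKT line; other syslog lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            r = m.groupdict()
            r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
            out.append(r)
    return out

def summarize_drops(records):
    """Count drops per (zone-pair, class, L4 name, destination, dport) so the
    policy-map that needs an explicit class stands out. 'Unknown-l4' with both
    ports 0 is a protocol ZBF does not track as TCP/UDP/ICMP (a GRE tunnel, for
    instance); it cannot be inspected and needs its own class with a pass action."""
    return Counter((r["zp"], r["cls"], r["l4"], r["dst"], r["dport"]) for r in records)

def unknown_l4_drops(records):
    """Flows hitting class-default that no 'match protocol' line could ever match."""
    return sorted({(r["src"], r["dst"], r["zp"]) for r in records
                   if r["l4"] == "Unknown-l4" and r["cls"] == "class-default"})
```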
08-18-2010 08:01 PM
Hi sir, it's another round of follow-up questions, again on this IOS ZBF problem.
After I put in the policy for out -> in zone, my webmail service works. But after reloading the router, the private subnet (which is in-zone) cannot get online.
As a last effort I had to take the zone-member security away from the interface; then everything seemed fine again.
The class-map, policy-map, and zone-pair go like this:
class-map type inspect match-any outzone-inzone
 match protocol http
 match protocol https
 match access-group 110
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect ccp-inspect
 class type inspect ccp-cls-insp-traffic
  inspect
 class class-default
  drop
!
policy-map type inspect out-in
 class type inspect outzone-inzone
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security zp-out-to-in source out-zone destination in-zone
 service-policy type inspect out-in
zone-pair security zp-in-to-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
!
access-list 110 permit tcp any host 202.168.14.40 eq www
access-list 110 permit tcp any host 202.168.14.40 eq 443
Any magic hints again? Thanks.
Noel
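As an added example (not code from this thread or from Cisco), the Python below builds a small model of a ZBF configuration and resolves a flow the way a zone-pair policy does: the first matching class wins, class-default otherwise, and with no zone-pair between two zones the traffic is dropped. It embeds only the out-zone to in-zone half of the config posted above (a constructed copy), which shows why webmail on 80/443 is inspected while, for example, inbound SMTP to the same server would fall to class-default and be dropped.

```python
ZBF_CONFIG = """\
class-map type inspect match-any outzone-inzone
 match protocol http
 match protocol https
 match access-group 110
policy-map type inspect out-in
 class type inspect outzone-inzone
  inspect
 class class-default
  drop
zone-pair security zp-out-to-in source out-zone destination in-zone
 service-policy type inspect out-in
access-list 110 permit tcp any host 202.168.14.40 eq www
access-list 110 permit tcp any host 202.168.14.40 eq 443
"""
PORTS = {"www": 80, "smtp": 25, "domain": 53}   # IOS port keyword -> number

def parse_zbf(text):
    """Minimal model: class-maps, policy-maps (ordered classes), zone-pairs, numbered ACLs."""
    cm, pm, zp, acl, cur = {}, {}, {}, {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[0] == "class-map":          # class-map type inspect match-any NAME
            cur = cm[w[-1]] = {"protocols": set(), "acls": set()}
        elif w[0] == "policy-map":       # policy-map type inspect NAME
            cur = pm[w[-1]] = []
        elif w[0] == "zone-pair":        # zone-pair security NAME source SRC destination DST
            cur = zp[(w[4], w[6])] = {}
        elif w[0] == "access-list":      # access-list N permit tcp any host HOST eq PORT
            acl.setdefault(w[1], []).append((w[6], PORTS.get(w[8]) or int(w[8])))
        elif w[0] == "match":            # match protocol P | match access-group N
            cur["protocols" if w[1] == "protocol" else "acls"].add(w[2])
        elif w[0] == "class":            # class type inspect NAME | class class-default
            cur.append([w[-1], None])
        elif w[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = w[0]
        elif w[0] == "service-policy":
            cur["policy"] = w[-1]
    return cm, pm, zp, acl

def zbf_action(model, src_zone, dst_zone, proto, dst_host=None, dport=None):
    """First matching class wins (as ZBF walks a policy-map); no zone-pair also means drop."""
    cm, pm, zp, acl = model
    pair = zp.get((src_zone, dst_zone))
    if not pair or pair.get("policy") not in pm:
        return "no-zone-pair"
    for cname, action in pm[pair["policy"]]:
        hit = cname == "class-default" or proto in cm[cname]["protocols"] or any(
            (dst_host, dport) == e for a in cm[cname]["acls"] for e in acl.get(a, []))
        if hit:
            return action
    return "drop"   # IOS implicit class-default
```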
08-18-2010 08:36 PM
Hi,
Well, from the configuration I do not see any problem. Did you notice any logs when the internet access was not working? That would help us guess where exactly the problem was.
Regards,
Prapanch