Firewall Question

Below are portions of the running config of a 2911 with a firewall configured (partially through CCP, but mainly through CLI). In the CCP GUI, it shows the proper zones and zone pairs, and under the Firewall Policy editor, it seems to show the proper policy/class maps. Basically, I want to allow ALL traffic between the router and select external IP addresses in both directions. The problem I have is that while I'm expecting all other traffic (from any address other than those specified) to be blocked (dropped) and logged, I can still ping the external interface of the router from another external address, and I can also access CCP Express from another IP (we have a separate cable line we can use for testing outside connections, and I used Google to determine the source external IP). Clearly, this testing IP is not one of the IPs in the access list that are allowed, yet I can still ping and access CCP Express (which uses https), which I would expect to be blocked. Now when I run TERMINAL MONITOR, I see traffic being dropped from a variety of other addresses, but I still see echo replies going out, which means other IPs can also ping. Now perhaps the other traffic is being blocked, but I would like to know why pings and https can get through? Please help me out here. Thanks in advance.

Current firewall commands in the config (IPs have been changed for security, but the IPs shown are all public or otherwise trusted):

class-map type inspect match-all OUT-TO-IN-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all IN-TO-OUT-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT-ZP source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-IN-ZP source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
!
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 1.1.1.1 0.0.0.3 any
 permit ip 2.2.2.2 0.0.0.3 any
 permit ip any host 3.3.3.3
 permit ip any host 4.4.4.4
 permit ip any host 5.5.5.5
ip access-list extended OUTSIDE-TO-INSIDE
 permit ip 2.2.2.2 0.0.0.3 any
 permit ip 1.1.1.1 0.0.0.3 any
 permit ip host 6.6.6.6 any
 permit ip host 3.3.3.3 any
 permit ip host 5.5.5.5 any
 permit ip host 4.4.4.4 any
!
!
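The behaviour described in the post matches a known property of the IOS zone-based firewall: a zone pair between INSIDE and OUTSIDE only governs traffic that transits the router, while ICMP echo to an interface or HTTPS to CCP Express terminates on the router itself, which sits in the implicit "self" zone and is permitted by default when no zone pair involving self exists. Below is an added example (not from the original post) of self-zone pairs that restrict such traffic to the poster's trusted addresses; the policy, class-map and zone-pair names starting OUT-TO-SELF/SELF-TO-OUT and the ACL SELF-TO-OUTSIDE are assumed, while OUTSIDE-TO-INSIDE is the ACL from the post.

```cisco
! Added example, not from the original post. "pass" is stateless, so the
! router-originated direction needs its own explicit permit; the
! SELF-TO-OUTSIDE ACL below is constructed to mirror the trusted sources
! of the poster's OUTSIDE-TO-INSIDE ACL as destinations.
! Caveat: class-default drop on the self zone also drops services the
! router itself originates (DNS, NTP, routing protocols) unless they are
! explicitly permitted, so test in a lab before applying to production.
ip access-list extended SELF-TO-OUTSIDE
 permit ip any 2.2.2.2 0.0.0.3
 permit ip any 1.1.1.1 0.0.0.3
 permit ip any host 6.6.6.6
 permit ip any host 3.3.3.3
 permit ip any host 5.5.5.5
 permit ip any host 4.4.4.4
!
class-map type inspect match-all OUT-TO-SELF-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all SELF-TO-OUT-CLASS
 match access-group name SELF-TO-OUTSIDE
!
policy-map type inspect OUT-TO-SELF-POLICY
 class type inspect OUT-TO-SELF-CLASS
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect SELF-TO-OUT-CLASS
  pass
 class class-default
  drop log
!
! "self" is the built-in zone for traffic to/from the router; it is not
! declared with "zone security".
zone-pair security OUT-TO-SELF-ZP source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF-POLICY
zone-pair security SELF-TO-OUT-ZP source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT-POLICY
!
! Verification: after applying, a ping or HTTPS attempt from the untrusted
! test address should appear as a drop on the self zone pair, not on the
! INSIDE/OUTSIDE pairs.
! show zone-pair security
! show policy-map type inspect zone-pair OUT-TO-SELF-ZP
```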
