cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3922
Views
0
Helpful
8
Replies

IOS Zone Based Firewall and class-default pass doesn't work

pointless_l
Level 1
Level 1

I have set up a ZBF on a Cisco 1801 with 4 zones:

- LAN: The internal network

- WAN: The ADSL dialup

- VPN: The DMVPN tunnel

- ILAN: A separate network for unrestricted internet access

The communication between the LAN and VPN is unrestricted and works fine. The restrictive LAN to WAN policy also works as planned but it's the ILAN to WAN connection that's blocking everything. I set this policy to allow all traffic to go out but the FW drops all the traffic. Removing the WAN and ILAN zones allows traffic to flow again. Initially I defined the following class map for this zone like this:

policy-map type inspect ilan2wan

class class-default

  pass

This, for some reason unknown to me, doesn't work at all. I played around a bit (thinking the pass all didn't work) and ended up with the following config but still no go.

Any takers?

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

no service password-recovery

!

hostname

!

boot-start-marker

boot system flash:c180x-adventerprisek9-mz.124-24.T4.bin

boot-end-marker

!

dot11 syslog

no ip source-route

ip options drop

!

ip cef

no ip bootp server

ip name-server 213.x.x.x

ip name-server 213.x.x.x

no ipv6 cef

!

class-map type inspect match-any InternetVerkeer

match protocol icmp

match protocol http

match protocol https

class-map type inspect match-all NaarInternet

match class-map InternetVerkeer

match access-group name Webservices

class-map type inspect match-any OpenInternet

match access-group 101

class-map type inspect match-all NaarKPN

match protocol dns

match access-group name KPN-DNS

class-map type inspect match-all NaarAlarmcentrale

match protocol udp

match access-group name Alarmcentrale

!

policy-map type inspect lan2wan

class type inspect NaarInternet

  inspect

class type inspect NaarKPN

  inspect

class type inspect NaarAlarmcentrale

  inspect

class class-default

  drop log

policy-map type inspect lan2vpn

class class-default

  pass

policy-map type inspect vpn2lan

class class-default

  pass

policy-map type inspect ilan2wan

class type inspect OpenInternet

  inspect

class class-default

  drop log

!

zone security LAN

description Internal LAN

zone security WAN

description Internet

zone security VPN

description VPN Tunnel

zone security ILAN

description Internet-only LAN

zone-pair security lan2wan source LAN destination WAN

service-policy type inspect lan2wan

zone-pair security lan2vpn source LAN destination VPN

service-policy type inspect lan2vpn

zone-pair security vpn2lan source VPN destination LAN

service-policy type inspect vpn2lan

zone-pair security ilan2wan source ILAN destination WAN

service-policy type inspect ilan2wan

!

interface Tunnel0

bandwidth 1000

ip address 172.16.1.4 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1400

ip nhrp authentication

ip nhrp map multicast 217.x.x.x

ip nhrp map 172.16.1.13 217.115.195.99

ip nhrp network-id 100000

ip nhrp holdtime 360

ip nhrp nhs 172.16.1.13

zone-member security VPN

ip tcp adjust-mss 1360

delay 1000

tunnel source Dialer0

tunnel mode gre multipoint

tunnel key 100000

tunnel protection ipsec profile

!

interface Null0

no ip unreachables

!

interface ATM0

no ip address

load-interval 30

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

pvc 2/32

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!       

!

interface FastEthernet0

no ip address

duplex auto

speed auto

!

interface FastEthernet0.1

encapsulation dot1Q 4

ip address 192.168.4.100 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security LAN

ip tcp adjust-mss 1452

no cdp enable

!        

interface FastEthernet0.2

encapsulation dot1Q 5

ip address 192.168.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security ILAN

ip tcp adjust-mss 1452

no cdp enable

!

interface Vlan1

no ip address

!

interface Dialer0

ip address 92.x.x.x 255.255.255.248

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

zone-member security WAN

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username

!

router eigrp 113

network 172.16.1.0 0.0.0.255

network 192.168.4.0

no auto-summary

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

no ip http secure-server

!

ip nat inside source list 1 interface Dialer0 overload

!

ip access-list extended Alarmcentrale

permit udp any host 87.x.x.x

ip access-list extended KPN-DNS

permit ip any host 213.x.x.x

permit ip any host 213.x.x.x

ip access-list extended Webservices

permit ip any host 217.x.x.x

permit ip any 66.x.x.x 0.0.255.255

!        

access-list 1 remark NAT ACL 4 internet

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 1 permit 192.168.5.0 0.0.0.255

access-list 101 permit ip any any

dialer-list 1 protocol ip permit

I know one solution is to put the FastEthernet 0.2 interface in the same zone as Dialer 0 but that would leave the devices unprotected.

Thanks in advance for your ideas.

S.

8 Replies 8

Maykol Rojas
Cisco Employee
Cisco Employee

Hello Sander,

I hope you are doing great. That is an expected behavior. The problem is that if you put the class default as pass, the return traffic will be dropped. In order for this to work, you can follow any of these two suggestions:

You will need to put the class default as inspect

You can create a new zone-pair from Out-zone to ILAN and have the same action (pass)

That will make this work.

If you have any doubts please let me know.

Thanks !

Mike

Mike

Thank you for your reply Maykol, really appreciate it.

Your answer sounds logical but it does make me wonder. I didn't have to define a WAN to LAN zone to allow traffic to flow back and still keep my internal network protected. How can I achieve the same for the ILAN zone? I assume defining a WAN to LAN zone-pair with pass will still expose open ports to the outside world while this now isn't the case for my LAN to WAN zone.

Can you clarify this?

Thanks in advance,

S.

Hi Sander,

Forgot to mention that. On the LAN portion, the actions for http and regular tcp traffic is inspect, which means that the zone based firewall will generate an stateful session for each connection made out, permitting the return traffic to come in, this does not happen when you have the pass action configured. The only thing that you need to do is to put the class default as inspect and that will do the trick.

Cheers

Mike

Mike

In that case I'm even more confused as I had this:

class type inspect OpenInternet

  inspect

class class-default

  drop log

!

zone-pair security ilan2wan source ILAN destination WAN

service-policy type inspect ilan2wan

Why doesn't this work then?

In your config add this command: ip inspect log drop-pkt

Then try communication from ILAN to WAN and post the log if you see that is is denied( dropped) then it is matching class-default so in this case  remove your policy and reenter it like this:

policy-map type inspect ILAN2WAN

class class-default

  no drop

  inspect

Regards

Don't forget to rate helpful posts.

Thank you both for your feedback. I already had to take this router into production so I'll setup a new router somewhere this week and try out your suggestion.

To be continued...

Ok I fixed it. For some reason the class-default inspect action doesn't work when there's nothing to inspect. I created a class-map that inspects everything:

class-map type inspect match-any UnrestrictedInternet

match protocol tcp

match protocol udp

match protocol icmp

That works perfectly. Thanks for all your help.

Hello,

It should, Please add the command that the other guy suggested, "ip inspect log drop-pkt" then turn on the terminal monitor, try to send traffic to the Wan and paste us the logs. If you are not able to see anything, take out the service-policy and put it back again.

Cheers

Mike

Mike
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: