Cisco Support Community
New Member

ZBF seems to be breaking NAT or DNS, can't tell.

First off I want to apologize for not knowing everything, but this is why I am doing this, to learn.

Just recently passed my CCNA Sec and purchased a router so I can work on setting up Zone based Firewalls to help fully understand and grasp what there is to know about them.

Just so I can see all the moving pieces I was using CCP to build the firewall and then pasting the config to notepad and manipulating the class maps and policy maps based on what traffic I really cared about inspecting. Everything else was permitted and inspected in the policy map.

When applying everything either via me manually doing it or CCP doing it I have noticed that I immediately lose internet connectivity. I cannot tell if it's breaking NAT or DNS. I have to remove the interface from the zones in order for traffic to restore.

I have even taken a simple approach and just created a class map matching on tcp and udp and the policy map inspecting it. Once I assigned the policy map to the zone pairs and assigned the interfaces to their zones traffic stopped working.

Not sure where to go from here if simple tcp udp inspect breaks traffic flow.

Any help would be appreciated.

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

Below is a sample of a working configuration I built using a combination of CCP and cli.

I pulled out a lot of other complexity not relevant to this discussion (there's a LOT else going on on this little 2921 ISR G2). My example is using subinterfaces on the inside. I only showed one of them here - you may not need that depending on your setup. My NAT basically exempts anything to another private network (there are connections to a DMVPN hub and MPLS WAN elsewhere in the config).

Compare it to yours and perhaps you can work out where your departures are causing problems.

It was indeed tricky at first to get my head around ZBFW and the syntax for inspections, class-maps etc.

class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny

policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop

zone security in-zone
zone security out-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect

interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 bandwidth 1000000
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 no ip route-cache cef
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.1
 description $FW_INSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.3.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone

interface GigabitEthernet0/1
 description Connected to Comcast$FW_OUTSIDE$
 bandwidth 50000
 ip address x.x.x.x 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security out-zone
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

ip nat inside source list NAT interface GigabitEthernet0/1 overload

access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 173.10.5.0 0.0.0.255 any

ip access-list extended NAT
 deny   ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.3.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.3.0 0.0.0.255 any
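As an added illustration (not part of the accepted answer above, and not Cisco code), here is a small Python model of the zone-based firewall rules this thread keeps running into: traffic between an interface in a zone and an interface in no zone is dropped, traffic between two zones is dropped unless a zone-pair with an inspect policy covers that direction, and within the policy the first matching class decides, with class-default as the catch-all drop. It parses a trimmed copy of the configuration above; `GigabitEthernet0/2`, the `parse`/`decide` functions and the sample flows are constructed for the example. Protocol classification is simplified to "match protocol X" hitting when X names either the application or the transport, and only new connections are evaluated, not the return traffic that an established inspected session allows.

```python
"""Toy model of Cisco IOS zone-based firewall (ZBFW) decisions, added as an example (not
Cisco code): same-zone traffic passes, a zone member talking to an unzoned interface is
dropped, inter-zone traffic needs a zone-pair whose inspect policy's first matching class
decides (class-default last). Only new connections are modelled, not session state."""
import ipaddress
from types import SimpleNamespace

# Trimmed from the accepted answer; GigabitEthernet0/2 is constructed and in no zone.
SAMPLE_CONFIG = """
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
interface GigabitEthernet0/0.1
 zone-member security in-zone
interface GigabitEthernet0/1
 zone-member security out-zone
interface GigabitEthernet0/2
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
"""


def acl_source(w):  # source field of 'permit ip <src> ...': 'host A' | 'any' | 'A WILDCARD'
    if w[0] in ("host", "any"):
        return ipaddress.ip_network("0.0.0.0/0" if w[0] == "any" else w[1] + "/32")
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(w[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{w[0]}/{mask}", strict=False)  # wildcard -> netmask


def parse(text):
    cfg = SimpleNamespace(class_maps={}, policy_maps={}, acls={}, zone_pairs={}, iface_zone={})
    ctx = None
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):  # a top-level line opens a new context
            ctx = None
            if w[:3] == ["class-map", "type", "inspect"]:
                cfg.class_maps[w[4]], ctx = {"mode": w[3], "matches": []}, ("class-map", w[4])
            elif w[:3] == ["policy-map", "type", "inspect"]:
                cfg.policy_maps[w[3]], ctx = [], ("policy-map", w[3])
            elif w[0] == "zone-pair":  # zone-pair security NAME source SRC destination DST
                ctx = ("zone-pair", (w[4], w[6]))
            elif w[0] == "interface":
                ctx = ("interface", w[1])
            elif w[0] == "access-list" and w[2] == "permit":
                cfg.acls.setdefault(w[1], []).append(acl_source(w[4:]))
            continue
        kind, name = ctx or (None, None)
        if kind == "class-map" and w[0] == "match":
            cfg.class_maps[name]["matches"].append((w[1], w[2]))
        elif kind == "policy-map" and w[0] == "class":
            cfg.policy_maps[name].append([w[-1], None])  # 'class type inspect NAME' / class-default
        elif kind == "policy-map" and w[0] in ("inspect", "drop", "pass"):
            cfg.policy_maps[name][-1][1] = " ".join(w)  # e.g. "drop log"
        elif kind == "zone-pair" and w[0] == "service-policy":
            cfg.zone_pairs[name] = w[3]
        elif kind == "interface" and w[0] == "zone-member":
            cfg.iface_zone[name] = w[2]
    return cfg


def class_matches(cfg, name, app, transport, src):
    cm, hits = cfg.class_maps[name], []
    for kind, value in cm["matches"]:
        if kind == "protocol":  # 'match protocol tcp'/'udp' catches any app on that transport
            hits.append(value in (app, transport))
        elif kind == "access-group":
            hits.append(any(src in net for net in cfg.acls.get(value, [])))
        elif kind == "class-map":  # nested 'match class-map NAME'
            hits.append(class_matches(cfg, value, app, transport, src))
    return any(hits) if cm["mode"] == "match-any" else all(hits)


def decide(cfg, in_if, out_if, app, transport, src):
    """(action, reason) for a new flow entering in_if and leaving through out_if."""
    zin, zout = cfg.iface_zone.get(in_if), cfg.iface_zone.get(out_if)
    if zin is None or zout is None:  # both unzoned: passes; one zoned, one not: dropped
        return ("pass" if zin is zout else "drop"), "interface outside any zone"
    if zin == zout:
        return "pass", "intra-zone"
    policy = cfg.zone_pairs.get((zin, zout))
    if policy is None:
        return "drop", f"no zone-pair {zin} -> {zout}"
    src = ipaddress.IPv4Address(src)
    for cls, action in cfg.policy_maps[policy]:
        if cls == "class-default" or class_matches(cfg, cls, app, transport, src):
            return action or "drop", f"class {cls}"
    return "drop", "implicit class-default"
```

Calling `decide(parse(SAMPLE_CONFIG), "GigabitEthernet0/0.1", "GigabitEthernet0/1", "dns", "udp", "192.168.3.10")` returns inspect via ccp-insp-traffic; because ccp-cls-insp-traffic lists tcp and udp it is effectively a catch-all for ordinary LAN traffic, so no access-group entry is needed for that class, and the only access-group in the policy is the anti-spoof drop (a 127.0.0.0/8 source returns "drop log" from ccp-invalid-src). A flow from the LAN towards the unzoned GigabitEthernet0/2 is dropped even though no class mentions it, and a new flow from out-zone to in-zone is dropped because no zone-pair exists in that direction; the first of these is the behaviour the original post describes, where traffic only comes back once the interface is taken out of the zone.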
7 REPLIES
New Member

Well, I will say I like your NAT setup, that would definitely allow me to get rid of my ACL to block NetBIOS traffic going to their broadcast addresses using NAT. I am not seeing anything jumping out that isn't too different than the config I am using, with the exception of you having gi0/0 added to the zones. I too am running multiple sub-interfaces, but I only added them to the zones and not the main interface.

I think I see why my simple tcp/udp policies were not working, I didn't match on an access-group first (so I am not sure if it knew what traffic to match on).

Also, is it just a misconception on my part thinking that CCP would configure a working config? I guess I just assumed basic HTTP/HTTPS traffic would have worked from the gate.

Thanks for your reply.

Hall of Fame Super Silver

You're welcome.

CCP usually does result in a working configuration. In fact it saved me on this setup as I added the DMVPN plus IPsec VPN plus QoS plus SRE running WLC etc. all on this single router config (which was replicated over 7 sites). I would have never got it all on my own (well at least not without a lot of swearing and cursing MQC syntax along the way).

Having used CCP a good bit on this setup also helped me pass my CCNA Security, FWIW.

New Member

Hmm...makes me wonder what is wrong with my config that CCP didn't work right out of the gate. You mind taking a look and seeing if you see something that would be a red flag that ZBFW would make internet traffic stop working? My hopes are if I get this working, then next step is to turn on IOS IPS, I want to see how much this 2821 can handle.

Please be mindful this was thrown together as the wife was in my ear about the internet not working. My plan is to go back through and button up these ACLs to be more specific to their task.

version 15.1
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
ip cef
!
ip dhcp excluded-address 10.0.1.1
ip dhcp excluded-address 10.0.2.1
ip dhcp excluded-address 10.0.1.2
!
ip dhcp pool SIP_POOL
 network 10.0.2.0 255.255.255.248
 default-router 10.0.2.1
 dns-server 64.233.219.99 64.233.206.99
 lease 2
!
ip dhcp pool LAN_POOL
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 64.233.219.99 64.233.206.99
 lease 2
!
!
no ip bootp server
ip domain name yourdomain.com
no ipv6 cef
ip tcp synwait-time 10
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address dhcp
 ip access-group BLOCK_NETBIOS out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.100
 description $FW_INSIDE$
 encapsulation dot1Q 100
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 description $FW_INSIDE$
 encapsulation dot1Q 200
 ip address 10.0.2.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly in
!
ip nat source list 3 interface GigabitEthernet0/0 overload
!
ip access-list extended BLOCK_NETBIOS
 deny   ip any host x.x.x.x log
 deny   ip any host 10.0.1.255 log
 deny   ip any host 10.0.2.7 log
 permit ip any any
!
no logging trap
access-list 1 remark NTP_ACCESS
access-list 1 permit 216.171.120.36
access-list 1 permit 216.229.0.179
access-list 2 remark SSH_ACCESS
access-list 2 permit x.x.x.x
access-list 2 permit 10.0.2.0 0.0.0.7
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 3 remark NAT_TO_INTERNET
access-list 3 permit 10.0.1.0 0.0.0.255
access-list 3 permit 10.0.2.0 0.0.0.7
no cdp run
!
control-plane
!
mgcp profile default
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 session-timeout 10
 access-class 2 in
 logging synchronous
 transport input ssh
line vty 5 15
 session-timeout 10
 access-class 2 in
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp logging
ntp access-group peer 1
ntp server nist1-chi.ustiming.org prefer
ntp server nist1-lnk.binary.net
end

Hall of Fame Super Silver

Did you mean to post the version with the ZBFW bits included? The above config doesn't have any of the class-maps, policy-maps, zone-pair definitions etc.

New Member

I was just asking for the sake of why CCP always stopped traffic applying the ZBFW configuration. I will say this time around I manually configured my ZBF and it works perfectly. I just have basic HTTP, HTTPS, SIP, DNS, Invalid sources being inspected, everything is passed.

I was going to post my config, but it seems ZBF works so well I will need to build me an ACL for SSH access from work. haha.

Thanks for your guidance on this!

Hall of Fame Super Silver

OK, glad it's working now.

You're welcome.
