Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ZBF woes

Hi I’m having some difficulty in understanding the behaviour of zone based firewalls on a 887va router, I do not understand the implications of including the self zone in a zone-pair. It seems that if you include the self zone in a pair with any other zone, the self zone becomes restrictive between all zones whether paired or not. For example if I include the self zone in a pair with the OUTSIDE zone, pinging the router from a host from the INSIDE zone no longer works…..

Secondly we operate a DMVPN  (this is a spoke router) and the tunnel will successfully establish with the following traffic configured to PASS

 

Tcp 4500

Tcp 500

ESP

GRE

 

However traffic through the tunnel will fail (including rip).

 

If however I modify the firewall policy to permit all traffic to and from the Self and OUTSIDE zones, tunnel traffic seems to work successfully between the SELF and VPN zones and the VPN and internal zones.

However given that all traffic destined for the tunnel would be encapsulated in a GRE header and GRE is permitted between the SELF and OUTSIDE Zones, I cannot see what other ports would need opening?

 

I’ve included some config below, any help would be greatly appreciated.

 

Access Lists

Extended IP access list OUTSIDE>INSIDE

    10 permit ip any any

Extended IP access list OUTSIDE>SELF

(   if this entry is included tunnel traffic works   permit ip object-group DMVPNIPGROUP object-group SELF (818 matches))

    10 permit gre object-group DMVPNIPGROUP object-group SELF

    20 permit tcp object-group DMVPNIPGROUP object-group SELF eq 4500

    30 permit tcp host HO host SELF eq 22 (18589 matches)

    40 permit tcp object-group DMVPNIPGROUP object-group SELF eq 500

    50 permit esp object-group DMVPNIPGROUP object-group SELF (424 matches)

    70 deny ip any any (7570 matches)

Extended IP access list SELF>OUTSIDE

(   if this entry is included tunnel traffic works       8 permit ip object-group SELF object-group DMVPNIPGROUP (1013 matches))

    10 permit gre object-group SELF any

    20 permit tcp object-group SELF any eq 4500

    30 permit tcp object-group SELF eq 22 host HO (12899 matches)

    40 permit tcp object-group SELF any eq 500

    50 permit esp object-group SELF any

Extended IP access list SELF>OUTSIDE_Insp

    10 permit tcp any any eq domain

    20 permit udp any any eq domain (86 matches)

Extended IP access list SELF>VPN

    10 permit ip any any (31 matches)

Extended IP access list SSH_Allow

    20 permit tcp network_obj HO any eq 22 log (22 matches)

    70 permit tcp LocalSubnet any eq 22

    80 deny ip any any log (8 matches)

Extended IP access list VPN>INSIDE

    10 permit ip any any (568 matches)

Extended IP access list VPN>SELF

    10 permit ip any any (15 matches)

 

 

Zone: self

  Description: System defined zone

 

Zone: OUTSIDE

  Member Interfaces:

    Dialer1

 

Zone: INSIDE

  Member Interfaces:

    Vlan1

 

Zone: VPN

  Member Interfaces:

    Tunnel0

 

Zone-pair              : OUTSIDE>SELF

Source Zone            : OUTSIDE

Destination Zone       : self

Service-policy inspect : PM-OUTSIDE>SELF

  Class-map : CM-OUTSIDE>SELF(match-any)

  Action : pass log

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : INSIDE>OUTSIDE

Source Zone            : INSIDE

Destination Zone       : OUTSIDE

Service-policy inspect : PM-INSIDE>OUTSIDE

  Class-map : CM-INSIDE>OUTSIDE(match-any)

  Action : inspect

   Service Policy: http PM-DPI_HTTP_OUT

 

  Class-map : CM-INSIDE>OUTSIDE2(match-any)

  Action : inspect

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : SELF>OUTSIDE

Source Zone            : self

Destination Zone       : OUTSIDE

Service-policy inspect : PM-SELF>OUTSIDE

  Class-map : CM-SELF>OUTSIDE(match-any)

  Action : pass log

 

  Class-map : CM-SELF>OUTSIDE_Insp(match-any)

  Action : inspect

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : VPN>INSIDE

Source Zone            : VPN

Destination Zone       : INSIDE

Service-policy inspect : PM-VPN>INSIDE

  Class-map : CM-VPN>INSIDE(match-any)

  Action : pass log

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : INSIDE>VPN

Source Zone            : INSIDE

Destination Zone       : VPN

Service-policy inspect : PM-INSIDE>VPN

  Class-map : CM-INSIDE>VPN(match-any)

  Action : pass log

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : SELF>VPN

Source Zone            : self

Destination Zone       : VPN

Service-policy inspect : PM-SELF>VPN

  Class-map : CM-SELF>VPN(match-any)

  Action : pass log

 

  Class-map : class-default(match-any)

  Action : drop log

 

Zone-pair              : VPN>SELF

Source Zone            : VPN

Destination Zone       : self

Service-policy inspect : PM-VPN>SELF

  Class-map : CM-VPN>SELF(match-any)

  Action : pass log

 

  Class-map : class-default(match-any)

  Action : drop log

 

 Class Map type inspect match-any CM-SELF>OUTSIDE_Insp (id 33)

   Match access-group name SELF>OUTSIDE_Insp

 

 Class Map type inspect match-any CM-VPN>INSIDE (id 29)

   Match access-group name VPN>INSIDE

 

 Class Map type inspect match-any CM-INSIDE>VPN (id 30)

   Match access-group name INSIDE>VPN

 

 Class Map type inspect match-any CM-SELF>VPN (id 47)

   Match access-group name SELF>VPN

 

 Class Map type inspect match-any CM-VPN>SELF (id 48)

   Match access-group name VPN>SELF

 

 Class Map type inspect match-any CM-OUTSIDE>SELF (id 4)

   Match access-group name OUTSIDE>SELF

 

 Class Map type inspect match-any CM-OUTSIDE>INSIDE (id 5)

   Match access-group name OUTSIDE>INSIDE

 

 Class Map type inspect match-any CM-INSIDE>OUTSIDE (id 6)

   Match protocol http

 

 Class Map type inspect match-any CM-SELF>OUTSIDE (id 7)

   Match access-group name SELF>OUTSIDE

 

 Class Map type inspect match-any CM-INSIDE>OUTSIDE2 (id 10)

   Match protocol https

   Match protocol smtp

 

 

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions

HiSounds like you are having

Hi

Sounds like you are having some problems :)

It would be easier to see what has been done if you posted your running-config, instead of show commands, they are harder to follow than the running-config.

And its UDP port 500 and 4500 you want to open, not TCP.

2 REPLIES

HiSounds like you are having

Hi

Sounds like you are having some problems :)

It would be easier to see what has been done if you posted your running-config, instead of show commands, they are harder to follow than the running-config.

And its UDP port 500 and 4500 you want to open, not TCP.

New Member

Cannot believe I didn't see

Cannot believe I didn't see that, i'm gonna test a little more but I think that's it.

 

 

thanks for your help

105
Views
0
Helpful
2
Replies
CreatePlease login to create content