Community Member

ZBFW - dmz-zone to in-zone access

Hi IOSers,

I have a Cisco 2901 which terminates a Class C address pool.

I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):

dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)

in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)

private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)

I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.

Within the:

dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS

in-zone - is an SMTP mail server which is behind a VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server

private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone

My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTPS server to redirect to the in-zone TomCat server.

I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.

However, I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.

I have Policy:

POLICY-DMZ-IN (dmz-zone to in-zone) which has:

any any udp/tcp inspect

any any icmp inspect

unmatched traffic DROP/LOG

But I still cannot get anything from dmz-zone to in-zone...

Can anyone please advise...

Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?

I think I am making a basically incorrect assumption somewhere ...

NOTE: I have routing rules for each of the various sub-nets, and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears the problem is with the ZBFW, not the routing table.

Thanks for any expertise you can bring to help resolve this.

Regards,

Zebity.

4 REPLIES

ZBFW - dmz-zone to in-zone access

Can you post the configuration to investigate further?

Community Member

ZBFW - dmz-zone to in-zone access

Hi Karthikeyan,

Thank you for offering to look at this. I do all my configuration using CCP, which is a lot easier than poring over IOS commands.

I have dumped out the config, but as it is hard to pull out the particular part of the config, please find the following screen snap & config:

The areas where I think there are problems are with "self" zone items (can I get rid of the self zone case completely, with the exception of blocking any external (DSL) access to self?)

and the dmz-zone to in-zone and in-zone to dmz-zone configs.

Building configuration...

Current configuration : 32292 bytes

!

! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin

! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname big

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 informational

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX

!

no aaa new-model

!

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip dhcp excluded-address 168.192.200.1 168.192.200.99

ip dhcp excluded-address 168.192.200.126 168.192.200.254

ip dhcp excluded-address 200.200.200.1 200.200.200.79

ip dhcp excluded-address 200.200.200.91 200.200.200.126

!

ip dhcp pool PRIVATE-POOL-1

   import all

   network 168.192.200.0 255.255.255.0

   domain-name in.froghop.com

   dns-server 200.200.200.20 200.200.200.4

   default-router 168.192.200.1

!

!

ip dhcp pool FROGHOP-POOL-2

   import all

   network 200.200.200.0 255.255.255.128

   domain-name froghop.com

   dns-server 200.200.200.20 200.200.200.4

   default-router 200.200.200.1

!

!

no ip bootp server

ip domain name froghop.com

ip name-server 200.200.200.4

ip name-server 200.200.200.20

ip inspect log drop-pkt

ip inspect audit-trail

ip inspect name CCP_MEDIUM appfw CCP_MEDIUM

ip inspect name CCP_MEDIUM dns

ip inspect name CCP_MEDIUM ftp

ip inspect name CCP_MEDIUM h323

ip inspect name CCP_MEDIUM sip

ip inspect name CCP_MEDIUM https

ip inspect name CCP_MEDIUM icmp

ip inspect name CCP_MEDIUM imap reset

ip inspect name CCP_MEDIUM pop3 reset

ip inspect name CCP_MEDIUM netshow

ip inspect name CCP_MEDIUM rcmd

ip inspect name CCP_MEDIUM realaudio

ip inspect name CCP_MEDIUM rtsp

ip inspect name CCP_MEDIUM esmtp

ip inspect name CCP_MEDIUM sqlnet

ip inspect name CCP_MEDIUM streamworks

ip inspect name CCP_MEDIUM tftp

ip inspect name CCP_MEDIUM tcp

ip inspect name CCP_MEDIUM udp

ip inspect name CCP_MEDIUM vdolive

ip inspect name dmzinspect tcp

ip inspect name dmzinspect udp

!

appfw policy-name CCP_MEDIUM

  application im aol

    service default action allow alarm

    service text-chat action allow alarm

    server permit name login.oscar.aol.com

    server permit name toc.oscar.aol.com

    server permit name oam-d09a.blue.aol.com

    audit-trail on

  application im msn

    service default action allow alarm

    service text-chat action allow alarm

    server permit name messenger.hotmail.com

    server permit name gateway.messenger.hotmail.com

    server permit name webmessenger.msn.com

    audit-trail on

  application http

    strict-http action allow alarm

    port-misuse im action reset alarm

    port-misuse p2p action reset alarm

    port-misuse tunneling action allow alarm

  application im yahoo

    service default action allow alarm

    service text-chat action allow alarm

    server permit name scs.msg.yahoo.com

    server permit name scsa.msg.yahoo.com

    server permit name scsb.msg.yahoo.com

    server permit name scsc.msg.yahoo.com

    server permit name scsd.msg.yahoo.com

    server permit name cs16.msg.dcn.yahoo.com

    server permit name cs19.msg.dcn.yahoo.com

    server permit name cs42.msg.dcn.yahoo.com

    server permit name cs53.msg.dcn.yahoo.com

    server permit name cs54.msg.dcn.yahoo.com

    server permit name ads1.vip.scd.yahoo.com

    server permit name radio1.launch.vip.dal.yahoo.com

    server permit name in1.msg.vip.re2.yahoo.com

    server permit name data1.my.vip.sc5.yahoo.com

    server permit name address1.pim.vip.mud.yahoo.com

    server permit name edit.messenger.yahoo.com

    server permit name messenger.yahoo.com

    server permit name http.pager.yahoo.com

    server permit name privacy.yahoo.com

    server permit name csa.yahoo.com

    server permit name csb.yahoo.com

    server permit name csc.yahoo.com

    audit-trail on

!

multilink bundle-name authenticated

!

parameter-map type inspect global

log dropped-packets enable

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2085601892

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2085601892

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-2085601892

certificate self-signed 01

  XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  .............................................

  .............................................

  4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX

  4F5E79FE 8C76B0EC BC5DD668 69BE1A

            quit

license udi pid CISCO2901/K9 sn FTXXXXXXXXXX

hw-module pvdm 0/0

!

!

!

username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

!

redundancy

!

!

!

!

ip tcp synwait-time 10

no ip ftp passive

!

class-map type inspect match-any OPEN-TRAFFIC-OUT-190

match access-group name OPEN-TRAFFIC-OUT-190

class-map type inspect match-any SMTPS-TRAFFIC-IN

match access-group name SMTPS-IN

class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT

match access-group name NAT-POOL-TRAFFIC-OUT

match protocol tcp

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT

match access-group name NAT-POOL-TRAFFIC-OUT

match protocol udp

class-map type inspect match-all SELF-DNS-OUT

match access-group name SELF-DNS-OUT

match protocol dns

class-map type inspect match-any SMTP-PROTOCOL

match protocol smtp

class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1

match class-map SMTP-PROTOCOL

match access-group name DMZ-MAIL-OUT

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SIP-PROTOCOLS

match protocol sip

match protocol sip-tls

class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2

match class-map SIP-PROTOCOLS

match access-group name DMS-SIP-TRAFFIC

class-map type inspect match-any OPEN-TRAFFIC-OUT-140

match access-group name OPEN-TRAFFIC-OUT-140

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect gnutella match-any ccp-app-gnutella

match  file-transfer

class-map type inspect match-any OPENDIR-PROTOCOLS

match protocol kerberos

match protocol ldap

match protocol ldaps

match protocol ldap-admin

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

match  service text-chat

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect match-any SYSLOG-PROTOCOL

match protocol syslog

class-map type inspect match-any ICMP-PROTOCOLS

match protocol icmp

class-map type inspect match-all SELF-ICMP

match access-group name SELF-ICMP-TRAFFIC

match class-map ICMP-PROTOCOLS

class-map type inspect match-any DMZ-DNS

match protocol dns

class-map type inspect match-all OPENDIR-OUT

match class-map OPENDIR-PROTOCOLS

match access-group name OPENDIR-TRAFFIC

class-map type inspect match-all SMTPS-TRAFFIC

match class-map SMTPS-TRAFFIC-IN

match protocol tcp

class-map type inspect match-any TRUSTED-HOSTS

match access-group name TRUSTED-HOSTS

match protocol udp

match protocol tcp

match protocol icmp

class-map type inspect match-any TRANSPORT-PROTOCOLS

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map match-any sdm_p2p_kazaa

match protocol fasttrack

match protocol kazaa2

class-map type inspect match-any WEB-PROTOCOLS

match protocol http

match protocol https

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map match-any sdm_p2p_edonkey

match protocol edonkey

class-map type inspect match-any SELF-DNS-IN

match access-group name SELF-DNS-IN

match protocol dns

class-map match-any sdm_p2p_gnutella

match protocol gnutella

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any OPEN-TRAFFIC-IN-140

match access-group name OPEN-TRAFFIC-IN-140

class-map type inspect match-all SYSLOG-IN-DMZ

match access-group name SYSLOG-TRAFFIC

match class-map SYSLOG-PROTOCOL

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map match-any sdm_p2p_bittorrent

match protocol bittorrent

class-map type inspect kazaa2 match-any ccp-app-kazaa2

match  file-transfer

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

match  service any

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match class-map SMTP-PROTOCOL

match access-group name SMTP-TRAFFIC

class-map type inspect match-any DNS-PROTOCOL

match protocol dns

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2

match class-map ICMP-PROTOCOLS

match access-group name IN-ZONE-ICMP

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ACCESS-PROTOCOLS

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3

match class-map ACCESS-PROTOCOLS

match access-group name DMZ-ZONE-TRAFFIC

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect edonkey match-any ccp-app-edonkey

match  file-transfer

match  text-chat

match  search-file-name

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all PUSH-NOTIFICATIONS

match access-group name PUSH-NOTIFICATIONS

match protocol tcp

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect edonkey match-any ccp-app-edonkeydownload

match  file-transfer

class-map type inspect match-all DEST-DNS

match access-group name DEST-DNS

match class-map DNS-PROTOCOL

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect edonkey match-any ccp-app-edonkeychat

match  search-file-name

match  text-chat

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1

match class-map SYSLOG-PROTOCOL

match access-group name DMZ-SYSLOG

class-map type inspect match-any FTP-PROTOCOL

match protocol ftp

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2

match class-map ICMP-PROTOCOLS

match access-group name DMZ-ICMP

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3

match class-map WEB-PROTOCOLS

match access-group name DMZ-WEB

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4

match class-map SIP-PROTOCOLS

match access-group name DMZ-SIP

class-map type inspect match-any TIME-PROTOCOLS

match protocol ntp

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5

match class-map DMZ-DNS

match access-group name DMZ-DNS-TRAFFIC

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

class-map type inspect fasttrack match-any ccp-app-fasttrack

match  file-transfer

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6

match class-map ACCESS-PROTOCOLS

match access-group name IN-ZONE-TRAFFIC

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect POLICY-PRIVATE-TRANSIT

class type inspect ACCESS-PROTOCOLS

  pass log

class class-default

  drop

policy-map type inspect p2p ccp-action-app-p2p

class type inspect edonkey ccp-app-edonkeychat

  log

  allow

class type inspect edonkey ccp-app-edonkeydownload

  log

  allow

class type inspect fasttrack ccp-app-fasttrack

  log

  allow

class type inspect gnutella ccp-app-gnutella

  log

  allow

class type inspect kazaa2 ccp-app-kazaa2

  log

  allow

policy-map type inspect POLICY-IN-SELF

class type inspect ICMP-PROTOCOLS

  inspect

class class-default

  drop log

policy-map type inspect POLICY-SELF-IN

class type inspect OPEN-TRAFFIC-OUT-190

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  drop

policy-map type inspect POLICY-DMZ-OUT

class type inspect TIME-PROTOCOLS

  inspect

class type inspect WEB-PROTOCOLS

  inspect

class type inspect FTP-PROTOCOL

  inspect

class type inspect ccp-cls-POLICY-DMZ-OUT-2

  inspect

class type inspect ccp-cls-POLICY-DMZ-OUT-1

  inspect

class type inspect PUSH-NOTIFICATIONS

  inspect

class type inspect DEST-DNS

  inspect

class class-default

  drop log

policy-map type inspect im ccp-action-app-im

class type inspect aol ccp-app-aol

  log

  allow

class type inspect msnmsgr ccp-app-msn

  log

  allow

class type inspect ymsgr ccp-app-yahoo

  log

  allow

class type inspect aol ccp-app-aol-otherservices

  log

  reset

class type inspect msnmsgr ccp-app-msn-otherservices

  log

  reset

class type inspect ymsgr ccp-app-yahoo-otherservices

  log

  allow

policy-map type inspect http ccp-action-app-http

class type inspect http ccp-http-blockparam

  log

  allow

class type inspect http ccp-app-httpmethods

  log

  allow

class type inspect http ccp-http-allowparam

  log

  allow

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ICMP-PROTOCOLS

  inspect

class type inspect ccp-protocol-http

  inspect

  service-policy http ccp-action-app-http

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  inspect

  service-policy p2p ccp-action-app-p2p

class type inspect ccp-protocol-im

  inspect

  service-policy im ccp-action-app-im

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop log

policy-map type inspect POLICY-PRIVATE-IN-DMZ

class type inspect TRANSPORT-PROTOCOLS

  inspect

class type inspect ICMP-PROTOCOLS

  inspect

class class-default

  drop log

policy-map type inspect POLICY-IN-OUT

class type inspect OPEN-TRAFFIC-OUT-140

  pass log

class type inspect WEB-PROTOCOLS

  inspect

class type inspect OPENDIR-OUT

  inspect

class type inspect DEST-DNS

  inspect

class type inspect PUSH-NOTIFICATIONS

  inspect

class class-default

  drop log

policy-map type inspect ccp-permit

class class-default

  drop

policy-map type inspect POLICY-DMZ-SELF

class type inspect ICMP-PROTOCOLS

  inspect

class type inspect TRANSPORT-PROTOCOLS

  inspect

class class-default

  drop log

policy-map type inspect POLICY-SELF-OUT

class type inspect SELF-DNS-OUT

  pass

class type inspect TIME-PROTOCOLS

  pass

class type inspect NAT-POOL-UDP-TRAFFIC-OUT

  inspect

class type inspect NAT-POOL-TCP-TRAFFIC-OUT

  inspect

class class-default

  drop log

policy-map type inspect POLICY-OUT-SELF

class type inspect SELF-DNS-IN

  pass

class type inspect TIME-PROTOCOLS

  pass

class type inspect SELF-ICMP

  inspect

class class-default

  drop log

policy-map type inspect POLICY-IN-DMZ

class type inspect SYSLOG-IN-DMZ

  pass

class type inspect ICMP-PROTOCOLS

  inspect

class class-default

  drop log

policy-map type inspect POLICY-DMZ-IN

class type inspect TRANSPORT-PROTOCOLS

  inspect

class type inspect ICMP-PROTOCOLS

  inspect

class class-default

  drop log

policy-map type inspect ccp-permit-dmzservice

class type inspect ccp-cls-ccp-permit-dmzservice-4

  inspect

class type inspect ccp-cls-ccp-permit-dmzservice-1

  pass

class type inspect ccp-cls-ccp-permit-dmzservice-3

  inspect

class type inspect ccp-cls-ccp-permit-dmzservice-5

  inspect

class type inspect ccp-cls-ccp-permit-dmzservice-2

  inspect

class class-default

  drop log

policy-map type inspect ccp-pol-outToIn

class type inspect OPEN-TRAFFIC-IN-140

  pass

class type inspect ccp-cls-ccp-pol-outToIn-1

  inspect

class type inspect ccp-cls-ccp-pol-outToIn-2

  inspect

class type inspect SMTPS-TRAFFIC

  inspect

class type inspect SMTPS-TRAFFIC-IN

  pass log

class class-default

  drop log

policy-map sdmappfwp2p_CCP_MEDIUM

class sdm_p2p_edonkey

class sdm_p2p_gnutella

class sdm_p2p_kazaa

class sdm_p2p_bittorrent

!

zone security dmz-zone

zone security in-zone

zone security out-zone

zone security PRIVATE-ZONE

zone security PRIVATE-IN

zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone

service-policy type inspect ccp-permit-dmzservice

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect POLICY-IN-OUT

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone

service-policy type inspect POLICY-DMZ-IN

zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone

service-policy type inspect POLICY-DMZ-OUT

zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone

service-policy type inspect POLICY-IN-DMZ

zone-pair security ZP-OUT-SELF source out-zone destination self

service-policy type inspect POLICY-OUT-SELF

zone-pair security ZP-SELF-OUT source self destination out-zone

service-policy type inspect POLICY-SELF-OUT

zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone

service-policy type inspect POLICY-PRIVATE-IN-DMZ

zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone

service-policy type inspect POLICY-PRIVATE-IN-DMZ

zone-pair security ZP-IN-SELF source in-zone destination self

service-policy type inspect POLICY-IN-SELF

zone-pair security ZP-SELF-IN source self destination in-zone

service-policy type inspect POLICY-SELF-IN

zone-pair security ZP-DMZ-SELF source dmz-zone destination self

service-policy type inspect POLICY-DMZ-SELF

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

!

!

!

!

!

interface Loopback0

ip address 200.200.200.190 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security in-zone

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/0

description $ETH-LAN$$FW_INSIDE$

ip address 200.200.200.130 255.255.255.224

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security in-zone

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

description $ETH-LAN$$FW_INSIDE$

ip address 168.192.200.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security PRIVATE-ZONE

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/2/0

description $ETH-LAN$$FW_INSIDE$

ip address 192.168.1.160 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security PRIVATE-ZONE

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/2/1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

no mop enabled

!

interface ATM0/3/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

no atm ilmi-keepalive

!

interface ATM0/3/0.1 point-to-point

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

pvc 8/35

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface GigabitEthernet0/0/0

!

interface GigabitEthernet0/0/1

!

interface GigabitEthernet0/0/2

!

interface GigabitEthernet0/0/3

!

interface Virtual-Template1 type serial

description $FW_INSIDE$

ip unnumbered Loopback0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

zone-member security in-zone

!

interface Vlan1

description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$

ip address 200.200.200.1 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

zone-member security dmz-zone

!

interface Dialer0

description $FW_OUTSIDE$

ip address 210.210.210.154 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname XXXXX@tadpole.net

ppp chap password 7 XXXXXXXXXXXXXXXX

ppp pap sent-username xxxxx@tadpole.net password 7 XXXXXXXXXXXX

service-policy input sdmappfwp2p_CCP_MEDIUM

service-policy output sdmappfwp2p_CCP_MEDIUM

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip flow-top-talkers

top 200

sort-by bytes

cache-timeout 500

!

ip dns server

ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224

ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1

ip route 0.0.0.0 0.0.0.0 210.210.210.1

ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent

ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent

ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent

ip route 200.200.200.0 255.255.255.128 Vlan1 permanent

ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent

ip route 200.200.200.160 255.255.255.224 Loopback0 permanent

!

ip access-list extended DEST-DNS

remark CCP_ACL Category=1

permit udp any any eq domain

ip access-list extended DMS-SIP-TRAFFIC

remark CCP_ACL Category=128

permit ip host 200.200.200.30 any

permit ip host 200.200.200.40 any

ip access-list extended DMZ-DNS-TRAFFIC

remark CCP_ACL Category=128

permit ip any host 200.200.200.20

ip access-list extended DMZ-ICMP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended DMZ-MAIL-OUT

remark CCP_ACL Category=128

permit ip any host 230.211.70.60

permit ip any host 230.250.90.137

ip access-list extended DMZ-SIP

remark CCP_ACL Category=128

permit ip any host 200.200.200.40

permit ip any host 200.200.200.30

ip access-list extended DMZ-SYSLOG

remark CCP_ACL Category=128

permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32

permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32

ip access-list extended DMZ-WEB

remark CCP_ACL Category=128

permit ip any host 200.200.200.35

permit ip any host 200.200.200.20

ip access-list extended DMZ-ZONE-TRAFFIC

remark CCP_ACL Category=128

permit ip 200.200.200.0 0.0.0.128 any

ip access-list extended ESP-TRAFFIC

remark CCP_ACL Category=1

permit esp any any

ip access-list extended IN-ZONE-ICMP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended IN-ZONE-TRAFFIC

remark CCP_ACL Category=128

permit ip host 200.200.200.140 any

ip access-list extended NAT-POOL-TRAFFIC-IN

remark CCP_ACL Category=128

permit ip any 0.0.0.0 255.255.255.224

ip access-list extended NAT-POOL-TRAFFIC-OUT

remark CCP_ACL Category=128

permit ip 0.0.0.30 255.255.255.224 any

ip access-list extended OPEN-TRAFFIC-IN-140

remark CCP_ACL Category=1

permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp

permit esp host 230.211.70.60 host 200.200.200.140

permit ip host 230.211.70.10 host 200.200.200.140

permit tcp host 230.211.70.35 host 200.200.200.140

deny   ip host 230.211.70.60 host 200.200.200.140

ip access-list extended OPEN-TRAFFIC-OUT-140

remark CCP_ACL Category=1

permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp

permit esp host 200.200.200.140 host 230.211.70.60

permit ip host 200.200.200.140 host 230.211.70.10

permit tcp host 200.200.200.140 host 230.211.70.35

deny   ip host 200.200.200.140 host 230.211.70.60

ip access-list extended OPENDIR-TRAFFIC

remark CCP_ACL Category=128

permit ip any host 230.211.70.10

ip access-list extended PUSH-NOTIFICATIONS

remark CCP_ACL Category=1

permit tcp any any eq 5223

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SELF-DNS-IN

remark CCP_ACL Category=1

permit udp any eq domain any

ip access-list extended SELF-DNS-OUT

remark CCP_ACL Category=128

permit ip any host 200.200.200.20

permit ip any host 200.200.200.4

ip access-list extended SELF-ICMP-TRAFFIC

remark CCP_ACL Category=128

permit ip any host 200.200.200.190

ip access-list extended SMTP-TRAFFIC

remark CCP_ACL Category=128

permit ip any host 200.200.200.140

ip access-list extended SMTPS-IN

remark CCP_ACL Category=1

permit tcp any any eq 465

permit tcp any any eq 587

ip access-list extended SMTPS-OUT

remark CCP_ACL Category=1

permit tcp any eq 465 any

permit tcp any eq 587 any

ip access-list extended SYSLOG-TRAFFIC

remark CCP_ACL Category=128

permit ip any host 200.200.200.32

ip access-list extended TRUSTED-HOSTS

remark CCP_ACL Category=128

permit ip host 230.211.70.35 any

permit ip host 230.211.70.60 any

!

logging 200.200.200.32

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 168.192.200.0 0.0.0.255

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 210.210.210.0 0.0.0.255 any

access-list 100 permit ip 200.200.200.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=2

access-list 102 permit ip 168.192.200.0 0.0.0.255 any

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

no cdp run

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

!

control-plane

!

!

banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C

!

line con 0

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 192.189.54.17

ntp server 192.189.54.33

ntp server 203.161.12.165

ntp server 130.102.2.123

end

Thanks in advance for any tips.

Regards,

John.

Community Member

Re: ZBFW - dmz-zone to in-zone access

Cisco IOSers & ZBFW experts,

I am still trying to resolve the problem of DMZ-ZONE to IN-ZONE access.

I have done a lot of clean up of the various zones and rules having re-read the following Cisco documents:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd805ffde8.html

Here is what my simplified configuration looks like in CCP:

So by way of comparison with my PRIVATE-ZONE to IN-ZONE & DMZ-ZONE rules, I can do pings from PRIVATE-ZONE (a NAT-based interface) to SELF, IN-ZONE & DMZ-ZONE servers.

To test which rule was being used I changed the "POLICY-PRIVATE-IN-DMZ" to deny and log ICMP traffic, and sure enough I could no longer ping anything.

So now if you look at "POLICY-DMZ-IN" it is pretty much exactly the same.... allow everything tcp/udp and icmp with INSPECTION... but guess what?

I still cannot get any connection from DMZ-ZONE to IN-ZONE....

This is getting very frustrating.

The rest of the ZBFW configurations seem to be behaving as configured. I must be missing something pretty obvious here....

Thanks in advance.

Regards,

John.

Community Member

Re: ZBFW - dmz-zone to in-zone access

IOSers,

Problem solved by looking at ARP entries and realising that when I partitioned the Class C network into 3 I did not change the netmask of the original subnet machines from 255.255.255.0 to 255.255.255.128.

So machines on that subnet were not directing IP packets with addresses from X.X.X.128 to X.X.X.255 to the default gateway (X.X.X.1) for routing.

So packets were never hitting the DMZ-ZONE to IN-ZONE rule.

ZBFW is now working ok and is more flexible and readily managed than the old ACL-based "Classic Firewall".

Regards,

John.
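As an added illustration, not part of the thread or of any poster's configuration, the following Python model shows why the ZP-DMZ-IN zone pair asked about in the original question was never consulted: a DMZ host that kept its old /24 mask treats the in-zone addresses as on-link and ARPs for them instead of forwarding to the gateway, so the router (and its ZBFW policy) never sees the packet. The subnet-to-zone table is transcribed from the interface and zone-member lines of the posted config; the host addresses and masks passed to the functions are constructed test values.

```python
import ipaddress
from typing import List, Optional

# Router-side view, transcribed from the posted config (ip address / zone-member lines).
# The router, 200.200.200.1, is the default gateway for the DMZ segment.
ROUTER_SUBNETS = {
    ipaddress.ip_network("200.200.200.0/25"): "dmz-zone",      # Vlan1
    ipaddress.ip_network("200.200.200.128/27"): "in-zone",     # GigabitEthernet0/0
    ipaddress.ip_network("200.200.200.160/27"): "in-zone",     # Loopback0 / NAT-POOL1
    ipaddress.ip_network("168.192.200.0/24"): "PRIVATE-ZONE",  # GigabitEthernet0/1
    ipaddress.ip_network("192.168.1.0/24"): "PRIVATE-ZONE",    # FastEthernet0/2/0
}


def router_subnet(ip: str) -> Optional[ipaddress.IPv4Network]:
    """The directly connected subnet the router believes this address belongs to."""
    addr = ipaddress.ip_address(ip)
    for net in ROUTER_SUBNETS:
        if addr in net:
            return net
    return None


def zone_of(ip: str) -> str:
    """Security zone the router assigns to an address; anything unknown exits via Dialer0."""
    net = router_subnet(ip)
    return ROUTER_SUBNETS[net] if net is not None else "out-zone"


def host_next_hop(host_if: str, dst: str) -> str:
    """The end host's decision: 'on-link' means it ARPs for dst itself,
    'gateway' means it hands the packet to its default router."""
    host = ipaddress.ip_interface(host_if)
    return "on-link" if ipaddress.ip_address(dst) in host.network else "gateway"


def stranded_ranges(host_if: str) -> List[ipaddress.IPv4Network]:
    """Addresses the host treats as on-link although the router does not.
    ARP requests for these go unanswered on the segment (the router has
    'no ip proxy-arp'), so the packet never reaches the router or the ZBFW."""
    host = ipaddress.ip_interface(host_if)
    real = router_subnet(str(host.ip))
    if real is None or real == host.network or not real.subnet_of(host.network):
        return []
    return list(host.network.address_exclude(real))


def trace(host_if: str, dst: str) -> dict:
    """Where a packet from host_if to dst goes, and which zone pair (if any) evaluates it."""
    host_ip = str(ipaddress.ip_interface(host_if).ip)
    hop = host_next_hop(host_if, dst)
    if hop == "on-link":
        # Same segment according to the host: router and ZBFW are not involved at all.
        real = router_subnet(host_ip)
        reachable = real is not None and ipaddress.ip_address(dst) in real
        return {"next_hop": "on-link", "zone_pair": None, "stranded": not reachable}
    src_zone, dst_zone = zone_of(host_ip), zone_of(dst)
    # Intra-zone traffic is not subject to a zone-pair policy; inter-zone traffic is.
    pair = f"{src_zone} -> {dst_zone}" if src_zone != dst_zone else None
    return {"next_hop": "gateway", "zone_pair": pair, "stranded": False}


if __name__ == "__main__":
    # Constructed: the DMZ web server 200.200.200.35 talking to the in-zone host 200.200.200.140,
    # first with the stale /24 mask, then with the corrected /25.
    for mask in ("24", "25"):
        print(f"/{mask}: {trace(f'200.200.200.35/{mask}', '200.200.200.140')}")
    print("stranded with /24:", stranded_ranges("200.200.200.35/24"))
```

Running `stranded_ranges` against each host's configured mask is a quick way to audit a segment after a subnet split, before touching the firewall policy at all.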
