Cisco Support Community
New Member

zone based firewall one way access to a zone

I am trying to create a PCI zone inside a network. I am using a 1941 with the security license and ZFW to restrict traffic. PCI can go out to the ASA and across to the LAN. The LAN can go to the ASA but not to PCI. Finally, the ASA can go back to both PCI and LAN to send NATted traffic inside to the respective servers. Important config info is below. In testing I can't ping from PCI to a LAN machine, but I can ping the LAN interface IP on the router. From the LAN I can ping the LAN interface IP of the router, but can't ping the PCI interface of the router (this is desired). But I need to be able to ping the LAN from PCI; think of a no-forward DMZ on an ASA. Traffic initiated from PCI is god traffic and can go anywhere. The LAN zone can only go to the other LAN zone or the ASA zone.

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description PCI Interface
 ip address 192.168.201.1 255.255.255.0
 zone-member security PCI
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN Interface
 ip address 192.168.200.1 255.255.255.0
 ip access-group PCItest in
 zone-member security LAN
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet0/0/1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 10.0.0.1 255.255.255.0
 zone-member security LAN
 ip tcp adjust-mss 1452
!
interface Vlan3
 description ASA INTERFACE
 ip address 172.16.20.1 255.255.255.0
 zone-member security ASA
!
ip access-list extended ASA-INBOUND-ACL
 permit ip 172.16.20.0 0.0.0.255 any
ip access-list extended LAN2any-ACL
 permit ip 192.168.200.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.50.0 0.0.0.255 any
ip access-list extended PCI2any-ACL
 permit ip 192.168.201.0 0.0.0.255 any
!
class-map type inspect match-all PCI-ASA-CLASS
 match access-group name PCI2any-ACL
class-map type inspect match-all ASA-PCI-CLASS
 match access-group name ASA-INBOUND-ACL
class-map type inspect match-all PCI-LAN-CLASS
 match access-group name PCI2any-ACL
class-map type inspect match-all LAN-ASA-CLASS
 match access-group name LAN2any-ACL
class-map type inspect match-all ASA-LAN-CLASS
 match access-group name ASA-INBOUND-ACL
!
policy-map type inspect LAN-ASA-POLICY
 class type inspect LAN-ASA-CLASS
  inspect
 class class-default
  drop
policy-map type inspect ASA-LAN-POLICY
 class type inspect ASA-LAN-CLASS
  inspect
 class class-default
  drop
policy-map type inspect ASA-PCI-POLICY
 class type inspect ASA-PCI-CLASS
  inspect
 class class-default
  drop
policy-map type inspect PCI-LAN-POLICY
 class type inspect PCI-LAN-CLASS
  inspect
 class class-default
  drop
policy-map type inspect PCI-ASA-POLICY
 class type inspect PCI-ASA-CLASS
  inspect
 class class-default
  drop
!
zone security PCI
zone security LAN
zone security ASA
zone-pair security PCI-to-LAN source PCI destination LAN
 service-policy type inspect PCI-LAN-POLICY
zone-pair security PCI-to-ASA source PCI destination ASA
 service-policy type inspect PCI-ASA-POLICY
zone-pair security LAN-to-ASA source LAN destination ASA
 service-policy type inspect LAN-ASA-POLICY
zone-pair security ASA-to-PCI source ASA destination PCI
 service-policy type inspect ASA-PCI-POLICY
zone-pair security ASA-to-LAN source ASA destination LAN
 service-policy type inspect ASA-LAN-POLICY
ACCEPTED SOLUTION
VIP Green

First of all, this ACL is either wrongly configured or you have placed it on the wrong interface:

interface GigabitEthernet0/1
 description LAN Interface
 ip address 192.168.200.1 255.255.255.0
 ip access-group PCItest in

ip access-list extended PCI2any-ACL
 permit ip 192.168.201.0 0.0.0.255 any

This is saying that a source IP of 192.168.201.0/24 will be entering the LAN interface, and this is not the case. In any case, I suggest removing this ACL from the interface.

As you have not included a zone pair from LAN to the PCI interface IP, you will not be able to ping from LAN to the PCI interface (from my understanding of your post, this is what you are trying to achieve?).

You would need to explicitly permit this traffic since you have the interfaces placed in security zones.

ip access-list extended LAN-to-PCI-ACL
 permit ip any host 192.168.201.1

class-map type inspect match-all LAN-PCI-CLASS
 match access-group name LAN-to-PCI-ACL

policy-map type inspect LAN-PCI-POLICY
 class type inspect LAN-PCI-CLASS
  inspect
 class class-default
  drop

zone-pair security LAN-to-PCI source LAN destination PCI
 service-policy type inspect LAN-PCI-POLICY

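The one-way PCI-to-LAN design from the question, combined with the fix proposed in the accepted answer, written out as an added example; this is not the poster's or the answerer's configuration. It assumes the PCItest ACL on GigabitEthernet0/1 is the permit-only-192.168.201.0/24 list the answer quotes. If it is, the interface ACL is evaluated on ingress before zone-based inspection, so echo replies from 192.168.200.x LAN hosts are dropped at the interface before the firewall can match them to the PCI-initiated session, which fits the symptom that pinging the router's own LAN address works while pinging a LAN host does not. Two caveats the thread does not state: traffic addressed to the router's own interface addresses belongs to the implicit self zone, which passes by default when no zone pair involving self exists, so a LAN-to-PCI zone pair does not govern pings to 192.168.201.1 itself; and zones with no zone pair between them already drop traffic, so the explicit LAN-to-PCI policy below exists only to log the attempts. The class-map PCI-PROTOCOLS and the policy-map LAN-PCI-DENY-POLICY are names chosen for this example, not names from the page.

```cisco
! Remove the interface ACL so LAN hosts' replies are not dropped on ingress
! before the zone-based firewall sees them (assumes PCItest is the list quoted
! in the answer; if it is something else, inspect its contents first).
interface GigabitEthernet0/1
 no ip access-group PCItest in
!
! Limit inspection to the L4 protocols the generic inspector tracks.
! PCI-PROTOCOLS is an assumed name, not one from the original post.
class-map type inspect match-any PCI-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! PCI initiates toward LAN; only the state table lets the replies back.
class-map type inspect match-all PCI-LAN-CLASS
 match access-group name PCI2any-ACL
 match class-map PCI-PROTOCOLS
!
policy-map type inspect PCI-LAN-POLICY
 class type inspect PCI-LAN-CLASS
  inspect
 class class-default
  drop
!
zone-pair security PCI-to-LAN source PCI destination LAN
 service-policy type inspect PCI-LAN-POLICY
!
! LAN -> PCI needs no zone pair to be blocked (no pair means drop), but an
! explicit pair with "drop log" records each attempt, which is useful audit
! evidence for the PCI segment. LAN-PCI-DENY-POLICY is an assumed name.
policy-map type inspect LAN-PCI-DENY-POLICY
 class class-default
  drop log
!
zone-pair security LAN-to-PCI source LAN destination PCI
 service-policy type inspect LAN-PCI-DENY-POLICY
!
! Also log packets dropped by inspection so a failed ping leaves a trace.
ip inspect log drop-pkt
!
! Verification, after pinging a LAN host from a PCI host and a PCI host
! from a LAN host:
!   show zone-pair security
!   show policy-map type inspect zone-pair PCI-to-LAN sessions
!   show policy-map type inspect zone-pair LAN-to-PCI
!   show ip access-lists PCI2any-ACL
```

The first show command confirms each pair carries the intended policy; the second should list the PCI-initiated ICMP session while the ping runs; the third should show the drop counter for class-default increasing only when a LAN host initiates toward PCI; the last shows the hit count on the PCI2any-ACL entry climbing as PCI traffic is classified.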
2 REPLIES
New Member

I had forgotten about this post!

PCI to LAN is allowed, LAN to PCI is not.

I played with the ACLs and have had it working. I'm marking your answer correct, as it does correct the one ACL issue I was having with the assignment of the directions. Thanks for taking the time to respond!