SteveAllen
New Member
Posts:
38
Joined:
Tue Feb 28, 2012 3:29 pm
Certs:
CCNA Security, CCNA, CCENT

IOS Zone Based Firewall Issue(I think)

Tue Feb 28, 2012 3:51 pm

Hi

I'm pretty new to the IOS zone based firewall and up until now it has been working fine.

When I first set up the Zone based firewall I used the Wizard with a setting of "low".

The issue I am now having is related to adding a new subnet on a completely different IP range.

My normal network is 10.20.0.0/16 sub-netted down into /24's for each vlan.

Recently I added a new VLAN with a 172.16.0.0/16 subnet. I plan to use this vlan for testing purposes.

I updated NAT on the router to allow the 172.16.0.0/16 range to be NATed.

From the router I can ping anything on the 172.16.0.0/16 range and from a test machine in the 172.16.0.0/16 I can ping all of the 10.20.0.0/16 addresses including the router.

My problem is I cannot ping out onto the Internet from a 172.16.0.0/16 computer.

I have checked and so far I have not been able to find any policies on the firewall saying traffic must be sourced from the 10.20.0.0/16.

Can anyone point me in the right direction for troubleshooting this issue?

Many Thanks,

Kind Regards,

Steve A

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: IOS Zone Based Firewall Issue(I think)

Tue Feb 28, 2012 3:53 pm

Post your config.

SteveAllen
New Member
Posts:
38
Joined:
Tue Feb 28, 2012 3:29 pm
Certs:
CCNA Security, CCNA, CCENT

Re: IOS Zone Based Firewall Issue(I think)

Tue Feb 28, 2012 4:03 pm

Which parts would you like?

SteveAllen
New Member
Posts:
38
Joined:
Tue Feb 28, 2012 3:29 pm
Certs:
CCNA Security, CCNA, CCENT

Re: IOS Zone Based Firewall Issue(I think)

Wed Feb 29, 2012 7:09 am

Infinite wrote: Post your config.


Please see below for the config on the router. I have taken another look and still cannot see what would be stopping Internet access for the 172.16.0.0/16 range!

!
! Last configuration change at 14:08:47 London Tue Feb 28 2012 by *****
! NVRAM config last updated at 13:11:29 London Tue Feb 28 2012 by *****
! NVRAM config last updated at 13:11:29 London Tue Feb 28 2012 by *****
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname HQ-RT-WG1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator TCP msg-body drops Dropping TCP Segment
logging buffered notifications
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name *****
ip name-server 188.92.232.50
ip name-server 188.92.232.100
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 10
login on-failure log every 2
login on-success log
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3663822092
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3663822092
 revocation-check none
 rsakeypair TP-self-signed-3663822092
!
!
crypto pki certificate chain TP-self-signed-3663822092
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363633 38323230 3932301E 170D3131 31303036 30333435
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36363338
  32323039 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ED60 F5C2EF1E C60075D5 D1DE5E44 A472C800 79FB502C 837E3B20 2DA2F6DD
  D7A6C557 AC031DC9 DAAC913A F1A2FE7A EAE19C6A EF86CEC2 C3229453 700A59E2
  182E33DA 84918D82 1DFEA52E A71A4BF2 C3AADEBC BB2C58A2 DF5E34D2 6FF8C9EE
  511AF6DC 766A3391 5AE79106 632C1B4F 600CC2FA 3B144245 68D23D57 362D9066
  30710203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1488C647 635A4DA0 D6101B34 D5050735 B947F299 63301D06
  03551D0E 04160414 88C64763 5A4DA0D6 101B34D5 050735B9 47F29963 300D0609
  2A864886 F70D0101 05050003 8181007D 617EBCB1 E27ADFBD 12969C05 D04EB3A9
  A60D58E2 F0FB2766 41D06943 4BD89304 9C732778 F7AD90D5 CF74C49F 55568865
  019B2B16 4A8345EB C31D210C CE6DF487 1BF21F2A 2BD10AF8 2C477B79 CE03879D
  7990592F 26B62271 BE1799CA 4F80E21D B966D0BD 7C80E588 B5645869 0AF86036
  FE9F30CD D4E942BC ECB66B92 E72BA6
     quit
license udi pid CISCO2911/K9 sn FCZ154120VK
!
!
username ***** privilege 15 secret 5 *****
!
redundancy
!
!
!
!
ip ssh time-out 45
ip ssh version 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 113
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 117
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 115
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 121
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 119
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all SDM_VPN_PT0
 match access-group 106
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
 match access-group 123
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
 match access-group 125
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-12
 match access-group 127
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 105
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-6
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-8
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-10
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-11
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-12
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT0
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
 encr ***
 hash ***
 authentication ***
 group ***
!
crypto isakmp policy 2
 hash ***
 authentication ***
 group ***
crypto isakmp key ***** address *****
crypto isakmp key ***** address *****
crypto isakmp key ***** address *****
crypto isakmp key ***** address *****
crypto isakmp key ***** address *****
!
crypto isakmp client configuration group *****
 key *****
 dns *****
 domain *****
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set *****
crypto ipsec transform-set *****
crypto ipsec transform-set *****
crypto ipsec transform-set *****
crypto ipsec transform-set *****
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set *****
 match address 101
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set *****
 match address 118
crypto dynamic-map SDM_DYNMAP_2 2
 set transform-set *****
 match address 120
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel *****
 set peer *****
 set transform-set *****
 match address 108
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel *****
 set peer *****
 set transform-set *****
 match address 114
crypto map SDM_CMAP_1 5 ipsec-isakmp
 description Tunnel *****
 set peer *****
 set transform-set *****
 match address 126
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address 31.6.79.18 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex full
 speed 100
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description LINK TO HQ-L3SW-WG1$FW_INSIDE$
 ip address 10.20.1.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 description KC ADSL BACKUP INTERNET
 pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname *****
 ppp chap password *****
!
ip local pool SDM_POOL_1 10.20.102.1 10.20.102.253
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 10.20.100.1 2055
ip flow-top-talkers
 top 100
 sort-by bytes
!
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 31.6.79.17
ip route 10.20.0.0 255.255.0.0 GigabitEthernet0/1
ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1
!
ip access-list standard SSH-FILTER
 *****
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
logging trap notifications
logging host 10.20.100.1 discriminator TCP
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 31.6.79.16 0.0.0.15 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 104 permit ip 10.20.0.0 0.0.255.255 any
access-list 104 permit ip 172.16.0.0 0.0.255.255 any log
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip any any
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 108 remark CCP_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 112 remark CCP_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 113 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 114 remark CCP_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.20.0.0 0.0.255.255 10.30.0.0 0.0.255.255
access-list 115 remark CCP_ACL Category=0
access-list 115 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 115 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 10.20.0.0 0.0.255.255 10.35.0.0 0.0.255.255
access-list 117 remark CCP_ACL Category=0
access-list 117 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 117 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 117 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 118 remark CCP_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 119 remark CCP_ACL Category=0
access-list 119 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 119 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 119 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 119 permit ip 10.131.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 120 remark CCP_ACL Category=4
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 121 remark CCP_ACL Category=0
access-list 121 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 121 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 121 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 121 permit ip 10.131.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 122 remark CCP_ACL Category=4
access-list 122 remark IPSec Rule
access-list 122 permit ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 123 remark CCP_ACL Category=0
access-list 123 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 123 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 123 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 123 permit ip 10.131.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 124 remark CCP_ACL Category=4
access-list 124 remark IPSec Rule
access-list 124 permit ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 125 remark CCP_ACL Category=0
access-list 125 permit ip 10.131.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 125 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 125 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 126 remark CCP_ACL Category=4
access-list 126 remark IPSec Rule
access-list 126 permit ip 10.20.0.0 0.0.255.255 10.131.0.0 0.0.255.255
access-list 127 remark CCP_ACL Category=0
access-list 127 permit ip 10.131.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 127 permit ip 10.35.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 127 permit ip 10.30.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 127 permit ip 172.16.0.0 0.0.255.255 10.20.0.0 0.0.255.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
snmp-server community ***** RO
!
!
!
control-plane
!
!
banner login 
---------------------------------------
You must use your own account to login.
---------------------------------------


banner motd 
******************************************************
Unauthorised access is strictly prohibited and will be
prosecuted to the full extent of the law.
******************************************************


!
line con 0
 exec-timeout 20 0
 privilege level 15
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class SSH-FILTER in
 exec-timeout 20 0
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp server uk.pool.ntp.org
end


Any Ideas?

writeerase
Ultimate Member
Posts:
509
Joined:
Sat Apr 09, 2011 3:55 pm
Certs:
CCIE CCNP-S CCDA MCSE RHCT Sec+ A+

Re: IOS Zone Based Firewall Issue(I think)

Wed Feb 29, 2012 9:09 am

First, change this to a proper next-hop address: ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1. This is just a pet peeve of mine and is responsible for many problems unless it's on a p2p type link.

Second, I never advocate using the "wizards" (without doing a lot of cleanup/manual customization immediately after running it) because the config becomes very cluttered with a lot of features you likely aren't using.

Third, the access-lists referenced by the crypto map on the outside interface seem odd but I don't know enough about your network to really make a determination.

Fourth, off-hand your NAT and ZBF rules look okay. Typically at this point I would just skip to a packet capture on either side if available, but you can start with "show policy-map type inspect zone-pair..." and see if the inspection engine is catching your traffic. If you are running something like a constant ping and you don't see it in the output, you know the traffic is being denied or redirected before it is hitting the inspection engine. Keep in mind what the order of operations is for traffic with complicated interface configs:

• If IPSec then check input access list
• decryption - for CET (Cisco Encryption Technology) or IPSec
• check input access list
• check input rate limits
• input accounting
• redirect to web cache
• policy routing
• routing
• NAT inside to outside (local to global translation)
• crypto (check map and mark for encryption)
• check output access list
• inspect (Context-based Access Control (CBAC))
• TCP intercept
• encryption
• Queueing

SteveAllen
New Member
Posts:
38
Joined:
Tue Feb 28, 2012 3:29 pm
Certs:
CCNA Security, CCNA, CCENT

Re: IOS Zone Based Firewall Issue(I think)

Thu Mar 01, 2012 3:26 pm

Hi writeerase

I tried the show command you suggested but was unable to find any traffic from the 172.16.0.0/16 network.

Does this mean the problem is not with the Zone based firewall?

writeerase
Ultimate Member
Posts:
509
Joined:
Sat Apr 09, 2011 3:55 pm
Certs:
CCIE CCNP-S CCDA MCSE RHCT Sec+ A+

Re: IOS Zone Based Firewall Issue(I think)

Fri Mar 02, 2012 8:44 am

I don't think the ZBF is the problem.

If you follow the ZBF config through all those nested classes you'll eventually find that ICMP sourced from inside (using NBAR to determine the traffic type) has an inspect action applied to it. There isn't a drop action or anything referencing a source IP, so that doesn't seem to be the problem. If you have some maintenance time you could always pull the zone-member commands off the interfaces to be sure.

Anyway, I think the problem is elsewhere. What does the rest of your topology look like? If you have a L3 switch adjacent to the router you could always set up a SPAN session and see what traffic is actually being sent between the devices or do an actual packet capture on the router (since you have a recent IOS).

SteveAllen
New Member
Posts:
38
Joined:
Tue Feb 28, 2012 3:29 pm
Certs:
CCNA Security, CCNA, CCENT

Re: IOS Zone Based Firewall Issue(I think)

Sat Mar 03, 2012 3:57 am

I have attached a very basic network diagram with the routing and interface config.

I think routing is working OK as I can ping the different network ranges from internally.

It's looking like it may be a NAT issue on the router. I really hate the way the CCP wizard has over-complicated the config. When I added a VPN using a wizard it changed the NAT config to use a route map, something I know nothing about.

I spent some time today playing around with the config trying to undo the wizard's config. I removed everything to do with NAT and recreated a standard access list allowing 10.20.0.0 0.0.255.255 and 172.16.0.0 0.0.255.255. I added "log" onto the end of each entry.

I then made sure the inside and outside interfaces were set. Lastly I created the NAT rule to source from the new standard access list and overload.

I did some test pings and pings work from the 10.20 range but again not from the 172.16 range.

I did a "show ip access-list NAT-LIST" and I could see the log number increasing for the 10.20.0.0 range but nothing had been logged for the 172.16.0.0 range.

I even tested the above NAT config whilst the router interfaces were not part of a firewall zone.

Very strange.
Attachment: NetworkDiagram.png (Basic Network Diagram)
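The two checks the thread keeps coming back to, walking the nested class-maps behind a zone-pair's policy to find the action a flow gets, and checking whether the NAT route-map's ACL actually covers the new source range, can be done offline against a copy of the config before touching the live box. The script below is an added example, not code from this thread or from Cisco. It parses a constructed excerpt modelled on the posted config (same ACL numbers and class-map, policy-map, zone and route-map names as on the page; the flow addresses such as 172.16.5.10 and 8.8.8.8 are made up) and reports the ZBF action and NAT decision for a given flow. It models only what that excerpt contains: numbered extended ACLs with `ip` entries and wildcard masks, match-all/match-any inspect class-maps (including `match class-map` nesting), first-match policy-map classes, and a route-map with permit sequences. It does not model NBAR, the self zone's defaults, named ACLs or the order of operations, so it complements rather than replaces the show commands suggested in the thread.

```python
import ipaddress

# Constructed excerpt modelled on the ZBF and NAT parts of the config posted in this
# thread (same ACL numbers and class/policy/zone names as on the page; rest omitted).
CONFIG = """
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip 10.20.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 104 permit ip 10.20.0.0 0.0.255.255 any
access-list 104 permit ip 172.16.0.0 0.0.255.255 any log
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol icmp
 match protocol tcp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-invalid-src
 match access-group 100
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  pass
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
route-map SDM_RMAP_1 permit 1
 match ip address 104
"""

def _addr(t, i):  # one ACL address spec at t[i] -> ((base, wildcard), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2

def parse(text):  # numbered ACLs, inspect class/policy-maps, zone-pairs, route-maps
    cfg = {"acls": {}, "cmaps": {}, "pmaps": {}, "zpairs": {}, "rmaps": {}}
    kind = cur = None
    for line in (l for l in text.splitlines() if l.strip()):
        t = line.split()
        if not line.startswith(" "):  # top-level statement starts a new context
            kind = cur = None
            if t[0] == "access-list" and t[2] in ("permit", "deny"):
                src, i = _addr(t, 4)  # t[3] is the protocol keyword ("ip")
                cfg["acls"].setdefault(t[1], []).append((t[2], src, _addr(t, i)[0]))
            elif t[0] == "class-map":
                kind, cur = "cmap", cfg["cmaps"].setdefault(t[4], {"mode": t[3], "matches": []})
            elif t[0] == "policy-map":
                kind, cur = "pmap", cfg["pmaps"].setdefault(t[3], [])
            elif t[0] == "zone-pair":
                kind, cur = "zpair", cfg["zpairs"].setdefault((t[4], t[6]), {})
            elif t[0] == "route-map":
                kind, cur = "rmap", cfg["rmaps"].setdefault(t[1], [])
        elif kind == "cmap":  # match protocol X | match access-group N | match class-map NAME
            cur["matches"].append((t[1], t[-1]))
        elif kind == "pmap":  # "class ... NAME" followed by its action (drop/inspect/pass)
            if t[0] == "class":
                cur.append([t[-1], None])
            else:
                cur[-1][1] = t[0]
        elif kind == "zpair":
            cur["policy"] = t[-1]
        elif kind == "rmap":
            cur.append(t[-1])
    return cfg

def acl_permits(cfg, acl, src, dst):  # first matching ACE wins; no match = implicit deny
    s_ip, d_ip = (int(ipaddress.ip_address(a)) for a in (src, dst))
    for action, (sb, sw), (db, dw) in cfg["acls"].get(acl, []):
        if (s_ip | sw) == (sb | sw) and (d_ip | dw) == (db | dw):  # wildcard bits: don't care
            return action == "permit"
    return False

def class_matches(cfg, name, flow):  # recurse through nested class-maps
    cm = cfg["cmaps"][name]
    hits = [arg == flow["proto"] if kind == "protocol"
            else acl_permits(cfg, arg, flow["src"], flow["dst"]) if kind == "access-group"
            else class_matches(cfg, arg, flow) for kind, arg in cm["matches"]]
    return all(hits) if cm["mode"] == "match-all" else any(hits)

def zbf_action(cfg, src_zone, dst_zone, flow):  # first matching class in policy order wins
    zp = cfg["zpairs"].get((src_zone, dst_zone))
    if zp is None:
        return "drop"  # no zone-pair between two configured zones: traffic is dropped
    for cls, action in cfg["pmaps"][zp["policy"]]:
        if cls == "class-default" or class_matches(cfg, cls, flow):
            return action
    return "drop"

def nat_translates(cfg, rmap, flow):  # route-map with permit sequences only, as posted
    return any(acl_permits(cfg, a, flow["src"], flow["dst"]) for a in cfg["rmaps"][rmap])

CFG = parse(CONFIG)

if __name__ == "__main__":
    flow = {"src": "172.16.5.10", "dst": "8.8.8.8", "proto": "icmp"}  # the thread's failing case
    print("ZBF in->out:", zbf_action(CFG, "in-zone", "out-zone", flow),
          "| NAT route-map matches:", nat_translates(CFG, "SDM_RMAP_1", flow))
```

For the thread's failing flow the script returns `inspect` for the in-zone to out-zone policy and `True` for the NAT route-map, which agrees with writeerase's reading of the config: on paper neither the ZBF policy nor ACL 104 excludes 172.16.0.0/16, so the next step is to look at what the router actually sees with the show commands suggested in the thread rather than at the running config again. Swapping the source for 10.20.3.4 and the destination for a 172.16.0.0/16 host shows the other side of the same ACL: the `deny` entry the VPN wizard added stops that traffic from being translated.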

writeerase
Ultimate Member
Posts:
509
Joined:
Sat Apr 09, 2011 3:55 pm
Certs:
CCIE CCNP-S CCDA MCSE RHCT Sec+ A+

Re: IOS Zone Based Firewall Issue(I think)

Sun Mar 04, 2012 10:55 am

You still should change:

ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1 to ip route 172.16.0.0 255.255.0.0 10.20.1.253

This will eliminate the reliance on proxy-arp to resolve the layer 2 addresses of hosts on that network.

At this point you will need to observe the output of:

show ip nat translations (verbose) and/or show ip nat statistics to see what's going on.

Looking at the running config is only useful to a point. You need to delve deeper with show commands, and if you're still having issues, some debugs. You could always lab this up as well so you're not messing with "prod" equipment or have TAC help you with the debugs if you aren't comfortable. Remember that if you want to do something like debug ip packet (with an ACL hopefully) you'll need to disable cef on the related interfaces to see transit traffic. Bear in mind you can blow up the router if there is even a small amount of traffic on it and don't debug to the console... send it to syslog or the buffer.

Good luck.
