RE: [Junk released by Allow List] Re: zone based firewall

From: Luan Nguyen <luan_at_netcraftsmen.net>
Date: Thu, 27 Aug 2009 11:09:00 -0400

Inspect parameter maps are used to define connection thresholds, timeouts,
and other parameters pertaining to the inspect action. Try to use that with
your configuration. You might or might not encounter it on the lab, but it is
good practice, especially when you want to see syslog messages: audit-trail on
inside the parameter map.

Most of the debug ip inspect commands can still be used for troubleshooting:
try debug ip inspect icmp, and also debug zone security event (don't do this
if you have a high volume of traffic).
Try the show policy-map type inspect zone-pair sessions command.

NAT is transparent to ZPF. For me, I always have a zone-pair for public back
to private for better policy/security control.
Why don't you try something like this: create an ACL permitting icmp from
4.2.2.2 to your inside local IP address (notice the firewall session table
is tracking the connection based upon the "Inside Local" address for both
inbound and outbound), then create a class-map match-all to match protocol
icmp AND match that ACL. For outbound, try to do that as well since you can
look at the ACL counter in addition.

Regards,

------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
-----------------------------------
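An IOS configuration fragment, added here as an example and not taken from any message in this thread, that implements the diagnostics Luan describes: a parameter map with audit-trail, match-all classes anchored to ACLs so their hit counters can be read, and an explicit return zone-pair. It assumes the inside local host 10.1.20.3 from the NAT table quoted below and the existing class and policy names from the posted config.

```cisco
! Constructed example: 10.1.20.3 is the inside local address from the
! "sh ip nat trans" output; 4.2.2.2 is the ping target in the thread.
ip access-list extended ICMP-FROM-HOST
 permit icmp host 10.1.20.3 host 4.2.2.2
ip access-list extended ICMP-TO-HOST
 permit icmp host 4.2.2.2 host 10.1.20.3
!
! Parameter map: audit-trail logs session open/close to syslog
! (logging buffered is already enabled on this router).
parameter-map type inspect ICMP-DIAG
 audit-trail on
 alert on
 icmp idle-time 10
!
! match-all classes: a packet must be ICMP AND hit the ACL, so
! "show ip access-lists" counters confirm whether the class saw it.
class-map type inspect match-all ICMP-OUT
 match protocol icmp
 match access-group name ICMP-FROM-HOST
class-map type inspect match-all ICMP-IN
 match protocol icmp
 match access-group name ICMP-TO-HOST
!
! The specific ICMP class must be listed before the existing match-any
! class. IOS appends new classes to an existing policy-map, so remove
! and re-add the match-any class to obtain this order.
policy-map type inspect inspect-private-to-internet
 class type inspect ICMP-OUT
  inspect ICMP-DIAG
 class type inspect inspecttraffic-private2internet
  inspect
 class class-default
  drop
!
! Explicit return zone-pair: only ICMP from 4.2.2.2 to the single
! inside host is inspected; all other internet-to-private traffic
! falls into class-default and is dropped.
policy-map type inspect inspect-internet-to-private
 class type inspect ICMP-IN
  inspect ICMP-DIAG
 class class-default
  drop
zone-pair security internet-private source internet destination private
 service-policy type inspect inspect-internet-to-private
!
! Verification, run while a host behind Fa0/1 pings 4.2.2.2:
!   show ip access-lists ICMP-FROM-HOST
!   show policy-map type inspect zone-pair private-internet sessions
!   show logging | include FW-6-SESS_AUDIT_TRAIL
```

If the ACL counter rises but no session appears under the zone-pair, the packet reached the class but was not inspected; if the counter stays at zero the traffic never entered the private-to-internet zone-pair at all.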

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
Sent: Thursday, August 27, 2009 10:18 AM
To: groupstudy_at_cconlinelabs.com
Cc: Anthony Sequeira; Cisco certification
Subject: Re: [Junk released by Allow List] Re: zone based firewall

It works perfectly fine with the cbac configuration below.

ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp

interface FastEthernet0/0
ip inspect CBAC out

When I remove that config and put in the zone based firewall configuration
seen below, it does not work anymore. I do a ping from a host behind the
private zone's interface to 4.2.2.2, and as you can see from the show ip nat
translations the NAT entry gets put in the table fine. With the CBAC config
the ping worked, but with the ZBF config it did not. Here's something really
odd. Every time I ping 4.2.2.2 from a host behind the private interface, I
notice when I "sh policy-map type inspect zone-pair" the icmp counter goes up
only 1 time, not 4, even though 4 ping messages are sent from the host, yet
all pings time out on the host.
I must be doing something stupid/silly, or possibly an IOS bug?

Cisco2801#sh run
Building configuration...

Current configuration : 5607 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco2801
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 128000
no logging console
enable secret 5 $1$Sz.G$hunXhcScXrQkHmAllKj4.0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
!
aaa session-id common
errdisable recovery cause bpduguard
errdisable recovery interval 400
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name datasc.local
ip inspect udp idle-time 1800
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-2766443098
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2766443098
 revocation-check none
 rsakeypair TP-self-signed-2766443098
!
!
crypto pki certificate chain TP-self-signed-2766443098
 certificate self-signed 01
  **removed**
!
!
username ****** privilege 15 secret 5 *****
archive
 log config
  hidekeys
!
!
!
!
!
!
class-map type inspect match-any inspecttraffic-private2dmz
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any inspecttraffic-dmz2internet
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any inspecttraffic-private2internet
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic-dmz2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic-private2internet
  inspect
 class class-default
  drop
policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic-private2dmz
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet
!
!
!
!
interface FastEthernet0/0
 bandwidth 16000
 ip address dhcp
 ip access-group internet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.200.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description ConnectionDell2900DMZ
 switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/1/1
 switchport access vlan 150
 spanning-tree portfast
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
 no ip address
!
interface Vlan150
 ip address 10.1.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.126.129.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NATNETWORKS interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.150.150 80 24.126.129.229 8080 extendable
!
ip access-list extended NATNETWORKS
 permit ip 10.1.0.0 0.0.255.255 any
ip access-list extended internet
 permit udp any any eq isakmp
 permit tcp any any eq 22
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit esp any any
 permit tcp any any eq 5001
 permit tcp any any eq www
 permit tcp any any eq 8080
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
line vty 5 15
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
end

Cisco2801#
Cisco2801#

Cisco2801#sh ip nat trans
Pro  Inside global       Inside local     Outside local    Outside global
icmp 24.126.129.229:1   10.1.20.3:1      4.2.2.2:1        4.2.2.2:1

Cisco2801#sh policy-map type inspect zone-pair

policy exists on zp private-internet
 Zone-pair: private-internet

  Service-policy inspect : inspect-private-to-internet

    Class-map: inspecttraffic-private2internet (match-any)
      Match: protocol tcp
        75 packets, 2396 bytes
        30 second rate 0 bps
      Match: protocol udp
        258 packets, 12843 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [2:670]
        udp packets: [262:0]
        icmp packets: [0:4]

        Session creations since subsystem startup or last reset 334
        Current session counts (estab/half-open/terminating) [2:6:0]
        Maxever session counts (estab/half-open/terminating) [2:13:0]
        Last session created 00:00:00
        Last statistic reset never
        Last session creation rate 11
        Maxever session creation rate 52
        Last half-open session total 6

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

policy exists on zp private-dmz
 Zone-pair: private-dmz

  Service-policy inspect : inspect-private-to-dmz

    Class-map: inspecttraffic-private2dmz (match-any)
      Match: protocol tcp
        78 packets, 75288 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps

   Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes

policy exists on zp dmz-internet
 Zone-pair: dmz-internet

  Service-policy inspect : inspect-dmz-to-internet

    Class-map: inspecttraffic-dmz2internet (match-any)
      Match: protocol tcp
        1 packets, 32 bytes
        30 second rate 0 bps
      Match: protocol udp
        208 packets, 6268 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 133 bytes
        30 second rate 0 bps

   Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [0:3]
        udp packets: [726:0]

        Session creations since subsystem startup or last reset 209
        Current session counts (estab/half-open/terminating) [0:4:0]
        Maxever session counts (estab/half-open/terminating) [0:9:0]
        Last session created 00:00:03
        Last statistic reset never
        Last session creation rate 22
        Maxever session creation rate 23
        Last half-open session total 4

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
Cisco2801#
Cisco2801#

Cisco2801#sh ver
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 19-Jun-09 15:53 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

Cisco2801 uptime is 13 hours, 15 minutes
System returned to ROM by reload at 00:50:28 UTC Thu Aug 27 2009
System image file is "flash:c2801-adventerprisek9_ivs-mz.124-24.T1.bin"

Cisco2801#sh zone sec
zone self
  Description: System defined zone

zone private
  Member Interfaces:
    FastEthernet0/1

zone internet
  Member Interfaces:
    FastEthernet0/0

zone dmz
  Member Interfaces:
    Vlan150

On Thu, Aug 27, 2009 at 9:48 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:

> Your zone config looks good.
>
> I saw in your previous configs that you had some nat and other things going
> on that may be interfering with your results.
>
> You may want to try to simplify to see what is causing your issue.
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
>
> *From:* Fake Name [mailto:fname84_at_gmail.com]
> *Sent:* Thursday, August 27, 2009 6:45 AM
> *To:* Anthony Sequeira
> *Cc:* groupstudy_at_cconlinelabs.com; Cisco certification
> *Subject:* [Junk released by Allow List] Re: zone based firewall
>
> hm, that's really odd. With the current config it does not show the counters
> going up from the private to internet zones when I do a constant ping to
> 4.2.2.2 from the inside. I am baffled why it does not catch the traffic, but
> when I do a show zone security it shows the interfaces in the proper zones.
> I have rewritten my zbf config to further break everything out and it is
> still not working.
>
> class-map type inspect match-any inspecttraffic-dmz2internet
> match protocol tcp
> match protocol udp
> match protocol icmp
>
> class-map type inspect match-any inspecttraffic-private2internet
> match protocol tcp
> match protocol udp
> match protocol icmp
>
> class-map type inspect match-any inspecttraffic-private2dmz
> match protocol tcp
> match protocol udp
> match protocol icmp
>
>
> policy-map type inspect inspect-dmz-to-internet
> class type inspect inspecttraffic-dmz2internet
> inspect
> class class-default
> drop
> policy-map type inspect inspect-private-to-internet
> class type inspect inspecttraffic-private2internet
> inspect
> class class-default
> drop
> policy-map type inspect inspect-private-to-dmz
> class type inspect inspecttraffic-private2dmz
> inspect
> class class-default
> drop
> !
> zone security private
> zone security internet
> zone security dmz
> zone-pair security private-internet source private destination internet
> service-policy type inspect inspect-private-to-internet
> zone-pair security private-dmz source private destination dmz
> service-policy type inspect inspect-private-to-dmz
> zone-pair security dmz-internet source dmz destination internet
> service-policy type inspect inspect-dmz-to-internet
>
>
> !
> interface FastEthernet0/0
> zone-member security internet
> !
> interface FastEthernet0/1
> zone-member security private
>
> int vlan 150
> zone-member security dmz
>
> On Wed, Aug 26, 2009 at 10:14 AM, Anthony Sequeira <asequeira_at_ine.com> wrote:
>
> show policy-map type inspect zone-pair
>
> Warmest Regards,
>
> Anthony J. Sequeira, CCIE #15626
> http://www.INE.com <http://www.ine.com/>
>
> Test your Core Knowledge today!
> Q: What authentication option may be used with EIGRP?
> A: MD5
> More Info:
> http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1ceigrp.html#wp4759
>
> On Aug 26, 2009, at 10:06 AM, Fake Name wrote:
>
> hmm tried that and still does not work...
>
> are there any good show commands that can be used to figure out what's
> happening...all I know is show zone security and it shows all the
> interfaces are in proper zones.
>
> On Wed, Aug 26, 2009 at 9:46 AM, Fake Name <fname84_at_gmail.com> wrote:
>
> so you mean like this?
>
> class-map type inspect match-any inspecttraffic
> match protocol tcp
> match protocol udp
> match protocol icmp
> !
> !
> policy-map type inspect inspect-private-to-internet
> class type inspect inspecttraffic
> inspect
> policy-map type inspect inspect-private-to-dmz
> class type inspect inspecttraffic
> inspect
> policy-map type inspect inspect-dmz-to-internet
> class type inspect inspecttraffic
> inspect
> class class-default
> drop
> zone security private
> zone security internet
> zone security dmz
> zone-pair security private-internet source private destination internet
> service-policy type inspect inspect-private-to-internet
> zone-pair security private-dmz source private destination dmz
> service-policy type inspect inspect-private-to-dmz
> zone-pair security dmz-internet source dmz destination internet
> service-policy type inspect inspect-dmz-to-internet
>
> On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:
>
> You need to set up a separate policy for inbound traffic from the internet
> and then configure your zone-pair from internet to dmz and internet to
> inside as well if you want traffic to be allowed from the internet.
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Fake Name
> Sent: Tuesday, August 25, 2009 8:53 PM
> To: Cisco certification
> Subject: zone based firewall
>
> I have done the following configuration for the zone based firewall for 3
> interfaces: a private, dmz, and internet interface. I am seeking that the
> private interface can talk through the dmz and internet interface and
> traffic be inspected. The dmz interface can talk through the internet
> interface and traffic be inspected. If a host from the dmz interface needs
> to reach a host on the inside interface without any initiating traffic
> coming from the inside there must be an acl statement. If a host from the
> outside interface needs to reach a host on the inside interface or dmz
> interface without any initiating traffic coming from the inside there must
> be an acl statement.
>
> Can anyone spot my configuration mistake?
>
> class-map type inspect match-any inspecttraffic
> match protocol tcp
> match protocol udp
> match protocol icmp
> match protocol ssh
> match protocol ftp
> match protocol imap
> match protocol http
> match protocol https
> match protocol dns
>
> policy-map type inspect inspecttrafficpolicy
> class type inspect inspecttraffic
> inspect
>
> zone security private
> zone security internet
> zone security dmz
>
> zone-pair security private-internet source private destination internet
> service-policy type inspect inspecttrafficpolicy
>
>
> zone-pair security private-dmz source private destination dmz
> service-policy type inspect inspecttrafficpolicy
>
> zone-pair security dmz-internet source dmz destination internet
> service-policy type inspect inspecttrafficpolicy
>
>
> !
> interface FastEthernet0/0
> zone-member internet
> !
> interface FastEthernet0/1
> zone-member private
>
> int vlan 150
> zone-member dmz
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

Received on Thu Aug 27 2009 - 11:09:00 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART