On 05/02/2012 15:51, Piotr Matusiak wrote:
> Hi,
> It should work with that config. Must be something wrong elsewhere.
I keep getting mixed results with ZBF - sometimes the inspect
policies simply FAIL to get a correct match. This happened to me again
and again during testing - sometimes a regex or protocol match simply...
doesn't match.
I have since downgraded the IOS version from 12.4(24)T2 to
12.4(15)T17. (The reason? The "class-map type inspect http *match-all*"
keyword has... disappeared somewhere on the way between 12.4(15)T and
12.4(20)T. Which means there are some application filtering scenarios
that have just become impossible). However, the problem persists on the
"new" IOS.
The original config is attached (there might be some minor
differences from the one I posted, due to my attempts at troubleshooting).
I am also attaching a config (same router) from a transparent mode
ZBF configuration. The problem with this is a similar one - it fails to
match on the ICMP protocol, and the packets get dropped by the default
class.
Rack1R3#sh policy-map type in zone-pair INSIDE_DMZ
 Zone-pair: INSIDE_DMZ
  Service-policy inspect : *PM_INSIDE_DMZ*

    Class-map: INSIDE_PROTO (match-all)
      Match: protocol http
      Match: protocol ftp
      Match: protocol icmp
      Match: protocol dns
      Match: protocol ssh
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop
        *10 packets, 800 bytes*

Rack1R3#sh run policy-map
<snip>
policy-map type inspect *PM_INSIDE_DMZ*
 class type inspect *INSIDE_PROTO*
  *inspect*
 class class-default
  drop log

Rack1R3#sh run class-map
Building configuration...

Current configuration : 262 bytes
!
class-map type inspect match-all *INSIDE_PROTO*
 match protocol http
 match protocol ftp
 *match protocol icmp*
 match protocol dns
 match protocol ssh
Rack1R1#p 10.0.0.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
....
Success rate is 0 percent (0/5)
Rack1R3#
*Feb 5 17:23:37.759: %FW-6-DROP_PKT: *Dropping icmp session *10.0.0.1:0
10.0.0.100:0 on zone-pair INSIDE_DMZ class class-default due to policy
match failure with ip ident 25
<snip>
--
Bogdan Sass
CCSP, LPIC-1, VCP5, CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"

Rack1R3#sh run
Building configuration...

Current configuration : 6030 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
no ip domain lookup
ip domain name cisco.com
ip port-map http port tcp 3128
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type inspect AUDIT
 audit-trail on
parameter-map type inspect PARAM_OUTSIDE_DMZ
 max-incomplete low 1000
 max-incomplete high 2000
 one-minute low 10
 one-minute high 100
!
voice-card 0
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
ip ssh version 1
!
class-map type inspect match-any DMZ_PROTO
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tacacs
 match access-group name ICMP
class-map type inspect match-all CM_OUTSIDE_DMZ
 match access-group name TO_DMZ
 match class-map DMZ_PROTO
class-map type inspect imap match-any IMAP
 match login clear-text
class-map type inspect match-any INSIDE_OUTSIDE_PROTO
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
 match protocol telnet
 match protocol aol
class-map type inspect match-all INSIDE_OUTSIDE
 match class-map INSIDE_OUTSIDE_PROTO
 match access-group name FROM_INSIDE
class-map type inspect match-all ICMP
 match access-group name ICMP
class-map type inspect match-all HTTPS_SSH_FROM_DMZ
 match access-group name SSH_HTTPS_TRAFFIc
 match access-group name FROM_DMZ
class-map type inspect pop3 match-any SPOP
 match login clear-text
class-map type inspect match-any CM_INSIDE_DMZ_PROTO
 match protocol https
 match protocol ssh
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tacacs
class-map type inspect match-all CM_INSIDE_DMZ
 match class-map CM_INSIDE_DMZ_PROTO
 match access-group name FROM_INSIDE
class-map type inspect match-any CM_SELF_ANY
 match access-group name ICMP
 match access-group name TELNET
class-map type inspect match-all RIP
 match access-group name RIP
class-map type inspect match-all SSH_HTTPS
 match access-group name SSH_HTTPS_TRAFFIC
!
policy-map type inspect DMZ_SELF
 class type inspect HTTPS_SSH_FROM_DMZ
  inspect
 class type inspect RIP
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE_SELF
 class type inspect SSH_HTTPS
  inspect
 class type inspect RIP
  pass
 class type inspect ICMP
  inspect
 class class-default
  drop log
policy-map type inspect INSIDE_OUTSIDE
 class type inspect INSIDE_OUTSIDE
  inspect
 class class-default
  drop log
policy-map type inspect PM_OUTSIDE_DMZ
 class type inspect CM_OUTSIDE_DMZ
  inspect AUDIT
  police rate 512000 burst 6400
 class class-default
  drop log
policy-map type inspect PM_INSIDE_DMZ
 class type inspect CM_INSIDE_DMZ
  inspect
 class class-default
  drop log
policy-map type inspect PM_SELF_ANY
 class type inspect CM_SELF_ANY
  inspect AUDIT
 class type inspect RIP
  pass
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone security zx
zone security zy
zone-pair security zx-zy source zx destination zy
 service-policy type inspect-internal px-py
zone-pair security OUTSIDE_SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE_SELF
zone-pair security DMZ_SELF source DMZ destination self
 service-policy type inspect DMZ_SELF
zone-pair security INSIDE_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTSIDE
zone-pair security FW_INT_REV_INSIDE_OUTSIDE source OUTSIDE destination INSIDE
 service-policy type inspect-internal I_INSIDE_OUTSIDE
zone-pair security OUTSIDE_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUTSIDE_DMZ
zone-pair security FW_INT_REV_OUTSIDE_DMZ source DMZ destination OUTSIDE
 service-policy type inspect-internal I_PM_OUTSIDE_DMZ
zone-pair security SELF_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_ANY
zone-pair security SELF_DMZ source self destination DMZ
 service-policy type inspect PM_SELF_ANY
zone-pair security SELF_INSIDE source self destination INSIDE
 service-policy type inspect PM_SELF_ANY
zone-pair security FW_INT_REV_SELF_INSIDE source INSIDE destination self
 service-policy type inspect-internal I_PM_SELF_ANY
!
interface FastEthernet0/0
 ip address 136.1.13.3 255.255.255.0
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.23
 encapsulation dot1Q 23
 ip address 136.1.23.3 255.255.255.0
 zone-member security OUTSIDE
!
interface FastEthernet0/1.100
 encapsulation dot1Q 901
 ip address 10.0.0.3 255.255.255.0
 zone-member security DMZ
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
router rip
 version 2
 network 10.0.0.0
 network 136.1.0.0
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip access-list standard FROM_DMZ
 permit 10.0.0.0 0.0.0.255
ip access-list standard FROM_INSIDE
 permit 136.1.13.0 0.0.0.255
!
ip access-list extended ICMP
 permit icmp any any
ip access-list extended O2S
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended RIP
 permit udp any any eq rip
ip access-list extended SSH_HTTPS_TRAFFIC
 permit tcp any any eq 22
 permit tcp any any eq 443
ip access-list extended TELNET
 permit tcp any any eq telnet
ip access-list extended TO_DMZ
 permit ip any 10.0.0.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

Rack1R3#sh run
Building configuration...

Current configuration : 3122 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
dot11 syslog
!
ip cef
!
no ip domain lookup
ip inspect log drop-pkt
ip inspect name INSIDE http
ip inspect name INSIDE ftp
ip inspect name INSIDE icmp
ip inspect name INSIDE dns
ip inspect name INSIDE ssh
ip inspect name DMZ ftp
ip inspect name DMZ http
ip inspect name DMZ dns
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 audit-trail on
 sessions maximum 2147483647
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
ip tcp synwait-time 5
!
class-map type inspect match-all INSIDE_PROTO
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
class-map type inspect match-all DMZ_PROTO
 match protocol ftp
 match protocol icmp
 match protocol dns
!
policy-map type inspect PM_OUTSIDE_DMZ
 class type inspect DMZ_PROTO
  inspect
 class class-default
  drop log
policy-map type inspect PM_INSIDE_DMZ
 class type inspect INSIDE_PROTO
  inspect
 class class-default
  drop log
policy-map type inspect PM_INSIDE_OUTSIDE
 class type inspect INSIDE_PROTO
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security INSIDE_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_OUTSIDE
zone-pair security INSIDE_DMZ source INSIDE destination DMZ
 service-policy type inspect PM_INSIDE_DMZ
zone-pair security OUTSIDE_DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM_OUTSIDE_DMZ
bridge irb
!
interface FastEthernet0/0
 no ip address
 zone-member security INSIDE
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 input-type-list 201
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.23
 encapsulation dot1Q 23
 zone-member security OUTSIDE
 bridge-group 1
 bridge-group 1 input-type-list 201
!
interface FastEthernet0/1.100
 encapsulation dot1Q 901
 zone-member security DMZ
 bridge-group 1
 bridge-group 1 input-type-list 201
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
interface BVI1
 ip address 10.0.0.3 255.255.255.0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip access-list extended DMZ_IN
 deny ip any any log
ip access-list extended OUTSIDE_IN
 permit ip any 10.0.0.0 0.0.0.255
 deny ip any any log
!
access-list 201 deny 0x86DD 0x0000
access-list 201 permit 0x0000 0xFFFF
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
!
end

Blogs and organic groups at http://www.ccie.net

Received on Sun Feb 05 2012 - 19:15:54 ART
This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART
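A config check for the class-map pattern at issue in the post, added here as an example and not part of the original thread: it parses class-map type inspect blocks (the sample input is constructed from the post's own class-maps) and flags a match-all class that lists more than one match protocol. A single flow is exactly one protocol, so such a class can never have all its conditions true and the traffic falls through to class-default; the routed config's match-any protocol class nested under a match-all class with an ACL is the pattern that does match.

```python
import re

# Constructed sample, copied from the class-maps in the post: the nested
# match-any/match-all pattern (routed config) and the flat match-all classes
# from the transparent-mode config.
SAMPLE_CONFIG = """\
class-map type inspect match-any INSIDE_OUTSIDE_PROTO
 match protocol http
 match protocol icmp
class-map type inspect match-all INSIDE_OUTSIDE
 match class-map INSIDE_OUTSIDE_PROTO
 match access-group name FROM_INSIDE
class-map type inspect match-all INSIDE_PROTO
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
class-map type inspect match-all DMZ_PROTO
 match protocol ftp
 match protocol icmp
 match protocol dns
"""

# Layer-7 classes put the application before the operator ("... inspect imap match-any IMAP").
CLASS_RE = re.compile(r"^class-map type inspect (?:(\S+) )?(match-all|match-any) (\S+)\s*$")

def parse_class_maps(config):
    """Return {name: (operator, [match lines])} for every inspect class-map."""
    maps, current = {}, None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group(3)
            maps[current] = (m.group(2), [])
        elif current and line.startswith(" match "):
            maps[current][1].append(line.strip())
        else:
            current = None  # any other top-level line ends the block
    return maps

def unmatchable_classes(maps):
    """match-all classes with more than one 'match protocol': a flow is exactly one
    protocol, so all conditions can never hold and traffic falls to class-default."""
    return [name for name, (op, matches) in maps.items() if op == "match-all"
            and sum(m.startswith("match protocol ") for m in matches) > 1]

if __name__ == "__main__":
    for name in unmatchable_classes(parse_class_maps(SAMPLE_CONFIG)):
        print(f"{name}: match-all with several 'match protocol' lines; nest a match-any class instead")
```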