help with zbf lab

larsk84 (Posts: 4, Registered Users)
Hello
I need some help with my lab in configuring ZBF, I can't get it to work =/

/Lars

Comments

  • networker050184 (Posts: 11,962, Mod)
    You're going to have to provide a lot more info than that if you want help.
    An expert is a man who has made all the mistakes which can be made.
  • larsk84 (Posts: 4, Registered Users)
    of course..
    I have 2 sites with a domain controller in each site (SITE A & SITE B). Before I implemented ZBF I could successfully ping each DC. But now I can't ping and there's of course no replication between them. The domain controller in SITE A has 200.20.16.30 /28 and the DC in SITE B has IP 205.205.2.130 /28, as shown in the pic I added.

    Routers s1r & e1r are configured with ZBF, with the right zone membership on interfaces; I've created zone-pairs, policy-maps etc., but it doesn't work. And another thing: since the two DCs need to replicate, should I insert every protocol which is needed in the ACL?

    I have named the class-map DC_REPLICATION to allow communication between the two DCs.



    Router s1r config:
    !
    ip tcp synwait-time 5
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    class-map type inspect match-any DC_REPLICATION
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    match access-group name DC-ACL
    !
    !
    policy-map type inspect PMAP-IN-TO-OUT
    class type inspect DC_REPLICATION
    inspect
    class class-default
    !
    zone security INSIDE
    zone security OUTSIDE

    zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
    service-policy type inspect PMAP-IN-TO-OUT

    !
    !
    !
    interface FastEthernet0/0
    description Connects to DMZ
    ip address 200.20.16.161 255.255.255.248
    zone-member security DMZ
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description Connects to s1s
    no ip address
    zone-member security INSIDE
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.10
    encapsulation dot1Q 10
    ip address 200.20.16.1 255.255.255.192
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.20
    encapsulation dot1Q 20
    ip address 200.20.16.65 255.255.255.192
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.30
    encapsulation dot1Q 30
    ip address 200.20.16.129 255.255.255.240
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface FastEthernet0/1.40
    encapsulation dot1Q 40
    ip address 200.20.16.145 255.255.255.240
    ip helper-address 200.20.16.130
    zone-member security INSIDE
    !
    interface Serial1/0
    description Connects to ISP
    ip address 200.20.16.169 255.255.255.252
    zone-member security OUTSIDE
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    serial restart-delay 0
    !
    router ospf 1
    log-adjacency-changes
    passive-interface FastEthernet0/0
    network 10.0.0.0 0.0.255.255 area 0
    network 200.20.16.0 0.0.0.63 area 0
    network 200.20.16.64 0.0.0.63 area 0
    network 200.20.16.128 0.0.0.15 area 0
    network 200.20.16.144 0.0.0.15 area 0
    network 200.20.16.160 0.0.0.7 area 0
    network 200.20.16.168 0.0.0.3 area 0
    !
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended DC-ACL
    permit ip host 200.20.16.130 205.205.2.128 0.0.0.15
    permit ip host 205.205.2.130 200.20.16.128 0.0.0.15
    permit ip 205.205.2.128 0.0.0.15 200.20.16.128 0.0.0.15
    permit ip 200.20.16.128 0.0.0.15 205.205.2.128 0.0.0.15

    !
    logging trap debugging
    logging facility local3
    logging 200.20.16.165
    !
    !
    !
    !
    control-plane
    !
    banner motd ^CNo Unauthorized Access!^C
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    password 7 047802150C2E0D
    logging synchronous
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    line vty 0 4
    privilege level 15
    logging synchronous
    transport input ssh
    line vty 5 15
    logging synchronous
    transport input all
    !
    ntp server 200.20.16.130
    !
    webvpn cef
    !
    end
    s1r#copy run start
    Destination filename [startup-config]?
    Building configuration...
    [OK]




    /Lars
    Attachment: zbf.jpg (26.6K)
  • Iristheangel, CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more, from Pasadena, CA (Posts: 4,116, Mod)
    I'm going to assume that both routers are configured similarly and the zone pairs are the same.

    So think of it like this: The zone pair specifies certain traffic that can be initiated and pass from one zone to another, right? Well... Let's say you initiate DC replication or ICMP traffic from the inside zone to the outside zone of site 1. What happens? It passes through. No big deal. Well, what happens when this traffic which is initiated from site 1 hits the outside zone of site 2? Well... unless you have a zone pair specifying that the traffic initiated from the outside zone can pass to the inside zone, it's not going to happen and site 2's router should be dropping it.

    Check out this Packetlife article: IOS Zone-Based Firewall - PacketLife.net

    It really helped me grasp ZBFWs when it first came out.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
  • larsk84 (Posts: 4, Registered Users)
    So the routers in SITE 2 & SITE 1 should have a zone-pair similar to:


    zone-pair security ZONE-PAIR-DC-REP source OUTSIDE destination INSIDE
    service-policy type inspect PMAP-OUT-TO-IN

    policy-map type inspect PMAP-OUT-TO-IN
    class type inspect DC_REPLICATION
    inspect
    class class-default

    class-map type inspect match-any DC_REPLICATION
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol ldap
    match protocol tcp
    match protocol udp
    match access-group name DC-ACL

    ip access-list extended DC-ACL
    permit ip 205.205.2.128 0.0.0.15 200.20.16.128 0.0.0.15
    permit ip 200.20.16.128 0.0.0.15 205.205.2.130 0.0.0.15


    Shouldn't the policy map PMAP-IN-TO-OUT accept return traffic, because of the stateful inspection of ZBF?


    /Lars
  • Iristheangel, CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more, from Pasadena, CA (Posts: 4,116, Mod)
    Return traffic, yes. But if you are sending traffic that originates from one site to another and your ZBFW zone pair states that only traffic originating from inside can accept return traffic, what happens when the other side gets traffic that originates from the outside zone (i.e. traffic that originates from the other site)? It doesn't matter if it's originating from the Internet or another site: if your zone pair states that only traffic from inside -> outside can happen, the other site's traffic is going to be dropped, since it originated from the outside zone according to the other site.

    (Yes, I'm laying it out in very simple terms. Just typing on a phone or else I'd draw you a pic)
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
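    The zone-pair behaviour the two replies above describe, modelled as an added Python example (it is not code from this thread, from Cisco IOS, or from either poster). The zone-pair lines are constructed excerpts mirroring the thread's configs, the router names and DC addresses are the ones the thread uses, and the model goes one step further than the replies by also treating a zone pair that has no service-policy attached as a drop, which is the IOS default for such a pair.

```python
import re
# Constructed excerpts mirroring the zone-pair lines posted in this thread.
S1R_PAIRS = """
zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PMAP-IN-TO-OUT
"""
# Site B with the extra OUTSIDE -> INSIDE pair the replies call for.
E1R_PAIRS_FIXED = S1R_PAIRS + """
zone-pair security OUT_TO_TRUSTED source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUT_TO_IN
"""

def parse_zone_pairs(config):
    """(source_zone, dest_zone) -> policy name; None when the pair has no service-policy."""
    pairs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            pairs[current] = None
        elif line.startswith("service-policy type inspect ") and current:
            pairs[current] = line.split()[-1]
    return pairs

class ZbfRouter:
    """Minimal ZBF model: pairs are one-way; 'inspect' records state that admits the reply."""
    def __init__(self, name, pairs):
        self.name, self.pairs, self.sessions = name, pairs, set()

    def forward(self, src_zone, dst_zone, src_ip, dst_ip):
        if (dst_ip, src_ip) in self.sessions:
            return True                      # return traffic of an inspected session
        if self.pairs.get((src_zone, dst_zone)) is None:
            return False                     # no pair, or a pair without a policy: dropped
        self.sessions.add((src_ip, dst_ip))  # the inspect action creates the session entry
        return True

def ping(site_b_pairs):
    """Echo request from DC-A to DC-B plus its reply; returns the first drop point or 'ok'."""
    s1r = ZbfRouter("s1r", parse_zone_pairs(S1R_PAIRS))
    e1r = ZbfRouter("e1r", parse_zone_pairs(site_b_pairs))
    a, b = "200.20.16.130", "205.205.2.130"
    hops = [("request", s1r, "INSIDE", "OUTSIDE", a, b), ("request", e1r, "OUTSIDE", "INSIDE", a, b),
            ("reply", e1r, "INSIDE", "OUTSIDE", b, a), ("reply", s1r, "OUTSIDE", "INSIDE", b, a)]
    for stage, router, src_zone, dst_zone, src_ip, dst_ip in hops:
        if not router.forward(src_zone, dst_zone, src_ip, dst_ip):
            return f"{stage} dropped at {router.name}"
    return "ok"
```

    With only the INSIDE -> OUTSIDE pair on both routers, `ping(S1R_PAIRS)` dies at e1r; with the OUTSIDE -> INSIDE pair added at site B, the same echo and its reply pass end to end on session state alone.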
  • larsk84 (Posts: 4, Registered Users)
    I have done some modifications to my configs, but it still doesn't work. What am I doing wrong?



    Router s1r in SITE A:



    class-map type inspect match-any DC_REPLICATION
    match access-group name TRUST_TO_TRUST
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    class-map type inspect match-any CMAP-TRUSTED-TO-IN
    match access-group name TRUSTED_TO_IN
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    !
    !
    policy-map type inspect PMAP_OUT_TO_IN
    class type inspect CMAP-TRUSTED-TO-IN
    inspect
    class class-default
    policy-map type inspect PMAP-IN-TO-OUT
    class type inspect DC_REPLICATION
    inspect
    class class-default
    !
    zone security INSIDE
    zone security OUTSIDE
    zone security DMZ
    zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
    service-policy type inspect PMAP-IN-TO-OUT
    zone-pair security OUT_TO_DMZ source OUTSIDE destination DMZ
    zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
    zone-pair security OUT_TO_TRUSTED source OUTSIDE destination INSIDE
    service-policy type inspect PMAP_OUT_TO_IN
    !
    !
    ip access-list extended TRUSTED_TO_IN
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo-reply
    permit tcp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit udp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit ip 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255

    ip access-list extended TRUST_TO_TRUST
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo-reply
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo
    permit tcp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit udp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit ip 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255




    Router e1r in SITE B:


    class-map type inspect match-any DC_REPLICATION
    match access-group name TRUST_TO_TRUST
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    class-map type inspect match-any CLASS_MAP_GRE_PROTOCOLS
    match access-group name GRE
    class-map type inspect match-any CMAP-TRUSTED-TO-IN
    match access-group name TRUSTED_TO_IN
    match protocol icmp
    match protocol echo
    match protocol dns
    match protocol http
    match protocol isakmp
    match protocol kerberos
    match protocol ldap
    match protocol netbios-dgm
    match protocol netbios-ns
    match protocol netbios-ssn
    match protocol snmptrap
    match protocol tcp
    match protocol udp
    !
    !
    policy-map type inspect PMAP_OUT_TO_IN
    class type inspect CMAP-TRUSTED-TO-IN
    inspect
    class class-default
    policy-map type inspect POLICY_MAP_IN_TO_OUT
    class type inspect DC_REPLICATION
    inspect
    class class-default
    !
    zone security OUTSIDE
    zone security INSIDE
    zone-pair security ZONE_PAIR_IN_TO_OUT source INSIDE destination OUTSIDE
    service-policy type inspect POLICY_MAP_IN_TO_OUT
    zone-pair security OUT_TO_TRUSTED source OUTSIDE destination INSIDE
    service-policy type inspect PMAP_OUT_TO_IN
    ip access-list extended TRUSTED_TO_IN
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo
    permit icmp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255 echo-reply
    permit tcp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit udp 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255
    permit ip 200.20.16.0 0.0.0.255 205.205.2.0 0.0.0.255

    ip access-list extended TRUST_TO_TRUST
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo
    permit icmp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255 echo-reply
    permit tcp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit udp 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255
    permit ip 205.205.2.0 0.0.0.255 200.20.16.0 0.0.0.255



    /Lars