Zone Based Firewall

geezer

Hi

Trying again to lab up a ZBF in GNS3 with VPCS. I have a 7200 router with local cloud (my PC's loopback address connected to i/f f0/0. VPC1 on f0/1, VPC2 on f1/0 and VPC3 on f1/1.

I can ping all interfaces from all interfaces after startup but as soon as I configure f0/0 (as trusted) and f1/0 (untrusted) I can no longer ping between those two interfaces. The CBAC interfaces can ping eachother still (f0/1 and f1/1) but have tried adding icmp to the sdm but no joy.

The theory looks great but this is one thing that isn't easy to get working. I see that the CBT nuggets video (although brief'ish') talks about configuring via the additional tasks pane is there any difference between that and the 'edit firewall' in the firewall tab?

If anyone can guide me on how to SDM the firewall for ping even it would give me more hope about taking the exam.

And I thought VPN was tricky!

notgoing2fail

Well that's because you applied those two interfaces to trust and untrust. So they are in different zones. So until you create a policy map to allow pings, it won't work.

As for the other ones, they are not part of any zones, so they will be able to communicate.

geezer

Tried to add icmp but it is to do with the default in-out access-list (invalid-src) that drops the subnets' traffic from in to outzone. Configured it to PASS but still didn't work. Had to change the address in access list to get pings to work from in to out zone.

If I want to permit ICMP from in to out zone but deny everything else what would I have to do? Head a bit fried after late working and ZBF of course!

Cheers.

notgoing2fail

geezer wrote: »

Tried to add icmp but it is to do with the default in-out access-list (invalid-src) that drops the subnets' traffic from in to outzone. Configured it to PASS but still didn't work. Had to change the address in access list to get pings to work from in to out zone.

If I want to permit ICMP from in to out zone but deny everything else what would I have to do? Head a bit fried after late working and ZBF of course!

Cheers.

Well I'm glad you are working on this because I haven't worked on ZBF in awhile so I can shake off the rust. Can you post your configs?

Just post the necessary info, no need to post your entire runing-config....

Also, did you try INSPECT instead of PASS?

geezer

Did try 'Inspect' to no avail. The firewall was dropping all source addys via an access-list to deny loopback, broadcast and inside and spoofed addresses (from the outside interface) from leaving the in-to-out zone.

Not on GNS at the min, got to get some studying notes sorted - IPS then the Encryption 'suite' of chapters - oh the joy!!!

Will try and take a look when I have made more progress with studies. Just glad that VPN is a little more easy to understand/perceive.

Cheers.

notgoing2fail

geezer wrote: »

Did try 'Inspect' to no avail. The firewall was dropping all source addys via an access-list to deny loopback, broadcast and inside and spoofed addresses (from the outside interface) from leaving the in-to-out zone.

Not on GNS at the min, got to get some studying notes sorted - IPS then the Encryption 'suite' of chapters - oh the joy!!!

Will try and take a look when I have made more progress with studies. Just glad that VPN is a little more easy to understand/perceive.

Cheers.

VPN is a lot easier concept to grasp. ZBF isn't that bad once you get the hang of it but it took me a little while to see how it worked...

And like anything, it would be better to be working with it on a daily basis which I assume most people aren't....

That's what PIX/ASA is for!!!

geezer

A lot of pieces to ZBF I suppose which can be as clear as mud esp. when using sdm and its naming! Haven't tried CLI only config but where the SDM creates in/out to the self-zone is it needed for CLI too or just overkill?

The 'inspect' not allowing ping packets in the ACL action was confusing as I would expect it to be allowed but what else is needed for the 'inspect' action to allow traffic as it is acting just like 'drop'?

Cheers

notgoing2fail

geezer wrote: »

A lot of pieces to ZBF I suppose which can be as clear as mud esp. when using sdm and its naming! Haven't tried CLI only config but where the SDM creates in/out to the self-zone is it needed for CLI too or just overkill?

The 'inspect' not allowing ping packets in the ACL action was confusing as I would expect it to be allowed but what else is needed for the 'inspect' action to allow traffic as it is acting just like 'drop'?

Cheers

SDM does add more commands than you normally would need, not just for ZBF but other features as well.

From what I remember, the self-zone if referring to the router itself. So you would only need that if you need communication go the router. Say you wanted to ping the routers interface, then you'd need policies for it.

The inspect or pass should work, I suspect that it's just a configuration mishap, so it's really hard tell without seeing your config.

logicmyfoot

dude plz post some config , its really hard to troubleshoot without seeing the actual config.

also if your policy-map "action" is "PASS" you will need bidirectional zone pairs, for both in and out zone

logicmyfoot

geezer wrote: »

Hi

Trying again to lab up a ZBF in GNS3 with VPCS. I have a 7200 router with local cloud (my PC's loopback address connected to i/f f0/0. VPC1 on f0/1, VPC2 on f1/0 and VPC3 on f1/1.

I can ping all interfaces from all interfaces after startup but as soon as I configure f0/0 (as trusted) and f1/0 (untrusted) I can no longer ping between those two interfaces. The CBAC interfaces can ping eachother still (f0/1 and f1/1) but have tried adding icmp to the sdm but no joy.

The theory looks great but this is one thing that isn't easy to get working. I see that the CBT nuggets video (although brief'ish') talks about configuring via the additional tasks pane is there any difference between that and the 'edit firewall' in the firewall tab?

If anyone can guide me on how to SDM the firewall for ping even it would give me more hope about taking the exam.

And I thought VPN was tricky!

Are both CBAC and ZBF configured for f0/0 and f0/1??

TesseracT

What's the point of using CBAC and ZBF at the same time? I've seen it in the wild before as well...

Doesn't all CBAC do is inspect traffic - exactly the same as the 'inspect' policy rule on ZBF?

logicmyfoot

^^ yep they do

yiannit

you shouldnt be able to use both on one interface

geezer

TesseracT wrote: »

What's the point of using CBAC and ZBF at the same time? I've seen it in the wild before as well...

Doesn't all CBAC do is inspect traffic - exactly the same as the 'inspect' policy rule on ZBF?

SPI (CBAC) model used on interfaces not used as part of the zoning policy so will keep traffic separate from zoned interfaces. The ZBF allows for finer control over inspection, e.g. policy maps containing class maps with different subnets specified - one subnet inspects HTTP and another subnet inspected for URL filtering.

Cisco are moving away from the CLI 'ip inspect...' idea to the ZBF model