Zone-Based Firewall Problem

EildorEildor Member Posts: 444
in CCNP Security
I can't seem to get my HTTP traffic through the Zone-Based Firewall; think the NAT might be confusing me. Here is my configuration on GNS3:
R1#show run
Building configuration...

Current configuration : 1773 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name lab.local
ip name-server 194.168.4.100
ip name-server 194.168.8.100
!
multilink bundle-name authenticated
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 duplex half
!
interface FastEthernet2/0
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 duplex half
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface FastEthernet1/0 overload
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 172.16.0.0 0.0.0.255 any eq www
 permit tcp 172.16.0.0 0.0.0.255 any eq domain
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

I'm NATing the internal network (172.16.0.0/24) to 192.168.0.254 as that is private network configured on my home router. There is a default route to my home router (192.168.0.1), and that is obviously going to be NATed again (which I have no control over) before traffic leaves.

My permit statements in the class-map is for the internal 172.16.0.0/24 network... is that correct? I'm not exactly sure how Zone-Based Firewall works with NAT. Logs are showing that DNS traffic is being dropped:
*Jul 20 01:32:41.183: %FW-6-DROP_PKT: Dropping Other pkt 192.168.0.254:44646 => 208.67.222.222:53 with ip ident 27112 due to DROP action found in policy-map

Why would DNS be dropped? I thought 192.168.0.254 would be considered to be in the self zone, and therefore be permitted anyway?
· Share on FacebookShare on Twitter

Comments

  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    It's not coming from "self," as your router is not originating the traffic, and it is not traffic for a daemon running on your router. The packet appears sourced from your router, only because it was translated to 192.168.0.254.

    You just need to add the NAT'd to address (192.168.0.254) to your INSIDE-TO-OUTSIDE access-list. On that external interface, inbound filtering occurs 'pre-nat' while outboud occurs 'post-nat'
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    powmia wrote: »
    It's not coming from "self," as your router is not originating the traffic, and it is not traffic for a daemon running on your router. The packet appears sourced from your router, only because it was translated to 192.168.0.254.

    You just need to add the NAT'd to address (192.168.0.254) to your INSIDE-TO-OUTSIDE access-list. On that external interface, inbound filtering occurs 'pre-nat' while outboud occurs 'post-nat'

    I did try that but it didn't seem to make a difference... I'll try again to be sure and post back. Thank you.
    · Share on FacebookShare on Twitter
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    Oh, didn't look at that close enough. DNS uses TCP for zone-transfers, UDP is for queries. Use UDP.
    · Share on FacebookShare on Twitter
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    And I think you can disregard my previous post... statefulness of your setup should just need the internal addresses in the ACL. Sorry about that... in need of coffee.
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    I've put in everything just to be sure but it still doesn't seem to work...

    Standard IP access list NAT
    10 permit 172.16.0.0, wildcard bits 0.0.0.255 (127 matches)
    Extended IP access list INSIDE-TO-OUTSIDE
    10 permit tcp 172.16.0.0 0.0.0.255 any eq www (49 matches)
    20 permit tcp 172.16.0.0 0.0.0.255 any eq domain
    30 permit udp 172.16.0.0 0.0.0.255 any eq domain (209 matches)
    40 permit udp 192.168.0.0 0.0.0.255 any eq domain
    50 permit tcp 192.168.0.0 0.0.0.255 any eq domain
    60 permit tcp 192.168.0.0 0.0.0.255 any eq www

    Everything else is exactly the same as before. I'm no longer getting log messages so I guess the traffic is going out but the return traffic isn't getting back to the host? :S
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Wireshark shows that 192.168.0.254 is ARPing for 192.168.0.1 but never seems to get a response... not sure why that would be.
    · Share on FacebookShare on Twitter
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    gns3???
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Yes GNS3 ...makes doing even the most simplest of tasks a pain in the bottom.
    · Share on FacebookShare on Twitter
  • powmiapowmia Users Awaiting Email Confirmation Posts: 322
    Yeah, before you go on a troubleshooting fit... I would save the configs and rebuild your topology.
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Did that multiple times... anyway not to worry -- thanks mate.
    · Share on FacebookShare on Twitter
  • gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    Have you tried to make sure if it works with out the ZBF configuration?
    Eildor wrote: »
    Did that multiple times... anyway not to worry -- thanks mate.
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    As far as I can remember (I've redone everything like 5 times so I could be wrong) it worked fine without ZBF. Anyway no worries I don't want to spend any more time on it. Cheers!
    · Share on FacebookShare on Twitter
  • gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    lol don't give up!. run some debug policy-firewall commands and see what is happening.
    Eildor wrote: »
    As far as I can remember (I've redone everything like 5 times so I could be wrong) it worked fine without ZBF. Anyway no worries I don't want to spend any more time on it. Cheers!
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    It's set to log dropped packets... nothing is showing up at all so I guess the traffic is going out but not being allowed back in. I'll look into it when I get the chance one last time.
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Could the problem be the fact that I am using Linux on the VMs? I'm going to download Windows XP and see if that helps.
    · Share on FacebookShare on Twitter
  • Mrock4Mrock4 Banned Posts: 2,359 ■■■■■■■■□□
    I labbed up your almost exact config (except interface names), and was successful in reaching the end device. I connected the devices in a series, such as: R2
    R3
    R10 .....I utilized an existing topology I had for this, so that's why the hostnames are not in order. R3 was doing the ZBF and NAT. R10 had the IP of 192.168.0.1, and R2 had the IP of 172.16.0.1. .254 resides on the R3 interfaces.

    See screenshots:

    http://www.sgtccie.com/images/ZBF_issue.png (Shows successful telnet from R2 to R10)
    http://www.sgtccie.com/images/ZBF_issue2.png (Shows config of R3)
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Argh this is doing my head in... feel like I'm wasting my time. Thanks for all the help, I'll get there eventually...
    · Share on FacebookShare on Twitter
  • Mrock4Mrock4 Banned Posts: 2,359 ■■■■■■■■□□
    No worries. Have you run a wireshark capture at the host to see if traffic is reaching it? I know you said you saw .254 ARPing, but does the .1 address see those ARP requests? I'd be willing to venture if you solve the unanswered ARP you will solve your problem (big surprise, right?)

    Best of luck!
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    Everything now seems to be working... don't ask me why because I have absolutely no clue as I tried over 9000 different things, including: changing software firewall (Comodo and GNS3 do NOT get along), using Windows XP on VMs instead of Linux, pulling my hair out, etc.

    Hopefully I don't have this much trouble setting up ASA on GNS3... thanks again.
    · Share on FacebookShare on Twitter
  • gregorio323gregorio323 Member Posts: 201 ■■■□□□□□□□
    Sounds like the 9001 try was it... :)
    Eildor wrote: »
    Everything now seems to be working... don't ask me why because I have absolutely no clue as I tried over 9000 different things, including: changing software firewall (Comodo and GNS3 do NOT get along), using Windows XP on VMs instead of Linux, pulling my hair out, etc.

    Hopefully I don't have this much trouble setting up ASA on GNS3... thanks again.
    · Share on FacebookShare on Twitter
  • EildorEildor Member Posts: 444
    I'm just glad it's working now... ASA is up and running as expected too :)
    · Share on FacebookShare on Twitter
Sign In or Register to comment.