Zone-Based Firewall Problem

I can't seem to get my HTTP traffic through the Zone-Based Firewall; think the NAT might be confusing me. Here is my configuration on GNS3:

R1#show run
Building configuration...

Current configuration : 1773 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
ip domain name lab.local
ip name-server 194.168.4.100
ip name-server 194.168.8.100
!
multilink bundle-name authenticated
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.0.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 duplex half
!
interface FastEthernet2/0
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
 duplex half
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface FastEthernet1/0 overload
!
ip access-list standard NAT
 permit 172.16.0.0 0.0.0.255
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit tcp 172.16.0.0 0.0.0.255 any eq www
 permit tcp 172.16.0.0 0.0.0.255 any eq domain
!
logging alarm informational
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
end

I'm NATing the internal network (172.16.0.0/24) to 192.168.0.254 as that is private network configured on my home router. There is a default route to my home router (192.168.0.1), and that is obviously going to be NATed again (which I have no control over) before traffic leaves.

My permit statements in the class-map is for the internal 172.16.0.0/24 network... is that correct? I'm not exactly sure how Zone-Based Firewall works with NAT. Logs are showing that DNS traffic is being dropped:

*Jul 20 01:32:41.183: %FW-6-DROP_PKT: Dropping Other pkt 192.168.0.254:44646 => 208.67.222.222:53 with ip ident 27112 due to DROP action found in policy-map

Why would DNS be dropped? I thought 192.168.0.254 would be considered to be in the self zone, and therefore be permitted anyway?

Find more posts tagged with

Comments

powmia

It's not coming from "self," as your router is not originating the traffic, and it is not traffic for a daemon running on your router. The packet appears sourced from your router, only because it was translated to 192.168.0.254.

You just need to add the NAT'd to address (192.168.0.254) to your INSIDE-TO-OUTSIDE access-list. On that external interface, inbound filtering occurs 'pre-nat' while outboud occurs 'post-nat'

Eildor

powmia wrote: »

It's not coming from "self," as your router is not originating the traffic, and it is not traffic for a daemon running on your router. The packet appears sourced from your router, only because it was translated to 192.168.0.254.

You just need to add the NAT'd to address (192.168.0.254) to your INSIDE-TO-OUTSIDE access-list. On that external interface, inbound filtering occurs 'pre-nat' while outboud occurs 'post-nat'

I did try that but it didn't seem to make a difference... I'll try again to be sure and post back. Thank you.

powmia

Oh, didn't look at that close enough. DNS uses TCP for zone-transfers, UDP is for queries. Use UDP.

powmia

And I think you can disregard my previous post... statefulness of your setup should just need the internal addresses in the ACL. Sorry about that... in need of coffee.

Eildor

I've put in everything just to be sure but it still doesn't seem to work...

Standard IP access list NAT
10 permit 172.16.0.0, wildcard bits 0.0.0.255 (127 matches)
Extended IP access list INSIDE-TO-OUTSIDE
10 permit tcp 172.16.0.0 0.0.0.255 any eq www (49 matches)
20 permit tcp 172.16.0.0 0.0.0.255 any eq domain
30 permit udp 172.16.0.0 0.0.0.255 any eq domain (209 matches)
40 permit udp 192.168.0.0 0.0.0.255 any eq domain
50 permit tcp 192.168.0.0 0.0.0.255 any eq domain
60 permit tcp 192.168.0.0 0.0.0.255 any eq www

Everything else is exactly the same as before. I'm no longer getting log messages so I guess the traffic is going out but the return traffic isn't getting back to the host? :S

Eildor

Wireshark shows that 192.168.0.254 is ARPing for 192.168.0.1 but never seems to get a response... not sure why that would be.

powmia

gns3???

Eildor

Yes GNS3 ...makes doing even the most simplest of tasks a pain in the bottom.

powmia

Yeah, before you go on a troubleshooting fit... I would save the configs and rebuild your topology.

Eildor

Did that multiple times... anyway not to worry -- thanks mate.

gregorio323

Have you tried to make sure if it works with out the ZBF configuration?

Eildor wrote: »

Did that multiple times... anyway not to worry -- thanks mate.

Eildor

As far as I can remember (I've redone everything like 5 times so I could be wrong) it worked fine without ZBF. Anyway no worries I don't want to spend any more time on it. Cheers!

gregorio323

lol don't give up!. run some debug policy-firewall commands and see what is happening.

Eildor wrote: »

As far as I can remember (I've redone everything like 5 times so I could be wrong) it worked fine without ZBF. Anyway no worries I don't want to spend any more time on it. Cheers!

Eildor

It's set to log dropped packets... nothing is showing up at all so I guess the traffic is going out but not being allowed back in. I'll look into it when I get the chance one last time.

Eildor

Could the problem be the fact that I am using Linux on the VMs? I'm going to download Windows XP and see if that helps.

Mrock4

I labbed up your almost exact config (except interface names), and was successful in reaching the end device. I connected the devices in a series, such as: R2

R10 .....I utilized an existing topology I had for this, so that's why the hostnames are not in order. R3 was doing the ZBF and NAT. R10 had the IP of 192.168.0.1, and R2 had the IP of 172.16.0.1. .254 resides on the R3 interfaces.

See screenshots:

http://www.sgtccie.com/images/ZBF_issue.png (Shows successful telnet from R2 to R10)
http://www.sgtccie.com/images/ZBF_issue2.png (Shows config of R3)

Eildor

Argh this is doing my head in... feel like I'm wasting my time. Thanks for all the help, I'll get there eventually...

Mrock4

No worries. Have you run a wireshark capture at the host to see if traffic is reaching it? I know you said you saw .254 ARPing, but does the .1 address see those ARP requests? I'd be willing to venture if you solve the unanswered ARP you will solve your problem (big surprise, right?)

Best of luck!

Eildor

Everything now seems to be working... don't ask me why because I have absolutely no clue as I tried over 9000 different things, including: changing software firewall (Comodo and GNS3 do NOT get along), using Windows XP on VMs instead of Linux, pulling my hair out, etc.

Hopefully I don't have this much trouble setting up ASA on GNS3... thanks again.

gregorio323

Sounds like the 9001 try was it...

Eildor wrote: »

Everything now seems to be working... don't ask me why because I have absolutely no clue as I tried over 9000 different things, including: changing software firewall (Comodo and GNS3 do NOT get along), using Windows XP on VMs instead of Linux, pulling my hair out, etc.

Hopefully I don't have this much trouble setting up ASA on GNS3... thanks again.

Eildor

I'm just glad it's working now... ASA is up and running as expected too