
zone based security


imbadatthis

Technical User
Aug 16, 2009
Trying to figure out how zone-based policy inspection works...

so I defined my DMZ:
Code:
class-map type inspect match-any DMZ-TRAFFIC
 match protocol http
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol smtp extended
 match protocol sip
 match protocol pop3
 match protocol ntp
 match protocol telnet
 match protocol fasttrack
 match access-group name DMZ

I figured since I have a lot of traffic matching access-group DMZ and I trust that traffic, I can just pass it instead of inspecting it.

Code:
policy-map type inspect DMZ
 class type inspect DMZ-TRAFFIC
  pass
 class class-default
  inspect

zone security DMZ
zone security OUTSIDE

zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ
And then I put fa0/0 as OUTSIDE
and my fa0/1 as INSIDE.

However, traffic comes to a complete halt.
Furthermore, the router says it's passing DNS traffic but I can't load websites:
Code:
 Zone-pair: DMZ-OUTSIDE

  Service-policy inspect : DMZ

    Class-map: DMZ-TRAFFIC (match-any)
      Match: protocol http
        82 packets, 2504 bytes
        30 second rate 0 bps
      Match: protocol dns
        12 packets, 532 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp extended
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol sip
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol pop3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ntp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol fasttrack
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name DMZ
        20 packets, 612 bytes
        30 second rate 0 bps
      Pass
        114 packets, 3648 bytes

    Class-map: class-default (match-any)
      Match: any
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [554:3301]
        udp packets: [966:7657]

        Session creations since subsystem startup or last reset 1505
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [152:194:4]
        Last session created 00:01:10
        Last statistic reset never
        Last session creation rate 88
        Maxever session creation rate 469
        Last half-open session total 0

The Cisco site says the zone-pairing is unidirectional only; however, it says that responding traffic should come through.

What am I doing incorrectly?


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Do you have an inside-to-outside zone-pair established?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
If you are using 3 interfaces you will need 3 zones. For the return traffic to be allowed to a zone you need to inspect it versus passing it.
 
unclerico,
Yes, fa0/0 is OUTSIDE, and fa0/1 is INSIDE.
I read up some more: PASS treatment only allows unidirectional traffic, so if I change it to inspect it kind of works. I have Internet connectivity (DNS queries come back through). However, my torrent downloads screech to a halt...
So the only thing that has changed in the code is:
Code:
policy-map type inspect DMZ
 class type inspect DMZ-TRAFFIC
  inspect

When I enable IP NBAR protocol discovery I see that a large number of packets are matching unknown (this could be my torrents).

I've tried mapping the port I use to fasttrack but still no luck.

any help would be appreciated.

braininms: I agree, eventually 3 zones, but I'm trying to get one working. I reckon when one is fixed, I can easily do the rest.

cheers

 
ZBF uses the ip port mappings and not the NBAR port mappings. You didn't specify which ones you are using, but I figured I would mention it as it's bitten me before.
 
Alright, posting a clean config and also some debug information. Maybe someone can clear things up for me.
Code:
ip port-map bittorrent port tcp from 57450 to 57550
ip inspect log drop-pkt
!
class-map type inspect match-any DMZ-TRAFFIC
 match protocol http
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol smtp extended
 match protocol sip
 match protocol pop3
 match protocol ntp
 match protocol telnet
 match protocol fasttrack
 match access-group name DMZ-HOST
!
policy-map type inspect DMZ
 class type inspect DMZ-TRAFFIC
  inspect
 class class-default
!
zone security DMZ
zone security OUTSIDE
zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect DMZ
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address dhcp hostname ISEEDEADPACKETS
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nat enable
 zone-member security OUTSIDE
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
 no mop enabled

interface FastEthernet0/1.3
 description $FW_DMZ$
 encapsulation dot1Q 3
 ip address 10.100.100.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 zone-member security DMZ
 ip virtual-reassembly

ip nat inside source static tcp 10.100.100.2 57465 interface FastEthernet0/0 57465
ip nat inside source list 1 interface FastEthernet0/0 overload

ip access-list extended DMZ-HOST
 permit tcp any host 10.100.100.2 eq 57465
 permit tcp host 10.100.100.2 any eq 57465

Syslog is showing:
10.100.100.1 63: 000069: Nov 22 13:22:27.547 PST: %FW-6-DROP_PKT: Dropping udp session 192.168.1.64:50710 69.72.255.20:8253 due to One of the interfaces not being cfged for zoning with ip ident 20576

10.100.100.1 62: 000068: Nov 22 13:21:54.122 PST: %FW-6-DROP_PKT: Dropping tcp session 82.247.151.111:39069 10.100.100.2:57465 due to policy match failure with ip ident 65124 tcpflags 0x8018 seq.no 31533616 ack 4019135299

10.100.100.1 44: 000050: Nov 22 13:13:45.380 PST: %FW-6-DROP_PKT: Dropping udp session 192.168.1.64:57465 183.16.116.247:51500 on zone-pair DMZ-OUTSIDE class class-default due to policy match failure with ip ident 15786

-----
The question is, how do I get the ZBF to allow my torrent traffic...

thanks,



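As an added example (not code from the thread), here is a small Python parser for the %FW-6-DROP_PKT lines posted above that maps each drop to the configuration gap it points at; the three sample lines are the ones from the post, and the diagnosis rules are heuristics chosen for this example, not Cisco's own classification.

```python
import re
from collections import Counter

# The three %FW-6-DROP_PKT lines posted above, used here as sample input.
SAMPLE_LOG = """\
10.100.100.1 63: 000069: Nov 22 13:22:27.547 PST: %FW-6-DROP_PKT: Dropping udp session 192.168.1.64:50710 69.72.255.20:8253 due to One of the interfaces not being cfged for zoning with ip ident 20576
10.100.100.1 62: 000068: Nov 22 13:21:54.122 PST: %FW-6-DROP_PKT: Dropping tcp session 82.247.151.111:39069 10.100.100.2:57465 due to policy match failure with ip ident 65124 tcpflags 0x8018 seq.no 31533616 ack 4019135299
10.100.100.1 44: 000050: Nov 22 13:13:45.380 PST: %FW-6-DROP_PKT: Dropping udp session 192.168.1.64:57465 183.16.116.247:51500 on zone-pair DMZ-OUTSIDE class class-default due to policy match failure with ip ident 15786
"""

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<pair>\S+) class (?P<cls>\S+))?"   # only present when a zone-pair was consulted
    r" due to (?P<reason>.+?) with ip ident \d+"
    r"(?: tcpflags (?P<flags>0x[0-9a-fA-F]+))?"            # TCP drops also carry the flags
)

def parse_drops(log_text):
    """Return one dict per %FW-6-DROP_PKT line; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def diagnose(ev):
    """Map a drop record to the configuration gap it points at (heuristic rules chosen here)."""
    if "not being cfged for zoning" in ev["reason"]:
        # One interface is a zone member and the other is in no zone: ZBF drops
        # traffic between them until both sit in zones joined by a zone-pair.
        return "interface-not-in-zone"
    if ev["reason"] == "policy match failure":
        if ev["cls"] == "class-default":
            # class-default with no action drops: this port needs a class with inspect.
            return "class-default-drop"
        if ev["flags"] is not None and int(ev["flags"], 16) & 0x02 == 0:
            # Non-SYN segment and no existing session: inspect had no flow to attach it to.
            return "tcp-no-session"
        return "no-matching-class"
    return "other"

def summarize(log_text):
    return Counter(diagnose(ev) for ev in parse_drops(log_text))

if __name__ == "__main__":
    for ev in parse_drops(SAMPLE_LOG):
        print(ev["proto"], ev["src"], "->", ev["dst"] + ":" + ev["dport"], diagnose(ev))
```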
 
You can either add

match protocol tcp

or

match protocol bittorrent

to your class map.
 