[c-nsp] ZBFW - need help with configuration

false jctx09 at yahoo.com
Thu Feb 13 10:17:50 EST 2014



I am attempting to migrate from CBAC to ZBFW. I'm having some difficulties. I was hoping to get answers to the following questions.

1) Based on my config, is udp port 5060 allowed to go into the Self zone and the INSIDE zone?

2) Whenever I try to allow icmp AND dns from the self zone to outside, I get the error below. How do I fix this?
%Protocol configured in class-map SELF-OUT cannot be configured for the self zone with inspect action. Please remove the protocol and retry

3) I had some PCs that were able to browse the internet but I never saw connections when I ran "sh ip nat translation". Why?

4) Is IPSec allowed to come in correctly?

class-map type inspect match-all VoIP
 match access-group name VoIP
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any IN-TO-OUT-ALLOW-ALL-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-all SSH
 match protocol ssh
 match access-group name SSH
class-map type inspect match-all IPSEC
 match access-group name IPSEC
class-map type inspect match-any SELF-OUT
 match protocol icmp
 match protocol dns --> currently removed
!
policy-map type inspect SELF-OUTSIDE-POLICY
 class type inspect SELF-OUT
  inspect
 class class-default
  pass
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass
 class class-default
  drop log
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-ALLOW-ALL-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-SELF
 class type inspect IPSEC
  pass
 class type inspect SSH
  pass
 class type inspect VoIP
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE-POLICY
!
ip nat inside source list noNAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.1.0.0 255.255.0.0 Tunnel32
ip route 192.168.1.0 255.255.255.0 Tunnel31
ip route 192.168.2.0 255.255.255.0 Tunnel32
ip route 192.168.10.0 255.255.255.0 Tunnel31
!
ip access-list extended IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended SSH
 permit tcp any any eq 22
ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 131 permit gre host x.x.x.x host 64.x.x.x.x
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny   ip 192.168.3.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 175 permit ip 192.168.3.0 0.0.0.255 any
!
route-map noNAT permit 41
 match ip address 175
!
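To answer question 1 mechanically, here is an added example (my own code, not from the post or from Cisco): a small Python evaluator that walks the class-map, policy-map and zone-pair chain of the excerpt above and returns the verdict for a flow. It assumes source and destination addresses can be ignored and only handles the command forms that appear in the post.

```python
PORTS = {'ssh': ('tcp', 22), 'dns': ('udp', 53), 'isakmp': ('udp', 500), 'non500-isakmp': ('udp', 4500)}
CFG = """\
class-map type inspect match-all VoIP
 match access-group name VoIP
 match access-group name VoIP-OUT-TO-IN
class-map type inspect match-any OUTSIDE-TO-IN-CLASS
 match access-group name VoIP-OUT-TO-IN
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUTSIDE-TO-IN-CLASS
  pass
policy-map type inspect OUTSIDE-SELF
 class type inspect VoIP
  pass
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
ip access-list extended VoIP
 permit udp any host 49.x.x.x eq 5060
ip access-list extended VoIP-OUT-TO-IN
 permit udp any any eq 5060
"""

def parse(cfg):  # added example, not the post's code; handles only the command forms in the excerpt
    cmaps, pmaps, acls, pairs, cur, pair = {}, {}, {}, {}, None, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == 'class-map': cur = cmaps.setdefault(t[-1], {'mode': t[3], 'crit': []})
        elif t[0] in ('policy-map', 'ip'): cur = (pmaps if t[0] == 'policy-map' else acls).setdefault(t[-1], [])
        elif t[0] == 'zone-pair': pair = (t[4], t[6])                 # (source zone, destination zone)
        elif t[0] == 'service-policy': pairs[pair] = t[-1]
        elif t[0] == 'match': cur['crit'].append((t[1], t[-1]))       # ('protocol', x) | ('access-group', acl)
        elif t[0] == 'class': cur.append([t[-1], None])               # action is filled in by the next line
        elif t[0] in ('pass', 'inspect', 'drop'): cur[-1][1] = t[0]
        elif t[0] in ('permit', 'deny'): cur.append((t[0], t[1], int(PORTS.get(t[-1], (0, t[-1]))[1]) if 'eq' in t else None))
    return cmaps, pmaps, acls, pairs
def acl_permits(entries, proto, dport):                               # first match wins; addresses ignored (assumption)
    hit = next((act for act, p, port in entries if p == proto and port in (None, dport)), 'deny')
    return hit == 'permit'                                            # no match = implicit deny
def class_matches(cm, proto, dport, acls):                            # match-all = AND, match-any = OR
    hits = [val == proto or PORTS.get(val) == (proto, dport) if kind == 'protocol'
            else acl_permits(acls[val], proto, dport) for kind, val in cm['crit']]
    return all(hits) if cm['mode'] == 'match-all' else any(hits)
def action(src, dst, proto, dport=None, cfg=CFG):                     # returns pass / inspect / drop
    cmaps, pmaps, acls, pairs = parse(cfg)
    if (src, dst) not in pairs:                                       # ZBFW default: self zone open, other zones closed
        return 'pass' if 'self' in (src, dst) else 'drop'
    for cls, act in pmaps[pairs[(src, dst)]]:                         # first matching class wins
        if cls == 'class-default' or class_matches(cmaps[cls], proto, dport, acls): return act
    return 'drop'                                                     # the post's "class class-default / drop log"
```

Both `action('OUTSIDE', 'self', 'udp', 5060)` and `action('OUTSIDE', 'INSIDE', 'udp', 5060)` come back `pass`, and since `pass` creates no session state, any outside source can reach the router and any inside host on UDP/5060 without inspection.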