I have seen several times that transparent firewall doesn't work for IOS. Where are you using this? Dynamips? Real equipment? What version? etc.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Saturday, October 24, 2009 1:17 PM
To: Mack, David A (Dave)
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] LAb2A Zone Based Firewall

I don't see any issues with the config, but it shouldn't behave like that. I will try to lab that up when I get some time on my equipment.

This question is to both Dave and Brian. Are either or both of you running this on Dynamips? I guess I am curious if it could be a minor glitch with how that works.

On Sat, Oct 24, 2009 at 12:40 PM, Mack, David A (Dave) <[email protected]> wrote:

Paul,

Ok, so restored the config I had saved prior to the erase and reload. I also added the ip inspect log drop-pkt. Traffic is flowing through R8 just fine but there are no counters incrementing or sessions:

SEC-R8# sh policy-map type inspect zone-pair
 Zone-pair: IN->OUT
  Service-policy inspect : FW-IN->OUT

    Class-map: IN->OUT-PROTO (match-any)
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol bootps
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: IN->OUT-ICMP (match-all)
      Match: access-group name ICMP
      Inspect
        Session creations since subsystem startup or last reset 0
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:0:0]
        Last session created never
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 0
        Last half-open session total 0

    Class-map: IN->OUT-ICMP-REPLY (match-all)
      Match: access-group name IN->OUT
      Pass
        0 packets, 0 bytes

    Class-map: class-default (match-any)
      Match: any
      Pass
        0 packets, 0 bytes

 Zone-pair: OUT->IN
  Service-policy inspect : FW-OUT->IN

    Class-map: OUT-IN (match-all)
      Match: access-group name FW-IN
      Pass
        0 packets, 0 bytes

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
SEC-R8#

The logs don't show anything:

SEC-R8# sh log
Syslog logging: enabled (12 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level emergencies, 56 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging: level debugging, 9 messages logged, xml disabled, filtering disabled
    Logging Exception size (8192 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level informational, 69 message lines logged
        Logging to 9.2.1.101 (udp port 514, audit disabled, authentication disabled, encryption disabled, link up),
              5 message lines logged, 0 message lines rate-limited, 0 message lines dropped-by-MD,
              xml disabled, sequence number disabled filtering disabled

Log Buffer (10000 bytes):

*Oct 24 15:08:29.615: %SYS-6-CLOCKUPDATE: System clock has been updated from 15:08:29 UTC Sat Oct 24 2009 to 10:08:29 EST Sat Oct 24 2009, configured from console by console.
*Oct 24 15:08:29.643: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:08:29 EST Sat Oct 24 2009 to 11:08:29 EDT Sat Oct 24 2009, configured from console by console.
*Oct 24 15:08:32.835: %LINK-3-UPDOWN: Interface Serial1/0:0, changed state to up
*Oct 24 15:08:33.835: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0:0, changed state to up
*Oct 24 15:08:37.479: %SYS-5-CONFIG_I: Configured from console by console
*Oct 24 15:08:38.479: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 9.2.1.101 port 514 started - CLI initiated
Oct 24 16:01:25.063: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:02:38.544: %SYS-5-CONFIG_I: Configured from console by console
Oct 24 16:06:51.457: %SYS-5-CONFIG_I: Configured from console by console
SEC-R8#

So here is the full config:

SEC-R8#sh run
Building configuration...

Current configuration : 3930 bytes
!
! Last configuration change at 12:06:51 EDT Sat Oct 24 2009
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SEC-R8
!
boot-start-marker
boot system disk0:c7200-adventerprisek9-mz.124-15.T1.bin
boot-end-marker
!
logging buffered 10000
logging console emergencies
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
no ip domain lookup
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
controller T1 1/0
 framing esf
 clock source internal
 linecode b8zs
 cablelength short 133
 channel-group 0 timeslots 1-24
!
controller T1 1/1
 framing esf
 linecode b8zs
!
controller T1 1/2
 framing esf
 linecode b8zs
!
controller T1 1/3
 framing esf
 linecode b8zs
!
controller T1 1/4
 framing esf
 linecode b8zs
!
controller T1 1/5
 framing esf
 linecode b8zs
!
controller T1 1/6
 framing esf
 linecode b8zs
!
controller T1 1/7
 framing esf
 linecode b8zs
!
ip tcp synwait-time 7
!
class-map type inspect match-all IN->OUT-ICMP-REPLY
 match access-group name IN->OUT
class-map type inspect match-any IN->OUT-PROTO
 match protocol ssh
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol bootps
class-map type inspect match-all IN->OUT-ICMP
 match access-group name ICMP
class-map type inspect match-all OUT-IN
 match access-group name FW-IN
!
policy-map type inspect FW-OUT->IN
 class type inspect OUT-IN
  pass
 class class-default
  drop
policy-map type inspect FW-IN->OUT
 class type inspect IN->OUT-PROTO
  inspect
 class type inspect IN->OUT-ICMP
  inspect
 class type inspect IN->OUT-ICMP-REPLY
  pass
 class class-default
  pass
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect FW-IN->OUT
zone-pair security OUT->IN source OUTSIDE destination INSIDE
 service-policy type inspect FW-OUT->IN
bridge irb
!
interface FastEthernet0/0
 ip address 192.168.144.158 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0:0
 no ip address
!
interface FastEthernet2/0
 no ip address
 zone-member security OUTSIDE
 duplex full
 speed 100
 bridge-group 1
!
interface FastEthernet2/1
 no ip address
 zone-member security INSIDE
 duplex full
 speed 100
 bridge-group 1
!
interface BVI1
 ip address 9.9.156.8 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.144.1
ip route 0.0.0.0 0.0.0.0 9.9.156.9
ip route 192.168.4.0 255.255.255.0 192.168.144.1
ip route 192.168.5.0 255.255.255.0 192.168.144.1
no ip http server
no ip http secure-server
!
ip bgp-community new-format
!
ip access-list extended FW-IN
 permit icmp any any echo
 permit icmp any any unreachable
 permit udp host 9.9.156.9 eq ntp host 7.7.7.7 eq ntp
 permit tcp host 9.9.156.9 gt 1024 host 9.9.156.7 eq bgp
 permit tcp host 9.9.156.9 eq bgp host 9.9.156.7 gt 1024
ip access-list extended ICMP
 permit icmp any any echo
ip access-list extended IN->OUT
 permit icmp any any echo-reply
!
logging alarm informational
logging 9.2.1.101
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
gatekeeper
 shutdown
!
alias configure a access-list
alias exec c conf t
alias exec i sh ip route
alias exec ib sh ip int brief
alias exec b sh ip bgp
alias exec bs sh ip bgp summ
alias exec clb clear ip bgp *
alias exec oi sh ip ospf int
alias exec on sh ip ospf neigh
alias exec s sh run
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 no login
!
ntp authentication-key 1 md5 020F145E13160A3358 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17179178
ntp server 9.9.156.9 key 1
!
webvpn cef
!
end
SEC-R8#

and the sh ver

SEC-R8#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 13:29 by prod_rel_team

ROM: System Bootstrap, Version 12.2(4r)B2, RELEASE SOFTWARE (fc2)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.3(7)T, RELEASE SOFTWARE (fc1)

SEC-R8 uptime is 3 hours, 36 minutes
System returned to ROM by reload at 08:59:14 EDT Sat Oct 24 2009
System restarted at 09:01:22 EDT Sat Oct 24 2009
System image file is "disk0:c7200-adventerprisek9-mz.124-15.T1.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use.
Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to [email protected].

Cisco 7206VXR (NPE400) processor (revision B) with 491520K/32768K bytes of memory.
Processor board ID 16066293
R7000 CPU at 350MHz, Implementation 39, Rev 3.3, 256KB L2 Cache
6 slot VXR midplane, Version 2.0

Last reset from power-on

PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 400 bandwidth points.
This configuration is within the PCI bus capacity and is supported.

PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 400 bandwidth points
This configuration is within the PCI bus capacity and is supported.

Please refer to the following document "Cisco 7200 Series Port Adaptor Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com> for c7200 bandwidth points oversubscription and usage guidelines.

4 FastEthernet interfaces
1 Serial interface
8 Channelized T1/PRI ports
125K bytes of NVRAM.

500377K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

SEC-R8#

Thanks!

Dave
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
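The all-zero counters in Dave's output are the thing worth checking mechanically on any zone-based firewall: a zone-pair whose policy is attached but has never matched a packet or created a session, on a router that is demonstrably forwarding, means the traffic is not reaching the inspect path at all, which is the symptom the thread describes. The parser below is an added example and not code from the thread; it assumes the `sh policy-map type inspect zone-pair` layout shown above and runs on a constructed, trimmed sample.

```python
import re

# Constructed sample shaped like the thread's 'sh policy-map type inspect zone-pair' output
SAMPLE = """\
Zone-pair: IN->OUT
  Class-map: IN->OUT-PROTO (match-any)
   Match: protocol ssh
    0 packets, 0 bytes
   Inspect
    Session creations since subsystem startup or last reset 0
  Class-map: class-default (match-any)
   Match: any
   Pass
    0 packets, 0 bytes
Zone-pair: OUT->IN
  Class-map: OUT-IN (match-all)
   Match: access-group name FW-IN
   Pass
    12 packets, 960 bytes
  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes
"""

def parse_zone_pairs(text):
    """Return {zone_pair: {class_map: {"action", "packets", "sessions"}}}."""
    result, zp, cm = {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Zone-pair:"):
            zp = s.split(":", 1)[1].strip()
            result[zp] = {}
        elif s.startswith("Class-map:"):
            cm = s.split(":", 1)[1].rsplit(" (", 1)[0].strip()
            result[zp][cm] = {"action": None, "packets": 0, "sessions": 0}
        elif s in ("Inspect", "Pass", "Drop"):
            result[zp][cm]["action"] = s.lower()
        elif m := re.match(r"(\d+) packets, (\d+) bytes", s):
            result[zp][cm]["packets"] += int(m.group(1))  # per-match and per-action counters
        elif m := re.match(r"Session creations since .* reset (\d+)", s):
            result[zp][cm]["sessions"] = int(m.group(1))
    return result

def idle_zone_pairs(parsed):
    """Zone-pairs where no class-map, class-default included, ever counted a packet or session."""
    return sorted(zp for zp, cms in parsed.items()
                  if all(c["packets"] == 0 and c["sessions"] == 0 for c in cms.values()))
```

Run it against the real output after the router has forwarded known traffic; a zone-pair listed by `idle_zone_pairs` while interface counters are climbing is the finding to chase, independent of whether the platform is Dynamips or hardware.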
