Jimmy, In your example when you tried to apply 'pass', you were not using a class-map of type inspect. That is the reason for the error message. Now if you do the pass method, it permits the traffic in that direction (based on the application of the zone pairs). You'll also have to create a pass for the replies to come back in the opposite direction based on the zone pairs. I know that it is counter intuitive to use a class-map of "type inspect" to describe traffic that is passed. However, it all goes in a policy-map type inspect. So even though you aren't inspecting, that's the type.
On Wed, Feb 3, 2010 at 4:17 PM, <[email protected]> wrote:
> Send CCIE_Security mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://onlinestudylist.com/mailman/listinfo/ccie_security
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_Security digest..."
>
>
> Today's Topics:
>
> 1. Zone-based policy firewall and interface acl:s? (Jimmy Larsson)
> 2. Re: Zone-based policy firewall and interface acl:s? (Brandon Carroll)
> 3. Re: Zone-based policy firewall and interface acl:s? (Brandon Carroll)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 3 Feb 2010 21:54:39 +0100
> From: Jimmy Larsson <[email protected]>
> Subject: [OSL | CCIE_Security] Zone-based policy firewall and interface acl:s?
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi
>
> I am trying some zone based firewall configurations and am getting confused. My
> background is that I am very familiar with Pix/ASA and not very familiar at
> all with the Firewall-features of IOS. Therefore I always compare these,
> which gets me confused.
>
> Now I've done a simple 2-zone firewall out of my 3-legged router. My goal is
> this:
> * Allow all outbound telnet stateful
> * Allow all icmp-echos initiated from inside (and of course the corresponding
> echo replies)
> * Deny everything else between the zones.
>
> I have configured the two zones and a policy-map that inspects and allows my
> outbound telnet. It looks like this:
>
> class-map type inspect match-any class-INSIDE-TO-OUTSIDE
>  match protocol telnet
> !
> !
> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>  class type inspect class-INSIDE-TO-OUTSIDE
>   inspect
>  class class-default
>   drop
> !
> zone security OUTSIDE
> zone security INSIDE
> zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
>  service-policy type inspect policy-INSIDE-TO-OUTSIDE
>
> interface FastEthernet0
>  description Outside
>  zone-member security OUTSIDE
> !
> interface FastEthernet1
>  description Inside
>  zone-member security INSIDE
> !
> interface Vlan13
>  zone-member security INSIDE
> !
>
> So, now I can telnet from outside to telnet. But what about the icmp:s? My
> idea was to create a class-map referring to an acl that defines non-stateful
> outbound traffic that should be allowed. Something like this:
>
> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>  permit icmp any any eq echo
>
> class-map class-INSIDE-TO-OUTSIDE-no-inspect
>  match access-group acl-INSIDE-TO-OUTSIDE-no-inspect
>
> But when trying to apply this to my policy-map (my goal was to do a
> "pass" action on this) I get this error:
>
> r1(config-pmap)#class class-INSIDE-TO-OUTSIDE-no-inspect
> % class class-INSIDE-TO-OUTSIDE-no-inspect of type default is not allowed in
> policy-map policy-INSIDE-TO-OUTSIDE of type inspect
>
> In what way am I thinking wrong here?
>
> Also, in my scenario, what should my interface acl:s look like when doing
> this zone thing? Since traffic between zones is blocked by default and
> traffic inside a zone is permitted, I guess that I shouldn't have any
> interface acl:s, since all transit traffic security is taken care of by the
> zone configuration. Right? Can there be any situation where interface acl:s
> are needed when doing ZBFW?
>
> Thanks in advance!
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://onlinestudylist.com/pipermail/ccie_security/attachments/20100203/327682f4/attachment-0001.htm
>
> ------------------------------
>
> Message: 2
> Date: Wed, 3 Feb 2010 13:15:59 -0800
> From: Brandon Carroll <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Zone-based policy firewall and interface acl:s?
> To: Jimmy Larsson <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Jimmy,
>
> ZBF is always a sticky topic.
>
> Here is my run down:
>
> The ICMP is going to be stateful, so you know it needs to be inspected. Try
> the following:
>
> ip access-list extended acl-INSIDE-TO-OUTSIDE-no-inspect
>  permit icmp any any eq echo
>
> class-map type inspect class-INSIDE-TO-OUTSIDE-no-inspect
>  match access-group acl-INSIDE-TO-OUTSIDE-no-inspect
>
> policy-map type inspect policy-INSIDE-TO-OUTSIDE
>  class type inspect class-INSIDE-TO-OUTSIDE
>   inspect
>
> ! Next the ICMP - it actually does need to be inspected to allow for the
> ! reply.
>
>  class type inspect class-INSIDE-TO-OUTSIDE-no-inspect
>   inspect
>  class class-default
>   drop
>
> You don't do any interface ACLs; rather, they are handled by the class-maps.
> In other words, you nest them in the policy-map.
>
> Here is a basic post I did on the ZBF. There is another one coming but I'm
> a bit behind. Hopefully this gives you a push in the right direction.
>
> Also, take a look at the DSG for Lab 2a. Task 2.11 has ICMP allowed in the
> ZBF configuration. Perhaps that will help a bit.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S,
> Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service
> Provider) Certification Training with locations throughout the United
> States, Europe and Australia. Be sure to check out our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com.
>
> On Wed, Feb 3, 2010 at 12:54 PM, Jimmy Larsson <[email protected]> wrote:
>
>> [...]
>
> ------------------------------
>
> Message: 3
> Date: Wed, 3 Feb 2010 13:16:52 -0800
> From: Brandon Carroll <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Zone-based policy firewall and interface acl:s?
> To: Jimmy Larsson <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> forgot the link to the post:
>
> http://blog.ipexpert.com/2010/01/18/cisco-ios-zone-based-firewalls/
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
>
> On Wed, Feb 3, 2010 at 1:15 PM, Brandon Carroll <[email protected]> wrote:
>
>> [...]
>
> End of CCIE_Security Digest, Vol 44, Issue 11
> *********************************************

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
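As an added example (not from anyone in the thread), this is what the stateless "pass" approach from the top reply looks like on IOS, including the second zone-pair it needs for the echo replies. The ACL, class-map and OUTSIDE-TO-INSIDE policy names are assumed; Jimmy's existing telnet class and INSIDE-TO-OUTSIDE zone-pair are reused as posted.

```cisco
! ICMP echo leaving INSIDE and echo-reply entering from OUTSIDE, as two
! separate named ACLs (ICMP types are matched by keyword, not "eq").
ip access-list extended acl-ICMP-ECHO-OUT
 permit icmp any any echo
ip access-list extended acl-ICMP-ECHO-REPLY-IN
 permit icmp any any echo-reply
!
! Both class-maps must be "type inspect" even though the action is pass,
! otherwise the policy-map type inspect refuses them (Jimmy's error).
class-map type inspect match-all class-ICMP-ECHO-OUT
 match access-group name acl-ICMP-ECHO-OUT
class-map type inspect match-all class-ICMP-ECHO-REPLY-IN
 match access-group name acl-ICMP-ECHO-REPLY-IN
!
! Outbound policy: telnet stays stateful (inspect), echo is passed
! statelessly, everything else is dropped.
policy-map type inspect policy-INSIDE-TO-OUTSIDE
 class type inspect class-INSIDE-TO-OUTSIDE
  inspect
 class type inspect class-ICMP-ECHO-OUT
  pass
 class class-default
  drop
!
! Return policy: because pass creates no session, the replies need their
! own zone-pair and their own pass. class-default drop keeps every other
! outside-initiated flow blocked, as it was with no zone-pair at all.
policy-map type inspect policy-OUTSIDE-TO-INSIDE
 class type inspect class-ICMP-ECHO-REPLY-IN
  pass
 class class-default
  drop
!
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect policy-OUTSIDE-TO-INSIDE
```

The trade-off is that the return pass admits any echo-reply from OUTSIDE whether or not an echo ever left, so Brandon's inspect version, which only opens the return path for replies to a tracked echo, is the tighter choice when the platform supports ICMP inspection.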
