Guys!
Can anyone see what I am doing wrong here? My router R1 has 4 interfaces and
ongoing OSPF neighborships. I add a ZBFW that simply places 2 interfaces in
zone "INSIDE" and 2 in zone "OUTSIDE". Also, I mess around with the
self zone. On all policy-maps I have added an "OSPF" class that right now
matches any traffic, since I cannot get it to work. Even then, all traffic is
dropped on class-default. Why?
Log messages:
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from
192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from
192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from
192.168.169.10:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from
192.168.12.2:0 => 192.168.12.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from
192.168.13.3:0 => 192.168.13.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from
192.168.13.3:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from
192.168.14.1:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from
192.168.169.1:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
One of the policy-maps:
R1#sh policy-map type insp zone-pair INSIDE->SELF
 policy exists on zp INSIDE->SELF
  Zone-pair: INSIDE->SELF
  Service-policy inspect : INSIDE->SELF
    Class-map: OSPF (match-all)
      Match: access-group name OSPF
      Pass
        0 packets, 0 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        368 packets, 21968 bytes
R1#
My OSPF access-list:
R1#sh access-l OSPF
Extended IP access list OSPF
20 permit ip any any (107 matches)
R1#
And the full config:
Building configuration...
Current configuration : 5451 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging count
logging message-counter syslog
logging buffered 4096
no logging rate-limit
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2178368166
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2178368166
revocation-check none
rsakeypair TP-self-signed-2178368166
!
!
crypto pki certificate chain TP-self-signed-2178368166
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313738 33363831 3636301E 170D3130 30383233 31323238
30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31373833
36383136 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CFFF 23FB8BBB 4357436C D507EA26 8E823113 1DA9C415 A07CD699 83C72152
4E07AB9C CE06EB9C 017DF40C D47AF894 97F9EAF3 DE0D3331 C5A432B8 95524CB7
C6517E90 E4D704B3 0DD3535E EEAC60B3 2680C4CF 187A066B 0982B01E 3C6EC186
D6221EB7 21A94B63 FAC4324F A06EF53F 4C8EFA73 13366BA7 22A2A952 4C6FFE12
20810203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523130 1F060355 1D230418 30168014 D87EBD8F FDDDC2D2
A814D2A6 66A948EE DBDCA738 301D0603 551D0E04 160414D8 7EBD8FFD DDC2D2A8
14D2A666 A948EEDB DCA73830 0D06092A 864886F7 0D010104 05000381 81007D8B
601E0E43 E0729D45 F44E0B7D 98283595 126EE6A8 C2A7EAF4 962510DA C90120F2
82EE7A3F DB267CBA FEBAB878 D87B66B3 B91F37E7 CBAF041B 5E79FF6C 216D2759
A279A03C 471F2130 5B23C00C BFF62BA6 D8C7D034 BE0C34F6 F773F1BA C8E0389E
18C4D8D7 0D35C714 90CE8BD9 2B527335 5BC66E78 99F46DE0 F84FBA2B 06FA
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp domain KVISTOFTA
vtp mode transparent
!
!
!
archive
 log config
  hidekeys
!
!
vlan 4,12,14
!
!
class-map type inspect match-all OSPF
 match access-group name OSPF
!
!
policy-map type inspect INSIDE->SELF
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect SELF->INSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE->INSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect INSIDE->OUTSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE->SELF
 class type inspect OSPF
  pass
 class class-default
  drop log
policy-map type inspect SELF->OUTSIDE
 class type inspect OSPF
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUTSIDE->INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE->INSIDE
zone-pair security INSIDE->OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE
zone-pair security OUTSIDE->SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF
zone-pair security SELF->OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF->OUTSIDE
zone-pair security INSIDE->SELF source INSIDE destination self
 service-policy type inspect INSIDE->SELF
zone-pair security SELF->INSIDE source self destination INSIDE
 service-policy type inspect SELF->INSIDE
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 ip address 192.168.12.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0.13
 encapsulation dot1Q 13
 ip address 192.168.13.1 255.255.255.0
 zone-member security INSIDE
!
interface FastEthernet0.14
 encapsulation dot1Q 14
 ip address 192.168.14.1 255.255.255.0
 zone-member security OUTSIDE
!
interface FastEthernet0.169
 encapsulation dot1Q 169
 ip address 192.168.169.10 255.255.255.0
 zone-member security OUTSIDE
!
interface FastEthernet1
 no ip address
 no ip unreachables
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport mode trunk
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
router ospf 1
 log-adjacency-changes
 network 192.168.0.0 0.0.255.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
ip http secure-server
!
!
!
ip access-list extended OSPF
 permit ip any any
!
ip access-list logging interval 1
logging dmvpn
!
!
!
!
!
!
control-plane
!
alias exec srs show run | sect
alias exec siib show ip int brie | excl unass
!
line con 0
 logging synchronous
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 login
!
!
!
end
What is going on? Why is all traffic hitting class-default even when I have
a class that matches all traffic above class-default?
/Jimmy
--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
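The Python script below is an added example and is not part of Jimmy's post or of any Cisco tooling. It parses the %FW-6-LOG_SUMMARY drop lines and the `show policy-map type inspect zone-pair` output quoted in the post (embedded here as constructed sample strings, with the wrapped log lines rejoined onto one line each as IOS prints them) and aggregates the drops by zone-pair and class, flagging flows to the OSPF multicast groups 224.0.0.5 and 224.0.0.6. Run over the post's own lines it makes the symptom explicit: every drop lands on class-default on the INSIDE->SELF, OUTSIDE->SELF and SELF->OUTSIDE zone pairs, most of it OSPF hello traffic, while the OSPF class on the zone pair has matched zero packets even though the ACL it references shows matches.

```python
import re
from collections import Counter, defaultdict

# Regex for the IOS %FW-6-LOG_SUMMARY line format seen in the post.
LOG_RE = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zp>[A-Za-z0-9_-]+->[A-Za-z0-9_-]+):(?P<cls>[\w-]+)\)"
)

# Well-known OSPF multicast groups: AllSPFRouters and AllDRouters.
OSPF_GROUPS = {"224.0.0.5", "224.0.0.6"}

# Constructed sample input: the post's log lines, each rejoined onto one line.
SAMPLE_LOG = """\
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.12.2:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.14.4:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
*Aug 23 12:56:47.023: %FW-6-LOG_SUMMARY: 7 packets were dropped from 192.168.169.10:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.12.2:0 => 192.168.12.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 192.168.13.1:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.13.3:0 => 224.0.0.5:0 (target:class)-(INSIDE->SELF:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.14.1:0 => 224.0.0.5:0 (target:class)-(SELF->OUTSIDE:class-default)
*Aug 23 12:56:47.027: %FW-6-LOG_SUMMARY: 6 packets were dropped from 192.168.169.1:0 => 224.0.0.5:0 (target:class)-(OUTSIDE->SELF:class-default)
"""

# Constructed sample input: the post's `show policy-map type inspect zone-pair` output.
SAMPLE_POLICY = """\
 policy exists on zp INSIDE->SELF
  Zone-pair: INSIDE->SELF
  Service-policy inspect : INSIDE->SELF
    Class-map: OSPF (match-all)
      Match: access-group name OSPF
      Pass
        0 packets, 0 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        368 packets, 21968 bytes
"""

CLASS_RE = re.compile(r"Class-map: (?P<name>\S+) \((?P<mode>match-\w+)\)")
PKT_RE = re.compile(r"(?P<pkts>\d+) packets, (?P<bytes>\d+) bytes")


def parse_drops(text):
    """Yield one dict per %FW-6-LOG_SUMMARY line; other lines are ignored."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            yield d


def summarize(text):
    """Aggregate dropped packets per zone-pair, collect the classes that dropped,
    and count drops whose destination is an OSPF multicast group."""
    per_pair = Counter()
    classes = set()
    ospf_pairs = defaultdict(int)
    for d in parse_drops(text):
        per_pair[d["zp"]] += d["count"]
        classes.add(d["cls"])
        if d["dst"] in OSPF_GROUPS:
            ospf_pairs[d["zp"]] += d["count"]
    return {
        "per_pair": dict(per_pair),
        "classes": classes,
        "ospf_multicast_drops": dict(ospf_pairs),
        "total": sum(per_pair.values()),
    }


def parse_policy_counters(text):
    """Return {class_name: {"mode", "action", "packets"}} from the show output."""
    result = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        m = CLASS_RE.match(s)
        if m:
            current = m.group("name")
            result[current] = {"mode": m.group("mode"), "action": None, "packets": 0}
            continue
        if current is None:
            continue
        if s.startswith(("Pass", "Drop", "Inspect")):
            result[current]["action"] = s.split()[0].lower()
        m = PKT_RE.match(s)
        if m:
            result[current]["packets"] = int(m.group("pkts"))
    return result


def unmatched_classes(counters):
    """Names of classes configured on the zone-pair that never matched a packet."""
    return [name for name, c in counters.items() if c["packets"] == 0]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("drops per zone-pair:", s["per_pair"])
    print("classes that dropped:", s["classes"])
    print("drops to OSPF multicast groups:", s["ospf_multicast_drops"])
    c = parse_policy_counters(SAMPLE_POLICY)
    print("policy counters:", c)
    print("classes with zero matches:", unmatched_classes(c))
```

Pointing the script at a real `show logging` capture instead of SAMPLE_LOG gives the same per-zone-pair breakdown; the drops to 224.0.0.5 with source and destination port 0 are OSPF hellos, which is the traffic the OSPF class was meant to pass.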