Traditional ACL vs Zone Based FW
I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config. We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco. Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comforatable with?
If there was the option to use a Zone based FW or just straight access lists then surely the Zone based FW would be considered a better option as it has more features than just permit or deny. The Zoned based FW will also inspect traffic and block any traffic with malicous code for example. I am not an expert in this arena, but based on Security exam topics and other publications, the FW approach seems to be gaining traction versus managing ACLs alone. Although, ACLs will always have their place in the network...
The choice is based on your comfort level, but both are viable options...
BR,
Cary
Sent from Cisco Technical Support iPad App
Similar Messages
-
CSS Zone based DNS solution question
I have a css at the main site configured as a stand alone unit at the moment.
I have the advanced feature set and want to use our second CSS for a dynamic failover sceanario in the DR site.
At the moment in the event of Internet access interruption of the Main site, the DR site is configured to advertise the main site Internet subnet out it's edge router to BGP.
The DR edge router receives updates from the Main site edge router through everything end to end and distributes this into BGP.
The DR PIX has static mappings to the main site servers.
But this is only if the link drops and everything else is up.
If the site gets wiped out, there is no failover plan.
I am thinking this will be a problem if I set up the Zone Based DNS scenario.
I have the CSS devices, is this a huge problem to work around?
Any thoughts?Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
CSS Zone based DNS for Site Redundancy?
I am in the process of changing from rules based dns to zone based dns. I had used the document below to provide redundancy between 2 sites.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801dcd75.shtml
The is an acl in the document which says
"If the primary site is up, then this ACL will tell requests landing on this site to prefer the Primary site.
clause 10 permit any any destination content owner_backup/WWW-backup prefer hacked_redirectt
clause 99 permit any any destination any
apply circuit-(VLAN1)
apply dns
Once I implemented a dns-server zone, this acl no longer has an effect. The requests are round robbining unless I set the dns-server zone to preferlocal. Unfortunately this does not solve my problem, if the main site is up both css's should prefer the main site.
How is this same thing accomplished with zone based dns, or is it even possible? Thanks.Anyone? Gilles, any words of advice?
I found this in the documentation for acl's, it states...
"If you configure a CSS with the dns-server command, and the CSS receives a
DNS query for a domain name that you configured on the CSS using the host
command, the DNS query will not match on an ACL that is configured with the
apply dns command.
However, if you configure a domain name on a content rule on a CSS using the
add dns domain_ name command, a DNS query for that domain name will match
on an ACL that is configured with the apply dns command."
The problem with this statement is I am not using the "host" command and I am also not using the "add dns" command. I am using the "dns-record a" command. -
Nearest time zones based on user time zone
Hi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
AravindHi,
In my application, user accesses the applet in the browser and based on the user time zone I need to display the list of available server which are near to his time zone.
Please provide me some hints on how to sort the time zones based on the time zone offset.
Thanks
Aravind -
Look-up java time zone based on location?
I have a test app where I can assign a java timezone and return time info - However, I don't see a way to look-up a java time zone based on location (combination of city/province/state/country).
Is this possible?Has any one found a way to lookup a timezone based on a city/region in the world? So one could be able to type any city and state/province and country combination and get the corresponding timezone for that region. Is there a place where one can buy this data?
Thank you -
Cisco Zone-based firewall issue/ not receiving return traffic
Hi,
I have created a Cisoc IOS Zone based firewall on my cisco 3945 router. I have an issue receiving any returning traffic. Here is a simplified version of my issue.
I have two zone pairs: Internal to Outside and Outside to Internal.
In the zone pair Out-to-Int I have a few rules allowing connections to specific servers on specific ports. The default class-map drops any non-matching packets.
In the zone pair Int-to-Out I have a rule saying internal PCs can access any destination on the internet over “any” service. When I put the action as “Inspect” I cannot connect to the internet. It’s as if my return traffic is not detected by the firewall and instead gets dropped by the default class map in the Out-to-Int pair.
To make it work I need to do two changes. I need to choose Allow instead of Inspect and I need to change the default class-map on the Out-to-Int pair to “allow” for unmatched traffic. But this is not good because I have a default allow on my out-to-int pair.
Am I misunderstanding something? Shouldn’t the inspect action on the Int-to-Out zone allow for return traffic no matter what rules I applied on the Out-to-Int pair? Thank you in advance for your help.Please share your config. Then we can see what's wrong there.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Renumbering with ACL-Friendly Role-Based Addressing or...?
We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6. Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN. This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically. Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches. Why so many, you ask? We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency:
Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch. For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch. For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch. The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer. I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
Thoughts? What issues have we neglected to consider? No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations. From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3. It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
Thanks in advance for your ideas!
-AaronHi David,
Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
Rajesh -
Introduction:
There is a date’s type field in the database. When using the field in the report, clients want to convert the field’s values based on own Time Zone to show the date field.
Workaround:
Currently, Reporting Services doesn’t provide the function that can get the Time Zone of a client machine. To work around the issue, you need to add a custom code in the report to convert Time Zone and create a parameter through which the client users can
select his/her Time Zone, and then pass the parameter value to the custom function. Please see the details as follows:
1. Click the Report, select Report Properties and add the custom code as the screenshot shown:
Custom code:
Shared Function FromUTC (ByVal d As Date, ByVal tz As String) As Date
Return (TimeZoneInfo.ConvertTimeBySystemTimeZoneId(d, TimeZoneInfo.Utc.Id, tz))
End Function
2. Create a parameter named TimeZone (you can name the parameter according to your requirement), select Available value and click Specify values.
Label
Value
China Standard Time
China Standard Time
Central European Time Zone Central European Time Zone
India Time Zone
India Time Zone
United States of America Time zones United States of America Time zones
3. Call the custom code and type the expression to convert the Time Zone as follows:
=Code.FromUTC(Fields!UTCDateFromDatabase.Value,Parameters!TimeZone.Value)
Note: If you use the expression “=Code.FromUTC(Fields!UTCDateFromDatabase.Value,TimeZone.CurrentTimeZone.StandardName)”, it cannot achieve the goal because TimeZone.CurrentTimeZone.StandardName gets the TimeZone of Report Server side rather than Client side.
More information:
TimeZone Class
http://msdn.microsoft.com/en-us/library/system.timezone(v=vs.110).aspx
Applies to
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2012Hello,
Please read the answer provided by Kalman on the following thread:
http://social.technet.microsoft.com/Forums/es-ES/446df85a-7ad8-4891-8748-478a26350c5c/how-to-compare-tables-in-two-different-servers-while-one-of-the-server-name-has-a-?forum=transactsql
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com -
Problems with Zone based Firewall and mtr (mytraceroute)
We are using ZFW on an ASR1001 and have experienced a problem: when I try to use mtr (mytraceroute, see
http://en.wikipedia.org/wiki/MTR_%28software%29), I am getting packetloss on all hops between the source and the destination. e.g.:
<code>
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 100.0 8 0.0 0.0 0.0 0.0 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 100.0 7 0.0 0.0 0.0 0.0 0.0
7. de-cix20.net.google.com 100.0 7 0.0 0.0 0.0 0.0 0.0
8. 72.14.238.230 100.0 7 0.0 0.0 0.0 0.0 0.0
9. 72.14.239.62 100.0 7 0.0 0.0 0.0 0.0 0.0
10. 209.85.242.187 100.0 7 0.0 0.0 0.0 0.0 0.0
11. ???
12. ???
13. ???
14. bk-in-f94.1e100.net 0.0% 7 20.0 20.6 20.0 21.2 0.4
</code>
So it seems that the Firewall on my asr1001 is throwing away all packets with ttl-exceeded coming back from hops in between, they have another destination address.
At the moment I am inspecting all kind of traffic from my network outgoing:
ip access-list extended 101
permit ip any any
class-map type inspect match-all cmap1
match access-group name 101
policy-map type inspect pmap1
class type inspect cmap1
inspect
etc... (zones, zone-pair in-out with policies applied)
So I tried to let pass all icmp-traffic from the outside to my network:
class-map type inspect match-all cmap_icmp
match protocol icmp
policy-map type inspect pmap2
class type inspect cmap_icmp
pass
etc... (zones, zone-pair out-in with policies applied)
So this has no effect, but I tested and I could figure out, that when I pass all icmp-traffic from my network to the outside, THEN mtr does work.
BUT then normal ping does not work anymore, because it will not be inspected any more.
But I want to have a secure Firewall with inspecting echo-replys and working mtr anyway.
Has anyone the same problem or can even solve this issue?
Thanks in advance,
StefanHi Andrew, thanks for Your answer...
So I have now:
class-map type inspect match-any cmap_icmp
match access-group name icmp_types
ip access-list extended icmp_types
permit icmp any any ttl-exceeded
PMAP IN--> OUT
(don't be confused, my "vlanxxx_pmap_in" is the pmap FROM my network TO the outside...)
policy-map type inspect vlan664_pmap_in
class type inspect vlan664_cmap_in (this is an extended ACL "permit ip x.x.x.x any")
inspect
class type inspect ipsec_cmap_in (this is because I have problems with VPN when inspected, another problem...)
pass log
class class-default
drop log
PMAP OUT-->IN
policy-map type inspect vlan664_pmap_out
class type inspect cmap_icmp (here comes the "ttl-exceeded"-ACL)
pass log
class type inspect vlan664_cmap_out (some open ports for some clients)
inspect
class type inspect ipsec_cmap_out (same problem with VPN when inspected)
pass log
class class-default
drop log
But unfortunately, the same problem occurs. Curiously, the first two packets seem to go "through" the firewall, but with 3rd packet the packetloss comes up:
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 50.0% 3 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 50.0% 3 0.9 0.9 0.9 0.9 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 0.0% 2 2.7 2.7 2.7 2.7 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 0.0% 2 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 0.0% 2 2.5 2.5 2.5 2.5 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 0.0% 2 4.1 4.1 4.1 4.1 0.0
7. de-cix20.net.google.com 0.0% 2 5.0 5.0 5.0 5.0 0.0
8. 72.14.238.44 0.0% 2 39.2 39.2 39.2 39.2 0.0
9. 72.14.236.68 0.0% 2 5.4 5.4 5.4 5.4 0.0
10. 209.85.254.118 0.0% 2 5.4 5.4 5.4 5.4 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 2 5.5 5.3 5.2 5.5 0.2
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. Stuttgart-I28-1.belwue.de 66.7% 4 0.3 0.3 0.3 0.3 0.0
2. Stuttgart-AL30-1-gi0-0-0-3.belwue.net 66.7% 4 0.8 0.8 0.8 0.8 0.0
3. Karlsruhe-RZ-1-10GE-0-1-0-1.belwue.net 66.7% 4 2.1 2.1 2.1 2.1 0.0
4. Karlsruhe1-10GE-4-0-0.belwue.net 66.7% 4 1.5 1.5 1.5 1.5 0.0
5. Mannheim1-10GE-3-0-0.belwue.net 66.7% 4 2.6 2.6 2.6 2.6 0.0
6. Frankfurt-DECIX-1-10GE-0-0-0-0.belwue.net 66.7% 4 4.2 4.2 4.2 4.2 0.0
7. de-cix20.net.google.com 66.7% 4 5.3 5.3 5.3 5.3 0.0
8. 72.14.238.44 66.7% 4 70.3 70.3 70.3 70.3 0.0
9. 72.14.239.60 66.7% 4 5.8 5.8 5.8 5.8 0.0
10. 209.85.254.116 66.7% 4 5.8 5.8 5.8 5.8 0.0
11. ???
12. google-public-dns-a.google.com 0.0% 4 6.3 5.7 5.2 6.3 0.5
In the sessions on the routers, I see only this entry:
Session 206F66C (129.143.6.89:8)=>(8.8.8.8:0) icmp SIS_OPEN
Any other suggestions? -
ACL on controller-based wireless
We're trying to put an ACL on our wireless guest subnets on a controller-based wireless system. We're using 2 of the WiSMs. The ACL I used to use in WLSM allowed the guest subnet to the dhcp servers and out to the internet and dropped everything else, but I don't know where I would apply that list now for it to work with all the different vlans and addresses for the WiSMs.
Hi Brian,
Perhaps this doc will help;
ACLs on Wireless LAN Controller Configuration Example
From this doc;
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
Hope this helps!
Rob -
Websense web filtering not working with 2911 with zone based firewall
Hi,
Any one ran into this issue
We use websense for guest wifi but i dont see requests hitting websense server
config is below
class-map type inspect match-any test-1
match protocol http
policy-map type inspect Wifi-test
class type inspect test-1
inspect
urlfilter websense-parmap
class class-default
drop
parameter-map type urlfilter websense-parmap
server vendor websense 10.10.1.4
source-interface GigabitEthernet0/2
allow-mode on
cache 100
zone-pair security Wifi-in-out source Wifi destination outside
service-policy type inspect Wifi-test
interface GigabitEthernet0/1
description Internet
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
zone-member security Wifi
interface GigabitEthernet0/2
description LAN
ip address 10.10.4.1 255.255.255.0
zone-member security insideHi Stan,
You should be able to adapt this config example to your environment.
Andy-
class-map type inspect match-any http-cm
match protocol http
parameter-map type urlfpolicy websense websense-parm
server <websense server IP>
source-interface <lan interface>
allow-mode on
truncate hostname
class-map type urlfilter websense match-any websense-cm
match server-response any
policy-map type inspect urlfilter websense-pm
parameter type urlfpolicy websense websense-parm
class type urlfilter websense websense-cm
server-specified-action
policy-map type inspect Inside->Internet-pm
description Inside trusted to Internet
class type inspect http-cm
inspect
service-policy urlfilter websense-pm
class type inspect Inside->Internet-cm
inspect
class class-default
drop
zone-pair security Inside->Internet source Inside destination Internet
service-policy type inspect Inside->Internet-pm
! to check status & url block counts
show policy-map type inspect zone-pair Inside->Internet urlfilter -
Problem in Zone Based FW Config
Could anyone see why the below config is making http downloads/streaming hang. Cant watch any streaming as it hangs in various parts but also downloading MS service packs, it will sometimes not start at all or get a few percent then cut off.
Downloading off newsgroups though is not an issue.
It is deffo router in some way. Tried a bog standard one and no issues. Seems to be since I adjusted the FW config through the CCP wizard and might of selected the medium security option.
Any ideas please?
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-PolicyThis is the current running config:
HOME_RTR#sho term len 0
HOME_RTR#show run
Building configuration...
Current configuration : 8216 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname
logging message-counter syslog
enable secret 5
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2045468537
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2045468537
revocation-check none
rsakeypair TP-self-signed-2045468537
crypto pki certificate chain TP-self-signed
certificate self-signed 01
quit
dot11 syslog
ip source-route
ip dhcp pool PRIVATE
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool WORK
import all
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
ip dhcp pool SERVER
host 192.168.10.200 255.255.255.0
client-identifier 0100.248c.3fdb.a9
client-name SERVER
ip dhcp pool XBOX
host 192.168.10.210 255.255.255.0
client-identifier 0100.25ae.eae4.88
client-name XBOX
ip cef
ip domain name home.local
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any Incoming-XBL-Traffic
match access-group name XBOX-Live
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect Incoming-XBL-Policy
class type inspect Incoming-XBL-Traffic
pass
class class-default
drop
zone security in-zone
zone security out-zone
zone security private-in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-private-in-out source private-in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-private-in source out-zone destination private-in-zone
service-policy type inspect Incoming-XBL-Policy
interface ATM0
no ip address
no ip redirects
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0.1 point-to-point
description WAN via ADSL
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
interface FastEthernet1
shutdown
interface FastEthernet2
shutdown
interface FastEthernet3
shutdown
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan10
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security private-in-zone
ip tcp adjust-mss 1412
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
interface Dialer0
description ADSL Dialup
ip address negotiated
no ip redirects
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp address accept
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.10.210 88 interface Dialer0 88
ip nat inside source static udp 192.168.10.210 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.10.210 3074 interface Dialer0 3074
ip access-list extended XBOX-Live
permit udp any host 192.168.10.210 eq 88
permit udp any host 192.168.10.210 eq 3074
permit tcp any host 192.168.10.210 eq 3074
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
snmp-server community public RO
control-plane
banner login ^CHOME
^C
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
scheduler max-task-time 5000
end
HOME_RTR#exit -
Cisco IOS Zone Based Firewall and IPv6
Hello,
I am trying to setup IPv6 tunnel to tunnel-broker Hurrican Electrics. IPv6 connection is working OK only if I disable zone security on WAN interface (Fe0 - IPv4 interface).
Which protocols must be alloved to and from router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
class type inspect SSHaccess-cmap
inspect
class type inspect ICMP-cmap
inspect
class type inspect IPSEC-cmap
pass
class type inspect Protocol41-cmap
pass log
class class-default
drop
interface Tunnel1
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security IPv6tunnel
ipv6 address 2001:47:25:105B::2/64
ipv6 enable
ipv6 mtu 1300
tunnel source FastEthernet0
tunnel mode ipv6ip
tunnel destination xxx.66.80.98
interface FastEthernet0
description WAN interface
ip address xxx.xxx.252.84 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security WAN
duplex auto
speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
class type inspect IPv6-internet-class
inspect
class class-default
drop
class-map type inspect match-all IPv6-internet-class
match protocol tcp
match protocol udp
match protocol icmp
match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
ipv6 routing-header-enforcement loose
sessions maximum 10000OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
class-map type inspect match-all cm-selftowan-he-out
match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
permit 41 any any
permit ip any host 64.62.200.2
permit ip any host 66.220.2.74
permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddently noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble where as before was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
class type inspect cm-selftowan
inspect
class type inspect cm-selftowan-he-out
inspect
class type inspect cm-dhcpwan
pass
class class-default
drop
cm-selftowan has always been infront of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of proto's).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too
//TrX -
GSLB Zone-Based DNS Payment Gw - Config Active-Active: Not Failing Over
Hello All:
Currently having a bit of a problem, have exhausted all resources and brain power dwindling.
Brief:
Two geographically diverse sites. Different AS's, different front ends. Migrated from one site with two CSS 11506's to two sites with one 11506 each.
Flow of connection is as follows:
Client --> FW Public Destination NAT --> CSS Private content VIP/destination NAT --> server/service --> CSS Source VIP/NAT --> FW Public Source NAT --> client.
Using Load Balancers as DNS servers, authoritative for zones due to the requirement for second level Domain DNS load balancing (i.e xxxx.com, AND FQDNs http://www.xxxx.com). Thus, CSS is configured to respond as authoritative for xxxx.com, http://www.xxxx.com, postxx.xxxx.com, tmx.xxxx.com, etc..., but of course cannot do MX records, so is also configured with dns-forwarders which consequently were the original DNS servers for the domains. Those DNS servers have had their zone files changed to reflect that the new DNS servers are in fact the CSS'. Domain records (i.e. NS records in the zone file), and the records at the registrar (i.e. tucows, which I believe resells .com, .net and .org for netsol) have been changed to reflect the same. That part of the equation has already been tested and is true to DNS Workings. The reason for the forwarders is of course for things such as non load balanced Domain Names, as well as MX records, etc...
Due to design, which unfortunately cannot be changed, dns-record configuration uses kal-ap, example:
dns-record a http://www.xxxx.com 0 111.222.333.444 multiple kal-ap 10.xx.1.xx 254 sticky-enabled weightedrr 10
So, to explain so we're absolutely clear:
- 111.222.333.444 is the public address returned to the client.
- multiple is configured so we return both site addresses for redundancy (unless I'm misunderstanding that configuration option)
- kal-ap and the 10.xx.1.xx address because due to the configuration we have no other way of knowing the content rule/service is down and to stop advertising the address for said server/rule
- sticky-enabled because we don't want to lose a payment and have it go through twice or something crazy like that
- weighterr 10 (and on the other side weightedrr 1) because we want to keep most of the traffic on the site that is closer to where the bulk of the clients are
So, now, the problem becomes, that the clients (i.e. something like an interac machine, RFID tags...) need to be able to fail over almost instantly to either of the sites should one lose connectivity and/or servers/services. However, this does not happen. The CSS changes it's advertisement, and this has been confirmed by running "nslookups/digs" directly against the CSSs... however, the client does not recognize this and ends up returning a "DNS Error/Page not found".
Thinking this may have something to do with the "sticky-enabled" and/or the fact that DNS doesn't necessarily react very well to a TTL of "0".
Any thoughts... comments... suggestions... experiences???
Much appreciated in advance for any responses!!!
Oh... should probably add:
nslookups to some DNS servers consistently - ALWAYS the same ones - take 3 lookups before getting a reply. Other DNS servers are instant....
Cheers,
Ben Shellrude
Sr. Network Analyst
MTS AllStream IncHi Ben,
if I got your posting right the CSSes are doing their job and do advertise the correct IP for a DNS-query right?
If some of your clients are having a problem this might be related to DNS-caching. Some clients are caching the DNS-response and do not do a refresh until they fail or this timeout is gone.
Even worse if the request fails you sometimes have to reset the clients DNS-demon so that they are requesting IP-addresses from scratch. I had this issue with some Unixboxes. If I remeber it corretly you can configure the DNS behaviour for unix boxes and can forbidd them to cache DNS responsed.
Kind Regards,
joerg -
Can't getting layer 7 app filtering in ZONE based policy FW
Hi all,
I am trying to get layer 7 application protocol to work in a simple test setup, I need to get this working to filter roommate traffric . Simple configuration with two interface(inside and outside). With layer application configured, everything works fine, but when applied layer 7 it does not block the web site i want... URL filter and parameter map don't work either...
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
parameter-map type urlfilter URL-FILTER
audit-trail on
parameter-map type regex humoron
pattern [Hh][Uu][Mm][Oo][Rr][Oo][Nn][.][Cc][Oo][Mm]
parameter-map type regex LAPOSTE1
pattern LAPOSTE.NET
class-map type inspect match-any EXPRESSION
match access-group 105
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
class-map type inspect match-any HTTP
match access-group 105
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect http match-any HUMORON
match request body regex humoron
match request header regex humoron
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match request port-misuse any
match request arg regex humoron
match request uri regex humoron
match response status-line regex humoron
match req-resp header regex humoron
match req-resp protocol-violation
class-map type inspect http match-any LAPOSTE
match request body regex LAPOSTE1
match request header regex LAPOSTE1
match request port-misuse p2p
match request port-misuse tunneling
match request arg regex LAPOSTE1
match request uri regex LAPOSTE1
match response body regex LAPOSTE1
match response body java-applet
match response status-line regex LAPOSTE1
match req-resp protocol-violation
policy-map type inspect HTTP_POL
class type inspect HTTP
inspect
class type inspect EXPRESSION
inspect
class class-default
drop
policy-map type inspect http Adult_site
class type inspect http HUMORON
log
reset
policy-map type access-control out2inside_policy
zone security INSIDE_ZONE
description inside interface f0/2
zone security OUTSIDE_ZONE
description outside interface f0/0
zone-pair security outside2inside source OUTSIDE_ZONE destination INSIDE_ZONE
zone-pair security INSIDE2OUTSIDE source INSIDE_ZONE destination OUTSIDE_ZONE
description web traffic
service-policy type inspect HTTP_POL
IOS_VPN#sh policy-map type inspect
Policy Map type inspect HTTP_POL
Class HTTP
Inspect
Class EXPRESSION
Drop
Class class-default
Pass
Thanks,Any ideas??
Thanks,
Eddy
Maybe you are looking for
-
Hello Everyone In PLD i have a requirement whereby if the layout goes into more than a page says 2 pages,then the total should display "Continued in next page" in the 1st page and in the last page(in our case 2nd page) total should print the document
-
TtyS4 and ttyS5 how do I activate using 'setserial' or some other way
Is there a 'setserial' expert in the house? I've got a daughter board/card that has a bunch of I/O on it. All devices work except the two serial ports. I have 4 serial ports on the main board plus these two on the daughter board for a total of 6 se
-
BEA-Documentum integration: Image links do not appear
Hello World, I have installed both WLCS v3.2 and Documentum's WCM Starter Kit and got the WLCS to retrieve content from the Documentum, but... How do I get the links to be visible in the portal? I've tried (and failed) with the information in the Doc
-
Thousands of photos are missing ever since I upgraded to Lion. Please tell me they are hidden somewhere and not lost
-
Missing Admin Console Tasks items BPC Administration
Hi All, We use BPC version 5 for Microsoft. I have a user who has a problem with missing Admin Console Tasks items. Previously, she was able to access the items. Then she was assigned a new computer. After installing BPC (administration and Excel), n