DMZ (192.168.10.179) has access to INSIDE (192.168.2.181) but NO ACL?

TheGoob
Level 4

Hello

So I want to verify whether this is normal behaviour, a misconfigured ACL or a missing one: a DMZ host is mounting a [Samba Share] from an INSIDE host on a completely different network, but there is NO ACL permitting it... Any ideas?

ISR C1111

version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname HoM
!
boot-start-marker
boot system flash:c1100-universalk9.17.09.04a.SPA.bin
boot-end-marker
!
!
no aaa new-model
!
ip vrf mgmt
!
!
ip name-server 205.171.3.65 205.171.2.65
no ip domain lookup
!
!
!
no ip igmp snooping
login on-success log
!
!
!
subscriber templating
!
!
!
vtp domain ''
vtp mode transparent
vtp version 1
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-4284067838
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4284067838
 revocation-check none
 rsakeypair TP-self-signed-4284067838
!
crypto pki trustpoint SLA-TrustPoint
 enrollment terminal
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4284067838
 certificate self-signed 01
  30820330 30820218 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34323834 30363738 3338301E 170D3234 30323037 30303033
  34305A17 0D333430 32303630 30303334 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32383430
  36373833 38308201 22300D06 092A8648 86F70D01 01010500 0382010F 00308201
  0A028201 0100CF63 E76384AF 6078E295 B087349B E465A89A B84A8E90 D13E52C5
  CB28BEF5 39387B19 1036EE98 89053B3D D42D6EB3 C5F305ED 9B2FD78A C699EA02
  3FE0C2F1 23F4A538 6278551D 3717D703 13024BB1 3D9BD85F 18310A3C 83F38191
  EA11D0D6 E35C16E7 F21E507D 2A94276A 8310E595 C88EB804 05166E4A 251A654B
  82A77BF3 D6AE009A 57B0783A 90D525D3 F6DA5080 7A05528B 1C4455C3 EFFFFBBD
  55859475 D26FCD7C 04F305EB 19733ED2 3FABFF22 5549BD82 2FFF0C8E BD81F2F8
  13615860 BB6EB874 FBBBD392 C0F3EAB8 8CF66214 34354F70 69A52D4F 922DE35E
  8964E54D C946A7E6 142E9C41 0458E6C3 FD6A8FCA A0EBE66B 87FFD40F 06DA3EC0
  CC4B739F BC410203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF
  301F0603 551D2304 18301680 14D5EFD5 A40B0A02 5F830483 14D21A7C A9759BDD
  04301D06 03551D0E 04160414 D5EFD5A4 0B0A025F 83048314 D21A7CA9 759BDD04
  300D0609 2A864886 F70D0101 05050003 82010100 036BBEA4 BDEDE57A 0FD35041
  B30A2394 B79A8A01 2C87EBD4 D9A80DB7 E571FDD7 4275FDA1 55278B72 EF3236AC
  2FC6CDB5 22E67299 6079B347 E8E8F454 48AC7032 312AAC4E 02D415DC DB4D5D91
  C5490AE2 F653B0C4 A32E6369 734DBF79 98263F72 5B5F534E 06AB0049 FAC1D563
  763CB160 74093ACF 549423BB 0F5B5A6B 2B3C0802 E7C83861 ACE6E040 24A3D259
  55BCA7EC F446157C 6A6B270C EB91874B 41A4A2E9 F5C9A5AF 39E34112 EEBFB1C7
  BE0A215B 4586E7ED 20496190 A93FE5E1 63EFA300 B74DED30 E159573C B429A790
  9A2E9F1C E1A2A852 C9DC74C6 935D878A 7785C339 EEA6D219 172B13EE DB79986E
  C98E60B6 7899E8BA 3191ABE3 ED52432E 264B0F12
        quit
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01
  30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
  32310E30 0C060355 040A1305 43697363 6F312030 1E060355 04031317 43697363
  6F204C69 63656E73 696E6720 526F6F74 20434130 1E170D31 33303533 30313934
  3834375A 170D3338 30353330 31393438 34375A30 32310E30 0C060355 040A1305
  43697363 6F312030 1E060355 04031317 43697363 6F204C69 63656E73 696E6720
  526F6F74 20434130 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
  82010A02 82010100 A6BCBD96 131E05F7 145EA72C 2CD686E6 17222EA1 F1EFF64D
  CBB4C798 212AA147 C655D8D7 9471380D 8711441E 1AAF071A 9CAE6388 8A38E520
  1C394D78 462EF239 C659F715 B98C0A59 5BBB5CBD 0CFEBEA3 700A8BF7 D8F256EE
  4AA4E80D DB6FD1C9 60B1FD18 FFC69C96 6FA68957 A2617DE7 104FDC5F EA2956AC
  7390A3EB 2B5436AD C847A2C5 DAB553EB 69A9A535 58E9F3E3 C0BD23CF 58BD7188
  68E69491 20F320E7 948E71D7 AE3BCC84 F10684C7 4BC8E00F 539BA42B 42C68BB7
  C7479096 B4CB2D62 EA2F505D C7B062A4 6811D95B E8250FC4 5D5D5FB8 8F27D191
  C55F0D76 61F9A4CD 3D992327 A8BB03BD 4E6D7069 7CBADF8B DF5F4368 95135E44
  DFC7C6CF 04DD7FD1 02030100 01A34230 40300E06 03551D0F 0101FF04 04030201
  06300F06 03551D13 0101FF04 05300301 01FF301D 0603551D 0E041604 1449DC85
  4B3D31E5 1B3E6A17 606AF333 3D3B4C73 E8300D06 092A8648 86F70D01 010B0500
  03820101 00507F24 D3932A66 86025D9F E838AE5C 6D4DF6B0 49631C78 240DA905
  604EDCDE FF4FED2B 77FC460E CD636FDB DD44681E 3A5673AB 9093D3B1 6C9E3D8B
  D98987BF E40CBD9E 1AECA0C2 2189BB5C 8FA85686 CD98B646 5575B146 8DFC66A8
  467A3DF4 4D565700 6ADF0F0D CF835015 3C04FF7C 21E878AC 11BA9CD2 55A9232C
  7CA7B7E6 C1AF74F6 152E99B7 B1FCF9BB E973DE7F 5BDDEB86 C71E3B49 1765308B
  5FB0DA06 B92AFE7F 494E8A9E 07B85737 F3A58BE1 1A48A229 C37C1E69 39F08678
  80DDCD16 D6BACECA EEBC7CF9 8428787B 35202CDC 60E4616A B623CDBD 230E3AFB
  418616A9 4093E049 4D10AB75 27E86F73 932E35B5 8862FDAE 0275156F 719BB2F0
  D697DF7F 28
        quit
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111-8PLTEEAWB sn FGL223493AJ
license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
license smart usage interval 365
memory free low-watermark processor 71826
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
enable secret 9 $9$b/g5KPM9Y12dQU$crUmYT6b1Kd47wyvwsA8UgtHlwfVZ6GW21mtMTDrrG6
enable password [password]
!
username admin privilege 15 password 0 [password]
!
redundancy
 mode none
!
!
!
!
controller Cellular 0/2/0
!
!
vlan internal allocation policy ascending
!
vlan 8-9
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 zone-member security OUTSIDE
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode access
!
interface GigabitEthernet0/1/1
 shutdown
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 shutdown
!
interface GigabitEthernet0/1/4
 description ceyea
 switchport access vlan 8
 switchport mode access
 zone-member security DMZ
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 description FPR-WAN
 switchport access vlan 8
 switchport mode access
 zone-member security INSIDE
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 description Management
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 shutdown
!
interface Wlan-GigabitEthernet0/1/8
 shutdown
!
interface Cellular0/2/0
 no ip address
 shutdown
!
interface Cellular0/2/1
 no ip address
 shutdown
!
interface Vlan1
 description ISR default LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan8
 description Link _To_FPR
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan9
 description management
 ip vrf forwarding mgmt
 ip address 10.0.0.1 255.255.255.0
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname [user]
 ppp chap password 0 [pass]
 ppp pap sent-username [user] password 0 [pass]
 ppp ipcp dns request
 ppp ipcp route default
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint TP-self-signed-4284067838
ip forward-protocol nd
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 300
ip nat translation syn-timeout 5
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat translation max-entries 200000
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source static tcp 172.16.1.179 22 207.108.121.179 22 extendable
ip nat inside source static tcp 192.168.1.180 25 207.108.121.180 25 extendable
ip nat inside source static tcp 192.168.1.180 993 207.108.121.180 993 extendable
ip nat inside source static tcp 192.168.1.180 2280 207.108.121.180 2280 extendable
ip nat inside source static tcp 192.168.2.181 80 207.108.121.181 80 extendable
ip nat inside source static tcp 192.168.2.181 443 207.108.121.181 443 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.2
ip route 192.168.4.0 255.255.255.0 172.16.1.2
ip route 192.168.5.0 255.255.255.0 172.16.1.2
ip route 192.168.6.0 255.255.255.0 172.16.1.2
ip route vrf mgmt 192.168.5.0 255.255.255.0 10.0.0.3
!
!
ip access-list extended INSIDE-TO-DMZ
 10 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.179 eq smtp
 20 permit tcp 192.168.5.0 0.0.0.255 host 172.16.1.179 eq 22
ip access-list extended INSIDE-TO-OUTSIDE
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.2.0 0.0.0.255 any
 30 permit ip 192.168.3.0 0.0.0.255 any
 40 permit ip 192.168.4.0 0.0.0.255 any
 50 permit ip 192.168.5.0 0.0.0.255 any
 60 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 10 permit tcp host 172.16.1.179 any eq smtp
 20 permit tcp host 172.16.1.179 any eq 22
ip access-list extended OUTSIDE-TO-INSIDE
 10 permit icmp any 192.168.0.0 0.0.255.255
 20 permit tcp host 192.168.1.180 any eq smtp
 30 permit tcp host 192.168.1.180 any eq 2280
 40 permit tcp host 192.168.2.181 any eq 443
 50 permit tcp host 192.168.2.181 any eq www
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
 20 permit 172.16.1.0 0.0.0.255
ip access-list standard 4
 10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
 10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
 10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
 10 permit 192.168.6.0 0.0.0.255
ip access-list standard 8
 10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community public RO
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password [pass]
 login
 length 0
 transport input ssh
line vty 5 30
 login
 transport input ssh
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
!
netconf-yang
end

Accepted Solution

liviu.gheorghe
Spotlight

I didn't observe it until I started configuring... your zone membership assignments are configured on the wrong interfaces: interfaces Gi0/1/4 and Gi0/1/5 are L2 interfaces. The correct placement for the zone membership is on the Vlan interfaces:

interface Vlan8
 description Link _To_FPR
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface Vlan10
 description DMZ
 ip address 192.168.10.1 255.255.255.0
 zone-member security DMZ

Remove the zone member commands from interfaces Gi0/1/4 and Gi0/1/5.

Can you reconfigure and repeat the test?

Regards, LG
*** Please Rate All Helpful Responses ***


28 Replies

liviu.gheorghe
Spotlight

Hello @TheGoob ,

There are a few things that don't seem right. I said it before in this thread (fourth post before the end):

https://community.cisco.com/t5/network-management/isr-c1111-zone-based-firewall-configuration/m-p/5045909/highlight/true#M156777 which is about the same subject, ZBF configuration on the ISR.

First of all, the interface assignment to zones is not entirely correct. You have Gi0/0/0 facing the Internet as OUTSIDE, which is correct. You have Gi0/1/5 as INSIDE, the interface facing the FPR. You also have Gi0/1/4, which is labeled DMZ. Both Gi0/1/4 and Gi0/1/5 are L2 interfaces sharing the same Vlan 8. From a firewall's point of view, you cannot have two security zone settings on the same interface.

The DMZ interface should be any other interface, besides Gi0/0/0 (OUTSIDE) and Gi0/1/5 (INSIDE). A new Vlan labeled DMZ, interface assigned to DMZ Vlan and services residing in the DMZ connected to that Vlan.

The second thing that doesn't seem right is the zone-pair configuration. In my opinion, you are missing the zone-pairs that define the DMZ to INSIDE and DMZ to OUTSIDE communication rules.

Regards, LG
*** Please Rate All Helpful Responses ***
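The two points LG raises (zone membership belongs on the routed Vlan interfaces rather than on the L2 switchports, and DMZ-to-INSIDE / DMZ-to-OUTSIDE need their own zone-pairs) can be checked mechanically against a running-config. The script below is an added example for this thread, not code from either poster or from Cisco. It parses the interface and zone-pair stanzas (the sample config is constructed from the stanzas TheGoob posted, trimmed to the relevant lines), flags zone-member commands on switchports and routed interfaces that are in no zone, and then applies the documented ZBFW defaults to show why traffic routed between Vlan1 and Vlan8 is not policed at all. The parser and the decision function are a deliberate simplification: they ignore the self zone and look only at the commands named in the code.

```python
"""Audit zone-member placement in a Cisco IOS ZBFW config and model the default
verdict for traffic routed between two interfaces.  Added example for this thread,
not code from the posters or from Cisco; the self zone is deliberately ignored."""
import re

# Constructed from the interface / zone-pair stanzas TheGoob posted (trimmed).
SAMPLE_CONFIG = """\
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
interface GigabitEthernet0/1/4
 switchport mode access
 zone-member security DMZ
interface GigabitEthernet0/1/5
 switchport access vlan 8
 switchport mode access
 zone-member security INSIDE
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
interface Vlan8
 ip address 172.16.1.1 255.255.255.0
"""

# The accepted solution applied: membership on the SVIs, plus a DMZ->INSIDE pair.
FIXED_CONFIG = """\
zone-pair security DMZ-TO-IN source DMZ destination INSIDE
 service-policy type inspect DMZ-TO-INSIDE-POLICY
interface Vlan8
 ip address 172.16.1.1 255.255.255.0
 zone-member security INSIDE
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 zone-member security DMZ
"""

def parse_config(text):
    """interfaces: name -> {"l2", "l3", "zone"}; zone_pairs: (src, dst) -> policy."""
    interfaces, zone_pairs, ctx = {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):            # top-level command: opens a new context
            ctx = None
            if m := re.match(r"interface (\S+)$", line):
                interfaces[m.group(1)] = {"l2": False, "l3": False, "zone": None}
                ctx = ("if", m.group(1))
            elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
                zone_pairs[(m.group(1), m.group(2))] = None
                ctx = ("zp", (m.group(1), m.group(2)))
            continue
        cmd = line.strip()                      # sub-command of the open context
        if ctx is None:
            continue
        if ctx[0] == "if":
            info = interfaces[ctx[1]]
            if cmd.startswith("switchport"):
                info["l2"] = True
            elif cmd.startswith("ip address"):
                info["l3"] = True
            elif cmd.startswith("zone-member security "):
                info["zone"] = cmd.split()[-1]
        elif cmd.startswith("service-policy type inspect "):
            zone_pairs[ctx[1]] = cmd.split()[-1]
    return interfaces, zone_pairs

def audit(interfaces):
    """Findings a reviewer would raise on the posted config."""
    findings = []
    for name, info in sorted(interfaces.items()):
        if info["l2"] and info["zone"]:
            findings.append(f"{name}: zone-member {info['zone']} sits on an L2 switchport, "
                            "which never sees routed traffic; move it to the SVI")
        if info["l3"] and not info["zone"]:
            findings.append(f"{name}: routed interface in no zone, so no zone-pair applies")
    return findings

def zbfw_decision(interfaces, zone_pairs, ingress, egress):
    """(verdict, detail) under the ZBFW defaults for traffic routed ingress -> egress."""
    src, dst = interfaces[ingress]["zone"], interfaces[egress]["zone"]
    if src is None and dst is None:
        return ("pass", "neither interface is in a zone, so ZBFW is bypassed")
    if src is None or dst is None:
        return ("drop", "a zoned and an unzoned interface never exchange traffic")
    if src == dst:
        return ("pass", f"both interfaces are in zone {src}")
    policy = zone_pairs.get((src, dst))
    if policy is None:
        return ("drop", f"no zone-pair {src} -> {dst}")
    return ("policy", policy)                   # the policy-map's classes decide

if __name__ == "__main__":
    ifs, pairs = parse_config(SAMPLE_CONFIG)
    for finding in audit(ifs):
        print("FINDING:", finding)
    # DMZ host on Vlan1 reaching the INSIDE share via Vlan8 (the link to the FPR)
    print("posted config, Vlan1 -> Vlan8:", zbfw_decision(ifs, pairs, "Vlan1", "Vlan8"))
    ifs, pairs = parse_config(FIXED_CONFIG)
    print("fixed config, Vlan10 -> Vlan8:", zbfw_decision(ifs, pairs, "Vlan10", "Vlan8"))
```

Run as-is, the audit lists four findings (zone-member on Gi0/1/4 and Gi0/1/5, and Vlan1 and Vlan8 in no zone) and the Vlan1 -> Vlan8 verdict is "pass" with no policy involved, which is the behaviour the thread title asks about: the Samba traffic is routed between two SVIs that ZBFW never looks at. With the membership moved to the SVIs, the same flow is decided by the DMZ-TO-INSIDE policy-map, and the reverse direction is dropped until an INSIDE -> DMZ zone-pair exists.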

Hi there!

Alright, I see what you mean. I believe I have now fixed this. Assuming that in some scenarios there is only ONE WAN IP, I simply left the DMZ as:

0/0 OUTSIDE

0/5 INSIDE [vlan 8] [172.16.1.0 the LINK from ISR to FPR]

0/4 DMZ [vlan1] [default vlan, 192.168.10.0]

So at this stage, the 3 zones should have nothing in common, aside from any NAT/ACLs permitting it.

As far as DMZ to OUT and DMZ to INSIDE, I guess that was a choice I made, unknowingly, following the guide, which made no mention of them. I suppose for OUTGOING email purposes I will need a DMZ to OUT pair, and of course to allow the DMZ to mount the INSIDE Samba share I would need one as well; those 2 I can do at a later time, now that I realize. I guess what is throwing me off is HOW the DMZ, even with the new changes, is still mounting the INSIDE Samba share with NO ACL or DMZ to INSIDE rule? Unless I am still overlooking some small thing; here is the "new" config.

!
vlan 1,8-9
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
!
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
interface GigabitEthernet0/1/4
 description ceyea
 switchport mode access
 zone-member security DMZ
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 description FPR-WAN
 switchport access vlan 8
 switchport mode access
 zone-member security INSIDE
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 description Management
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface Vlan1
 description ISR default LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan8
 description Link _To_FPR
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan9
 description management
 ip vrf forwarding mgmt
 ip address 10.0.0.1 255.255.255.0
!
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source static tcp 192.168.10.179 22 207.108.121.179 22 extendable
ip nat inside source static tcp 192.168.1.180 25 207.108.121.180 25 extendable
ip nat inside source static tcp 192.168.1.180 993 207.108.121.180 993 extendable
ip nat inside source static tcp 192.168.1.180 2280 207.108.121.180 2280 extendable
ip nat inside source static tcp 192.168.2.181 80 207.108.121.181 80 extendable
ip nat inside source static tcp 192.168.2.181 443 207.108.121.181 443 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.2
ip route 192.168.4.0 255.255.255.0 172.16.1.2
ip route 192.168.5.0 255.255.255.0 172.16.1.2
ip route 192.168.6.0 255.255.255.0 172.16.1.2
ip route vrf mgmt 192.168.5.0 255.255.255.0 10.0.0.3
!
!
ip access-list extended INSIDE-TO-DMZ
 10 permit tcp 192.168.5.0 0.0.0.255 host 192.168.10.179 eq smtp
 20 permit tcp 192.168.5.0 0.0.0.255 host 192.168.10.179 eq 22
ip access-list extended INSIDE-TO-OUTSIDE
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.2.0 0.0.0.255 any
 30 permit ip 192.168.3.0 0.0.0.255 any
 40 permit ip 192.168.4.0 0.0.0.255 any
 50 permit ip 192.168.5.0 0.0.0.255 any
 60 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 10 permit tcp host 192.168.10.179 any eq smtp
 20 permit tcp host 192.168.10.179 any eq 22
ip access-list extended OUTSIDE-TO-INSIDE
 10 permit icmp any 192.168.0.0 0.0.255.255
 20 permit tcp host 192.168.1.180 any eq smtp
 30 permit tcp host 192.168.1.180 any eq 2280
 40 permit tcp host 192.168.2.181 any eq 443
 50 permit tcp host 192.168.2.181 any eq www
!
ip access-list standard 1
 10 permit 192.168.8.0 0.0.0.255
 20 permit 172.16.1.0 0.0.0.255
ip access-list standard 4
 10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
 10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
 10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
 10 permit 192.168.6.0 0.0.0.255
ip access-list standard 8
 10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!

TheGoob
Level 4

It just seems/feels as if, even though I have all the "code" there, it is not "activated" or "applied". I say this because my newly created DMZ-to-INSIDE zone/pair/ACL etc. (I even made vlan10 now, thinking maybe default vlan1 was an issue) did not work; I EVEN did a straight-up, across-the-board DENY DENY DENY DENY from DMZ-to-INSIDE, and still it connected.

I wonder if my standard ACLs are overriding the ZBFW/extended ACLs?

The standard ones were made when I was, pre-ZBFW, allowing the networks any and all outside access, when I made the dynamic NATs.

TheGoob
Level 4

Hello

So I am really at a loss here. I changed the DMZ to the correct vlan, vlan 10. I created the DMZ-TO-INSIDE and DMZ-TO-OUTSIDE zone pairs etc. Below I am posting my whole running-config, minus the stuff you do not need.

I really am not sure what is or is not working [correctly], but I do know two things:

I have an ACL for DMZ-TO-OUT for Internet access, yet I have no Internet access, and I have ONE DMZ-TO-INSIDE ACL for 1 host, and yet the DMZ connects to everything. Like, everything. Please see what you can see that I do not see, and maybe I can then see... my errors.

version 17.13
!
hostname HoM
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.13.01a.SPA.bin
boot-end-marker
!
!
no aaa new-model
!
ip vrf mgmt
!
ip name-server 205.171.3.65 205.171.2.65
no ip domain lookup
!
!
no ip igmp snooping
login on-success log
!
!
subscriber templating
!
!
vtp domain ''
vtp mode transparent
!
!
!
no license feature hseck9
license udi pid C1111-8PLTEEAWB sn FGL223493AJ
license smart url https://smartreceiver.cisco.com/licservice/license
license smart url smart https://smartreceiver.cisco.com/licservice/license
license smart transport smart
license smart usage interval 365
memory free low-watermark processor 71826
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
vlan 8-9
!
vlan 10
 name DMZ
!
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all INSIDE-TO-DMZ-CLASS
 match access-group name INSIDE-TO-DMZ
class-map type inspect match-all DMZ-TO-INSIDE-CLASS
 match access-group name DMZ-TO-INSIDE
class-map type inspect match-all OUTSIDE-TO-DMZ-CLASS
 match access-group name OUTSIDE-TO-DMZ
class-map type inspect match-all DMZ-TO-OUTSIDE-CLASS
 match access-group name DMZ-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-DMZ-POLICY
 class type inspect INSIDE-TO-DMZ-CLASS
  pass
 class class-default
  drop log
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect DMZ-TO-OUTSIDE-POLICY
 class type inspect DMZ-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect DMZ-TO-INSIDE-POLICY
 class type inspect DMZ-TO-INSIDE-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security DMZ-TO-IN source DMZ destination INSIDE
 service-policy type inspect DMZ-TO-INSIDE-POLICY
zone-pair security DMZ-TO-OUT source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-OUTSIDE-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
interface GigabitEthernet0/0/0
 description WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 zone-member security OUTSIDE
 ip tcp adjust-mss 1412
 negotiation auto
 no cdp enable
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
 switchport mode access
!
interface GigabitEthernet0/1/1
 shutdown
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 shutdown
!
interface GigabitEthernet0/1/4
 description ceyea
 switchport access vlan 10
 switchport mode access
 zone-member security DMZ
 spanning-tree portfast
!
interface GigabitEthernet0/1/5
 description FPR-WAN
 switchport access vlan 8
 switchport mode access
 zone-member security INSIDE
 spanning-tree portfast
!
interface GigabitEthernet0/1/6
 description Management
 switchport
 switchport access vlan 9
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1/7
 switchport
 shutdown
!
interface Vlan1
 description ISR default LAN
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Vlan8
 description Link _To_FPR
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan9
 description management
 ip vrf forwarding mgmt
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan10
 description DMZ
 ip address 192.168.10.1 255.255.255.0
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 ip mtu 1460
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp ipcp dns request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint TP-self-signed-4284067838
!
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 300
ip nat translation syn-timeout 5
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat translation max-entries 200000
ip nat pool 177 207.108.121.177 207.108.121.177 prefix-length 30
ip nat pool 178 207.108.121.178 207.108.121.178 prefix-length 30
ip nat pool 179 207.108.121.179 207.108.121.179 prefix-length 30
ip nat pool 182 207.108.121.182 207.108.121.182 prefix-length 30
ip nat pool 181 207.108.121.181 207.108.121.181 prefix-length 30
ip nat pool 180 207.108.121.180 207.108.121.180 prefix-length 30
ip nat inside source static tcp 192.168.10.179 22 207.108.121.179 22 extendable
ip nat inside source static tcp 192.168.1.180 25 207.108.121.180 25 extendable
ip nat inside source static tcp 192.168.1.180 993 207.108.121.180 993 extendable
ip nat inside source static tcp 192.168.1.180 2280 207.108.121.180 2280 extendable
ip nat inside source static tcp 192.168.2.181 80 207.108.121.181 80 extendable
ip nat inside source static tcp 192.168.2.181 443 207.108.121.181 443 extendable
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 4 pool 179 overload
ip nat inside source list 5 pool 178 overload
ip nat inside source list 6 pool 182 overload
ip nat inside source list 7 pool 177 overload
ip nat inside source list 8 pool 181 overload
ip nat inside source list 9 pool 180 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 172.16.1.2
ip route 192.168.2.0 255.255.255.0 172.16.1.2
ip route 192.168.3.0 255.255.255.0 172.16.1.2
ip route 192.168.4.0 255.255.255.0 172.16.1.2
ip route 192.168.5.0 255.255.255.0 172.16.1.2
ip route 192.168.6.0 255.255.255.0 172.16.1.2
ip route vrf mgmt 192.168.5.0 255.255.255.0 10.0.0.3
ip ssh bulk-mode 131072
!
ip access-list extended DMZ-TO-INSIDE
 10 permit tcp 192.168.10.0 0.0.0.255 host 192.168.2.181 eq 22
ip access-list extended DMZ-TO-OUTSIDE
 10 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended INSIDE-TO-DMZ
 10 permit tcp 192.168.5.0 0.0.0.255 host 192.168.10.179 eq smtp
 20 permit tcp 192.168.5.0 0.0.0.255 host 192.168.10.179 eq 22
ip access-list extended INSIDE-TO-OUTSIDE
 10 permit ip 192.168.1.0 0.0.0.255 any
 20 permit ip 192.168.2.0 0.0.0.255 any
 30 permit ip 192.168.3.0 0.0.0.255 any
 40 permit ip 192.168.4.0 0.0.0.255 any
 50 permit ip 192.168.5.0 0.0.0.255 any
 60 permit ip 192.168.6.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-DMZ
 10 permit tcp host 192.168.10.179 any eq smtp
 20 permit tcp host 192.168.10.179 any eq 22
ip access-list extended OUTSIDE-TO-INSIDE
 10 permit icmp any 192.168.0.0 0.0.255.255
 20 permit tcp host 192.168.1.180 any eq smtp
 30 permit tcp host 192.168.1.180 any eq 2280
 40 permit tcp host 192.168.2.181 any eq 443
 50 permit tcp host 192.168.2.181 any eq www
!
ip access-list standard 1
 10 deny 192.168.8.0 0.0.0.255
 20 permit 172.16.1.0 0.0.0.255
ip access-list standard 4
 10 permit 192.168.3.0 0.0.0.255
ip access-list standard 5
 10 permit 192.168.4.0 0.0.0.255
ip access-list standard 6
 10 permit 192.168.5.0 0.0.0.255
ip access-list standard 7
 10 permit 192.168.6.0 0.0.0.255
ip access-list standard 8
 10 permit 192.168.2.0 0.0.0.255
ip access-list standard 9
 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!

Is it possible my INSPECT/PASS actions are incorrect for each zone-pair? Or are my [original] NAT+ACL combos for my STATIC WAN IP to LAN networks overriding the new ZBFW?

liviu.gheorghe
Spotlight

What is the IP of the host in the DMZ? And from this host, what resources in the INSIDE zone are you trying to access to which it should not have access?

Can you also share the output of the following commands:

show mac address-table

show ip arp

Regards, LG
*** Please Rate All Helpful Responses ***

Hi

As far as the command results, I am not home to get those, but:

DMZ host 192.168.10.179 [vlan10] is able to connect to an INSIDE SMB server 192.168.2.181 [vlan3] on, I believe, ports 445, 139, 138 and 137... But nowhere does the ZBFW give it permission to do so. The DMZ should have no access to it. Also, 192.168.10.179 has NO Internet access, but it should, unless that is something different and I simply have the wrong DMZ-TO-OUT ACL implemented. So now I am unsure if my FW simply does not work or if there are several things amiss.

I did post the most current and updated running-config last night, so definitely do not go based off the one from several days ago.

show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccc.ccce    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
  10    00ea.bded.c4f4    STATIC      CPU
   8    00ea.bded.c4f4    STATIC      CPU
   8    d0e0.42d9.6e48    DYNAMIC     Gi0/1/5
   9    00ea.bded.c4f4    STATIC      CPU
   9    cc8e.71bf.585b    DYNAMIC     Gi0/1/6
Total Mac Addresses for this criterion: 25
show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   00ea.bded.c4f4  ARPA   Vlan8
Internet  172.16.1.2            134   d0e0.42d9.6e48  ARPA   Vlan8
Internet  192.168.10.1            -   00ea.bded.c4f4  ARPA   Vlan10
Internet  192.168.20.1            -   00ea.bded.c4f4  ARPA   Vlan1


Looking at the outputs, it doesn't seem that you have a host with IP 192.168.10.179 connected to the ISR. If there was one, its MAC should have appeared in the output of show mac address-table on vlan 10. The only host in vlan 10 is the ISR itself:

  10    00ea.bded.c4f4    STATIC      CPU
Internet  192.168.10.1            -   00ea.bded.c4f4  ARPA   Vlan10
Regards, LG
*** Please Rate All Helpful Responses ***

Well then I’m just gonna drop the whole ZBFW. Cause 192.168.10.179 is connected to G1/4, its host IP is that, and it’s connecting to the devices on the INSIDE.

I've lost interest in this. I’m just gonna disable the ZBFW.

My bad, I was pissed off that the VM and the whole thing were not working, so I shut off the VM. Here are the outputs that show it IS active. So hopefully by seeing it active you can see why it does not have internet access, and DOES connect to a host on a diff vlan, which it shouldn't.

#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0ccc.ccce    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
 All    0180.c200.0001    STATIC      CPU
 All    0180.c200.0002    STATIC      CPU
 All    0180.c200.0003    STATIC      CPU
 All    0180.c200.0004    STATIC      CPU
 All    0180.c200.0005    STATIC      CPU
 All    0180.c200.0006    STATIC      CPU
 All    0180.c200.0007    STATIC      CPU
 All    0180.c200.0008    STATIC      CPU
 All    0180.c200.0009    STATIC      CPU
 All    0180.c200.000a    STATIC      CPU
 All    0180.c200.000b    STATIC      CPU
 All    0180.c200.000c    STATIC      CPU
 All    0180.c200.000d    STATIC      CPU
 All    0180.c200.000e    STATIC      CPU
 All    0180.c200.000f    STATIC      CPU
 All    0180.c200.0010    STATIC      CPU
  10    00ea.bded.c4f4    STATIC      CPU
  10    5254.00f0.439e    DYNAMIC     Gi0/1/4
   8    00ea.bded.c4f4    STATIC      CPU
   8    d0e0.42d9.6e48    DYNAMIC     Gi0/1/5
   9    00ea.bded.c4f4    STATIC      CPU
   9    cc8e.71bf.585b    DYNAMIC     Gi0/1/6
   9    d0e0.42d9.6e00    DYNAMIC     Gi0/1/6
Total Mac Addresses for this criterion: 27
HoM# show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   00ea.bded.c4f4  ARPA   Vlan8
Internet  172.16.1.2            162   d0e0.42d9.6e48  ARPA   Vlan8
Internet  192.168.10.1            -   00ea.bded.c4f4  ARPA   Vlan10
Internet  192.168.10.179          0   5254.00f0.439e  ARPA   Vlan10
Internet  192.168.20.1            -   00ea.bded.c4f4  ARPA   Vlan1
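The check LG is applying here (is the host's MAC actually learned on a VLAN 10 port, and does the ARP entry agree?) can be scripted. The Python below is an added example written for this page, not code from the thread or from Cisco; its sample input is the `show mac address-table` and `show ip arp` output posted just above, trimmed to the rows that matter. The names `locate_host` and `stale_arp_entries` are this example's own.

```python
import re

# Sample input: rows from the 'show mac address-table' and 'show ip arp'
# captures posted in this thread (second capture, with the VM powered on),
# trimmed to the entries that matter for the check.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
  10    00ea.bded.c4f4    STATIC      CPU
  10    5254.00f0.439e    DYNAMIC     Gi0/1/4
   8    00ea.bded.c4f4    STATIC      CPU
   8    d0e0.42d9.6e48    DYNAMIC     Gi0/1/5
   9    00ea.bded.c4f4    STATIC      CPU
   9    cc8e.71bf.585b    DYNAMIC     Gi0/1/6
   9    d0e0.42d9.6e00    DYNAMIC     Gi0/1/6
Total Mac Addresses for this criterion: 27
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   00ea.bded.c4f4  ARPA   Vlan8
Internet  172.16.1.2            162   d0e0.42d9.6e48  ARPA   Vlan8
Internet  192.168.10.1            -   00ea.bded.c4f4  ARPA   Vlan10
Internet  192.168.10.179          0   5254.00f0.439e  ARPA   Vlan10
Internet  192.168.20.1            -   00ea.bded.c4f4  ARPA   Vlan1
"""

MAC_FMT = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_LINE = re.compile(r"^\s*(All|\d+)\s+(" + MAC_FMT + r")\s+(STATIC|DYNAMIC)\s+(\S+)\s*$")
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(-|\d+)\s+(" + MAC_FMT + r")\s+ARPA\s+(\S+)\s*$")


def parse_mac_table(text):
    """Map (vlan, mac) -> (type, port) from 'show mac address-table' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            table[(vlan, mac)] = (kind, port)
    return table


def parse_arp(text):
    """Rows from 'show ip arp'; an age of '-' marks the router's own addresses."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            rows.append({"ip": ip, "age": age, "mac": mac, "iface": iface})
    return rows


def locate_host(ip, arp_text=ARP_TABLE, mac_text=MAC_TABLE):
    """Return (vlan, port) where the host's MAC was learned, or None when the IP
    is absent from ARP, is one of the router's own SVI addresses, or its MAC is
    not learned on any switch port of that VLAN."""
    macs = parse_mac_table(mac_text)
    for row in parse_arp(arp_text):
        if row["ip"] != ip or row["age"] == "-" or not row["iface"].startswith("Vlan"):
            continue
        vlan = row["iface"][len("Vlan"):]
        entry = macs.get((vlan, row["mac"]))
        if entry and entry[1] != "CPU":
            return vlan, entry[1]
    return None


def stale_arp_entries(arp_text=ARP_TABLE, mac_text=MAC_TABLE):
    """IPs with a dynamic ARP entry but no MAC-table row: learned once, not seen now."""
    macs = parse_mac_table(mac_text)
    return [row["ip"] for row in parse_arp(arp_text)
            if row["age"] != "-" and (row["iface"][len("Vlan"):], row["mac"]) not in macs]


if __name__ == "__main__":
    print(locate_host("192.168.10.179"))   # ('10', 'Gi0/1/4') for the capture above
    print(stale_arp_entries())             # [] for the capture above
```

Run against the first capture in the thread (no ARP row for 192.168.10.179 at all) `locate_host` returns `None`, which is exactly the conclusion LG drew from it by eye.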

TheGoob
Level 4

Hi

Does the ZBFW get “enabled” by itself as I create the Zones and ACLs etc, or do I also need to activate it alongside creating it? Just one example of everything that doesn’t work: I have my DMZ-TO-INSIDE rule and tried an all-out DENY, and still DMZ (vlan 10) connected to a host running ssh on each subnet (vlan 2-7). I have scrolled over and over and I just cannot see what I am doing wrong. I then have a DMZ-TO-OUTSIDE rule, more or less (for 192.168.10.0) any any for internet access, and it does not connect to the Internet; now that may also be a NAT issue, but still. I want to scrap the whole thing but I despise (self) failure. I know it has to be a simple thing, I mean I more or less “cut and paste” the OFFICIAL guide that’s been posted to me half a dozen times.

How did you perform the test? You connected a PC to a port on the ISR configured in Vlan 10, you have the

ip access-list extended DMZ-TO-INSIDE
 deny ip any any
policy-map type inspect DMZ-TO-INSIDE-POLICY
 class type inspect DMZ-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!

and the PC in the DMZ can connect to an inside host?

Regards, LG
*** Please Rate All Helpful Responses ***
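The question of whether a ZBFW is "enabled" comes down to whether the objects reference each other all the way down: a zone-pair needs a service-policy that names an existing policy-map, the policy-map's classes need existing class-maps and ACLs, and every interface that should be protected needs a zone-member statement. The Python linter below is an added example written for this page, not code from the thread or from Cisco, and the configuration it is run on is constructed for illustration (it reuses the thread's object names but is not the poster's running-config). It flags the dangling references and the case LG points at above: an ACL with only deny entries, which makes its class never match so that only class-default acts. Only the named-ACL form `match access-group name X` is handled.

```python
import re

# Constructed sample, modelled on IOS-XE ZBFW syntax; NOT the running-config
# from this thread. Object names echo the thread so the findings read naturally.
SAMPLE_CONFIG = """\
ip access-list extended DMZ-TO-INSIDE
 deny ip any any
class-map type inspect match-all DMZ-TO-INSIDE-CLASS
 match access-group name DMZ-TO-INSIDE
policy-map type inspect DMZ-TO-INSIDE-POLICY
 class type inspect DMZ-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
zone security INSIDE
zone security DMZ
zone security OUTSIDE
zone-pair security DMZ-INSIDE source DMZ destination INSIDE
 service-policy type inspect DMZ-TO-INSIDE-POLICY
zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ-TO-OUTSIDE-POLICY
interface Vlan3
 ip address 192.168.2.1 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 zone-member security DMZ
interface GigabitEthernet0/0/0
 ip address dhcp
 zone-member security OUTSIDE
"""


def parse_blocks(config):
    """Split an IOS config into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def audit_zbfw(config):
    """Return a list of findings about the ZBFW objects in `config`."""
    acls, class_maps, policy_maps, interfaces = {}, {}, {}, {}
    zones, zone_pairs, members = [], [], {}
    for header, body in parse_blocks(config):
        words = header.split()
        if header.startswith("ip access-list"):
            acls[words[-1]] = body
        elif header.startswith("class-map type inspect"):
            class_maps[words[-1]] = body
        elif header.startswith("policy-map type inspect"):
            policy_maps[words[-1]] = body
        elif header.startswith("zone security"):
            zones.append(words[-1])
        elif header.startswith("zone-pair security"):
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", header)
            policy = next((l.split()[-1] for l in body
                           if l.startswith("service-policy type inspect")), None)
            zone_pairs.append((m.group(1), m.group(2), m.group(3), policy))
        elif header.startswith("interface "):
            interfaces[words[1]] = body
    for name, body in interfaces.items():
        for line in body:
            if line.startswith("zone-member security"):
                members.setdefault(line.split()[-1], []).append(name)

    findings = []
    for name, src, dst, policy in zone_pairs:
        for zone in (src, dst):
            if zone != "self" and zone not in zones:
                findings.append(f"zone-pair {name}: zone {zone} is not defined")
        if policy is None:
            findings.append(f"zone-pair {name}: no service-policy, so all traffic is dropped")
        elif policy not in policy_maps:
            findings.append(f"zone-pair {name}: policy-map {policy} does not exist")
    for zone in zones:
        if zone not in members:
            findings.append(f"zone {zone}: no interface is a member, so no zone-pair policy applies to it")
    for name, body in interfaces.items():
        if any(l.startswith("ip address") for l in body) and \
           not any(l.startswith("zone-member security") for l in body):
            findings.append(f"interface {name}: has an IP address but no zone-member security "
                            "(traffic between it and any zoned interface is dropped)")
    for pname, body in policy_maps.items():
        for cname in (l.split()[-1] for l in body if l.startswith("class type inspect")):
            if cname not in class_maps:
                findings.append(f"policy-map {pname}: class-map {cname} does not exist")
    for cname, body in class_maps.items():
        for aname in (l.split()[-1] for l in body if l.startswith("match access-group name")):
            if aname not in acls:
                findings.append(f"class-map {cname}: access-list {aname} does not exist")
            elif not any(re.match(r"(\d+ )?permit ", l) for l in acls[aname]):
                findings.append(f"class-map {cname}: access-list {aname} has no permit entries, "
                                "so the class never matches and only class-default acts")
    return findings


if __name__ == "__main__":
    for finding in audit_zbfw(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it `show running-config` output saved to a file and it reports the same four kinds of gap on a real device: a zone-pair pointing at a policy-map that was never created, a zone with no member interfaces, an interface with an address but no zone membership, and a class whose ACL can never match.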

Correct. I have a Linux PC connected to 1/4 (vlan 10 DMZ) on the ISR and a NAS Linux server on the INSIDE (vlan 3) running SSH and Samba. DMZ connects to INSIDE SSH and Samba etc. I just cannot see how this is possible, other than my configuration being wrong. Also, the same DMZ PC cannot access the Internet, but I feel my ACL says it can, so it should.