• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419

Need help defining match protocols for zone based firewall

I have a basic zone based firewall that has a simple inside to outside policy map configured.
I have set the following protocols to be matched. My LAN does not have a DNS server or domain controller locally, and I am having trouble changing IP addresses on a SQL cluster. Is my class map blocking Active Directory-related protocols? Should I change the drop on the class-default to inspect instead of drop?
!
class-map type inspect match-any allowed-out-cmap
 match protocol telnet
 match protocol ssh
 match protocol icmp
 match protocol http
 match protocol https
 match protocol smtp
 match protocol dns
 match protocol ftp
 match protocol ftps
 match protocol h323
 match protocol imap
 match protocol pop3
 match protocol snmp

policy-map type inspect allowed-out-pmap
 class type inspect allowed-out-cmap
  inspect
 class class-default
  drop
0
Asked by: jffisher
1 Solution
 
JDLoaner commented:
Remove the:
class class-default
  drop

from the policy-map for starters.
0
 
jffisher (Author) commented:
I have not found any documentation on just what the class-default protocols are, or why the default is set to drop. Without that information it is hard to determine if I should remove it or set it to inspect.
0
 
JDLoaner commented:
The inspect portion of that allows the firewall, which is stateful, to do deep-packet inspection on each of the protocols. It is there by default. Drop should not be.
0
mr_dirt commented:
You can't *remove* "drop" from class class-default, you can only change it to "pass", which will allow all traffic in the direction the policy-map is applied.  The traffic in the opposite direction will still be dropped, unless there is a zone-pair with a service-policy applied there that applies a "pass" for everything, as well.  "Inspect" cannot be configured on class class-default.  

Which version of IOS are you running?

Is the problem that you're trying to solve the fact that AD traffic isn't making it through, or that something is causing problems for SQL? If you're trying to get AD working, you might have better luck by adding msrpc.
0
 
jffisher (Author) commented:

Hi
I am running 12.4 IOS on an 881G router.
I am not sure what the problem was for sure. This LAN does not have a DNS server or domain controller.
When a user went to change the IP on a server it would not take; also, Outlook was not working on users' desktops trying to connect back to the corporate office to Exchange. I added TCP and UDP to the class map and it seems to have fixed it for now. I have a zone pair set up as seen below allowing only our other sites to enter on the outside interface.
class-map type inspect match-all ai-outside-to-inside-cmap
 match access-group 100
!
policy-map type inspect ai-outside-to-inside-pmap
 class type inspect ai-outside-to-inside-cmap
  inspect
 class class-default
  drop
I am assuming that the only protocols the firewall will pass are the ones being inspected? All others are dropped?
0
 
JDLoaner commented:
You said, "You can't *remove* "drop" from class class-default"

You're right, I was thinking of the global_policy default inspection.
0
 
mr_dirt commented:
You said, "I am assuming that the only protocols the firewall will pass are the ones being inspected? All others are dropped?"

That's correct.  If you don't specify that the firewall must "inspect" or "pass" traffic according to the lists of services/protocols in the class-maps, then the firewall will drop it.  Beware, 'inspect' and 'pass' are different actions.

Your addition of TCP and UDP for inspection should handle almost all traffic.  If it works and you're happy with it, that should do the trick for now.  Zone Firewall cannot properly handle Exchange traffic (no inspection for endpoint locator) yet, so if you want Exchange clients to work, the config you have is your best bet.
0
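As an added example (not code from the thread, and not a Cisco tool), the following Python script models the decision mr_dirt describes: the firewall walks the policy-map top to bottom, the first class that matches the flow decides the action, and anything that falls through to class-default is dropped, whether or not class-default is written out. It parses only the subset of IOS syntax that appears in this thread, and uses it to ask what the poster's original outbound policy, the TCP/UDP fix from the thread, and a narrower AD-only alternative each do to ldap, kerberos, msrpc, smb and rdp. The transport map and the sample configs are constructed for the example; the msrpc/ldap/kerberos keywords in the narrow variant are an assumption about what a given IOS release offers (check with `match protocol ?`), and ACL-based classes such as the poster's access-group 100 are recorded but not evaluated.

```python
"""Model what a Cisco IOS zone-based firewall policy-map does to one flow.

Added example for this thread, not code from the poster or from Cisco.
Only the syntax used in the thread is parsed: class-map type inspect
match-any|match-all, match protocol <p>, policy-map type inspect,
class ..., and the inspect / pass / drop actions.
"""
import re

# Constructed, simplified map: application protocol -> transport(s) that a
# generic 'match protocol tcp' / 'match protocol udp' would also cover.
TRANSPORT = {
    "http": {"tcp"}, "https": {"tcp"}, "ssh": {"tcp"}, "smtp": {"tcp"},
    "dns": {"tcp", "udp"}, "ldap": {"tcp", "udp"}, "kerberos": {"tcp", "udp"},
    "msrpc": {"tcp"}, "smb": {"tcp"}, "rdp": {"tcp"}, "ntp": {"udp"},
}


def parse_zbf(text):
    """Return (class_maps, policy_maps) parsed from running-config text."""
    class_maps, policy_maps = {}, {}
    kind = name = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue                                  # blank or IOS separator
        m = re.match(r"class-map type inspect (match-any|match-all) (\S+)$", line)
        if m:
            kind, name = "class", m.group(2)
            class_maps[name] = {"mode": m.group(1), "protocols": set(), "other": []}
            continue
        m = re.match(r"policy-map type inspect (\S+)$", line)
        if m:
            kind, name = "policy", m.group(1)
            policy_maps[name] = []                    # ordered [class, action]
            continue
        if not raw[0].isspace():
            kind = None                               # unrelated top-level command
            continue
        if kind == "class":
            m = re.match(r"\s+match protocol (\S+)", line)
            if m:
                class_maps[name]["protocols"].add(m.group(1))
            elif re.match(r"\s+match ", line):
                class_maps[name]["other"].append(line.strip())   # e.g. access-group
        elif kind == "policy":
            m = re.match(r"\s+class (?:type inspect )?(\S+)$", line)
            if m:
                policy_maps[name].append([m.group(1), None])
            else:
                m = re.match(r"\s+(inspect|pass|drop)\b", line)
                if m and policy_maps[name]:
                    policy_maps[name][-1][1] = m.group(1)
    return class_maps, policy_maps


def class_matches(cm, proto):
    """True if a flow of application protocol `proto` satisfies the class."""
    if cm["other"]:
        return False                                  # ACL criteria not modelled
    satisfied = {proto} | TRANSPORT.get(proto, set())
    if cm["mode"] == "match-any":
        return bool(cm["protocols"] & satisfied)
    return bool(cm["protocols"]) and cm["protocols"] <= satisfied


def action_for(config_text, policy, proto):
    """First matching class wins; class-default (explicit or implicit) drops."""
    class_maps, policy_maps = parse_zbf(config_text)
    for cname, action in policy_maps[policy]:
        if cname == "class-default":
            return action or "drop"                   # ZBF default for class-default
        cm = class_maps.get(cname)
        if cm is not None and class_matches(cm, proto):
            return action or "drop"
    return "drop"                                     # implicit class-default


# The poster's outbound policy, trimmed to the protocols relevant here.
ORIGINAL = """
class-map type inspect match-any allowed-out-cmap
 match protocol ssh
 match protocol icmp
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect allowed-out-pmap
 class type inspect allowed-out-cmap
  inspect
 class class-default
  drop
"""
# The fix from the thread: blanket tcp and udp added to the same class-map.
BLANKET = ORIGINAL.replace(" match protocol dns\n",
                           " match protocol dns\n match protocol tcp\n match protocol udp\n")
# Narrower alternative (assumption: these keywords exist on your IOS release).
NARROW = ORIGINAL.replace(" match protocol dns\n",
                          " match protocol dns\n match protocol msrpc\n"
                          " match protocol ldap\n match protocol kerberos\n")


def compare(protocols=("http", "ldap", "kerberos", "msrpc", "smb", "rdp")):
    """Return {proto: (original, blanket, narrow)} for the outbound policy."""
    return {p: tuple(action_for(c, "allowed-out-pmap", p)
                     for c in (ORIGINAL, BLANKET, NARROW)) for p in protocols}


if __name__ == "__main__":
    for p, (o, b, n) in compare().items():
        print(f"{p:9} original={o:8} tcp/udp={b:8} narrow={n}")
```

Running it shows the trade-off behind the accepted answer: with the original policy every AD protocol falls through to class-default and is dropped; adding generic tcp and udp makes them work but also lets smb and rdp out of the LAN; the narrow variant admits only the named protocols. The script returns the IOS keyword (inspect or pass) and does not model the difference between them, which mr_dirt warns about above.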
