Solved

Cisco IOS Zone-based Firewall problems with match-all

Posted on 2010-08-19
1,241 Views
Last Modified: 2012-05-10
I am testing out the Cisco IOS Firewall on an 1841 I have sitting around. I upgraded the IOS to:

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)

Everything seems to be going pretty smoothly with configuring the firewall, except for one problem I am having with configuring a policy to allow incoming HTTP traffic to our web server.

Basically, I have configured 2 zones.. OUTSIDE and INSIDE.  I have a web server on the inside (10.120.1.101) that I want to allow http (port 80) connections to come through on.  I have NAT overload configured on the router, and I have a static entry to translate incoming port 80 requests to the web server.  This is all working fine..  My problem is with the firewall inspect config...

I have the following config:


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TESTRTR
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
!
aaa new-model
!
!
aaa authentication login localonly local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip port-map http port tcp 8080
ip cef
ip domain name
ip name-server 172.16.1.220
!
multilink bundle-name authenticated
!
!
!
username x privilege 15 secret 5 x
archive
 log config
  hidekeys
!
!
!
!
!
!
class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http
class-map type inspect match-any MSN-MESSENGER
 description MSN-MESSENGER
 match protocol msnmsgr
class-map type inspect match-all HTTP-SERVICES
 match access-group name HTTP-SERVERS
 match protocol http
class-map type inspect match-any DNS
 description DNS
 match protocol dns
class-map type inspect match-any HTTPS-PROTOCOL
 description HTTPS Protocol
 match protocol https
!
!
policy-map type inspect OUT-to-IN
 class type inspect HTTP-SERVICES
  inspect
 class class-default
  drop log
policy-map type inspect General
 description General Firewall
 class type inspect DNS
  inspect
 class type inspect MSN-MESSENGER
  inspect
 class type inspect HTTPS-PROTOCOL
  inspect
 class type inspect HTTP-PROTOCOL
  inspect
 class type inspect ICMP-PROTOCOL
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
 service-policy type inspect General
zone-pair security OUT-to-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-to-IN
zone-pair security OUT-to-SELF source OUTSIDE destination self
zone-pair security SELF-to-OUT source self destination OUTSIDE
!
!
!
interface FastEthernet0/0
 description OUTSIDE
 bandwidth 3000
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.299
 description OUTSIDE
 encapsulation dot1Q 299 native
 ip address 172.16.253.241 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 ip ospf message-digest-key 1 md5 7 xxx
!
interface FastEthernet0/1
 description INSIDE
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4000
 description INSIDE-PRIVATE
 encapsulation dot1Q 4000
 ip address 10.120.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
!
interface FastEthernet0/1.4001
 description INSIDE-DMZ
 encapsulation dot1Q 4001
 ip address 10.120.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface FastEthernet0/1.4000
 passive-interface FastEthernet0/1.4001
 network 10.0.0.0 0.255.255.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip default-gateway 172.16.253.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.253.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 2 interface FastEthernet0/0.299 overload
ip nat inside source static tcp 10.120.1.101 80 interface FastEthernet0/0.299 80
!
ip access-list extended HTTP-SERVERS
 permit ip any host 10.120.1.101
!
access-list 2 permit 10.120.1.0 0.0.0.255
access-list 2 permit 10.120.2.0 0.0.0.255
!
!
!
!
snmp-server community xxx RO
snmp-server location IT Workbench
snmp-server contact xxx
snmp-server host 172.16.1.190 xxx
!
control-plane
!
banner motd ^C AUTHORIZED USERS ONLY! ^C
!
line con 0
 privilege level 15
 logging synchronous
 login authentication localonly
line aux 0
 login authentication localonly
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 login authentication localonly
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login authentication localonly
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


When I attempt to connect to the web server from my desktop (172.16.1.105 off of the OUTSIDE interface), it fails and logs:
*Aug 19 18:31:57.114: %FW-6-LOG_SUMMARY: 3 packets were dropped from 172.16.1.105:28484 => 10.120.1.101:80 (target:class)-(OUT-to-IN:class-default)

The web server (10.120.1.101) is off of the INSIDE interface.

So I am trying to find out why the web connection is coming in as CLASS-DEFAULT, when it should be coming in as class HTTP-SERVICES!  I've seen example configs from other people that have this exact same setup...  If I change it to a class match-any that only has protocol http in it... I am able to connect to the web server fine...

Thanks for any help you can provide cuz I am pulling my hair out as to why this isn't working!
Question by:cathchar
10 Comments
 
Expert Comment by Galtar99 (ID: 33478497)
Drop this part of your config; I think HTTP traffic is being classified by this rule before it hits your HTTP-SERVICES rule.

class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http
Expert Comment by anoopkmr (ID: 33478572)
Try the following:

ip access-list extended HTTP-SERVERS
no permit ip any host 10.120.1.101
permit tcp any host 172.16.253.241 eq 80

 


Author Comment by cathchar (ID: 33478917)
Galtar99, I removed the HTTP-PROTOCOL class-map and had no change. I also tried leaving it and doing this:

class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http

class-map type inspect match-all HTTP-SERVICES
 match access-group name HTTP-SERVERS
 match class-map HTTP-PROTOCOL

This had no luck either.  My problem seems to be with the MATCH-ALL statement using an access-group.  I even made an access group that is permit ip any any, and that didn't work.

Tried using a numbered ACL (101) instead of a named ACL... no go.

No matter what I do, the traffic is being categorized as class-default!

Regarding anoopkmr's suggestion, I'm reading in a Cisco document:

"Recommended usage is to specify only IP addresses/subnets (and use 'match protocol' for protocol information); typical usage is in conjunction with 'match protocol' in a match-all class-map"

This is found at: http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf (page 26 of the PDF).

Page 20 has the exact same thing I am trying to do!!
Expert Comment by anoopkmr (ID: 33479048)
Your first config was correct except the access-list; it was pointing to an inside IP,

but from outside, packets are hitting the NATted IP. That's why I suggested changing the access-list.

Can you just try my workaround?
Author Comment by cathchar (ID: 33479143)
Ahh, my bad, I didn't see you changed the IP address... I thought you just added TCP 80 to the ACL.

I actually already tried that earlier, when I was troubleshooting whether it was a NAT order-of-operations issue or not... I changed it again, and even added the eq 80, and no change.

Still getting:

*Aug 19 20:30:24.341: %FW-6-DROP_PKT: Dropping http session 172.16.1.105:29722 10.120.1.101:80 on zone-pair OUT-to-IN class class-default due to  DROP action found in policy-map with ip ident 0


I cleaned the config a bit too, focusing on this problem only:

class-map type inspect match-all HTTP-SERVICES
 match protocol http
 match access-group name ALLOW-ALL
!
!
policy-map type inspect OUT-to-IN
 class type inspect HTTP-SERVICES
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-to-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-to-IN

ip access-list extended HTTP-SERVERS
 permit tcp any host 172.16.253.241 eq www

Thanks again guys!
Expert Comment by anoopkmr (ID: 33479159)
Can you try like this:

class-map type inspect match-all HTTP-SERVICES
no match protocol http
Expert Comment by anoopkmr (ID: 33479234)
Sorry, try like this; first try without matching the protocol, let's see:

class-map type inspect match-all HTTP-SERVICES
 no match protocol http
 match access-group name HTTP-SERVERS
Author Comment by cathchar (ID: 33480875)
No go!

The match-all is not working for me!

If I create 2 class-maps:

class-map type inspect match-all HTTP-ALL
 match protocol http

class-map type inspect match-any HTTP-ANY
 match protocol http

and then apply each (1 at a time) to the policy map....  the match-any class works fine and the webpage loads fine from the outside...  but if I apply the match-all class above, it stops working...

Is this a bug or am I crazy? Can anyone here confirm that they have match-all classes working on their IOS firewall with no problems?
Accepted Solution by anoopkmr (earned 500 total points; ID: 33484646)
Hi,

It's strange... I created a lab setup with a 3745 (advanced security IOS) and one router as a web server.
It's working for me with match-all.

I added match protocol and match access-group in my class and it's working.

Actually, I made a wrong statement earlier about the access-list; I am just correcting it now.
Your initial config access-list was fine. It has to be like:

ip access-list extended HTTP-SERVERS
 permit ip any host 10.120.1.101

(I mean with the internal IP, not with the outside IP.)

Sorry for that.
Kindly ignore my comment ID 33478572.

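To make the match-any/match-all distinction from the thread and the ACL-address point in the accepted answer concrete, here is an added Python model of how a ZBF policy-map classifies one packet; it is not Cisco code and not from anyone in this thread, and it assumes (in line with the accepted answer's use of the internal IP in the ACL) that by the time the OUT-to-IN zone-pair policy runs, the static NAT has already rewritten the destination to the inside server address. The policy and ACL names are those posted above; the HTTP-SERVERS-NATTED ACL and the packet are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of Cisco ZBF class-map classification (not Cisco code):
# match-any = any clause hits, match-all = every clause hits; the policy-map
# tries classes in order, first hit wins, otherwise class-default.
ACLS = {
    "HTTP-SERVERS": [("ip", "any", "10.120.1.101/32")],           # original ACL (inside IP)
    "HTTP-SERVERS-NATTED": [("tcp", "any", "172.16.253.241/32")], # withdrawn suggestion (outside IP)
}

def in_field(field, addr):
    return field == "any" or ip_address(addr) in ip_network(field)

def acl_permits(acl_name, pkt):
    """First-match walk over the ACEs; no hit means the implicit deny."""
    for proto, src, dst in ACLS[acl_name]:
        if proto in ("ip", pkt["proto"]) and in_field(src, pkt["src"]) and in_field(dst, pkt["dst"]):
            return True
    return False

def clause_matches(clause, pkt):
    kind, value = clause
    if kind == "protocol":      # 'match protocol http'
        return pkt["app"] == value
    if kind == "access-group":  # 'match access-group name X'
        return acl_permits(value, pkt)
    raise ValueError(f"unsupported match clause: {kind}")

def class_matches(cmap, pkt):
    mode, clauses = cmap
    hits = [clause_matches(c, pkt) for c in clauses]
    return all(hits) if mode == "match-all" else any(hits)

def classify(policy, pkt):
    """Name of the first class in the policy-map that matches pkt, else class-default."""
    for name, cmap in policy:
        if class_matches(cmap, pkt):
            return name
    return "class-default"

def http_services_policy(acl_name, mode="match-all"):
    """policy-map OUT-to-IN from the thread, parameterised on the ACL and match mode."""
    return [("HTTP-SERVICES", (mode, [("access-group", acl_name), ("protocol", "http")]))]

# Constructed packet: the desktop in the thread to the web server. Assumption, in line
# with the accepted answer: when the OUT-to-IN zone-pair policy runs, the static NAT has
# already rewritten the destination to the inside address.
PKT = {"proto": "tcp", "src": "172.16.1.105", "dst": "10.120.1.101", "app": "http"}
```

With the original ACL the packet lands in HTTP-SERVICES (inspect); with the outside address in the ACL the match-all class fails on the access-group clause and the packet falls to class-default, which is the drop log action behind the %FW-6-DROP_PKT line above, while the same ACL under match-any still matches on the protocol clause alone.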
Author Closing Comment by cathchar (ID: 33543393)
I turned off NAT to simplify things... Still had problems... Power-cycled the router and it seems to be working OK now. Not sure why it didn't work previously. Thanks for all your help, guys!