  • Status: Solved
Cisco IOS Zone-based Firewall problems with match-all

I am testing out the Cisco IOS Firewall on an 1841 I have sitting around. I upgraded the IOS to:

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)

Everything seems to be going pretty smoothly with configuring the firewall, except for one problem I am having with configuring a policy to allow incoming HTTP traffic to our web server.

Basically, I have configured 2 zones.. OUTSIDE and INSIDE.  I have a web server on the inside (10.120.1.101) that I want to allow http (port 80) connections to come through on.  I have NAT overload configured on the router, and I have a static entry to translate incoming port 80 requests to the web server.  This is all working fine..  My problem is with the firewall inspect config...

I have the following config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TESTRTR
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16384
!
aaa new-model
!
!
aaa authentication login localonly local
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip port-map http port tcp 8080
ip cef
ip domain name
ip name-server 172.16.1.220
!
multilink bundle-name authenticated
!
!
!
username x privilege 15 secret 5 x
archive
 log config
  hidekeys
!
!
!
!
!
!
class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http
class-map type inspect match-any MSN-MESSENGER
 description MSN-MESSENGER
 match protocol msnmsgr
class-map type inspect match-all HTTP-SERVICES
 match access-group name HTTP-SERVERS
 match protocol http
class-map type inspect match-any DNS
 description DNS
 match protocol dns
class-map type inspect match-any HTTPS-PROTOCOL
 description HTTPS Protocol
 match protocol https
!
!
policy-map type inspect OUT-to-IN
 class type inspect HTTP-SERVICES
  inspect
 class class-default
  drop log
policy-map type inspect General
 description General Firewall
 class type inspect DNS
  inspect
 class type inspect MSN-MESSENGER
  inspect
 class type inspect HTTPS-PROTOCOL
  inspect
 class type inspect HTTP-PROTOCOL
  inspect
 class type inspect ICMP-PROTOCOL
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
  service-policy type inspect General
zone-pair security OUT-to-IN source OUTSIDE destination INSIDE
  service-policy type inspect OUT-to-IN
zone-pair security OUT-to-SELF source OUTSIDE destination self
zone-pair security SELF-to-OUT source self destination OUTSIDE
!
!
!
interface FastEthernet0/0
 description OUTSIDE
 bandwidth 3000
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.299
 description OUTSIDE
 encapsulation dot1Q 299 native
 ip address 172.16.253.241 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security OUTSIDE
 ip ospf message-digest-key 1 md5 7 xxx
!
interface FastEthernet0/1
 description INSIDE
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.4000
 description INSIDE-PRIVATE
 encapsulation dot1Q 4000
 ip address 10.120.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE
!
interface FastEthernet0/1.4001
 description INSIDE-DMZ
 encapsulation dot1Q 4001
 ip address 10.120.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router ospf 1
 log-adjacency-changes
 area 0 authentication message-digest
 passive-interface FastEthernet0/1.4000
 passive-interface FastEthernet0/1.4001
 network 10.0.0.0 0.255.255.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
ip default-gateway 172.16.253.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.253.1
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 2 interface FastEthernet0/0.299 overload
ip nat inside source static tcp 10.120.1.101 80 interface FastEthernet0/0.299 80
!
ip access-list extended HTTP-SERVERS
 permit ip any host 10.120.1.101
!
access-list 2 permit 10.120.1.0 0.0.0.255
access-list 2 permit 10.120.2.0 0.0.0.255
!
!
!
!
snmp-server community xxx RO
snmp-server location IT Workbench
snmp-server contact xxx
snmp-server host 172.16.1.190 xxx
!
control-plane
!
banner motd ^C AUTHORIZED USERS ONLY! ^C
!
line con 0
 privilege level 15
 logging synchronous
 login authentication localonly
line aux 0
 login authentication localonly
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 logging synchronous
 login authentication localonly
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login authentication localonly
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


When I attempt to connect to the web server from my desktop (172.16.1.105 off of the OUTSIDE interface), it fails and logs:
*Aug 19 18:31:57.114: %FW-6-LOG_SUMMARY: 3 packets were dropped from 172.16.1.105:28484 => 10.120.1.101:80 (target:class)-(OUT-to-IN:class-default)

The web server (10.120.1.101) is off of the INSIDE interface.

So I am trying to find out why the web connection is coming in as CLASS-DEFAULT, when it should be coming in as class HTTP-SERVICES!  I've seen example configs from other people that have this exact same setup...  If I change it to a class match-any that only has protocol http in it... I am able to connect to the web server fine...

Thanks for any help you can provide cuz I am pulling my hair out as to why this isn't working!
Asked by cathchar

1 Solution
 
Galtar99 commented:
Drop this part of your config; I think http traffic is being classified by this rule before it's hitting your HTTP-SERVICES rule.

class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http
anoopkmr commented:
try the following:

ip access-list extended HTTP-SERVERS
 no permit ip any host 10.120.1.101
 permit tcp any host 172.16.253.241 eq 80

 

cathchar (Author) commented:
Galtar99, I removed the HTTP-PROTOCOL class-map and had no change.  I also tried leaving it, and doing this :

class-map type inspect match-any HTTP-PROTOCOL
 description HTTP Protocol
 match protocol http

class-map type inspect match-all HTTP-SERVICES
 match access-group name HTTP-SERVERS
 match class-map HTTP-PROTOCOL

This had no luck either.  My problem seems to be with the MATCH-ALL statement using an access-group.  I even made an access group that is permit ip any any, and that didn't work.

Tried using a numbered acl (101) instead of a named ACL.. no go..

No matter what I do, the traffic is being categorized as class-default!

Regarding anoopkmr's suggestion, I'm reading in a Cisco document:

"Recommended usage is to specify only IP addresses/subnets (and use ‘match protocol’ for protocol information); typical usage is in conjunction with ‘match protocol’ in a match-all class-map"

This is found at: http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf (page 26 of the PDF).

Page 20 has the exact same thing I am trying to do!!
anoopkmr commented:
Your first config was correct except the access-list; it was pointing to an inside IP,

but from outside, packets are hitting on the NATted IP. That's why I suggested changing the access-list.

Can you just try my workaround?
cathchar (Author) commented:
Ahh my bad, I didn't see you changed the ip address... I thought you just added TCP 80 to the ACL..

I actually already tried that earlier, when I was troubleshooting whether it was a NAT order-of-operations issue or not... I changed it again, and even added the eq 80, and no change..

still getting :

*Aug 19 20:30:24.341: %FW-6-DROP_PKT: Dropping http session 172.16.1.105:29722 10.120.1.101:80 on zone-pair OUT-to-IN class class-default due to  DROP action found in policy-map with ip ident 0


I cleaned the config a bit too, focusing on this problem only :

class-map type inspect match-all HTTP-SERVICES
 match protocol http
 match access-group name ALLOW-ALL
!
!
policy-map type inspect OUT-to-IN
 class type inspect HTTP-SERVICES
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
zone security INSIDE
zone-pair security IN-to-OUT source INSIDE destination OUTSIDE
zone-pair security OUT-to-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-to-IN

ip access-list extended HTTP-SERVERS
 permit tcp any host 172.16.253.241 eq www

Thanks again guys!
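The two %FW drop messages quoted in this thread are the only evidence of which class a flow actually landed in, and the destination they show is the post-NAT inside address (10.120.1.101:80). As an added example that is not from the thread or from Cisco, here is a small Python parser for both message shapes that totals drops per zone-pair, class and destination, so flows falling into class-default on a zone-pair that has an explicit inspect class stand out; the sample lines are constructed copies of the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two %FW messages quoted in this thread,
# plus one unrelated syslog line the parser must ignore.
SAMPLE_LOG = [
    "*Aug 19 18:31:57.114: %FW-6-LOG_SUMMARY: 3 packets were dropped from "
    "172.16.1.105:28484 => 10.120.1.101:80 (target:class)-(OUT-to-IN:class-default)",
    "*Aug 19 20:30:24.341: %FW-6-DROP_PKT: Dropping http session 172.16.1.105:29722 "
    "10.120.1.101:80 on zone-pair OUT-to-IN class class-default due to  DROP action "
    "found in policy-map with ip ident 0",
    "*Aug 19 20:31:00.000: %SYS-5-CONFIG_I: Configured from console by vty0",
]

# LOG_SUMMARY carries an aggregated count and "(target:class)-(ZONEPAIR:CLASS)".
LOG_SUMMARY = re.compile(
    r"%FW-6-LOG_SUMMARY: (?P<count>\d+) packets were dropped from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"\(target:class\)-\((?P<zonepair>[^:)]+):(?P<cls>[^)]+)\)")
# DROP_PKT is per session and names the protocol plus "on zone-pair X class Y".
DROP_PKT = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zonepair>\S+) class (?P<cls>\S+)")

def parse_fw_drop(line):
    """Return a dict for one %FW drop message, or None for any other line."""
    m = LOG_SUMMARY.search(line)
    if m:
        rec = m.groupdict()
        rec["count"], rec["proto"] = int(rec["count"]), None
        return rec
    m = DROP_PKT.search(line)
    if m:
        rec = m.groupdict()
        rec["count"] = 1
        return rec
    return None

def drops_by_class(lines):
    """Total dropped packets keyed by (zone-pair, class, dst:port)."""
    totals = Counter()
    for rec in filter(None, map(parse_fw_drop, lines)):
        key = (rec["zonepair"], rec["cls"], f"{rec['dst']}:{rec['dport']}")
        totals[key] += rec["count"]
    return totals

def class_default_hits(lines):
    """Flows the policy never classified: these are the ones to investigate."""
    return sorted({(zp, dst) for zp, cls, dst in drops_by_class(lines) if cls == "class-default"})
```

Feed it the output of `show logging` and any (zone-pair, destination) it returns is traffic that no explicit class in that zone-pair's policy-map claimed.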
 
anoopkmr commented:
can you try like this:

class-map type inspect match-all HTTP-SERVICES
 no match protocol http
anoopkmr commented:
Sorry, try like this; first try without matching the protocol, let's see:

class-map type inspect match-all HTTP-SERVICES
 no match protocol http
 match access-group name HTTP-SERVERS
cathchar (Author) commented:
No go!

The match-all is not working for me!!!!

If I create 2 class maps:

class-map type inspect match-all HTTP-ALL
 match protocol http

class-map type inspect match-any HTTP-ANY
 match protocol http

and then apply each (1 at a time) to the policy map....  the match-any class works fine and the webpage loads fine from the outside...  but if I apply the match-all class above, it stops working...

Is this a bug, or am I crazy?! Can anyone here confirm that they have match-all classes working on their IOS firewall with no problems?
anoopkmr commented:
Hi,

It's strange.. I created a lab setup with a 3745 advanced sec IOS and one router as web server.
It's working for me with match-all.

I added match protocol and match access-group in my class and it's working.

Actually I made a wrong statement earlier about the access-list; I am just correcting it now.
Your initial config access-list was fine. It has to be like:

ip access-list extended HTTP-SERVERS
 permit ip any host 10.120.1.101

(I mean with the internal IP, not with the outside IP)

Sorry for that.
Kindly ignore my comment id: 33478572

cathchar (Author) commented:
I turned off NAT to simplify things... Still had problems... I power-cycled the router and it seems to be working OK now.. Not sure why it didn't work previously.. Thanks for all your help guys!