Topic 'Re: [Config] Working on Home Network and Zone-Pair FW' in forum 'Cisco' - dslreports.com

Re: [Config] Working on Home Network and Zone-Pair FW

Wed, 28 Dec 2011 14:13:44 EDT

HELLFIRE posted : Wonder if Cisco'd ever let us in on what does and doesn't need PASS or not in ZBFW. :D

Thanks for the hints cooldude9919

Regards

Re: [Config] Working on Home Network and Zone-Pair FW

Wed, 28 Dec 2011 13:35:45 EDT

cooldude9919 posted :

said by HELLFIRE:

Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets its passing on those ports is entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

Pretty much yes. Inspect works great with things that are fairly simple, or stick to a single or small number of ports. It all has to do with what cisco calls the "initiator" and the "responder". You can see below it breaks it down to the source/dest port level per ip address. So if the remote end tries to talk back on a different port or somtehing else weird it will get dropped by the drop on the class-default on the out to in policy.


show policy-map type inspect zone-pair ses
      Number of Established Sessions = 5
      Established Sessions
        Session 85BF4520 (10.3.130.102:49732)=>(64.4.11.160:80) tcp SIS_OPEN
          Created 00:30:14, Last heard 00:30:13
          Bytes sent (initiator:responder) [508:500]
        Session 8906F180 (10.3.130.102:49735)=>(68.142.123.254:80) tcp SIS_OPEN
          Created 00:30:14, Last heard 00:30:10
          Bytes sent (initiator:responder) [1642:15714]
        Session 85BF86C0 (10.3.130.122:2747)=>(65.55.17.39:80) tcp SIS_OPEN
          Created 00:05:17, Last heard 00:05:16
          Bytes sent (initiator:responder) [651:1774]
        Session 85BF22C0 (10.3.130.122:2751)=>(207.46.216.54:80) tcp SIS_OPEN
          Created 00:05:05, Last heard 00:04:54
          Bytes sent (initiator:responder) [2205:1269]
        Session 85BF9980 (10.3.130.122:2752)=>(65.55.170.235:443) tcp SIS_OPEN
          Created 00:05:05, Last heard 00:05:03
          Bytes sent (initiator:responder) [2265:4169]

A few more things inspect breaks.

TLS encryption for email
Causes problems with DHCP
You must pass isakmp and ESP for cisco dmvpn to work
The last two used to work find on inspect with 12.4.15T, but dont on 15.0.1 M.whatever.

My new project is to convert 2 configs with a LOT of zbfw from working on 12.4.15T12 to 15.0.1.M7 and theres many changes along the way. We got a NME-IPS-K9 and it doesnt work on 12.4 :(.

Re: [Config] Working on Home Network and Zone-Pair FW

Wed, 28 Dec 2011 12:27:36 EDT

HELLFIRE posted : Glad cooldude9919 got it sorted out for you Bigzizzzle. I guess my question is why PASS works
better than INSPECT for Steam... guess it's just entirely stateless and expects an implicit
trust from users that those packets its passing on those ports is entirely trusted.

Mind reposting your complete config again Bigzizzzle? Figure it'll make good reference material
in the future again.

Regards

Re: [Config] Working on Home Network and Zone-Pair FW

Tue, 27 Dec 2011 18:33:26 EDT

Bigzizzzle posted : Good News, your method worked as well as previously dooing a permit ip any any. I have since removed the ip any any and strictly use the following.

 class-map type inspect match-any CM_Voice_Traffic match protocol h323 match protocol sip match protocol skinny match protocol sip-tlsclass-map type inspect match-any Email_Client match protocol pop3 match protocol pop3s match protocol imap match protocol imaps match protocol smtpclass-map type inspect match-any Steam-Firewall-Traffic description Steam Protocols match access-group name Steam match protocol udp match protocol tcpclass-map type inspect match-any sdm-cls-icmp-access match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Web_Traffic match protocol http match protocol https match protocol dnsclass-map type inspect match-any CM_IMCP match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-all CM_ICMP_INSPECT match class-map CM_IMCPclass-map type inspect match-any Server-Lab(WebTraffic) match protocol http match protocol https match protocol dns match protocol udp match protocol tcp match protocol icmpclass-map type inspect match-any CM_Internet_Traffic match protocol tcp match protocol udp match protocol http match protocol https match protocol dns match protocol ftp match protocol tftp!!policy-map type inspect Web-Traffic class type inspect Server-Lab(WebTraffic)  inspect class class-defaultpolicy-map type inspect PM_02 class type inspect Steam-Firewall-Traffic  pass class class-defaultpolicy-map type inspect PM_01 class type inspect Steam-Firewall-Traffic  pass class type inspect Email_Client  inspect class type inspect CM_Internet_Traffic  inspect class class-defaultpolicy-map type inspect CM_IMCP description ICMP_Control class type inspect CM_ICMP_INSPECT  drop class class-defaultpolicy-map type inspect PM_ICMP_REPLY class type inspect CM_ICMP_INSPECT  inspect class class-default  pass!zone security out-zonezone security in-zonezone security Server-Labzone-pair security CM_Internet_Traffic source in-zone destination out-zone service-policy type inspect PM_01zone-pair security CM_ICMP_INSPECT source self destination out-zone service-policy type inspect PM_ICMP_REPLYzone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone description Allowed Web Traffic from Server Lab Lan to Outside service-policy type inspect Web-Trafficzone-pair security CM_IMCP source out-zone destination self service-policy type inspect CM_IMCPzone-pair security ZP_IN_OUT source out-zone destination in-zone service-policy type inspect PM_02

Re: [Config] Working on Home Network and Zone-Pair FW

Tue, 27 Dec 2011 17:58:22 EDT

cooldude9919 posted : I guess im a little confused on your question. The commands i gave would inspect all outbound traffic in a single line of an access-list, but not affect the ability to block all unsolicitedu inbound traffic. In my opinion this would be worth trying first.

If you would like to go ahead and define an out to in pair thats easy enough.
FOr example this would define the out to in pair and also pass your steam traffic both ways. To just define in, make your new policy-map and obviously dont add the steam-firewall-traffic class.

config t
policy-map type inspect PM_02
class Steam-Firewall-Traffic
pass
class-default
drop log
^
*note*
Doing a drop log will log any dropped packets, due to random bots/scanning ect it can be a lot, but it will allow you to look back and see if you can spot any legimitate packets getting dropped that you dont want to.

zone-pair security zp-out-in source out-zone destination in-zone service-policy type inspect PM_02

You would want class Steam-Firewall-Traffic to be at the top in your PM_02, only way i know of to rearrange it is to remove current classes and re-add them.

policy-map type inpsect PM_01
no class CM_Internet_Traffic
no class Steam-Firewall-Traffic
no class Email_Client

class Steam-Firewall-Traffic
pass
class CM_Internet_Traffic
inspect
class Email_Client
inspect

Re: [Config] Working on Home Network and Zone-Pair FW

Tue, 27 Dec 2011 17:19:25 EDT

Bigzizzzle posted : Cooldude9919. I appreciate your reply, prior to your feedback. I tweaked my Zone Based firewall a little and still having issues. I will try your method of "pass" statement. If you wouldn't mind I could use some help make a proper reflexive statement, or Traffic inbound statement.

Question would adding "permit ip any any" be too broad a statement for the existing ACL.

 class-map type inspect match-any CM_Voice_Traffic match protocol h323 match protocol sip match protocol skinny match protocol sip-tlsclass-map type inspect match-any Email_Client match protocol pop3 match protocol pop3s match protocol imap match protocol imaps match protocol smtpclass-map type inspect match-any Steam-Firewall-Traffic description Steam Protocols match access-group name Steam match protocol udp match protocol tcpclass-map type inspect match-any sdm-cls-icmp-access match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Web_Traffic match protocol http match protocol https match protocol dnsclass-map type inspect match-any CM_IMCP match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-all CM_ICMP_INSPECT match class-map CM_IMCPclass-map type inspect match-any Server-Lab(WebTraffic) match protocol http match protocol https match protocol dns match protocol udp match protocol tcp match protocol icmpclass-map type inspect match-any CM_Internet_Traffic match protocol tcp match protocol udp match protocol http match protocol https match protocol dns match protocol ftp match protocol tftp!!policy-map type inspect Web-Traffic class type inspect Server-Lab(WebTraffic)  inspect class class-defaultpolicy-map type inspect PM_01 class type inspect CM_Internet_Traffic  inspect class type inspect Steam-Firewall-Traffic  inspect class type inspect Email_Client  inspect class class-defaultpolicy-map type inspect CM_IMCP description ICMP_Control class type inspect CM_ICMP_INSPECT  drop class class-defaultpolicy-map type inspect PM_ICMP_REPLY class type inspect CM_ICMP_INSPECT  inspect class class-default  passpolicy-map type inspect Email_Client_Processing class type inspect Email_Client!zone security out-zonezone security in-zonezone security Server-Labzone-pair security CM_Internet_Traffic source in-zone destination out-zone service-policy type inspect PM_01zone-pair security CM_ICMP_INSPECT source self destination out-zone service-policy type inspect PM_ICMP_REPLYzone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone description Allowed Web Traffic from Server Lab Lan to Outside service-policy type inspect Web-Trafficzone-pair security CM_IMCP source out-zone destination self service-policy type inspect CM_IMCP

Re: [Config] Working on Home Network and Zone-Pair FW

Tue, 27 Dec 2011 16:57:21 EDT

cooldude9919 posted : OK ive looked things over a bit, here is my understanding of your setupand the parts of the config that matter.


Inside interface: BVI1
Outside Interface: FA0

zone-pair security CM_Internet_Traffic source in-zone destination out-zone  service-policy type inspect PM_01 

policy-map type inspect PM_01  
class type inspect CM_Internet_Traffic   
inspect  
class type inspect CM_Voice_Traffic
  pass  
class class-default

class-map type inspect match-any CM_Internet_Traffic 
*stuff*

ip access-list extended Steam  remark ports required for steam games 
*stuff*

Now is there a reason for just arent inspecting ALL traffic outbound? We use ZBFW and this is how we do it, otherwise you have to put in any and every port you want to allow out, and if you miss something it simply wont work. So unless you have a GOOD reason to do it the way you are you may want to change things around.
You where somewhat on track with the permit ip any any on the steam. There is no security issue with this, as this policy is applied from your Inside zone to your outside zone. You have no zone-pair defined for your outside zone to inside zone, so by default all of this traffic is dropped. The "inspect" portion of the zbfw opens up a session in the firewall that allows bidirectional traffic to be trasmitted between the two parties. This is pretty much how any home router works as well.
BUT given that you did have that in place and it still didnt work right is a little odd, but possibily it was getting hit earlier up the chain or something and causing other issues?
To rule out ZBFW being an issue or not i suggest you simplify your config and see if it helps. If not you may need to pass the steam traffic instead of inspect, but you have to pass in both directions, so you WILL have to create a outside to inside zone and pass the class there as well as your inside to outside zone, i can help with this if we get to that point. The way you have your voice traffic class in place right now seems like it wouldnt work right without also passing from out to in. Is it even getting any hits under the show policy-map type inspect zone-pair command?

For now i suggest the following. (or similar)
config t
access-list 105 permit ip any any
class-map type inspect cls-any
match access-group 105

policy-map type inspect PM_01
no class CM_Internet_Traffic
class cls-any
inspect

Also FYI the order of your class-maps do matter under the policy-map, you always want your pass classes to be first before any inspect classes because if any traffic accidently gets caught in an inspect when you really want to pass it that will obviously cause you problems.

Re: [Config] Working on Home Network and Zone-Pair FW

Mon, 26 Dec 2011 15:20:50 EDT

Bigzizzzle posted : Anyone see any problems in my class maps, policy maps, or even how I have writing my zone-pair statements. Still been having issues with specifically Multiplayer Game traffic / server finding with MW2. Other Items work fine Bad Company 2, TF2, CS-Source with there server browsing. Ill have to confirm left 4 dead.

MW2 Specific Ports per Steam KB

Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer

UDP 1500 (outbound)
UDP 3005 (outbound)
UDP 3101 (outbound)
UDP 28960

Only odd thing I notice is that I never see any NAT translations for the outbound UDP 1500, 3005, 3101.

Re: [Config] Working on Home Network and Zone-Pair FW

Wed, 21 Dec 2011 19:01:14 EDT

Bigzizzzle posted : BUMP

Re: [Config] Working on Home Network and Zone-Pair FW

Sun, 18 Dec 2011 20:24:57 EDT

Bigzizzzle posted : I would prefer staying with zone based firewalls. If you see any ACL misconfigurations let me know.

Re: [Config] Working on Home Network and Zone-Pair FW

Sat, 17 Dec 2011 18:30:16 EDT

ladino posted : Would it be too much to switch to an extended ACLs or even Object groups.

Re: [Config] Working on Home Network and Zone-Pair FW

Sat, 17 Dec 2011 17:40:09 EDT

Bigzizzzle posted : Any Ideas, still having issues primarily with MW2 Server browsing / match making.

I did based on another site do solid port mapping. Then create a class-map based on that.

Re: [Config] Working on Home Network and Zone-Pair FW

Thu, 15 Dec 2011 19:08:04 EDT

Bigzizzzle posted : Also this just in I also removed the extended 110 access list. Apparently I do not need it, traffic still flows thru at this point.

So it appears with ZBFW you don't absolutely have to use ACL's.

Re: [Config] Working on Home Network and Zone-Pair FW

Thu, 15 Dec 2011 18:59:10 EDT

Bigzizzzle posted : At his pointed I kind of abandoned use for the ACL Steam-MW2. Since has been removed the form the configuration file.

Re: [Config] Working on Home Network and Zone-Pair FW

Tue, 13 Dec 2011 19:13:21 EDT

HELLFIRE posted : Even if the ACL isn't applied to an interface, it's being used to match / classify traffic,
so I would think it'd match something...

Also curious if you're using this class-map for something

class-map type inspect match-any Steam-MW2

as you have ACL Steam-MW2, but the above class-map isn't using any match criteria.

said by Bigzizzzle:

I thought if i read how Zone based firewalls they didn't really use ACLS to determine traffic flow.

IIRC, ZBFW config doesn't need ACLs applied on the interfaces at all.

At which point I defer to other board members more versed in ZBFW configs to give a hand.

Regards

Re: [Config] Working on Home Network and Zone-Pair FW

Sun, 11 Dec 2011 18:16:17 EDT

Bigzizzzle posted : For what its worth only time I got hits for steam traffic was when in introduced / removed my ACL list 110 from the WAN interface - FA0.

Doing this killed all my other non destined traffic.

I thought if i read how Zone based firewalls they didn't really use ACLS to determine traffic flow.

Got any ideas to rework my config.

Re: [Config] Working on Home Network and Zone-Pair FW

Sun, 11 Dec 2011 18:01:40 EDT

Bigzizzzle posted : Shows no hits. Keep in mind I don't have this access list applied to any interfaces.

Let me post my full config.

 !version 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname MyHappyRouter!boot-start-markerboot system flash c181x-advipservicesk9-mz.124-15.T9.binboot-end-marker!security authentication failure rate 3 logsecurity passwords min-length 6logging buffered 52000enable secret 5 Sanitized!aaa new-model!!aaa authentication login default localaaa authorization exec default local !!aaa session-id commonclock timezone CST -6clock summer-time CDT recurring!###removed the Cryto Self Sized stuff###  quitdot11 syslog!dot11 ssid Sanitized   vlan 1   authentication open    authentication key-management wpa   wpa-psk ascii 7 Sanitized!no ip source-routeno ip gratuitous-arps!!ip cefno ip dhcp use vrf connectedip dhcp excluded-address 192.168.1.10ip dhcp excluded-address 192.168.1.20 192.168.1.254!ip dhcp pool Lan   import all   network 192.168.1.0 255.255.255.0   default-router 192.168.1.1    dns-server 75.75.75.75 75.75.76.76    domain-name home.net   lease 5!!no ip bootp serverno ip ips notify loglogin block-for 300 attempts 3 within 30login on-failure log!multilink bundle-name authenticatedparameter-map type regex sdm-regex-nonascii pattern [^\x00-\x80] !!no memory validate-checksumusername Sanitized privilege 15 password 7 Sanitized! !archive log config  hidekeys!!ip tcp synwait-time 10ip ssh time-out 60ip ssh authentication-retries 2ip ssh version 2!class-map type inspect match-any CM_Voice_Traffic match protocol h323 match protocol sip match protocol skinny match protocol sip-tlsclass-map type inspect match-any Email_Client match protocol pop3 match protocol pop3s match protocol imap match protocol imaps match protocol smtpclass-map type inspect match-any sdm-cls-icmp-access match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Web_Traffic match protocol http match protocol https match protocol dnsclass-map type inspect match-any CM_IMCP match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Steam-MW2class-map type inspect match-all CM_ICMP_INSPECT match class-map CM_IMCPclass-map type inspect match-any Server-Lab(WebTraffic) match protocol http match protocol https match protocol dnsclass-map type inspect match-all sdm-icmp-access match class-map sdm-cls-icmp-accessclass-map type inspect match-all sdm-invalid-src match access-group 101class-map type inspect match-any CM_Internet_Traffic match protocol tcp match protocol udp match protocol icmp match protocol ftp match protocol tftp match protocol sql-net match protocol sqlserv match protocol sqlsrv match protocol imap match protocol imap3 match protocol imaps match protocol smtp match protocol pop3 match protocol pop3s match protocol http match protocol https match protocol aol match access-group name Steam match protocol dns match protocol cuseeme match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol streamworks match protocol vdolive!!policy-map type inspect Web-Traffic class type inspect Server-Lab(WebTraffic)  inspect class class-defaultpolicy-map type inspect PM_01 class type inspect CM_Internet_Traffic  inspect class type inspect CM_Voice_Traffic  pass class class-defaultpolicy-map type inspect CM_IMCP description ICMP_Controlpolicy-map type inspect PM_ICMP_REPLY class type inspect CM_ICMP_INSPECT  inspect class class-default  passpolicy-map type inspect Email_Client_Processing class type inspect Email_Client!zone security out-zonezone security in-zonezone security Server-Labzone-pair security CM_Internet_Traffic source in-zone destination out-zone service-policy type inspect PM_01zone-pair security CM_ICMP_INSPECT source self destination out-zone service-policy type inspect PM_ICMP_REPLYzone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone description Allowed Web Traffic from Server Lab Lan to Outside service-policy type inspect Web-Trafficbridge irb!!!interface Null0 no ip unreachables!interface FastEthernet0 description WAN_Comcast ip address dhcp client-id FastEthernet0 ip access-group 110 in no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip virtual-reassembly zone-member security out-zone ip route-cache flow duplex auto speed auto no cdp enable!interface FastEthernet0.50 encapsulation dot1Q 50 no cdp enable!interface FastEthernet1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow shutdown duplex auto speed auto no cdp enable!interface FastEthernet2 switchport access vlan 50 no cdp enable spanning-tree portfast!interface FastEthernet3 no cdp enable spanning-tree portfast!interface FastEthernet4 no cdp enable spanning-tree portfast!interface FastEthernet5 no cdp enable spanning-tree portfast!interface FastEthernet6 no cdp enable spanning-tree portfast!interface FastEthernet7 no cdp enable spanning-tree portfast!interface FastEthernet8 no cdp enable spanning-tree portfast!interface FastEthernet9 switchport access vlan 50 no cdp enable spanning-tree portfast!interface Dot11Radio0 no ip address no ip redirects no ip unreachables ip nat inside ip virtual-reassembly ip route-cache flow ! encryption mode ciphers aes-ccm  ! encryption vlan 1 mode ciphers aes-ccm  ! broadcast-key change 3600 ! broadcast-key vlan 1 change 3600 membership-termination capability-change ! ! ssid Sanitized ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 channel 2452 station-role root no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Dot11Radio0.1 encapsulation dot1Q 1 native no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Dot11Radio1 no ip address no ip redirects no ip unreachables no ip proxy-arp ip route-cache flow shutdown speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 station-role root no cdp enable!interface Vlan1 no ip address bridge-group 1!interface Vlan50 description Server_Lab ip address 10.10.50.254 255.255.255.0 ip nat inside ip virtual-reassembly zone-member security Server-Lab!interface Async1 no ip address no ip redirects no ip unreachables no ip proxy-arp encapsulation slip shutdown!interface BVI1 description $FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 no ip redirects no ip unreachables no ip proxy-arp ip nbar protocol-discovery ip nat inside ip virtual-reassembly zone-member security in-zone ip route-cache flow!ip forward-protocol nd!!no ip http serverip http access-class 6ip http authentication localno ip http secure-serverip nat inside source list 3 interface FastEthernet0 overloadip nat inside source list 50 interface FastEthernet0 overload!ip access-list extended Steam remark ports required for steam games permit udp any range 27000 27015 any permit udp any range 27015 27030 any permit udp any eq 4380 any permit tcp any range 27014 27050 any permit udp any eq 28960 any permit udp any any eq 3478 permit udp any any eq 4379 permit udp any any eq 4380 permit udp any any eq 1500 permit udp any any eq 3005 permit udp any any eq 3101 permit ip any anyip access-list extended Steam-MW2 permit udp any eq 1500 any log-input permit udp any eq 3005 any log-input permit udp any eq 3101 any log-input permit udp any eq 28960 any log-input permit ip any any!access-list 1 remark HTTP Access-class listaccess-list 1 remark SDM_ACL Category=1access-list 1 permit 192.168.1.0 0.0.0.255access-list 1 deny   anyaccess-list 2 remark HTTP Access-class listaccess-list 2 remark SDM_ACL Category=1access-list 2 permit 192.168.1.0 0.0.0.255access-list 2 deny   anyaccess-list 3 remark NAT_Statement_VLAN1access-list 3 permit 192.168.1.0 0.0.0.255access-list 4 remark HTTP Access-class listaccess-list 4 remark SDM_ACL Category=1access-list 4 permit 192.168.1.0 0.0.0.255access-list 4 deny   anyaccess-list 5 remark HTTP Access-class listaccess-list 5 remark SDM_ACL Category=1access-list 5 permit 192.168.1.0 0.0.0.255access-list 5 deny   anyaccess-list 6 remark HTTP Access-class listaccess-list 6 remark SDM_ACL Category=1access-list 6 permit 192.168.1.0 0.0.0.255access-list 6 deny   anyaccess-list 50 permit 10.10.50.0 0.0.0.255access-list 100 remark SDM_ACL Category=1access-list 100 remark VTY Access-class listaccess-list 101 remark SDM_ACL Category=128access-list 101 permit ip host 255.255.255.255 anyaccess-list 101 permit ip 127.0.0.0 0.255.255.255 anyaccess-list 102 remark SDM_ACL Category=0access-list 102 permit ip any host 192.168.1.1access-list 103 remark SDM_ACL Category=0access-list 103 permit ip any host 192.168.1.1access-list 104 remark SDM_ACL Category=0access-list 104 permit ip any host 192.168.1.1access-list 110 remark Inbound_NAT_Permitaccess-list 110 permit udp any eq bootps any eq bootpcaccess-list 110 permit udp host 75.75.75.75 eq domain anyaccess-list 110 permit udp host 75.75.76.76 eq domain anyaccess-list 110 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 110 deny   ip 10.0.0.0 0.255.255.255 any logaccess-list 110 deny   ip 224.0.0.0 31.255.255.255 any logaccess-list 110 deny   ip host 0.0.0.0 any logaccess-list 110 deny   ip host 255.255.255.255 any logaccess-list 110 deny   ip 192.168.0.0 0.0.255.255 any logaccess-list 110 deny   ip 172.16.0.0 0.0.255.255 any logaccess-list 110 permit ip any anyno cdp run!!!!!!control-plane!bridge 1 protocol ieeebridge 1 route ipbanner login C  NOTICE TO USERSNOTICE TO USERS THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only.Users (authorized or unauthorized) have no explicit or implicitexpectation of privacy. Any or all uses of this system and all files on this system maybe intercepted, monitored, recorded, copied, audited, inspected,and disclosed to authorized site and law enforcement personnel,as well as authorized officials of other agencies, both domesticand foreign.  By using this system, the user consents to suchinterception, monitoring, recording, copying, auditing, inspection,and disclosure at the discretion of authorized site personnel. Unauthorized or improper use of this system may result inadministrative disciplinary action and civil and criminal penalties.By continuing to use this system you indicate your awareness of andconsent to these terms and conditions of use.   LOG OFF IMMEDIATELYif you do not agree to the conditions stated in this warning. !line con 0 transport output telnetline 1 modem InOut stopbits 1 speed 115200 flowcontrol hardwareline aux 0 transport output telnetline vty 0 4 session-timeout 3  output access-class 1 in transport input ssh!scheduler allocate 4000 1000scheduler interval 500!webvpn context Default_context ssl authenticate verify all ! no inservice!end

Re: [Config] Working on Home Network and Zone-Pair FW

Sun, 11 Dec 2011 02:05:55 EDT

HELLFIRE posted : Do a "show ip access-list Steam" and see if you're getting any hits on any of
the lines, as a thought.

Regards

Re: [Config] Working on Home Network and Zone-Pair FW

Sat, 10 Dec 2011 18:26:03 EDT

Bigzizzzle posted : Still doesn't look like its passing/inspecting packets with that ACL i created. Or is it how I formatted my Class Map's thats not helping finding / classifying the traffic.

 Router#show policy-map type inspect zone-pair Zone-pair: CM_Internet_Traffic   Service-policy inspect : PM_01     Class-map: CM_Internet_Traffic (match-any)      Match: protocol tcp        1792646 packets, 62807815 bytes        30 second rate 0 bps      Match: protocol udp        1754929 packets, 120657222 bytes        30 second rate 0 bps      Match: protocol icmp        7761 packets, 168813 bytes        30 second rate 0 bps      Match: protocol ftp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol tftp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol sql-net        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol sqlserv        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol sqlsrv        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol imap        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol imap3        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol imaps        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol smtp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol pop3        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol pop3s        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol http        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol https        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol aol        0 packets, 0 bytes        30 second rate 0 bps      Match: access-group name Steam        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol dns        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol cuseeme        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol netshow        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol shell        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol realmedia        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol rtsp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol streamworks        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol vdolive        0 packets, 0 bytes        30 second rate 0 bps      Inspect        Packet inspection statistics [process switch:fast switch]        tcp packets: [755839:513276469]        udp packets: [1110195:29053783]        icmp packets: [3991:3120]         Session creations since subsystem startup or last reset 1433730        Current session counts (estab/half-open/terminating) [30:0:0]        Maxever session counts (estab/half-open/terminating) [6612:340:83]        Last session created 00:00:29        Last statistic reset never        Last session creation rate 10        Maxever session creation rate 2168        Last half-open session total 0

Re: [Config] Working on Home Network and Zone-Pair FW

Sat, 10 Dec 2011 18:21:33 EDT

Bigzizzzle posted : removed the permit ip any any.

What next.

Re: [Config] Working on Home Network and Zone-Pair FW

Sat, 10 Dec 2011 17:19:33 EDT

nosx posted : "permit ip any any " is mildly suspicious.
It means that the line "match access-group name Steam " will match all packets, negating any lines below it, and if you are permitting all traffic why bother having a firewall at all.

[Config] Working on Home Network and Zone-Pair FW

Sat, 10 Dec 2011 13:22:26 EDT

Bigzizzzle posted : Problem: Currently is with some steam games.

On select steam games MW2 im having issues with finding servers or server browsing. Per Steam site here are the required ports.

Your network must be configured to allow Steam access to the following ports (in order from highest to lowest priority for QoS users):

Steam Client
UDP 27000 to 27015 inclusive (Game client traffic)
UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
TCP 27014 to 27050 inclusive (Steam downloads)
UDP 4380

Dedicated or Listen Servers
TCP 27015 (SRCDS Rcon port)

Steamworks P2P Networking and Steam Voice Chat
UDP 3478 (Outbound)
UDP 4379 (Outbound)
UDP 4380 (Outbound)

Additional Ports for Call of Duty: Modern Warfare 2 Multiplayer
UDP 1500 (outbound)
UDP 3005 (outbound)
UDP 3101 (outbound)
UDP 28960

Below is a Steam ACL I created not sure if its correct.

 ip access-list extended Steam remark ports required for steam games permit udp any range 27000 27015 any permit udp any range 27015 27030 any permit udp any eq 4380 any permit tcp any range 27014 27050 any permit udp any eq 28960 any permit udp any any eq 3478 permit udp any any eq 4379 permit udp any any eq 4380 permit udp any any eq 1500 permit udp any any eq 3005 permit udp any any eq 3101 permit ip any any

Below Is my current overall Zone-Pair Firewall setup.

 !class-map type inspect match-any CM_Voice_Traffic match protocol h323 match protocol sip match protocol skinny match protocol sip-tlsclass-map type inspect match-any Email_Client match protocol pop3 match protocol pop3s match protocol imap match protocol imaps match protocol smtpclass-map type inspect match-any sdm-cls-icmp-access match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Web_Traffic match protocol http match protocol https match protocol dnsclass-map type inspect match-any CM_IMCP match protocol icmp match protocol tcp match protocol udpclass-map type inspect match-any Steam-MW2class-map type inspect match-all CM_ICMP_INSPECT match class-map CM_IMCPclass-map type inspect match-any Server-Lab(WebTraffic) match protocol http match protocol https match protocol dnsclass-map type inspect match-all sdm-icmp-access match class-map sdm-cls-icmp-accessclass-map type inspect match-all sdm-invalid-src match access-group 101class-map type inspect match-any CM_Internet_Traffic match protocol tcp match protocol udp match protocol icmp match protocol ftp match protocol tftp match protocol sql-net match protocol sqlserv match protocol sqlsrv match protocol imap match protocol imap3 match protocol imaps match protocol smtp match protocol pop3 match protocol pop3s match protocol http match protocol https match protocol aol match access-group name Steam match protocol dns match protocol cuseeme match protocol netshow match protocol shell match protocol realmedia match protocol rtsp match protocol streamworks match protocol vdolive!!policy-map type inspect Web-Traffic class type inspect Server-Lab(WebTraffic)  inspect class class-defaultpolicy-map type inspect PM_01 class type inspect CM_Internet_Traffic  inspect class type inspect CM_Voice_Traffic  pass class class-defaultpolicy-map type inspect CM_IMCP description ICMP_Controlpolicy-map type inspect PM_ICMP_REPLY class type inspect CM_ICMP_INSPECT  inspect class class-default  passpolicy-map type inspect Email_Client_Processing class type inspect Email_Client!zone security out-zonezone security in-zonezone security Server-Labzone-pair security CM_Internet_Traffic source in-zone destination out-zone service-policy type inspect PM_01zone-pair security CM_ICMP_INSPECT source self destination out-zone service-policy type inspect PM_ICMP_REPLYzone-pair security Server_LAB_Webtraffic source Server-Lab destination out-zone description Allowed Web Traffic from Server Lab Lan to Outside service-policy type inspect Web-Traffic