Contest #1 – Win N1,500 Airtime: Cisco IOS ZBF and NAT

Posted: June 28, 2015 in Contests

In the network diagram below, there are no routes configured on the routers, yet there should be connectivity among all the routers; therefore, NAT is configured on R1. Zone-based policy firewall (ZBF) is also enabled on R1. TCP, UDP and ICMP traffic should be inspected from the inside to the outside. ICMP from R3 to R2 is the only traffic that should be inspected from the outside to the inside. All other traffic should be dropped.

[Network diagram: Contest#1 (R2 – R1 – R3, with NAT and ZBF on R1)]
There are a couple of configuration errors on R1; can you spot them and fix the config? The winner gets 1,500 Naira airtime to any Nigerian phone number. Please read contest rules here.

ip access-list extended OUT_TO_IN_ACL
 permit icmp host 192.168.13.3 host 192.168.13.2
!
class-map type inspect match-all IN_TO_OUT_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all OUT_TO_IN_CMAP
 match access-group name OUT_TO_IN_ACL
!
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  drop
 class class-default
  inspect
policy-map type inspect OUT_TO_IN_PMAP
 class type inspect OUT_TO_IN_CMAP
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
zone-pair security ZP_IN_TO_OUT source inside destination outside
 service-policy type inspect IN_TO_OUT_PMAP
zone-pair security ZP_OUT_TO_IN source outside destination inside
 service-policy type inspect OUT_TO_IN_PMAP
!
interface fa0/0
 ip address 192.168.12.1 255.255.255.0
 ip nat outside
 zone-member security inside
!
interface fa0/1
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
 zone-member security outside
!
ip nat source static 192.168.12.2 192.168.13.2
ip nat source static 192.168.13.3 192.168.12.3

Hint: R2 has an IP address of 192.168.12.2. R3 has an IP address of 192.168.13.3.

Note: You don’t have to paste the entire working config. Just highlight the parts with the errors and the fix for those errors.
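As an added illustration (not part of the contest or its published solution), the following Python checker parses R1's ZBF configuration and lists the places where it contradicts the requirement stated above for the inside-to-outside direction: TCP, UDP and ICMP inspected, everything else dropped. It also reports two IOS points a reviewer would raise: a match-all class-map carrying several match protocol lines, and ip nat source static lines without the inside/outside keyword. The excerpt it reads is copied from the contest config; the function names are mine, and it makes no call on the NAT direction or the ACL address that the contest turns on.

```python
# Constructed excerpt of the contest's R1 config: the ZBF and NAT stanzas this check reads.
R1_CONFIG = """\
class-map type inspect match-all IN_TO_OUT_CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN_TO_OUT_PMAP
 class type inspect IN_TO_OUT_CMAP
  drop
 class class-default
  inspect
zone-pair security ZP_IN_TO_OUT source inside destination outside
 service-policy type inspect IN_TO_OUT_PMAP
ip nat source static 192.168.12.2 192.168.13.2
"""

def parse_blocks(cfg):
    """Group an IOS config into {stanza header: [indented child lines]}; '!' or a blank line ends a stanza."""
    blocks, cur = {}, None
    for raw in cfg.splitlines():
        if raw.strip() in ("", "!"): cur = None
        elif raw[0] != " ": cur, blocks[raw.strip()] = raw.strip(), []
        elif cur: blocks[cur].append(raw.strip())
    return blocks

def policy_actions(blocks, pmap):
    """Map each class of an inspect policy-map to its action (inspect/drop/pass)."""
    actions, cls = {}, None
    for line in blocks.get(f"policy-map type inspect {pmap}", []):
        if line.startswith("class "): cls = line.split()[-1]
        elif cls and line in ("inspect", "drop", "pass"): actions[cls] = line
    return actions

def check_inside_to_outside(cfg, protos=("tcp", "udp", "icmp")):
    """Return findings that contradict 'inspect TCP/UDP/ICMP inside->outside, drop everything else'."""
    blocks, findings = parse_blocks(cfg), []
    pair = next((h for h in blocks if h.startswith("zone-pair") and h.endswith("source inside destination outside")), None)
    pmap = next((l.split()[-1] for l in blocks.get(pair, []) if l.startswith("service-policy")), None)
    for cls, action in policy_actions(blocks, pmap).items():
        hdr = next((h for h in blocks if h.startswith("class-map type inspect") and h.endswith(" " + cls)), "")
        matched = {l.split()[-1] for l in blocks.get(hdr, []) if l.startswith("match protocol ")}
        if cls == "class-default" and action != "drop":
            findings.append(f"{pmap}: class-default is '{action}', required drop")
        elif matched & set(protos) and action != "inspect":
            findings.append(f"{pmap}: {cls} matches {sorted(matched)} but action is '{action}', required inspect")
        if "match-all" in hdr and len(matched) > 1:  # match-all ANDs its criteria: no flow is tcp AND udp AND icmp
            findings.append(f"{cls}: match-all with {len(matched)} protocols never matches a flow; use match-any")
    findings += [f"'{h}': missing inside/outside keyword"  # IOS syntax is 'ip nat inside|outside source static ...'
                 for h in blocks if h.startswith("ip nat source static")]
    return findings
```

Running it on the excerpt yields four findings; once the actions are swapped, the class-map made match-any and the NAT keyword supplied, it returns an empty list.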

Update: This contest is now closed. The solution has been posted here.

Comments
  1. Michael says:

    The permit icmp host command on the second line is configured with the wrong IP address.


  2. Mr Sturvs says:

    Okay, since no one cares about the recharge card... I think I found a few fixes.

    ip access-list extended OUT_TO_IN_ACL
    permit icmp host 192.168.13.3 host 192.168.12.2

    policy-map type inspect IN_TO_OUT_PMAP
    class type inspect IN_TO_OUT_CMAP
    INSPECT
    class class-default
    DROP

    interface fa0/0
    ip address 192.168.12.1 255.255.255.0
    ip nat INSIDE
    zone-member security inside
    !
    interface fa0/1
    ip address 192.168.13.1 255.255.255.0
    ip nat OUTSIDE
    zone-member security outside

    ip nat INSIDE source static 192.168.12.2 192.168.13.1


  3. Olu says:

    1) Wrong destination IP address in access list
    ip access-list extended OUT_TO_IN_ACL
    permit icmp host 192.168.13.3 host 192.168.12.2

    2) Wrong action in policy map
    policy-map type inspect IN_TO_OUT_PMAP
    class type inspect IN_TO_OUT_CMAP
    inspect
    class class-default
    drop

    3) Wrong NAT tags on interfaces
    interface fa0/0
    ip nat inside
    !
    interface fa0/1
    ip nat outside

    4) Wrong NATing
    ip nat source static 192.168.12.2 192.168.13.1
    ip nat source static 192.168.13.3 192.168.12.1


  4. In the class-map:
    class-map type inspect match-all OUT_TO_IN_CMAP
    match access-group name OUT_TO_IN_ACL

    It shouldn’t match access-group; it should match access-list name.
