
Firewall on subinterfaces

Created: Jun 25, 2018 13:14:06 | Latest reply: Jun 25, 2018 14:25:22
  Rewarded HiCoins: 0 (problem resolved)
Hello,
I have an AR2200 router and I am trying to set up a firewall on it. I have three zones: untrust, trust, mgmt.
All the configuration is on subinterfaces. I am trying to limit traffic from the trust zone to the mgmt zone, but it doesn't work. Traffic from IPs in 10.10.14.X/24 can ping IPs in 10.10.10.X/24.

Config:

interface GigabitEthernet0/0/1
 zone untrust
#
interface GigabitEthernet0/0/1.5
 description MGMT
 dot1q termination vid 5
 ip address 1.1.1.1 255.255.255.252
 zone untrust
#
interface GigabitEthernet0/0/1.10
 description MGMT
 dot1q termination vid 10
 ip address 10.10.10.1 255.255.255.0
 zone mgmt
#
interface GigabitEthernet0/0/1.14
 description LAN
 dot1q termination vid 14
 ip address 10.10.14.1 255.255.255.0
 zone trust
#
firewall zone trust
 priority 15
#
firewall zone untrust
 priority 1
#
firewall zone mgmt
 priority 40
#
firewall interzone mgmt trust
 firewall enable
 packet-filter 3004 inbound
#
acl number 3004
 rule 35 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.14.1 0
 rule 36 permit ip source 10.10.10.0 0.0.0.255 destination 10.10.14.11 0
 rule 40 permit ip source 10.10.14.11 0 destination 10.10.10.0 0.0.0.255
 rule 45 deny ip source 10.10.14.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
 rule 47 deny ip source 10.10.10.0 0.0.0.255 destination 10.10.14.0 0.0.0.255
 rule 100 deny ip
#

Regards,



All Answers
TTTony Created Jun 25, 2018 13:22:19

Can you try to set up "firewall interzone trust mgmt", i.e. swap the zones? :)

Poland_Arek Created Jun 25, 2018 13:38:27

Yes, same result.

StarOfWest Created Jun 25, 2018 13:50:16

Is it possible to tell which are the source IP and the destination IP of the ping?

According to your configuration you allow traffic from 10.10.14.1 towards any host in the 10.10.10.0/24 subnet, and the reverse. Anything other than this is denied.

Please provide the exact source IP and destination IP, and check whether the router is generating any session towards that destination. Run the following command while you are pinging:
display firewall session protocol icmp destination 10.10.14.x verbose

Poland_Arek Created Jun 25, 2018 13:58:05

This post was last edited by asmolarek at 2018-06-25 14:02.
Posted by StarOfWest at 2018-06-25 14:02 it's possible to tell which is the source IP and destination IP of the ping? According to your confi ...

I ping the router IP (10.10.10.1) from source IP 10.10.14.100.
I don't see any firewall session while I am pinging.
OK, I see that I have to configure the interzone mgmt to the local zone.

liyajun Created Jun 25, 2018 14:11:45

Posted by asmolarek at 2018-06-25 13:58 Posted by StarOfWest at 2018-06-25 13:58 it's possible to tell which is the source IP and destination ...
When you ping from 10.10.14.100 to 10.10.10.1, the IP packet will not go out through G0/0/1.10; that's why there's no session.
If a packet's destination is the router itself, we should use the local zone.
In this case, please try firewall interzone trust local

StarOfWest Created Jun 25, 2018 14:25:22

Posted by asmolarek at 2018-06-25 08:58 Posted by StarOfWest at 2018-06-25 08:58 it's possible to tell which is the source IP and destination ...
Since you ping the router's IP address, yes, you have to define an interzone policy towards the local zone.
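To make the thread's conclusion concrete, here is a small Python model (added for this page; it is not Huawei code and not the poster's configuration tool) that classifies a flow into zones from the posted config, treats the router's own addresses as the implicit local zone, and evaluates ACL 3004 with VRP-style wildcard masks. Zone names, addresses and rules are taken from the post; the interzone inbound/outbound direction is deliberately not modelled, which is a simplifying assumption.

```python
import ipaddress

# Constructed model of the AR2200 config from the thread (not Huawei software).
# Each entry: (interface address, zone). Addresses owned by the router itself
# form the implicit "local" zone, which is the point liyajun makes.
INTERFACES = [("1.1.1.1/30", "untrust"), ("10.10.10.1/24", "mgmt"),
              ("10.10.14.1/24", "trust")]
ROUTER_IPS = {ipaddress.ip_interface(a).ip for a, _ in INTERFACES}
# Zone pairs that have "firewall interzone ... / packet-filter 3004" applied.
INTERZONES = {frozenset({"mgmt", "trust"})}
# ACL 3004 from the post; CLI wildcard "0" means 0.0.0.0, rule 100 is a match-all deny.
ACL_3004 = [
    (35, "permit", "10.10.10.0", "0.0.0.255", "10.10.14.1", "0.0.0.0"),
    (36, "permit", "10.10.10.0", "0.0.0.255", "10.10.14.11", "0.0.0.0"),
    (40, "permit", "10.10.14.11", "0.0.0.0", "10.10.10.0", "0.0.0.255"),
    (45, "deny", "10.10.14.0", "0.0.0.255", "10.10.10.0", "0.0.0.255"),
    (47, "deny", "10.10.10.0", "0.0.0.255", "10.10.14.0", "0.0.0.255"),
    (100, "deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def wildcard_match(addr, base, wildcard):
    """VRP-style wildcard: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & (0xFFFFFFFF ^ w) == 0

def zone_of(ip):
    """The router's own addresses are 'local'; otherwise the connected zone."""
    ip = ipaddress.ip_address(ip)
    if ip in ROUTER_IPS:
        return "local"
    for addr, zone in INTERFACES:
        if ip in ipaddress.ip_interface(addr).network:
            return zone
    return None

def acl_lookup(acl, src, dst):
    """First-match ACL evaluation, returning (rule id, action)."""
    for rid, action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return rid, action
    return None, "permit"  # no rule matched (rule 100 makes this unreachable here)

def evaluate(src, dst, interzones=INTERZONES):
    """Which interzone a flow belongs to, and what ACL 3004 says about it."""
    pair = frozenset({zone_of(src), zone_of(dst)})
    if pair not in interzones:
        return {"zones": pair, "policy": None, "action": "no interzone policy"}
    rid, action = acl_lookup(ACL_3004, src, dst)
    return {"zones": pair, "policy": rid, "action": action}
```

Running evaluate("10.10.14.100", "10.10.10.1") shows the ping lands in the trust/local pair, which has no policy in the posted config; adding the trust/local pair to the interzone set makes rule 45 deny it.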
