Yeah it worked. Thanks!
Great post on Zone Based Firewall
I have a question. I have set up Zone Based Firewall on a Cisco ISR 2921. The router has already been set up with a site-to-site IPsec VPN connection. However, after configuring the router with the policies, zone pairs etc., when I apply the router’s interfaces to be members of the zones to activate ZBF, all the firewall parameters work fine, except one thing: even though the VPN tunnel was still up, I was now unable to pass data to the other end of the VPN link and vice versa.
When I take off the interfaces to be members from their respective zones, I was able to pass data again across the VPN tunnel.
I have included my (truncated) ZBPF setup on my 1841 with an HWIC-1ADSL for reference if it is of help to anyone. I also have a PIX506E between my 1841 and the wired home network for an extra layer of security. The inside interface on the PIX is in the 192.168.1.0/24 subnet and the outside interface that connects directly to the 1841 is on the 10.1.1.0/24 subnet. The PIX gets very hot in our Australian summers, that’s why the lid is off it.
!
class-map type inspect match-any self-to-outside-cmap
 match access-group name self-to-outside-acl
class-map type inspect match-any outside-to-self-cmap
 match access-group name outside-to-self-acl
class-map type inspect match-any L7-cmap
 match protocol telnet
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tftp
 match protocol https
 match access-group 1
 match access-group 2
class-map type inspect match-any L4-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group 1
 match access-group 2
!
policy-map type inspect inside-to-outside-pmap
 class type inspect L4-cmap
  inspect
 class type inspect L7-cmap
  inspect
 class class-default
  drop
policy-map type inspect outside-to-self-pmap
 class class-default
  drop
policy-map type inspect self-to-outside-pmap
 class type inspect self-to-outside-cmap
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-pmap
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-pmap
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-pmap
!
interface Loopback0
 ip address 220.127.116.11 255.255.255.255
 zone-member security inside
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
 dsl noise-margin -1
 dsl bitswap both
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address 103.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 xxxxxxxxx
 no cdp enable
!
router ospf 1
 router-id 18.104.22.168
 passive-interface Dialer0
 network 22.214.171.124 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
 network 103.x.x.x 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended self-to-outside-acl
 permit icmp any any echo
 permit udp any eq ntp any
 permit udp any host 103.x.x.x eq domain
 permit udp any host 126.96.36.199 eq domain
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp master 3
ntp server 188.8.131.52 prefer source Dialer0
ntp server 184.108.40.206 source Dialer0
end
R1841#
It is a bit untidy still but it works!
There are two things you should check here:
- You should permit IPsec traffic on the zone-pair for your outside zone to the self zone, this is needed for the security association.
- Make sure the traffic that goes through the VPN is also permitted in your zone-pair(s).
For example, let’s say your router has an INSIDE, OUTSIDE and SELF zone. Your local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.
You will need one zone-pair for OUTSIDE_TO_SELF that permits isakmp, something like this:
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
For the VPN traffic, you will need a zone pair for INSIDE_TO_OUTSIDE that inspects traffic. This will only allow VPN traffic if it is originated from the 192.168.1.0/24 network. It might be better to create two zone-pairs:
Instead of using inspect, use regular permits. Something like:
ip access-list extended LAN1_LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended LAN2_LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Attach LAN1_LAN2 to the INSIDE_TO_OUTSIDE zone-pair with a permit and LAN2_LAN1 to OUTSIDE_TO_INSIDE with a permit.
Hope this helps, if not let me know and I’ll see if I can post a complete configuration example.
Thanks for the post, Rene.
I would really appreciate it if you could post a configuration example which of course includes ZBF and a successful VPN example.
Here’s an example:
class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
class-map type inspect match-all ICMP
 match access-group name ICMP
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
 class type inspect DHCP
  pass
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 description LAN_TO_WAN TRAFFIC
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN destination LAN
 description WAN_TO_LAN TRAFFIC
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_SELF source WAN destination self
 description WAN_TO_SELF TRAFFIC
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any
ip access-list extended ICMP
 permit icmp any any
ip access-list extended ISAKMP_IPSEC
 permit udp host <remote_peer> any eq isakmp
 permit esp host <remote_peer> any
 permit udp host <remote_peer> any eq non500-isakmp
ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended WAN_TO_LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
This will allow a remote peer to establish an IPSec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.
Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).
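To make the two points from the earlier answer concrete (the WAN-to-self zone-pair has to pass ISAKMP/ESP, and the decrypted VPN traffic needs its own zone-pair), here is a small Python model of how ZBF evaluates a flow: zone-pair, then policy-map, then class-map, then ACL. This is example code added for this thread, not Rene's configuration or anything from Cisco IOS. It encodes the configuration example above, with a constructed placeholder peer 203.0.113.2 standing in for <remote_peer> and 198.51.100.1 for the router's own WAN address, plus a variant that mirrors the first poster's setup where the outside-to-self policy drops everything. The zone each flow arrives in and leaves from is given directly (the routing lookup is out of scope). The defaults it applies are the documented ZBF ones: intra-zone traffic passes, inter-zone traffic with no zone-pair drops, traffic to or from the self zone with no zone-pair passes, and class-default with no action drops.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed "match protocol" table: name -> (IP protocol, destination port or None)
PROTOCOLS = {"isakmp": ("udp", 500), "non500-isakmp": ("udp", 4500), "esp": ("esp", None),
             "icmp": ("icmp", None)}

def net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)  # ACL 'any' or CIDR

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    src_zone: str  # zone of the ingress interface ("self" for the router itself)
    dst_zone: str  # zone of the egress interface; the routing lookup is out of scope

@dataclass
class Ace:
    """One extended ACL entry: permit <proto> <src> <dst> [eq <dport>]."""
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return (ipaddress.ip_address(flow.src) in net(self.src)
                and ipaddress.ip_address(flow.dst) in net(self.dst))

class Zbf:
    def __init__(self):
        self.acls, self.class_maps, self.policy_maps, self.zone_pairs = {}, {}, {}, {}
    def access_list(self, name, *aces): self.acls[name] = list(aces)
    def class_map(self, name, *matches): self.class_maps[name] = list(matches)  # match-any
    def policy_map(self, name, *classes): self.policy_maps[name] = list(classes)
    def zone_pair(self, src, dst, policy): self.zone_pairs[(src, dst)] = policy

    def class_matches(self, name: str, flow: Flow) -> bool:
        for kind, arg in self.class_maps[name]:
            if kind == "access-group" and any(a.matches(flow) for a in self.acls[arg]):
                return True
            if kind == "protocol":
                proto, port = PROTOCOLS[arg]
                if flow.proto == proto and (port is None or flow.dport == port):
                    return True
        return False

    def action(self, flow: Flow) -> str:
        if flow.src_zone == flow.dst_zone:
            return "pass"                       # intra-zone traffic is not policed
        policy = self.zone_pairs.get((flow.src_zone, flow.dst_zone))
        if policy is None:                      # no zone-pair for this direction
            return "pass" if "self" in (flow.src_zone, flow.dst_zone) else "drop"
        for cls, act in self.policy_maps[policy]:
            if cls == "class-default" or self.class_matches(cls, flow):
                return act or "drop"            # class-default with no action drops
        return "drop"

def build_firewall(vpn_rules: bool = True) -> Zbf:
    """Rene's example above; vpn_rules=False mirrors the first poster's setup."""
    fw = Zbf()
    peer = "203.0.113.2/32"  # constructed placeholder for <remote_peer>
    fw.access_list("ISAKMP_IPSEC", Ace("udp", peer, "any", 500),
                   Ace("esp", peer, "any"), Ace("udp", peer, "any", 4500))
    fw.access_list("ICMP", Ace("icmp", "any", "any"))
    fw.access_list("LAN_TO_WAN", Ace("ip", "192.168.1.0/24", "192.168.2.0/24"))
    fw.access_list("WAN_TO_LAN", Ace("ip", "192.168.2.0/24", "192.168.1.0/24"))
    for name in ("ISAKMP_IPSEC", "ICMP", "LAN_TO_WAN", "WAN_TO_LAN"):
        fw.class_map(name, ("access-group", name))
    fw.policy_map("LAN_TO_WAN", ("LAN_TO_WAN", "pass"), ("class-default", "drop"))
    fw.zone_pair("LAN", "WAN", "LAN_TO_WAN")
    if vpn_rules:
        fw.policy_map("WAN_TO_SELF", ("ICMP", "pass"), ("ISAKMP_IPSEC", "pass"),
                      ("class-default", "drop"))
        fw.policy_map("WAN_TO_LAN", ("WAN_TO_LAN", "pass"), ("class-default", "drop"))
        fw.zone_pair("WAN", "LAN", "WAN_TO_LAN")
    else:
        fw.policy_map("WAN_TO_SELF", ("class-default", "drop"))  # nothing reaches self
    fw.zone_pair("WAN", "self", "WAN_TO_SELF")
    return fw

# Constructed sample flows; 198.51.100.1 stands in for the router's own WAN address.
FLOWS = {
    "IKE from peer": Flow("203.0.113.2", "198.51.100.1", "udp", 500, "WAN", "self"),
    "ESP from peer": Flow("203.0.113.2", "198.51.100.1", "esp", None, "WAN", "self"),
    "IKE reply to peer": Flow("198.51.100.1", "203.0.113.2", "udp", 500, "self", "WAN"),
    "decrypted remote to LAN": Flow("192.168.2.10", "192.168.1.10", "tcp", 445, "WAN", "LAN"),
    "LAN to remote": Flow("192.168.1.10", "192.168.2.10", "tcp", 445, "LAN", "WAN"),
}

def evaluate(fw: Zbf) -> dict:
    """Action the firewall applies to each sample flow, keyed by its label."""
    return {label: fw.action(flow) for label, flow in FLOWS.items()}
```

Running `evaluate(build_firewall(False))` shows the symptom from the first post: IKE and ESP from the peer are dropped at the WAN-to-self pair, and the decrypted remote-to-LAN traffic is dropped because no WAN-to-LAN zone-pair exists, while LAN-to-remote and the router's own replies still pass. With `build_firewall()` all five flows pass. The model only evaluates the direction of the first packet; a `pass` action does not create a session for return traffic, which is why the example above needs both the LAN_TO_WAN and WAN_TO_LAN pairs.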
When should I use zone-based or per-interface?
CBAC is the “legacy” firewall on Cisco IOS which works on the interface level. ZBF is the “new” firewall that uses Zones.
The main advantage of using zones is that it’s scalable. With CBAC, when you add a new interface then you’ll have to make changes to the interface. When you use ZBF, the only thing you need to do is add that interface to a zone and that’s it.
ZBF is CBAC’s replacement so I wouldn’t use CBAC anymore.
Is there any way of incorporating network or service object-groups into a ZBPF? I have been defining them for some ACLs and can’t see any way to use them for firewall setup.
ZBF uses policy-maps > class-maps > acls.
So you could include them in your access-lists if you want?
I realise that but it seems a bit of an inefficiency to not be able to directly integrate them into class-maps. The only things we can match in a class-map are access-groups, class-maps, protocols and user-groups, not object-groups.
How are you? I am facing a problem on zone-based FW. Actually I want to deploy the below:
Zone pair WAN_TO_LAN all Traffic Allow except SIP and H323
Zone pair LAN_TO_WAN all Traffic Allow
So how will I create multiple pass/drop on an interface?
This is no problem. On your LAN_TO_WAN zone-pair, I would add an inspect rule for all traffic. This will allow all traffic from LAN to WAN including the permit traffic.
For the WAN_TO_LAN traffic, you can create an access-list that has two permit entries. One for SIP and another one for H323. You can also use the inspect rule for this, it will allow this traffic to go from WAN to LAN including the return traffic.
How do you define the default action for class class-default?
Could you also give us a lesson on parameter-maps and their usage and application please?
It’s in the policy-map, take a look below:
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
The output above is from the running configuration. Here’s how to change it:
R2(config)#policy-map type inspect LAN-TO-WAN
R2(config-pmap)#class class-default
R2(config-pmap-c)#?
Policy-map class configuration commands:
  drop  Drop the packet
  exit  Exit from class action configuration mode
  no    Negate or set default values of a command
  pass  Pass the packet

R2(config-pmap-c)#pass
The parameters can be used to check for certain DNS/TCP/UDP parameters and such. Here’s a quick example:
class-map type inspect match-all HTTP_TRAFFIC
 match protocol http
!
parameter-map type inspect TCP_PARAMETERS
 tcp idle-time 15
!
policy-map type inspect test
 class type inspect HTTP_TRAFFIC
  inspect TCP_PARAMETERS
Instead of just using “inspect”, we are also referring to a parameter-map where we specify that the TCP idle time is 15 seconds. There’s a bunch of parameters you can choose from:
R1(config-profile)#?
parameter-map commands:
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  dns-timeout     Specify timeout for DNS
  exit            Exit from parameter-map
  icmp            Config timeout values for icmp
  ipv6            Config IPv6 specific parameters
  max-incomplete  Specify maximum number of incomplete connections before clamping
  no              Negate or set default values of a command
  one-minute      Specify one-minute-sample watermarks for clamping
  sessions        Maximum number of inspect sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  zone-mismatch   Configure Zone mismatch

R1(config-profile)#tcp ?
  finwait-time              Specify timeout for TCP connections after a FIN
  idle-time                 Specify idle timeout for tcp connections
  max-incomplete            Specify max half-open connection per host
  synwait-time              Specify timeout for TCP connections after a SYN and no further data
  window-scale-enforcement  Window scale option for TCP packet
Hope this helps!
In your example:
policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect
 class class-default
  drop
When you specify the drop action for the class-default, does this set the default for all instances of class-default for all policy-maps or is it specific to just that policy-map? Can another policy-map have the class-default of pass concurrently?
This only applies to this particular policy-map. For each policy-map, you can set a different action under the class-default class.
You can see it because of the nested structure. The “class type inspect ICMP” and “class class-default” belong under this policy-map. The “drop” command is nested under the class class-default.
Thanks for clearing that up Rene.
Rene, in the following config lifted from the CCP default policy:
policy-map type inspect ccp-permit
 class class-default
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
Does not specifying anything as the class-default result in all traffic being dropped? Does the class-default have an implicit drop in this situation?
Since this is the service-policy for traffic from the outside to the inside I’m assuming that a class-default not being defined would result in a drop action.