Zone Based Firewall Configuration Example

Yeah it worked. Thanks!

Hi Rene

Great post on Zone Based Firewall

I have a question. I have set up Zone Based Firewall on a Cisco ISR 2921. The router had already been set up with a site-to-site IPSEC VPN connection. However, after configuring the router with the policies, zone pairs etc. and making the router’s interfaces members of the zones to activate ZBF, all the firewall parameters worked fine, except for one thing: even though the VPN tunnel was still up, I was now unable to pass data to the other end of the VPN link and vice versa.

When I remove the interfaces from their respective zones, I am able to pass data across the VPN tunnel again.

Please advise

Thanks

Simon

I have included my (truncated) ZBPF setup on my 1841 with an HWIC-1ADSL for reference, in case it is of help to anyone. I also have a PIX506E between my 1841 and the wired home network for an extra layer of security. The inside interface on the PIX is in the 192.168.1.0/24 subnet and the outside interface that connects directly to the 1841 is on the 10.1.1.0/24 subnet. The PIX gets very hot in our Australian summers; that’s why the lid is off it.


!
class-map type inspect match-any self-to-outside-cmap
 match access-group name self-to-outside-acl
class-map type inspect match-any outside-to-self-cmap
 match access-group name outside-to-self-acl
class-map type inspect match-any L7-cmap
 match protocol telnet
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tftp
 match protocol https
 match access-group 1
 match access-group 2
class-map type inspect match-any L4-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group 1
 match access-group 2
!
policy-map type inspect inside-to-outside-pmap
 class type inspect L4-cmap
  inspect 
 class type inspect L7-cmap
  inspect 
 class class-default
  drop
policy-map type inspect outside-to-self-pmap
 class class-default
  drop
policy-map type inspect self-to-outside-pmap
 class type inspect self-to-outside-cmap
  inspect 
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-pmap
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-pmap
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-pmap
!
interface Loopback0
 ip address 1.8.4.1 255.255.255.255
 zone-member security inside
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+ 
 dsl noise-margin -1
 dsl bitswap both
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address 103.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 xxxxxxxxx
 no cdp enable
!
router ospf 1
 router-id 8.8.8.8
 passive-interface Dialer0
 network 1.8.4.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
 network 103.x.x.x 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended self-to-outside-acl
 permit icmp any any echo
 permit udp any eq ntp any
 permit udp any host 103.x.x.x eq domain
 permit udp any host 8.8.8.8 eq domain
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp master 3
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end

R1841#

It is a bit untidy still but it works!

Cheers, Matt.

Hi Simon,

There are two things you should check here:

  • You should permit IPsec traffic on the zone-pair from your outside zone to the self zone; this is needed for the security association.
  • Make sure the traffic that goes through the VPN is also permitted in your zone-pair(s).

For example, let’s say your router has an INSIDE, OUTSIDE and SELF zone. Your local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.

You will need one zone-pair for OUTSIDE_TO_SELF that permits isakmp, something like this:

ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

For the VPN traffic, you will need a zone pair for INSIDE_TO_OUTSIDE that inspects traffic. This will only allow VPN traffic if it is originated from the 192.168.1.0/24 network. It might be better to create two zone-pairs:

INSIDE_TO_OUTSIDE
OUTSIDE_TO_INSIDE

Instead of using inspect, use regular permits. Something like:

ip access-list extended LAN1_LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip access-list extended LAN2_LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Attach LAN1_LAN2 to the INSIDE_TO_OUTSIDE zone-pair with a permit and LAN2_LAN1 to OUTSIDE_TO_INSIDE with a permit.

Hope this helps, if not let me know and I’ll see if I can post a complete configuration example.

Rene

Thanks for the post Rene

I would really appreciate it if you could post a configuration example which of course includes ZBF together with a working VPN.

Thanks.

Simon

Hi Simon,

Here’s an example:

class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
class-map type inspect match-all ICMP
 match access-group name ICMP
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
 class type inspect DHCP
  pass
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass 
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 description LAN_TO_WAN TRAFFIC
 service-policy type inspect LAN_TO_WAN

zone-pair security WAN_TO_LAN source WAN destination LAN
 description WAN_TO_LAN TRAFFIC
 service-policy type inspect WAN_TO_LAN

zone-pair security WAN_TO_SELF source WAN destination self
 description WAN_TO_SELF TRAFFIC
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any

ip access-list extended ICMP
 permit icmp any any

ip access-list extended ISAKMP_IPSEC
 permit udp host <remote_peer> any eq isakmp
 permit esp host <remote_peer> any
 permit udp host <remote_peer> any eq non500-isakmp

ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip access-list extended WAN_TO_LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

This will allow a remote peer to establish an IPSec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.

Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).

Rene
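Added here as a defender's check, not code from the thread or from Cisco: a small Python audit that parses the ZBF objects used in Rene's examples (zone-pair to policy-map to class-map to ACL), flags any class a policy-map references without a matching class-map, and, for every zone-pair whose destination is the self zone, reports whichever of IKE (UDP/500), ESP and NAT-T (UDP/4500) no pass/inspect class permits, which is the first point in Rene's earlier reply. The sample configuration is constructed: it reuses the WAN_TO_SELF names from the example, deliberately omits the ICMP class-map and two of the three IPsec permits so that the check has something to report, and uses 203.0.113.10 as a placeholder peer address.

```python
import re
# Constructed sample in the shape of Rene's WAN_TO_SELF example: the policy-map references a
# class ICMP that is never defined, and the only IPsec-related permit is IKE on UDP/500.
SAMPLE_CONFIG = """\
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF
ip access-list extended ISAKMP_IPSEC
 permit udp host 203.0.113.10 any eq isakmp
"""
IPSEC_NEEDS = {"isakmp": ("udp", "eq isakmp"), "esp": ("esp", ""), "nat-t": ("udp", "eq non500-isakmp")}  # (proto, port)
TOP = (r"(class-map|policy-map|zone-pair|ip access-list) (?:type inspect |security |extended )"
       r"(?:match-\S+ )?(\S+)(?: source (\S+) destination (\S+))?$")

def parse_zbf(text):
    """class-map -> ACL names, policy-map -> [class, action], zone-pair -> [src, dst, policy], ACL -> permits."""
    db, blk = {k: {} for k in ("class-map", "policy-map", "zone-pair", "ip access-list")}, []
    for line in text.splitlines():
        s = line.strip()
        if (m := re.match(TOP, s)) or not line.startswith(" "):   # a new top-level object starts
            blk = db[m[1]].setdefault(m[2], [m[3], m[4]] if m[3] else []) if m else []
        elif m := re.match(r"(?:match access-group name|service-policy type inspect) (\S+)", s):
            blk.append(m[1])
        elif m := re.match(r"class (?:type inspect )?(\S+)", s):
            blk.append([m[1], None])                                # action is on the next line
        elif (m := re.match(r"(pass|inspect|drop)\b", s)) and blk:
            blk[-1][1] = m[1]
        elif s.startswith("permit "):
            blk.append(s)
    return db

def audit(text):
    """Report policy-map classes with no class-map and, on pairs into self, IPsec traffic nothing permits."""
    db, out = parse_zbf(text), []
    for zp, (src, dst, *policy) in db["zone-pair"].items():
        classes = [c for c, a in db["policy-map"].get(policy[0] if policy else "", [])
                   if c != "class-default" and a != "drop"]           # classes that pass or inspect
        out += [f"{zp}: class {c} has no class-map" for c in classes if c not in db["class-map"]]
        allowed = [p for c in classes for acl in db["class-map"].get(c, [])
                   for p in db["ip access-list"].get(acl, [])]       # permit lines that can match
        if dst == "self":
            out += [f"{zp}: no permit for {name}" for name, (proto, tail) in IPSEC_NEEDS.items()
                    if not any(p.split()[1] == proto and tail in p for p in allowed)]
    return out
```

Running audit(SAMPLE_CONFIG) yields one finding for the missing ICMP class-map and two for the missing esp and nat-t permits; the same function run over a router's running-config text (show running-config) covers every zone-pair present.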

When should I use zone-based or per-interface?

Hi Nelly,

CBAC is the “legacy” firewall on Cisco IOS which works on the interface level. ZBF is the “new” firewall that uses Zones.

The main advantage of using zones is that it’s scalable. With CBAC, when you add a new interface then you’ll have to make changes to the interface. When you use ZBF, the only thing you need to do is add that interface to a zone and that’s it.

ZBF is CBAC’s replacement so I wouldn’t use CBAC anymore.

Rene

Is there any way of incorporating network or service object-groups into a ZBPF? I have been defining them for some ACLs and can’t see any way to use them for firewall setup.

Hi Matt,

ZBF uses policy-maps > class-maps > acls.

So you could include them in your access-lists if you want?

Rene

I realise that but it seems a bit of an inefficiency to not be able to directly integrate them into class-maps. The only things we can match in a class-map are access-groups, class-maps, protocols and user-groups, not object-groups.

Hello Rene,

How are you? I am facing a problem with a zone-based FW. Actually I want to deploy the below:

  1. Zone pair WAN_TO_LAN: allow all traffic except SIP and H323

  2. Zone pair LAN_TO_WAN: allow all traffic

So how do I create multiple pass/drop actions on an interface?

br//
zaman

Hi Zaman,

This is no problem. On your LAN_TO_WAN zone-pair, I would add an inspect rule for all traffic. This will allow all traffic from LAN to WAN including the permit traffic.

For the WAN_TO_LAN traffic, you can create an access-list that has two permit entries. One for SIP and another one for H323. You can also use the inspect rule for this, it will allow this traffic to go from WAN to LAN including the return traffic.

Rene


Hi Rene,

How do you define the default action for class class-default?

Could you also give us a lesson on parameter-maps and their usage and application please?

Matt.

Hi Matt,

It’s in the policy-map, take a look below:

policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect 
 class class-default
  drop

The output above is from the running configuration. Here’s how to change it:

R2(config)#policy-map type inspect LAN-TO-WAN
R2(config-pmap)#class class-default                
R2(config-pmap-c)#?
Policy-map class configuration commands:
  drop  Drop the packet
  exit  Exit from class action configuration mode
  no    Negate or set default values of a command
  pass  Pass the packet

R2(config-pmap-c)#pass

The parameters can be used to check for certain DNS/TCP/UDP parameters and such. Here’s a quick example:

class-map type inspect match-all HTTP_TRAFFIC
 match protocol http
!
parameter-map type inspect TCP_PARAMETERS
 tcp idle-time 15
!
policy-map type inspect test
 class type inspect HTTP_TRAFFIC
  inspect TCP_PARAMETERS

Instead of just using “inspect”, we are also referring to a parameter-map where we specify that the TCP idle time is 15 seconds. There’s a bunch of parameters you can choose from:

R1(config-profile)#?   
parameter-map commands:
  alert           Turn on/off alert
  audit-trail     Turn on/off audit trail
  dns-timeout     Specify timeout for DNS
  exit            Exit from parameter-map
  icmp            Config timeout values for icmp
  ipv6            Config IPv6 specific parameters
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  no              Negate or set default values of a command
  one-minute      Specify one-minute-sample watermarks for clamping
  sessions        Maximum number of inspect sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  zone-mismatch   Configure Zone mismatch
R1(config-profile)#tcp ?                                    
  finwait-time              Specify timeout for TCP connections after a FIN
  idle-time                 Specify idle timeout for tcp connections
  max-incomplete            Specify max half-open connection per host
  synwait-time              Specify timeout for TCP connections after a SYN and
                            no further data
  window-scale-enforcement  Window scale option for TCP packet

Hope this helps!

Rene

Thanks Rene,

In your example:

policy-map type inspect LAN-TO-WAN
 class type inspect ICMP
  inspect 
 class class-default
  drop

When you specify the drop action for the class-default, does this set the default for all instances of class-default for all policy-maps or is it specific to just that policy-map? Can another policy-map have the class-default of pass concurrently?

Hi Matt,

This only applies to this particular policy-map. For each policy-map, you can set a different action under the class-default class.

You can see it because of the nested structure. The “class type inspect ICMP” and “class class-default” belong under this policy-map. The “drop” command is nested under the class class-default.

Rene

Thanks for clearing that up Rene.

Rene, in the following config lifted from the CCP default policy:

policy-map type inspect ccp-permit
 class class-default

zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

Does not specifying anything as the class-default result in all traffic being dropped? Does the class-default have an implicit drop in this situation?
Since this is the service-policy for traffic from the outside to the inside I’m assuming that a class-default not being defined would result in a drop action.

Matt.