Very nice explanation… now I understand the difference between drop, pass and inspect…
One more question…
I tried this policy:
ip access-list extended ALLOW_ALL
permit ip host 20.20.20.3 any
permit ip host 30.30.30.3 any
permit ip host 40.40.40.3 any
class-map type inspect match-all BOS
match access-group name ALLOW_ALL
policy-map type inspect V1_TO_ALL
class type inspect BOS
inspect
Why do I get this message when I type “inspect” in the policy-map?
"%No specific protocol configured in class BOS for inspection. All protocols will be inspected"
I have a question. I have set up Zone Based Firewall on a Cisco ISR 2921. The router had already been set up with a site-to-site IPsec VPN connection. However, after configuring the router with the policies, zone pairs etc., when I apply the router’s interfaces as members of the zones to activate ZBF, all the firewall parameters work fine except for one thing: even though the VPN tunnel was still up, I was unable to pass data to the other end of the VPN link and vice versa.
When I take the interfaces out of their respective zones, I was able to pass data across the VPN tunnel again.
I have included my (truncated) ZBPF setup on my 1841 with an HWIC-1ADSL for reference if it is of help to anyone. I also have a PIX506E between my 1841 and the wired home network for an extra layer of security. The inside interface on the PIX is in the 192.168.1.0/24 subnet and the outside interface that connects directly to the 1841 is on the 10.1.1.0/24 subnet. The PIX gets very hot in our Australian summers, that’s why the lid is off it.
!
class-map type inspect match-any self-to-outside-cmap
match access-group name self-to-outside-acl
class-map type inspect match-any outside-to-self-cmap
match access-group name outside-to-self-acl
class-map type inspect match-any L7-cmap
match protocol telnet
match protocol smtp
match protocol pop3
match protocol imap
match protocol http
match protocol ftp
match protocol dns
match protocol tftp
match protocol https
match access-group 1
match access-group 2
class-map type inspect match-any L4-cmap
match protocol tcp
match protocol udp
match protocol icmp
match access-group 1
match access-group 2
!
policy-map type inspect inside-to-outside-pmap
class type inspect L4-cmap
inspect
class type inspect L7-cmap
inspect
class class-default
drop
policy-map type inspect outside-to-self-pmap
class class-default
drop
policy-map type inspect self-to-outside-pmap
class type inspect self-to-outside-cmap
inspect
class class-default
drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside-pmap
zone-pair security outside-to-self source outside destination self
service-policy type inspect outside-to-self-pmap
zone-pair security self-to-outside source self destination outside
service-policy type inspect self-to-outside-pmap
!
interface Loopback0
ip address 1.8.4.1 255.255.255.255
zone-member security inside
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
speed 100
full-duplex
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl noise-margin -1
dsl bitswap both
!
interface ATM0/1/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
interface Dialer0
ip address 103.x.x.x 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx
ppp chap password 0 xxxxxxxxx
no cdp enable
!
router ospf 1
router-id 8.8.8.8
passive-interface Dialer0
network 1.8.4.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
network 103.x.x.x 0.0.0.0 area 0
network 172.16.1.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended self-to-outside-acl
permit icmp any any echo
permit udp any eq ntp any
permit udp any host 103.x.x.x eq domain
permit udp any host 8.8.8.8 eq domain
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
!
line con 0
exec-timeout 0 0
logging synchronous
length 512
width 100
stopbits 1
line aux 0
line vty 0 4
access-class 3 in
exec-timeout 0 0
privilege level 15
logging synchronous
terminal-type exit
length 0
width 250
transport input ssh
transport output ssh
escape-character 3
line vty 5 15
access-class 3 in
exec-timeout 0 0
privilege level 15
logging synchronous
terminal-type exit
length 0
width 250
transport input ssh
transport output ssh
escape-character 3
!
scheduler allocate 20000 1000
ntp master 3
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end
R1841#
You should permit IPsec traffic on the zone-pair from your outside zone to the self zone; this is needed for the security association.
Make sure the traffic that goes through the VPN is also permitted in your zone-pair(s).
For example, let’s say your router has an INSIDE, OUTSIDE and SELF zone. Your local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.
You will need one zone-pair for OUTSIDE_TO_SELF that permits isakmp, something like this:
ip access-list extended ISAKMP_IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
For the VPN traffic, you will need a zone pair for INSIDE_TO_OUTSIDE that inspects traffic. This will only allow VPN traffic if it is originated from the 192.168.1.0/24 network. It might be better to create two zone-pairs:
INSIDE_TO_OUTSIDE
OUTSIDE_TO_INSIDE
Instead of using inspect, use regular permits. Something like:
class-map type inspect match-all LAN_TO_WAN
match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
match access-group name ISAKMP_IPSEC
class-map type inspect match-all DHCP
match access-group name DHCP_CLIENT
class-map type inspect match-all ICMP
match access-group name ICMP
!
policy-map type inspect WAN_TO_SELF
class type inspect ICMP
pass
class type inspect ISAKMP_IPSEC
pass
class type inspect DHCP
pass
class class-default
drop
policy-map type inspect WAN_TO_LAN
class type inspect WAN_TO_LAN
pass
class class-default
drop
policy-map type inspect LAN_TO_WAN
class type inspect LAN_TO_WAN
pass
class class-default
drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
description LAN_TO_WAN TRAFFIC
service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN destination LAN
description WAN_TO_LAN TRAFFIC
service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_SELF source WAN destination self
description WAN_TO_SELF TRAFFIC
service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
permit udp any eq bootps any
ip access-list extended ICMP
permit icmp any any
ip access-list extended ISAKMP_IPSEC
permit udp host <remote_peer> any eq isakmp
permit esp host <remote_peer> any
permit udp host <remote_peer> any eq non500-isakmp
ip access-list extended LAN_TO_WAN
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended WAN_TO_LAN
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
This will allow a remote peer to establish an IPSec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.
Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).
CBAC is the “legacy” firewall on Cisco IOS which works on the interface level. ZBF is the “new” firewall that uses Zones.
The main advantage of using zones is that it’s scalable. With CBAC, when you add a new interface then you’ll have to make changes to the interface. When you use ZBF, the only thing you need to do is add that interface to a zone and that’s it.
ZBF is CBAC’s replacement so I wouldn’t use CBAC anymore.
Is there any way of incorporating network or service object-groups into a ZBPF? I have been defining them for some ACLs and can’t see any way to use them for firewall setup.
I realise that but it seems a bit of an inefficiency to not be able to directly integrate them into class-maps. The only things we can match in a class-map are access-groups, class-maps, protocols and user-groups, not object-groups.
This is no problem. On your LAN_TO_WAN zone-pair, I would add an inspect rule for all traffic. This will allow all traffic from LAN to WAN, including the permitted traffic.
For the WAN_TO_LAN traffic, you can create an access-list that has two permit entries. One for SIP and another one for H323. You can also use the inspect rule for this, it will allow this traffic to go from WAN to LAN including the return traffic.
Rene
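As an added example that is not part of the original posts, the following Python model walks through the pass / inspect / drop behaviour described in the VPN answer above and in the reply about inspecting LAN_TO_WAN: inspect records a session so the reply direction is allowed without a WAN_TO_LAN pair, whereas pass is stateless and needs a rule in each direction. The zone names and ACL logic mirror the answer; the flows, the remote peer address and the helper names are constructed assumptions, and this is a simulation, not a Cisco tool.

```python
# Added example, not from the post: a small model of how a ZBF zone-pair policy
# decides on a flow, using the LAN, WAN and self zones from the answer above.
REMOTE_PEER = "203.0.113.10"          # placeholder for the <remote_peer> in the ACL

def in_net(ip, net):                  # /24 membership, enough for these constructed flows
    return ip.rsplit(".", 1)[0] == net.rsplit(".", 1)[0]
def lan_to_wan(f):                    # ACL LAN_TO_WAN: 192.168.1.0/24 -> 192.168.2.0/24
    return in_net(f["src"], "192.168.1.0") and in_net(f["dst"], "192.168.2.0")
def wan_to_lan(f):                    # ACL WAN_TO_LAN: 192.168.2.0/24 -> 192.168.1.0/24
    return in_net(f["src"], "192.168.2.0") and in_net(f["dst"], "192.168.1.0")
def isakmp_ipsec(f):                  # ACL ISAKMP_IPSEC: isakmp, esp, non500-isakmp from the peer
    return f["src"] == REMOTE_PEER and f["proto"] in ("udp/500", "esp", "udp/4500")

# zone-pair -> ordered classes (matcher, action); an unmatched flow hits class-default drop.
POLICY = {
    ("LAN", "WAN"): [(lan_to_wan, "inspect")],
    ("WAN", "self"): [(lambda f: f["proto"] == "icmp", "pass"), (isakmp_ipsec, "pass"),
                      (lambda f: f["proto"] == "udp/67", "pass")],
}

def reverse(f):
    return dict(src_zone=f["dst_zone"], dst_zone=f["src_zone"], src=f["dst"], dst=f["src"], proto=f["proto"])

def decide(flow, sessions, policy=POLICY):
    """Return 'allow' or 'drop'. 'inspect' records the flow so its reverse direction is
    allowed later; 'pass' is stateless, so the reverse direction needs its own rule."""
    if flow["src_zone"] == flow["dst_zone"]:
        return "allow"                                   # intra-zone traffic is not policed
    if frozenset(reverse(flow).items()) in sessions:
        return "allow"                                   # return traffic of an inspected session
    key = (flow["src_zone"], flow["dst_zone"])
    if key not in policy:                                # no zone-pair: drop, but self is open by default
        return "allow" if "self" in key else "drop"
    for match, action in policy[key]:
        if match(flow):
            if action == "inspect":
                sessions.add(frozenset(flow.items()))
            return "drop" if action == "drop" else "allow"
    return "drop"

def vpn_scenario(inspect_only=True):
    """inspect only on LAN_TO_WAN vs. stateless pass on both LAN_TO_WAN and WAN_TO_LAN."""
    policy = dict(POLICY)
    if not inspect_only:
        policy[("LAN", "WAN")] = [(lan_to_wan, "pass")]
        policy[("WAN", "LAN")] = [(wan_to_lan, "pass")]
    sessions = set()
    out = dict(src_zone="LAN", dst_zone="WAN", src="192.168.1.20", dst="192.168.2.20", proto="tcp/445")
    remote_initiated = dict(src_zone="WAN", dst_zone="LAN", src="192.168.2.30", dst="192.168.1.20", proto="tcp/445")
    return {"lan_to_remote": decide(out, sessions, policy),
            "reply": decide(reverse(out), sessions, policy),
            "remote_initiated": decide(remote_initiated, sessions, policy)}
```

With inspect only, a session opened from the LAN gets its reply back but a remote-initiated flow is dropped; with pass in both directions, all three are allowed, which is why the answer suggests two zone-pairs when hosts on either side must initiate.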