Zone Based Firewall Configuration Example

Very nice explanation... now I understand the difference between drop, pass and inspect.

One more question...
I tried this policy:

ip access-list extended ALLOW_ALL
 permit ip host 20.20.20.3 any
 permit ip host 30.30.30.3 any
 permit ip host 40.40.40.3 any

class-map type inspect match-all BOS
 match access-group name ALLOW_ALL

policy-map type inspect V1_TO_ALL
 class type inspect BOS
  inspect

Why do I get this message when I type "inspect" in the policy-map?

"%No specific protocol configured in class BOS for inspection. All protocols will be inspected"

Hi John,

You used an access-list that matches on IP addresses, not a specific protocol.

Rene
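As an added example (not part of John's or Rene's posts), here is the same policy rewritten so that the class-map also names a protocol, which is what the warning is about: the ACL only describes addresses, so the firewall had nothing to tell it which application inspection to apply. The three hosts are John's; the choice of HTTP and DNS as the inspected protocols is an assumption for illustration.

```cisco
! Hosts carried over from the post above; HTTP and DNS are assumed for illustration
ip access-list extended ALLOW_ALL
 permit ip host 20.20.20.3 any
 permit ip host 30.30.30.3 any
 permit ip host 40.40.40.3 any
!
! "match-all" requires every line to be true at once, so two "match protocol"
! lines in one match-all class would never match. Put the alternatives in a
! nested match-any class and reference it from the match-all class.
class-map type inspect match-any BOS_PROTOCOLS
 match protocol http
 match protocol dns
!
class-map type inspect match-all BOS
 match access-group name ALLOW_ALL
 match class-map BOS_PROTOCOLS
!
policy-map type inspect V1_TO_ALL
 class type inspect BOS
  inspect
 class class-default
  drop log
```

With the protocol match in place the class no longer falls back to generic inspection of every protocol, and anything from those hosts that is not HTTP or DNS lands in class-default and is dropped and logged.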

Thank you very much, I like how you explain things easily and in a professional way.

Appreciated.

Regards,
Raed

If I want edit a policy-map, should I remove the zone-pair first? Would that look something like this:

#conf t
#no zone-pair security "name of zone pair"

Thanks!

Hi Sean,

I’d have to check it but I think you can edit it without removing the zone-pair. It should work right away.

Rene

Yeah it worked. Thanks!

Hi Rene

Great post on Zone Based Firewall

I have a question. I have set up a Zone Based Firewall on a Cisco ISR 2921. The router had already been set up with a site-to-site IPsec VPN connection. However, after configuring the router with the policies, zone pairs etc., when I apply the router's interfaces as members of the zones to activate ZBF, all the firewall parameters work fine except one thing: even though the VPN tunnel was still up, I was unable to pass data to the other end of the VPN link and vice versa.

When I remove the interfaces from their respective zones, I am able to pass data again across the VPN tunnel.

Please advise

Thanks

Simon

I have included my (truncated) ZBPF setup on my 1841 with an HWIC-1ADSL for reference if it is of help to anyone. I also have a PIX506E between my 1841 and the wired home network for an extra layer of security. The inside interface on the PIX is in the 192.168.1.0/24 subnet and the outside interface that connects directly to the 1841 is on the 10.1.1.0/24 subnet. The PIX gets very hot in our Australian summers, that’s why the lid is off it.


!
class-map type inspect match-any self-to-outside-cmap
 match access-group name self-to-outside-acl
class-map type inspect match-any outside-to-self-cmap
 match access-group name outside-to-self-acl
class-map type inspect match-any L7-cmap
 match protocol telnet
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tftp
 match protocol https
 match access-group 1
 match access-group 2
class-map type inspect match-any L4-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group 1
 match access-group 2
!
policy-map type inspect inside-to-outside-pmap
 class type inspect L4-cmap
  inspect 
 class type inspect L7-cmap
  inspect 
 class class-default
  drop
policy-map type inspect outside-to-self-pmap
 class class-default
  drop
policy-map type inspect self-to-outside-pmap
 class type inspect self-to-outside-cmap
  inspect 
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-pmap
zone-pair security outside-to-self source outside destination self
 service-policy type inspect outside-to-self-pmap
zone-pair security self-to-outside source self destination outside
 service-policy type inspect self-to-outside-pmap
!
interface Loopback0
 ip address 1.8.4.1 255.255.255.255
 zone-member security inside
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 speed 100
 full-duplex
!
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+ 
 dsl noise-margin -1
 dsl bitswap both
!
interface ATM0/1/0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address 103.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 xxxxxxxxx
 no cdp enable
!
router ospf 1
 router-id 8.8.8.8
 passive-interface Dialer0
 network 1.8.4.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 0
 network 103.x.x.x 0.0.0.0 area 0
 network 172.16.1.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 2 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
!
ip access-list extended self-to-outside-acl
 permit icmp any any echo
 permit udp any eq ntp any
 permit udp any host 103.x.x.x eq domain
 permit udp any host 8.8.8.8 eq domain
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 logging synchronous
 length 512
 width 100
 stopbits 1
line aux 0
line vty 0 4
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
line vty 5 15
 access-class 3 in
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 terminal-type exit
 length 0
 width 250
 transport input ssh
 transport output ssh
 escape-character 3
!
scheduler allocate 20000 1000
ntp master 3
ntp server 150.203.1.10 prefer source Dialer0
ntp server 150.203.22.28 source Dialer0
end

R1841#

It is a bit untidy still but it works!

Cheers, Matt.


Hi Simon,

There are two things you should check here:

  • You should permit IPsec traffic on the zone-pair for your outside zone to the self zone, this is needed for the security association.
  • Make sure the traffic that goes through the VPN is also permitted in your zone-pair(s).

For example, let’s say your router has an INSIDE, OUTSIDE and SELF zone. Your local network is 192.168.1.0/24 and the remote network is 192.168.2.0/24.

You will need one zone-pair for OUTSIDE_TO_SELF that permits isakmp, something like this:

ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

For the VPN traffic, you will need a zone pair for INSIDE_TO_OUTSIDE that inspects traffic. This will only allow VPN traffic if it is originated from the 192.168.1.0/24 network. It might be better to create two zone-pairs:

INSIDE_TO_OUTSIDE
OUTSIDE_TO_INSIDE

Instead of using inspect, use regular permits. Something like:

ip access-list extended LAN1_LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip access-list extended LAN2_LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Attach LAN1_LAN2 to the INSIDE_TO_OUTSIDE zone-pair with a permit and LAN2_LAN1 to OUTSIDE_TO_INSIDE with a permit.

Hope this helps, if not let me know and I’ll see if I can post a complete configuration example.

Rene

Thanks for the post Rene

I would really appreciate if you could post a configuration example which of course includes ZBF and successful VPN example.

Thanks.

Simon

Hi Simon,

Here’s an example:

class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all ICMP
 match access-group name ICMP
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
 class type inspect DHCP
  pass
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass 
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 description LAN_TO_WAN TRAFFIC
 service-policy type inspect LAN_TO_WAN

zone-pair security WAN_TO_LAN source WAN destination LAN
 description WAN_TO_LAN TRAFFIC
 service-policy type inspect WAN_TO_LAN

zone-pair security WAN_TO_SELF source WAN destination self
 description WAN_TO_SELF TRAFFIC
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any

ip access-list extended ICMP
 permit icmp any any

ip access-list extended ISAKMP_IPSEC
 permit udp host <remote_peer> any eq isakmp
 permit esp host <remote_peer> any
 permit udp host <remote_peer> any eq non500-isakmp

ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

ip access-list extended WAN_TO_LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

This will allow a remote peer to establish an IPsec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.

Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).

Rene
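Added verification steps for the configuration above (not part of Rene's post); the zone-pair names are the ones from his example, and the commands are standard IOS show commands.

```cisco
! Which zone-pairs exist and which policy-map is attached to each
show zone-pair security
! Expand the WAN_TO_SELF policy: confirm ICMP, ISAKMP_IPSEC and DHCP resolve
! to their ACLs and that packet counters move under those classes, not under
! class-default, while the peer negotiates
show policy-map type inspect zone-pair WAN_TO_SELF
! Same check for the tunnelled traffic in both directions
show policy-map type inspect zone-pair LAN_TO_WAN
show policy-map type inspect zone-pair WAN_TO_LAN
! Phase 1 and phase 2 state from the crypto side
show crypto isakmp sa
show crypto ipsec sa
! "pass" is stateless, so no firewall sessions are expected for the LAN/WAN
! pairs; this command only lists sessions created by "inspect"
show policy-map type inspect zone-pair sessions
```

Two things worth knowing while reading the output: the ISAKMP_IPSEC ACL only covers packets arriving from the peer, and that is enough here because traffic the router itself originates towards the WAN is still permitted by default as long as no SELF-to-WAN zone-pair is configured. And because both LAN/WAN pairs use `pass` with mirror-image ACLs, return traffic is allowed by the ACL in the opposite pair rather than by a session table, which is why `show ... sessions` stays empty even when the tunnel is carrying traffic.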

When should I use zone-based or per-interface?

Hi Nelly,

CBAC is the “legacy” firewall on Cisco IOS which works on the interface level. ZBF is the “new” firewall that uses Zones.

The main advantage of using zones is that it’s scalable. With CBAC, when you add a new interface then you’ll have to make changes to the interface. When you use ZBF, the only thing you need to do is add that interface to a zone and that’s it.

ZBF is CBAC’s replacement so I wouldn’t use CBAC anymore.

Rene

Is there any way of incorporating network or service object-groups into a ZBPF? I have been defining them for some ACLs and can’t see any way to use them for firewall setup.

Hi Matt,

ZBF uses policy-maps > class-maps > acls.

So you could include them in your access-lists if you want?

Rene

I realise that but it seems a bit of an inefficiency to not be able to directly integrate them into class-maps. The only things we can match in a class-map are access-groups, class-maps, protocols and user-groups, not object-groups.
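As an added example of the route Rene suggests (not code from either post), this is how object-groups reach a class-map indirectly: the class-map matches an extended ACL, and the ACL references the object-groups. The subnets are the two inside networks from Matt's 1841 config earlier in the thread; the service group contents, the ACL name and the assumption that the running IOS supports object-group ACLs (12.4(20)T and later) are mine.

```cisco
! Network object-group: subnet entries use a subnet mask, not a wildcard
object-group network INSIDE_LANS
 10.1.1.0 255.255.255.0
 172.16.1.0 255.255.255.0
!
! Service object-group: protocol and port entries
object-group service WEB_SERVICES
 tcp eq www
 tcp eq 443
!
! The ACL is the only place ZBF can consume the groups;
! "any" is allowed where a destination group is not needed
ip access-list extended INSIDE_TO_WEB
 permit object-group WEB_SERVICES object-group INSIDE_LANS any
!
! Nested match-any so the match-all class can require "HTTP or HTTPS"
class-map type inspect match-any WEB_PROTOCOLS
 match protocol http
 match protocol https
!
class-map type inspect match-all INSIDE_TO_WEB
 match access-group name INSIDE_TO_WEB
 match class-map WEB_PROTOCOLS
!
policy-map type inspect inside-to-outside-web-pmap
 class type inspect INSIDE_TO_WEB
  inspect
 class class-default
  drop log
```

The practical gain is the one Matt is after: adding a new inside subnet is one line under `object-group network INSIDE_LANS` and the ACL, class-map and policy-map are untouched. The caveat is that the change takes effect immediately on the live ACL, so edit the group with the same care as the policy itself.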

Hlw Rene,

How are you? I am facing a problem on Zone Based FW. Actually I want to deploy the below:

  1. Zone pair WAN_TO_LAN: all traffic allowed except SIP and H323

  2. Zone pair LAN_TO_WAN: all traffic allowed

So how will I create multiple pass/drop on an interface?

br//
zaman

Hi Zaman,

This is no problem. On your LAN_TO_WAN zone-pair, I would add an inspect rule for all traffic. This will allow all traffic from LAN to WAN including the permit traffic.

For the WAN_TO_LAN traffic, you can create an access-list that has two permit entries. One for SIP and another one for H323. You can also use the inspect rule for this, it will allow this traffic to go from WAN to LAN including the return traffic.

Rene


Hi Rene,

How do you define the default action for class class-default?

Could you also give us a lesson on parameter-maps and their usage and application please?

Matt.
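An added example (not from Rene or any poster) that covers both of the last two questions: Zaman's "multiple pass/drop" for WAN_TO_LAN, where one policy-map carries a drop class and an inspect class, and Matt's question about class-default, whose action in a type inspect policy-map is drop unless you configure it otherwise. The zone-pair requirements are Zaman's as stated; the class, policy and parameter-map names, and the use of the parameter-map only for session audit logging, are mine.

```cisco
! Refuse SIP and H.323 from the WAN; match-any so either protocol hits
class-map type inspect match-any WAN_VOICE_SIGNALLING
 match protocol sip
 match protocol h323
!
! Catch-all for everything else at layer 4
class-map type inspect match-any L4_ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Parameter-map attached to "inspect": logs session open/close events
parameter-map type inspect SESSION_AUDIT
 audit-trail on
!
policy-map type inspect WAN_TO_LAN
 ! Classes are evaluated top-down and the first match wins, so the drop
 ! class must come before the catch-all inspect class.
 class type inspect WAN_VOICE_SIGNALLING
  drop log
 class type inspect L4_ANY
  inspect SESSION_AUDIT
 ! class-default exists whether or not you type it; its default action is
 ! drop. Writing it out with "drop log" makes the default visible and logged.
 class class-default
  drop log
!
policy-map type inspect LAN_TO_WAN
 class type inspect L4_ANY
  inspect SESSION_AUDIT
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security WAN_TO_LAN source WAN destination LAN
 service-policy type inspect WAN_TO_LAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 service-policy type inspect LAN_TO_WAN
```

Reversing the order of the two classes in WAN_TO_LAN would silently defeat the requirement, because SIP and H.323 are also TCP or UDP and would be inspected by L4_ANY before the drop class is reached; `show policy-map type inspect zone-pair WAN_TO_LAN` shows per-class packet counters, which is the quickest way to confirm which class is actually catching the traffic.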