The Router that thought it was an ASA


There seem to be a lot of people interested in CCNA Security, so let's have a brief look at Zone-Based Firewalls.

Here is today's topology; we'll be trying to lock down the server-to-server communication on R10.

A Zone-Based Firewall is Cisco's attempt at bringing the ASA's stateful inspection logic to an IOS device, and it is much more modular than a traditional ACL: the policy is built from reusable class-maps and policy-maps and applied between zones rather than to individual interfaces.

First things first, we create the zones. These are roughly the equivalent of an ASA nameif: an interface belongs to at most one zone, and all policy is written between zones rather than between interfaces.

 R10(config)#zone security R01
 R10(config-sec-zone)#description R01 Zone
 R10(config-sec-zone)#exit
 R10(config)#zone security R02 
 R10(config-sec-zone)#description R02 Zone
 R10(config-sec-zone)#exit

Next we make class-maps to match traffic. You can use match protocol to classify with NBAR, or you can create an ACL and match that instead. We'll match ICMP and HTTP traffic with NBAR and use an ACL for telnet. With a single match line per class, match-all and match-any behave identically; the keyword only matters once a class has several match statements.

 R10(config)#ip access-list extended ACL_TELNET
 R10(config-ext-nacl)# permit tcp any any eq telnet
 R10(config-ext-nacl)# permit tcp any eq telnet any
 R10(config-ext-nacl)#exit

 R10(config)#class-map type inspect match-all CM_TELNET
 R10(config-cmap)# match access-group name ACL_TELNET
 R10(config-cmap)#exit
 R10(config)#class-map type inspect match-all CM_ICMP
 R10(config-cmap)# match protocol icmp
 R10(config-cmap)#exit
 R10(config)#class-map type inspect match-all CM_HTTP
 R10(config-cmap)# match protocol http
 R10(config-cmap)#exit

Next we make a policy-map that references the class-maps. For each class we can inspect the traffic (stateful: the firewall creates a session and allows the return traffic automatically), pass it (stateless: the packet bypasses inspection, so the reverse direction needs its own pass rule in a zone-pair of its own), or drop it. We will inspect ICMP and HTTP and explicitly drop telnet. We also use drop log in class-default so that all unmatched traffic is logged when it is dropped; class-default drops unmatched traffic anyway, the log keyword is what makes those drops visible. The policy-map is processed top down just like an ACL, first match wins, so you may need to reorder the classes in more complex setups where one class would shadow another.

 R10(config)#policy-map type inspect PM_R01_TO_R02
 R10(config-pmap)# class type inspect CM_HTTP
 R10(config-pmap-c)# inspect
 R10(config-pmap-c)# class type inspect CM_ICMP
 R10(config-pmap-c)# inspect
 R10(config-pmap-c)# class type inspect CM_TELNET
 R10(config-pmap-c)# drop log
 R10(config-pmap-c)# class class-default
 R10(config-pmap-c)# drop log

Once that is done we need to bind the zones together with a zone-pair and apply the policy-map. We will apply the firewall with R01 as the source zone and R02 as the destination zone. Zone-pairs are unidirectional: R01 will be able to talk to R02, but R02 won't be able to initiate anything to R01, because there is no zone-pair in that direction and inter-zone traffic with no zone-pair is dropped. The only R02-to-R01 traffic that gets through is the return traffic of sessions the inspect action created.

 R10(config)#zone-pair security ZP_R01_TO_R02 source R01 destination R02
 R10(config-sec-zone-pair)# service-policy type inspect PM_R01_TO_R02
 R10(config-sec-zone-pair)#exit

Lastly we need to add the interfaces to their proper zones. Be aware that as soon as an interface is in a zone, traffic between it and any interface that is not in a zone is dropped, so put every interface that needs to talk into a zone before you walk away. Traffic to and from the router itself (the self zone) is still allowed by default, which is what keeps your management session alive while you do this.

 R10(config)#interface GigabitEthernet2.110
 R10(config-subif)# zone-member security R01
 R10(config-subif)#interface GigabitEthernet2.210
 R10(config-subif)# zone-member security R02
 R10(config-subif)#exit
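To make the forwarding rules behind those five steps concrete, here is a small model of the decision R10 makes for the first packet of a flow. This is an added example written for this post, not code from the original post or from Cisco; it reproduces only the rules described above (interface-to-zone membership, unidirectional zone-pairs, first-match class evaluation inside the policy-map, the implicit drop of class-default, and return traffic of inspected sessions). The zone, interface, class and policy names come from the post; match protocol http is approximated as TCP/80 and the flows at the bottom are constructed test inputs.

```python
"""Model of the Zone-Based Firewall forwarding decision configured on R10.

Added example, not the original post's code. Zone/interface/class names are
the post's; 'match protocol http' is approximated as TCP port 80.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Flow:
    in_if: str    # ingress interface on the router
    out_if: str   # egress interface chosen by routing
    proto: str    # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


# One policy-map entry: (class name, predicate over a Flow, action).
ClassEntry = tuple[str, Callable[[Flow], bool], str]


@dataclass
class Policy:
    name: str
    classes: list[ClassEntry]   # evaluated top down, first match wins


@dataclass
class Zbf:
    zone_of: dict[str, str] = field(default_factory=dict)                   # interface -> zone
    zone_pairs: dict[tuple[str, str], Policy] = field(default_factory=dict)  # (src, dst) -> policy
    sessions: set[tuple] = field(default_factory=set)                        # created by 'inspect'

    def decide(self, f: Flow) -> tuple[str, str]:
        """Return (action, reason) for the first packet of flow f."""
        src_zone, dst_zone = self.zone_of.get(f.in_if), self.zone_of.get(f.out_if)
        if src_zone is None and dst_zone is None:
            return "forward", "no zone involved"
        if src_zone is None or dst_zone is None:
            return "drop", "zoned to unzoned interface"
        if src_zone == dst_zone:
            return "forward", "intra-zone"
        # Replies to a session that 'inspect' created need no zone-pair of their own.
        if (f.out_if, f.in_if, f.proto, f.dport, f.sport) in self.sessions:
            return "forward", "return traffic of inspected session"
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop", f"no zone-pair {src_zone}->{dst_zone}"
        for cls_name, matches, action in policy.classes:
            if matches(f):
                if action == "inspect":   # 'pass' is stateless and creates no session
                    self.sessions.add((f.in_if, f.out_if, f.proto, f.sport, f.dport))
                return action, f"{policy.name}:{cls_name}"
        return "drop", f"{policy.name}:class-default"


def build_r10() -> Zbf:
    """R10's configuration from the post, translated into the model."""
    def acl_telnet(f: Flow) -> bool:   # ACL_TELNET: tcp any any eq telnet, tcp any eq telnet any
        return f.proto == "tcp" and 23 in (f.sport, f.dport)

    def http(f: Flow) -> bool:         # stands in for 'match protocol http'
        return f.proto == "tcp" and f.dport == 80

    def icmp(f: Flow) -> bool:         # 'match protocol icmp'
        return f.proto == "icmp"

    fw = Zbf()
    fw.zone_of["GigabitEthernet2.110"] = "R01"
    fw.zone_of["GigabitEthernet2.210"] = "R02"
    fw.zone_pairs[("R01", "R02")] = Policy("PM_R01_TO_R02", [
        ("CM_HTTP", http, "inspect"),
        ("CM_ICMP", icmp, "inspect"),
        ("CM_TELNET", acl_telnet, "drop"),
    ])
    return fw


if __name__ == "__main__":
    R01, R02 = "GigabitEthernet2.110", "GigabitEthernet2.210"
    fw = build_r10()
    checks = [   # constructed flows mirroring the S01 <-> S02 tests in the post
        ("S01 -> S02 http", Flow(R01, R02, "tcp", 40000, 80)),
        ("S02 -> S01 http reply", Flow(R02, R01, "tcp", 80, 40000)),
        ("S01 -> S02 ssh", Flow(R01, R02, "tcp", 41755, 22)),
        ("S01 -> S02 telnet", Flow(R01, R02, "tcp", 41000, 23)),
        ("S02 -> S01 new http session", Flow(R02, R01, "tcp", 50000, 80)),
    ]
    for label, flow in checks:
        print(f"{label:30} {fw.decide(flow)}")
```

Run it and you get the same outcomes the rest of the post demonstrates by hand: HTTP from S01 is inspected and its reply is let back in, SSH falls through to class-default, telnet hits the explicit CM_TELNET drop, and a fresh connection from S02 to S01 dies for lack of a zone-pair. The model is also a cheap way to check class ordering before you type it into a router: put a broad class above a narrow one and the narrow one never fires.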

From S01 we can access HTTP on S02.

 cisco@S01:~$ curl 192.168.20.100 | tail -n 5
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100 11510  100 11510    0     0  15010      0 --:--:-- --:--:-- --:--:-- 15045
 </p>
 </div>
 </body>
 </html>

And we can ping server S02 as well.

 cisco@S01:~$ ping 192.168.20.100 -c 5
 PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
 64 bytes from 192.168.20.100: icmp_seq=1 ttl=61 time=220 ms
 64 bytes from 192.168.20.100: icmp_seq=2 ttl=61 time=322 ms
 64 bytes from 192.168.20.100: icmp_seq=3 ttl=61 time=250 ms
 64 bytes from 192.168.20.100: icmp_seq=4 ttl=61 time=203 ms
 64 bytes from 192.168.20.100: icmp_seq=5 ttl=61 time=416 ms
 
 --- 192.168.20.100 ping statistics ---
 5 packets transmitted, 5 received, 0% packet loss, time 4010ms
 rtt min/avg/max/mdev = 203.221/282.655/416.633/78.396 ms
 cisco@S01:~$ 

But if we try to SSH to the server it is blocked. SSH is not matched by any of our class-maps, so it falls through to class-default and is dropped there; the drop log action is what produces the syslog message, and the message names the zone-pair and the class that dropped the packet.

 cisco@S01:~$ ssh 192.168.20.100
 
 *Jun 3 20:37:51.184: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41755 => 192.168.20.100:22(target:class)-(ZP_R01_TO_R02:class-default) due to Policy drop:classify result with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0
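Those %FW-6-DROP_PKT lines are the whole point of drop log, so it is worth being able to parse them rather than eyeballing them. The script below is an added example, not part of the original post: it pulls the fields out of the message format shown above, counts drops per zone-pair, class and destination port, and lists the flows that landed in class-default, which are the ones nobody wrote a class for (either unwanted traffic or a service the policy forgot). The first sample line is the one from the post; the other two are constructed to exercise an explicit class drop and a non-firewall message. Everything after "due to" is treated as free text, so a drop reason the regex has not seen is kept rather than rejected.

```python
"""Parse and aggregate Zone-Based Firewall %FW-6-DROP_PKT syslog messages.

Added example, not part of the original post. The regex is written against
the message format visible in the post; sample lines 2 and 3 are constructed.
"""
import re
from collections import Counter
from typing import Optional

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from (?P<ifname>\S+) "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))? => "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?"
    r"\(target:class\)-\((?P<zone_pair>[^:)]+):(?P<cls>[^)]+)\) due to (?P<reason>.+?)"
    r"(?: with ip ident (?P<ident>\d+))?(?: tcp flag (?P<tcp_flags>0x[0-9a-fA-F]+))?"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?\s*$"
)

SAMPLE_LOG = [
    # line from the post: SSH attempt dropped by class-default
    "*Jun 3 20:37:51.184: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 "
    "%FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41755 => "
    "192.168.20.100:22(target:class)-(ZP_R01_TO_R02:class-default) due to Policy drop:classify result "
    "with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0",
    # constructed: a telnet attempt hitting the explicit CM_TELNET drop
    "*Jun 3 20:40:02.511: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246289012345 "
    "%FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:51234 => "
    "192.168.20.100:23(target:class)-(ZP_R01_TO_R02:CM_TELNET) due to Policy drop:classify result "
    "with ip ident 24601 tcp flag 0x2, seq 17, ack 0",
    # constructed: unrelated syslog line that must be ignored
    "*Jun 3 20:41:10.002: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.10.100)",
]


def parse_drop(line: str) -> Optional[dict]:
    """Return the fields of one FW-6-DROP_PKT message, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("src_port", "dst_port", "ident", "seq", "ack"):
        if d[key] is not None:
            d[key] = int(d[key])
    return d


def summarize(lines) -> dict:
    """Count drops per (zone-pair, class, protocol, destination port)."""
    counts: Counter = Counter()
    for line in lines:
        d = parse_drop(line)
        if d:
            port = d["dst_port"] or 0    # protocols without ports (icmp) counted under 0
            counts[(d["zone_pair"], d["cls"], d["proto"], port)] += 1
    return dict(counts)


def unclassified_drops(lines) -> list:
    """Distinct (src, dst, proto, dport) dropped by class-default, i.e. flows no class covers."""
    seen = set()
    for line in lines:
        d = parse_drop(line)
        if d and d["cls"] == "class-default":
            seen.add((d["src_ip"], d["dst_ip"], d["proto"], d["dst_port"] or 0))
    return sorted(seen)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key}")
    print("hit class-default:", unclassified_drops(SAMPLE_LOG))
```

Feed it the output of a syslog collector rather than the constructed list and the class-default section becomes your to-do list: anything in it that you actually meant to allow needs a class-map and an inspect action, and anything you did not is confirmation the default deny is doing its job.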

From S02 we can't access S01's HTTP server because we never created a zone-pair in that direction (R02 to R01). There is no policy in that direction at all, so nothing is matched, inspected or logged; the traffic is simply dropped and the client times out.

 cisco@S02:~$ curl 192.168.10.100
 curl: (7) Failed to connect to 192.168.10.100 port 80: Connection timed out

We can also see the firewall statistics per zone-pair on the router. This is the first place to look when something is blocked: the counters under CM_TELNET show that the explicit telnet drop was hit, and the counters under class-default show everything that fell through the policy.

 R10#show policy-map type inspect zone-pair ZP_R01_TO_R02
  Zone-pair: ZP_R01_TO_R02
  Service-policy inspect : PM_R01_TO_R02

   Class-map: CM_HTTP (match-all)
    Match: protocol http
    Inspect
     Packet inspection statistics [process switch:fast switch]
     http packets: [0:177]

     Session creations since subsystem startup or last reset 7
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [0:0:0]
     Last session created 00:42:18
     Last statistic reset never
     Last session creation rate 0
     Last half-open session total 0

   Class-map: CM_ICMP (match-all)
    Match: protocol icmp
    Inspect
     Packet inspection statistics [process switch:fast switch]
     icmp packets: [0:14]

     Session creations since subsystem startup or last reset 2
     Current session counts (estab/half-open/terminating) [0:0:0]
     Maxever session counts (estab/half-open/terminating) [1:0:0]
     Last session created 00:41:55
     Last statistic reset never
     Last session creation rate 0
     Last half-open session total 0

   Class-map: CM_TELNET (match-all)
    Match: access-group name ACL_TELNET
    Drop
     2 packets, 156 bytes

   Class-map: class-default (match-any)
    Match: any
    Drop
     17 packets, 1446 bytes
