There seem to be a lot of people interested in CCNA Security, so let’s have a brief look at Zone Based Firewalls.
Here is today’s topology; we’ll be trying to lock down the server-to-server communication on R10.
A Zone Based Firewall is Cisco’s attempt at bringing the ASA’s inspection logic to an IOS device, and it is much more modular than a traditional ACL.
First things first, we will create zones; these are basically the same thing as an ASA nameif.
R10(config)#zone security R01
R10(config-sec-zone)#description R01 Zone
R10(config-sec-zone)#exit
R10(config)#zone security R02
R10(config-sec-zone)#description R02 Zone
R10(config-sec-zone)#exit
Next we make class-maps to match traffic. You can use match protocol to classify with NBAR, or you can create an ACL and match that instead. We’ll match ICMP and HTTP traffic with NBAR and use an ACL for telnet.
R10(config)#ip access-list extended ACL_TELNET
R10(config-ext-nacl)# permit tcp any any eq telnet
R10(config-ext-nacl)# permit tcp any eq telnet any
R10(config)#class-map type inspect match-all CM_TELNET
R10(config-cmap)# match access-group name ACL_TELNET
R10(config)#class-map type inspect match-all CM_ICMP
R10(config-cmap)# match protocol icmp
R10(config-cmap)#exit
R10(config)#class-map type inspect match-all CM_HTTP
R10(config-cmap)# match protocol http
R10(config-cmap)#exit
Next we make a policy-map that references the class-maps. For each class we can inspect the traffic (stateful inspection, which also permits the return traffic), pass it (bypass the firewall with no state kept), or drop it. We will allow ICMP and HTTP and explicitly drop telnet. We will also use drop log in class-default so that all unmatched traffic is logged when it is dropped. The policy-map is processed top down just like an ACL, so you may need to change the class-map order in more complex setups.
R10(config)#policy-map type inspect PM_R01_TO_R02
R10(config-pmap)# class type inspect CM_HTTP
R10(config-pmap-c)# inspect
R10(config-pmap-c)# class type inspect CM_ICMP
R10(config-pmap-c)# inspect
R10(config-pmap-c)# class type inspect CM_TELNET
R10(config-pmap-c)# drop log
R10(config-pmap-c)# class class-default
R10(config-pmap-c)# drop log
Once that is done we need to bind the zones together in a zone-pair and apply the policy-map. We will apply the firewall with R01 as the source zone and R02 as the destination zone. This means that R01 will be able to talk to R02, but R02 won’t be able to talk to R01 unless it’s return traffic of an inspected session.
R10(config)#zone-pair security ZP_R01_TO_R02 source R01 destination R02
R10(config-sec-zone-pair)# service-policy type inspect PM_R01_TO_R02
R10(config-sec-zone-pair)#exit
Lastly we need to add the interfaces to their respective zones.
R10(config)#interface GigabitEthernet2.110
R10(config-subif)# zone-member security R01
R10(config-subif)#interface GigabitEthernet2.210
R10(config-subif)# zone-member security R02
R10(config-subif)#exit
From S01 we can access HTTP on S02.
cisco@S01:~$ curl 192.168.20.100 | tail -n 5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11510  100 11510    0     0  15010      0 --:--:-- --:--:-- --:--:-- 15045
</p>
</div>
</body>
</html>
And we can ping server S02 as well.
cisco@S01:~$ ping 192.168.20.100 -c 5
PING 192.168.20.100 (192.168.20.100) 56(84) bytes of data.
64 bytes from 192.168.20.100: icmp_seq=1 ttl=61 time=220 ms
64 bytes from 192.168.20.100: icmp_seq=2 ttl=61 time=322 ms
64 bytes from 192.168.20.100: icmp_seq=3 ttl=61 time=250 ms
64 bytes from 192.168.20.100: icmp_seq=4 ttl=61 time=203 ms
64 bytes from 192.168.20.100: icmp_seq=5 ttl=61 time=416 ms

--- 192.168.20.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4010ms
rtt min/avg/max/mdev = 203.221/282.655/416.633/78.396 ms
cisco@S01:~$
But if we try to SSH to the server it will be blocked. SSH matches none of our class-maps, so it falls into class-default, and because that class uses drop log the router logs the drop:
cisco@S01:~$ ssh 192.168.20.100

*Jun 3 20:37:51.184: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41755 => 192.168.20.100:22(target:class)-(ZP_R01_TO_R02:class-default) due to Policy drop:classify result with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0
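The %FW-6-DROP_PKT line above is what drop log emits for every dropped packet. As an added example that is not part of the original post, here is a small Python parser that pulls the zone-pair, class and flow tuple out of such lines and counts drops, so class-default drops (traffic nobody wrote a rule for) can be reviewed separately from the intended telnet drops. The sample lines are constructed to follow the format shown above, with made-up ports, sequence numbers and timestamps.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the %FW-6-DROP_PKT format shown in the post.
# Ports, ip ident, seq and timestamps are made-up values; one non-firewall line
# is included to show that unrelated messages are ignored.
SAMPLE_LOGS = [
    "*Jun 3 20:37:51.184: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41755 => 192.168.20.100:22(target:class)-(ZP_R01_TO_R02:class-default) due to Policy drop:classify result with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0",
    "*Jun 3 20:38:02.501: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004257490112233 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41790 => 192.168.20.100:23(target:class)-(ZP_R01_TO_R02:CM_TELNET) due to Policy drop:classify result with ip ident 24601 tcp flag 0x2, seq 1122334455, ack 0",
    "*Jun 3 20:38:10.010: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004265001122334 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 192.168.10.100:41791 => 192.168.20.100:22(target:class)-(ZP_R01_TO_R02:class-default) due to Policy drop:classify result with ip ident 24602 tcp flag 0x2, seq 2233445566, ack 0",
    "*Jun 3 20:38:15.777: %SYS-5-CONFIG_I: Configured from console by cisco on vty0",
]

# Captures protocol, ingress interface, 5-tuple, zone-pair and the class that dropped the packet.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) pkt from (?P<ifname>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\(target:class\)-\((?P<zone_pair>[^:]+):(?P<cls>[^)]+)\)"
)


def parse_drop(line):
    """Return a dict describing the drop, or None if the line is not a ZBF drop record."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """Count drops keyed by (zone-pair, class, protocol, destination, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue  # not a firewall drop message
        counts[(rec["zone_pair"], rec["cls"], rec["proto"], rec["dst"], rec["dport"])] += 1
    return counts


def unexpected_drops(counts):
    """Drops from class-default: flows no class-map describes, worth reviewing for gaps or probing."""
    return {key: n for key, n in counts.items() if key[1] == "class-default"}


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{n:4d}  {key}")
```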
From S02 we can’t access S01’s HTTP server because we never permitted that direction.
cisco@S02:~$ curl 192.168.10.100
curl: (7) Failed to connect to 192.168.10.100 port 80: Connection timed out
We can also see various firewall statistics on the router.
R10#show policy-map type inspect zone-pair ZP_R01_TO_R02
Zone-pair: ZP_R01_TO_R02
 Service-policy inspect : PM_R01_TO_R02

  Class-map: CM_HTTP (match-all)
   Match: protocol http
   Inspect
    Packet inspection statistics [process switch:fast switch]
    http packets: [0:177]
    Session creations since subsystem startup or last reset 7
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created 00:42:18
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 0

  Class-map: CM_ICMP (match-all)
   Match: protocol icmp
   Inspect
    Packet inspection statistics [process switch:fast switch]
    icmp packets: [0:14]
    Session creations since subsystem startup or last reset 2
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [1:0:0]
    Last session created 00:41:55
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 0

  Class-map: CM_TELNET (match-all)
   Match: access-group name ACL_TELNET
   Drop
    2 packets, 156 bytes

  Class-map: class-default (match-any)
   Match: any
   Drop
    17 packets, 1446 bytes