Cisco Router – CBAC and Zone Based Firewall Setup

KB ID 0000937 

Problem

IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, (providing you are running the correct IOS, or in the case of version 15 and upwards, added the correct license, ‘securityK9’). For older IOS versions usually you want the advipservices version of the IOS).

Solution

Run the following command to see if you have the correct license installed.

[box]

Petes-Router#show license features 

[/box]

Cisco IOS Setup CBAC (IOS Firewall Classic)

1. Declare the protocols you want to inspect.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp

[/box]

2. Apply that inspection inbound on the inside interface (that’s traffic going out).

[box]

Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#

[/box]

4. Apply the inspection inbound on the outside interface (for traffic coming in). And then save the changes.

Note: If you have VPN traffic this will NOT break it.

[box]

Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#

[/box]

Cisco Zone Based Firewall Setup

The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).

Note: CBAC Settings (if used), must be removed before configuring ZBF.

1. The first thing to do is setup the zones, I only have a LAN an WAN to worry about.

[box]

Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit

[/box]

2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound everything is blocked apart from my VPN traffic.

Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;

Cisco Router – Configure Site to Site IPSEC VPN

Then for each ACL I’m creating a class-map, it’s the class-map that decides what traffic will be inspected, (by inspected, in ZBF terms we mean allowed).

[box]

Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

[/box]

3. Define what to do with the (matched) traffic with a policy-map, this can be set to inspect, log , or drop. We set it to inspect our traffic, and drop, then log everything else.

[box]

Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected

Note: The Above is not really true - we have defined the port in the ACL

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected

Note: The Above is fine, it drops everything that's not VPN traffic anyway.

Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit

[/box]

4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.

[box]

Petes-Router(config)#security ZP-OUTBOUND source SZ-INSIDE destination SZ-OUTSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-OUTBOUND
Petes-Router(config-sec-zone-pair)#exit
Petes-Router(config)#security ZP-INBOUND source SZ-OUTSIDE destination SZ-INSIDE
Petes-Router(config-sec-zone-pair)#service-policy type inspect PM-INBOUND
Petes-Router(config-sec-zone-pair)#exit

[/box]

5. Save the changes, sit back, light your pipe, and admire your handiwork.

[box]

Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]

[/box]

 

Related Articles, References, Credits, or External Links

NA

Cisco ASA 5500 Allowing Tracert

KB ID 0000753

Problem

I’d always assumed that as Tracert uses ICMP, and that simply adding ICMP inspection on the ASA would let Tracert commands work. A client of mine is having some comms problems and wanted to test comms from his remote DR site, he had enabled time-exceeded and unreachable on the ASA (for inbound traffic) and that had worked. I checked the default inspection map and found inspect ICMP was there?

As it turns out Tracert does NOT NEED ICMP inspection, though there are a few tweaks you need to do to make it run correctly.

Solution

1. From a Windows client if I try and Tracert to an external IP address, this is what I would see.

2. My first task is to get the ASA itself to reply to me, unlike most network devices the ASA does not decrease the ‘hop count’ as traffic passes through it, to rectify this we need to make a small change to the global inspection policy like so;

[box]

Sent username "pix"
Type help or '?' for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)# policy-map global_policy
Petes-ASA(config-pmap)# class class-default
Petes-ASA(config-pmap-c)# set connection decrement-ttl
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit
Petes-ASA(config)#

[/box]

3. Now when we re-run our Tracert we see the ASA now responds, nothing else does though, to rectify that we need to allow IN some ICMP traffic.

4. Before you can add an ACL you need to see if you already have one. We are applying an ACL to the outside interface for traffic going in (I call this inbound for obvious reasons). To see if you already have an ACL applied, issue the following command;

[box]

Petes-ASA# show run access-group
 access-group inbound in interface outside
 access-group outbound in interface inside

[/box]

Note: In the example above we have an ACL called inbound that we MUST use. (If you added a new one, all the access list entries for the old one get ‘Un-applied’). If yours has a different name (e.g. outside_access_in then use that instead of the ACL name I’m using here). If you DONT have an access-group entry for inbound traffic then we will do that at the end!

5. At this point you should know if you have an ACL, mines called inbound so I need to add two lines to it like so;

[box]

Petes-ASA(config)# access-list inbound extended permit icmp any any time-exceeded
 Petes-ASA(config)# access-list inbound extended permit icmp any any unreachable

[/box]

Then: Only carry out the following command if you DO NOT HAVE an ACL applied for incoming traffic.

[box]

Petes-ASA(config)# access-group inbound in interface outside

[/box]

6. Try your Tracert again.

7. Don’t forget to save the changes on the ASA.

[box]

 

Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Related Articles, References, Credits, or External Links

Cisco Firewalls and PING