topic Re: Zone Based Firewall Deployement in Network Security

Zone Based Firewall Deployement

mellalBrahim — Sat, 07 Jan 2023 21:46:43 GMT

hello all,

acually i'am planing to deploy zone based Firewall policy on some Cisco ISR 4300 series Routers,

i have monitoring all most the traffic flow get in and out of those router,so i have create two ACLS to match the traffic, one the inside and the other for the outside,

the design that i prepare to put in place is as follow:

* define two zones ( inside and outside )

* create a policy map to match the internal traffic in my case a named ACL ( InsideProtocols )

* create a policy-map type inspect

* create the zone-pair and attached the policy-map

* assign interfaces the proper zone ( in my case each router has 5 link to HeadQuarter)

my probleme is when i assign the interface to zone, some traffic flow normally and some no; especially the Voice Over Ip )

does anyone has the same case or he has deployed the zone based firewall, ihope he can give me some advice or the tricks.

thanks in advance.

Re: Zone Based Firewall Deployement

MHM Cisco World — Sat, 07 Jan 2023 21:59:20 GMT

do you config two side or one side zone pair ?

Re: Zone Based Firewall Deployement

mellalBrahim — Sat, 07 Jan 2023 22:37:43 GMT

juste one side, which are the router's branches

Re: Zone Based Firewall Deployement

MHM Cisco World — Sat, 07 Jan 2023 22:40:57 GMT

if traffic OUT to IN and traffic by default drop.
I think you need two sides.

Re: Zone Based Firewall Deployement

Marius Gunnerud — Sat, 07 Jan 2023 23:03:49 GMT

You haven't posted any configuration or described anything about how you VoIP is setup. My first guess is that there is traffic being initiated from the "outside" that is being dropped. This needs to be allowed specifically. Do you see any of these drops in your logging?

Re: Zone Based Firewall Deployement

mellalBrahim — Sun, 08 Jan 2023 08:14:50 GMT

already define an access-list to match the return traffic, and also the traffic generating from the outside such as the users who try to call the branch's phone . and i have change the default class-map to log the dropped traffic.

Re: Zone Based Firewall Deployement

mellalBrahim — Sun, 08 Jan 2023 08:18:26 GMT

hi,

i have 3 call manager and many servers which the braches uses contact them,

i have define an access-list which match the incomming traffic, from the outiside and create a policy-map to pass this traffic without inspection, and also i have made a change on the default-class map to also log the dropped traffic.

when check if there no dropping traffic within the logs.

Re: Zone Based Firewall Deployement

mellalBrahim — Sun, 08 Jan 2023 08:25:37 GMT

an example of the ACL to match the incomming traffic.

ip access-list extended VoIP
10 permit tcp host 10.10.69.121 eq 5060 any
20 permit udp host 10.10.69.121 eq 5060 any
60 permit ip 10.10.111.0 0.0.0.255 any
70 permit ip 10.196.111.0 0.0.0.255 any
80 permit ip 10.10.68.0 0.0.0.255 any
100 permit tcp host 10.10.101.121 eq 5060 any
110 permit udp host 10.10.101.121 eq 5060 any
120 permit ip host 10.10.101.111 any
130 permit ip host 10.10.101.2 any
140 permit ip host 10.10.101.3 any
150 permit ip host 10.10.111.41 any
2000 deny ip any any

---------------------------------------

the class-maps to match the traffic

----------------------------------------

class-map type inspect match-any INSIDE
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all VoIP
match access-group name VoIP

----------------------------------------------------

the policy-map

-------------------------------

policy-map type inspect OUT-IN
class type inspect VoIP
pass
class class-default
drop log
policy-map type inspect IN-OUT
class type inspect INSIDE
inspect
class class-default
drop

---------------------------------------

the zone-pair

-----------------------------------

Zone-pair name INSIDE_TO_OUTSIDE
Source-Zone INSIDE Destination-Zone OUTSIDE
service-policy IN-OUT
Zone-pair name OUTSIDE_TO_INSIDE
Source-Zone OUTSIDE Destination-Zone INSIDE
service-policy OUT-IN

-------------------------------

interfaces

-----------------------

interface g0/0

zone-member security INSIDE

Interface tun 0

zone-member security OUTSIDE

Re: Zone Based Firewall Deployement

mellalBrahim — Sun, 08 Jan 2023 08:33:17 GMT

in addittion , if apply only the acl for incomming and outoing interfaces every thing works well

Re: Zone Based Firewall Deployement

MHM Cisco World — Sun, 08 Jan 2023 14:06:22 GMT

I am so interest in this case,
you mention only ACL work
can you share both config work and not work

Re: Zone Based Firewall Deployement

Marius Gunnerud — Sun, 08 Jan 2023 15:46:12 GMT

Which ACLs did you apply to which interfaces when this worked. From what I can see from what you posted you only have the VOIP ACL for incoming traffic.

Would be helpful to see the full configuration of the router you are applying this to (remember to remove any public IPs, usernames and passwords.)

Re: Zone Based Firewall Deployement

mellalBrahim — Sun, 08 Jan 2023 17:34:33 GMT

hi all,

there the config that i deployed :

when i just the ACL on the interfaces ( Classic Firewall ) every things Works Fine, Data and Voice

when i tryed to match these acl with class-map ( to use full state firewall ), there many, issue for exemple the IP phones rings but there no voice to here, some application works and other no, for this reason i've this really weired for me, and i wondered if any body here has deploy the ZBF in a production envirement.

thank you all

class-map type inspect match-any INSIDE
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all VoIP
match access-group name VoIP
!

class-map type inspect match-all INSIDE
match access-group name 100

class-map type inspect match-all OUTSIDE
match access-group name 101

policy-map type inspect OUT-IN
class type inspect OUTSIDE
pass
class class-default
drop log

policy-map type inspect IN-OUT
class type inspect INSIDE
inspect
class class-default
drop

zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect IN-OUT
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUT-IN

access-list 100 remark this ACL to identify the intressting Traffic
access-list 100 permit tcp any host 10.X.101.121 eq 5060
access-list 100 permit udp any host 10.X.101.121 eq 5060
access-list 100 permit tcp any host 10.X.69.121 eq 5060
access-list 100 permit udp any host 10.X.69.121 eq 5060
access-list 100 permit tcp any host 10.X.101.121 eq 5060
access-list 100 permit udp any host 10.X.101.121 eq 5060
access-list 100 permit ip any 10.X.128.0 0.0.31.255
access-list 100 permit ip any 10.X.111.0 0.0.0.255
access-list 100 permit ip any 10.X.111.0 0.0.0.255
access-list 100 permit ip any 10.X.68.0 0.0.0.255
access-list 100 permit tcp 10.X.116.0 0.0.0.255 host 10.X.101.53 eq 443
access-list 100 permit ip any host 10.X.101.5
access-list 100 permit ip any host 10.X.101.6
access-list 100 permit ip any host 10.X.101.93
access-list 100 permit ip any host 10.X.101.104
access-list 100 permit ip any host 10.X.143.240
access-list 100 permit ip any host 10.X.101.135
access-list 100 permit ip any host 10.X.101.92
access-list 100 permit ip any host 10.X.101.105
access-list 100 permit ip any host 10.X.101.101
access-list 100 permit ip any host 10.X.101.2
access-list 100 permit ip any host 10.X.76.100
access-list 100 permit ip any host 10.X.101.81
access-list 100 permit ip any host 10.X.101.4
access-list 100 permit ip any host 10.X.101.3
access-list 100 permit ip any host 10.X.109.101
access-list 100 permit ip any host 10.X.52.46
access-list 100 permit ip any host 10.X.101.240
access-list 100 permit ip any host 10.X.203.143
access-list 100 permit ip any host 10.X.101.100
access-list 100 permit ip any host 10.X.101.102
access-list 100 permit ip any host 10.X.202.218
access-list 100 permit ip any host 10.X.101.18
access-list 100 permit ip any host 10.X.101.112
access-list 100 permit ip any host 10.X.116.255
access-list 100 permit ip any host 10.X.163.135
access-list 100 permit ip any host 10.X.102.23
access-list 100 permit ip any host 10.X.163.240
access-list 100 permit ip any host 10.X.101.103
access-list 100 permit ip any host 10.X.162.221
access-list 100 permit ip any host 10.X.121.253
access-list 100 permit ip any host 10.X.101.90
access-list 100 permit ip any host 10.X.100.1
access-list 100 permit ip any host 10.X.101.21
access-list 100 permit ip any host 10.X.144.167
access-list 100 permit ip any host 10.X.101.136
access-list 100 permit ip any host 10.X.163.134
access-list 100 permit ip any host 10.X.101.137
access-list 100 permit ip any host 10.X.203.232
access-list 100 permit ip any host 10.X.203.40
access-list 100 permit ip any host 10.X.195.184
access-list 100 permit ip any host 10.X.202.88
access-list 100 permit ip any host 10.X.96.4
access-list 100 permit udp any host 10.X.101.25
access-list 100 permit ip any host 10.X.101.48
access-list 100 permit ip any host 10.X.116.254
access-list 100 permit ip any host 10.X.202.165
access-list 100 permit ip any host 10.X.163.73
access-list 100 permit ip any host 10.X.194.240
access-list 100 permit ip any host 10.X.163.248
access-list 100 permit ip any host 10.X.162.14
access-list 100 permit ip any host 10.X.101.46
access-list 100 permit ip any host 224.0.0.5
access-list 100 permit ip any host 10.X.101.82
access-list 100 permit ip any host 10.X.101.81
access-list 100 permit ip any host 10.X.101.165
access-list 100 permit ip 10.X.143.96 0.0.0.31 any
access-list 100 permit ip any host 10.X.201.45
access-list 100 permit ip any host 10.X.249.97
access-list 100 permit ip any host 10.X.249.106
access-list 100 permit ip any host 10.X.195.239
access-list 100 permit ip any host 10.X.249.9
access-list 100 permit ip any host 10.X.203.254
access-list 100 permit ip any host 10.X.201.46
access-list 100 permit ip any host 10.X.201.94
access-list 100 permit icmp any host 10.X.248.252
access-list 100 permit icmp any host 10.X.43.254
access-list 100 permit ip any host 10.X.195.185
access-list 100 deny ip any any

access-list 101 permit tcp host 10.X.195.185 eq 443 any
access-list 101 permit icmp host 10.X.51.250 any echo-reply
access-list 101 permit tcp host 10.X.201.94 eq www any
access-list 101 permit tcp host 10.X.162.210 eq www any
access-list 101 permit tcp host 10.X.163.51 eq www any
access-list 101 permit tcp host 10.X.52.10 eq 443 any
access-list 101 permit ip host 10.X.101.240 host 10.X.116.189
access-list 101 permit ip host 10.X.51.250 10.X.116.0 0.0.0.255
access-list 101 permit tcp host 10.X.69.114 eq 445 10.X.116.0 0.0.0.255
access-list 101 permit icmp host 10.X.69.114 10.X.116.0 0.0.0.255 echo-reply
access-list 101 permit tcp host 10.X.101.53 10.X.116.0 0.0.0.255 eq 443
access-list 101 permit tcp host 10.X.69.115 eq 445 10.X.116.0 0.0.0.255
access-list 101 permit ip host 10.X.101.5 any
access-list 101 permit tcp host 10.X.69.114 eq 7070 10.X.116.0 0.0.0.255
access-list 101 permit ip host 10.X.101.6 any
access-list 101 permit ip host 10.X.101.129 10.X.116.0 0.0.0.255
access-list 101 permit ip host 10.X.101.93 any
access-list 101 permit ip host 10.X.101.104 any
access-list 101 permit ip host 10.X.143.240 any
access-list 101 permit ip host 10.X.101.135 any
access-list 101 permit ip host 10.X.101.92 any
access-list 101 permit ip host 10.X.101.105 any
access-list 101 permit ip host 10.X.101.101 any
access-list 101 permit ip host 10.X.101.2 any
access-list 101 permit ip host 10.X.76.100 any
access-list 101 permit ip host 10.X.101.81 any
access-list 101 permit ip host 10.X.101.4 any
access-list 101 permit ip host 10.X.101.3 any
access-list 101 permit ip host 10.X.109.101 any
access-list 101 permit ip host 10.X.52.46 any
access-list 101 permit ip host 10.X.101.240 any
access-list 101 permit ip host 10.X.203.143 any
access-list 101 permit ip host 10.X.101.100 any
access-list 101 permit ip host 10.X.101.102 any
access-list 101 permit ip host 10.X.202.218 any
access-list 101 permit ip host 10.X.101.18 any
access-list 101 permit ip host 10.X.101.112 any
access-list 101 permit ip host 10.X.116.255 any
access-list 101 permit ip host 10.X.163.135 any
access-list 101 permit ip host 10.X.102.23 any
access-list 101 permit ip host 10.X.163.240 any
access-list 101 permit ip host 10.X.101.103 any
access-list 101 permit ip host 10.X.162.221 any
access-list 101 permit ip host 10.X.121.253 any
access-list 101 permit ip host 10.X.101.90 any
access-list 101 permit ip host 10.X.100.1 any
access-list 101 permit ip host 10.X.101.21 any
access-list 101 permit ip host 10.X.144.167 any
access-list 101 permit ip host 10.X.101.136 any
access-list 101 permit ip host 10.X.163.134 any
access-list 101 permit ip host 10.X.101.137 any
access-list 101 permit ip host 10.X.203.232 any
access-list 101 permit ip host 10.X.203.40 any
access-list 101 permit ip host 10.X.195.184 any
access-list 101 permit ip host 10.X.202.88 any
access-list 101 permit ip host 10.X.96.4 any
access-list 101 permit ip host 10.X.101.25 any
access-list 101 permit ip host 10.X.101.48 any
access-list 101 permit ip host 10.X.116.254 any
access-list 101 permit ip host 10.X.202.165 any
access-list 101 permit ip host 10.X.163.73 any
access-list 101 permit ip host 10.X.194.240 any
access-list 101 permit ip host 10.X.163.248 any
access-list 101 permit ip host 10.X.162.14 any
access-list 101 permit ip host 10.X.101.46 any
access-list 101 permit ip host 224.0.0.5 any
access-list 101 permit ip host 10.X.101.82 any
access-list 101 permit ip host 10.X.101.81 any
access-list 101 permit ip host 10.X.101.165 any
access-list 101 permit tcp host 10.X.194.239 eq 123 any
access-list 101 permit tcp host 10.X.101.53 eq 443 any
access-list 101 permit tcp host 10.X.194.239 any eq 123
access-list 101 permit udp host 10.X.70.5 any
access-list 101 permit icmp host 10.X.101.111 any echo-reply
access-list 101 permit ospf any any
access-list 101 permit tcp host 10.X.101.111 any
access-list 101 permit udp host 10.X.194.239 eq ntp object-group KBAIPs
access-list 101 permit ip host 10.X.145.34 any
access-list 101 permit ip host 10.X.201.45 any
access-list 101 permit ip host 10.X.249.97 any
access-list 101 permit ip host 10.X.249.106 any
access-list 101 permit ip host 10.X.195.239 any
access-list 101 permit ip host 10.X.249.9 any
access-list 101 permit ip host 10.X.203.254 any
access-list 101 permit ip host 10.X.201.46 any
access-list 101 permit icmp host 10.X.201.94 any
access-list 101 permit icmp host 10.X.248.252 any
access-list 101 permit icmp host 10.X.43.254 any
access-list 101 deny ip any any