topic Zone Firewall and ACLs in Network Security

Zone Firewall and ACLs

sergo777 — Mon, 12 Aug 2019 20:16:35 GMT

Hi Everybody

I have some problems with new ISR devices (like 4221, 4451 etc), bunch of old routers use same configuration with simple CBAC (ip inspect xxx) and incoming ACL on external interface (permit SSH from specific network, anti-spoofing, VPN and deny any), very simple.

But this configuration doesnt work with ISRs, i created Zone FW, assigned zones, but my old ACL blocks all HTTP traffic (maybe something else, but very easy to see it in HTTP). When i removed it, everything works fine, but i cannot open SSH only for specific addresses, dont know why but it doesnt work with ZBF.

Not sure, ZBF sitting before or after NAT.. maybe this is a issue

thanks

Re: Zone Firewall and ACLs

Rob Ingram — Mon, 12 Aug 2019 20:26:05 GMT

Hi,
Without seeing your configuration I wouldn't be able to identify the exact issue...but you would reference the real (private) IP address in the ZBFW ACLs. Also, if you were referring to connecting the local router itself via SSH then the zone would be "self" rather than outside.

Upload your configuration and some debugs if you'd like some further pointers.
HTH

Re: Zone Firewall and ACLs

sergo777 — Mon, 12 Aug 2019 20:45:28 GMT

Yes sure! this is my config... i think part of it is wrong, just tried to play with zones...

and last part is my access list, when i add it to interface Cell 0/1/0, http traffic blocks... i tried to use it in the Class-map, but in this case it doesnt work at all

class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
match protocol router
!
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop

policy-map type inspect OUTSIDE_IN_POLICY
class type inspect OUTSIDE_IN_CLASS
drop
class class-default
!
zone security INSIDE
zone security OUTSIDE

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect Trusted_to_Internet
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_IN_POLICY
--------------------------------

interface Cellular0/1/0
description TELUS-LTE
ip address negotiated
ip nat outside
ip access-group OUTSIDE_IN in
zone-member security OUTSIDE
dialer in-band
dialer-group 1
pulse-time 1

------------------------------

interface GigabitEthernet0/0/1
description INTERNAL
ip address 10.1.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
negotiation auto
--------------------------------

ip access-list extended INTERNET_IN
permit icmp any any echo
permit udp host 8.8.8.8 eq domain any
permit udp any any eq ntp
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit tcp (my network) 0.0.0.7 any eq 22 443
deny ip any any

Re: Zone Firewall and ACLs

Rob Ingram — Mon, 12 Aug 2019 21:04:39 GMT

Hi,
You shouldn't really mix and match using ZBFW for some zones and then an ACL on the Cell0/1/0 interface. You should make a zone pair from self to outside and another for outside to self. When using zones with the self interface they can only be "pass" not inspect".

Example (outside to self):-

ip access-list extended ACL_EXTERNAL-TO-SELF-IPSEC
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any

ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq telnet
permit tcp any any eq 22


class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-IPSEC
match access-group name ACL_EXTERNAL-TO-SELF-IPSEC

class-map type inspect match-any CMAP_EXTERNAL-TO-SELF-MGMT
match access-group name ACL_EXTERNAL-TO-SELF-MGMT

policy-map type inspect PMAP_EXTERNAL-TO-SELF
class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
pass 
class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
pass
class class-default
drop log

zone-pair security EXTERNAL-TO-SELF source OUTSIDE destination self
service-policy type inspect PMAP_EXTERNAL-TO-SELF

Example (self to outside):-

class-map type inspect match-any CMAP_SELF-OUT-ICMP
match protocol icmp

class-map type inspect match-any CMAP_SELF-OUT-ISAKMP 
match protocol isakmp

policy-map type inspect PMAP_SELF-OUT
class type inspect CMAP_SELF-OUT-ISAKMP 
pass
class type inspect CMAP_SELF-OUT-ICMP
pass
class class-default
drop

zone-pair security self-ext source self destination OUTSIDE
service-policy type inspect PMAP_SELF-OUT

Also you've not included the class-map for OUTSIDE_IN_CLASS, so I can't tell what thats doing.

For testing purposes define a class-default that is last in the policy, that drops and logs traffic, so you can get some hits and determine what is not matching.

HTH

Re: Zone Firewall and ACLs

sergo777 — Mon, 12 Aug 2019 21:25:57 GMT

Thanks! trying now.

and here i can change ANY to network, correct? and allow SSH only from specific address?

ip access-list extended ACL_EXTERNAL-TO-SELF-MGMT
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any eq telnet
permit tcp any any eq 22

Re: Zone Firewall and ACLs

Rob Ingram — Mon, 12 Aug 2019 21:34:27 GMT

Of course. You could leave it open to begin with for testing and then restrict it further once you know it's working.

Re: Zone Firewall and ACLs

sergo777 — Mon, 12 Aug 2019 22:46:14 GMT

Thanks RJI. looks like problem was in SELF zone. but right now opposite problem, SSH locked from outside 🙂

in your example, when i change PASS to INSPECT, SSH is available

policy-map type inspect PMAP_EXTERNAL-TO-SELF
class type inspect CMAP_EXTERNAL-TO-SELF-IPSEC
pass
class type inspect CMAP_EXTERNAL-TO-SELF-MGMT
pass - (i changed to INSPECT)
class class-default

drop log

--------------------------------------------------

PASS really confused me it doesnt work in any Policy-map... everywhere change to INSPECT...

thanks

Re: Zone Firewall and ACLs

sergo777 — Tue, 13 Aug 2019 16:31:50 GMT

Understood!

we need pairs for router itself and for internal zone!!!!

thanks guys!!!