topic Re: ip virtual-reassembly and ZBF in Network Security

ip virtual-reassembly and ZBF

Ruterford — Tue, 12 Mar 2019 03:26:48 GMT

Hello,

I am wondering if this is necessary to enable ip virtual-reassembly on the internet facing interface on a VPN router(DMVPN spoke) in case if I don't have any NAT configured on it. I run ZBF and have only policy that allows only VPN traffic for DMVPN spoke, DHCP and management via SSH from some specific host only . I am reluctant to enable it, need expert's comment.

Here is my configuration below, so all far works fine:

interface FastEthernet4

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

zone-member security outside

ip tcp adjust-mss 1360

duplex auto

speed auto

no cdp enable

end

ip access-list extended ISAKMP_IPSEC_DHCP_in

permit udp any any eq bootpc

permit esp host <PUBLIC IP OF DMVPN HUB> any

permit udp host <PUBLIC IP OF DMVPN HUB> eq isakmp any eq isakmp

permit udp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp any eq non500-isakmp

ip access-list extended ISAKMP_IPSEC_DHCP_out

permit udp any any eq bootps

permit esp any host <PUBLIC IP OF DMVPN HUB>

permit udp any eq isakmp host <PUBLIC IP OF DMVPN HUB> eq isakmp

permit udp any eq non500-isakmp host <PUBLIC IP OF DMVPN HUB> eq non500-isakmp

ip access-list extended SSHaccess

permit tcp host <MGMT HOST> any eq 22

class-map type inspect match-all IPSEC-DHCP-IN-cmap

match access-group name ISAKMP_IPSEC_DHCP_in

class-map type inspect match-all SSHaccess-cmap

match access-group name SSHaccess

policy-map type inspect Outside-Router-pmap

class type inspect SSHaccess-cmap

inspect

class type inspect IPSEC-DHCP-IN-cmap

pass

class class-default

drop log

class-map type inspect match-all IPSEC-DHCP-OUT-cmap

match access-group name ISAKMP_IPSEC_DHCP_out

policy-map type inspect Router-Outside-pmap

class type inspect IPSEC-DHCP-OUT-cmap

pass

class class-default

drop log

policy-map type inspect Inside-Outside-pmap

class class-default

drop log

policy-map type inspect Outside-Inside-pmap

class class-default

drop log

policy-map type inspect Outside-Outside-pmap

class class-default

drop log

zone-pair security outside-to-router source outside destination self

service-policy type inspect Outside-Router-pmap

zone-pair security router-to-outside source self destination outside

service-policy type inspect Router-Outside-pmap

zone-pair security inside-to-outside source inside destination outside

service-policy type inspect Inside-Outside-pmap

zone-pair security outside-to-inside source outside destination inside

service-policy type inspect Outside-Inside-pmap

zone-pair security outside-to-outside source outside destination outside

service-policy type inspect Outside-Outside-pmap

ip virtual-reassembly and ZBF

Marcin Latosiewicz — Fri, 10 Jan 2014 09:24:17 GMT

No virtual-reassembly it not required for anything-VPN.

It's only needed for features which might want to have a look at full packets (NAT is one, certain inspection engines as other).

Vide:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-cr-i3.html#wp3273051086

ip virtual-reassembly and ZBF

Julio Carvajal — Fri, 10 Jan 2014 16:03:32 GMT

Hello Ruterford,

As Marcin said not related to that.

Now let's talk about the usage of that feature:

It would basically let you configure the router to react to fragmentation attacks where you will deterine how much fragments a packet can have or the maximum amount of IP packets that can be using the reasembly feature at the same time, the time you have to reassemble an IP packet.

So based on how the network behaves, the traffic you receive you can make a desicion about to enable it or not/

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Re: ip virtual-reassembly and ZBF

Ruterford — Tue, 14 Jan 2014 17:13:43 GMT

Thanks for explanations guys!

So the only traffic I receive on the poublic interface(via internet thru ISP) here on this VPN router is

1) VPN related (ESP/ISAKMP/NON-500 ISAKMP)

2) SSH (being allowed on public interface only from some certain host for out of band management to self zone)

3) DHCP client (being allowed on public interface from any to self zone)

4) No NAT enabled at all - internal hosts can talk to networks advertised from VPN tunnel interfaces

Based on that - what would your advise be - do I need to bother enabling ip virtual-reassembly on public interface or not?

Re: ip virtual-reassembly and ZBF

Ruterford — Thu, 16 Jan 2014 16:41:11 GMT

bump

Re: ip virtual-reassembly and ZBF

Julio Carvajal — Fri, 17 Jan 2014 01:49:47 GMT

Hello Ruteford,

No, no need for this.

Just make sure you configure your ZBFW as restrictive as possible using the self-zone to protect the router and make sure you log everything to determine any kind of problems

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com