Default blocking with ZBF

Joe Conklin
Level 1

I am performing a POC config for a project I am working on. I have configured a ZBF and it works as intended with one exception: traffic in from the Internet is not inherently blocked, I think, to the self zone. In the below config I am allowing ICMP out from the LAN and allowing telnet out from the DMZ. Similarly I am allowing telnet in to simulate traffic being inspected/passed to a server in the DMZ.

What I was surprised to see was that I could still ping the outside interface 1.1.1.1. I presumed, maybe incorrectly, that ZBF would inherently block traffic such as ping to the outside interface because it wasn't specified as an exception. How can I block ping to my outside interface 1.1.1.1 without creating an ACL to allow only icmp echo-reply? If I go the route of allowing just icmp echo-reply I will end up having to specify everything else I want to pass, which defeats the simplicity of ZBF.

My config works as intended. The only thing I want to do is block, or filter, ICMP, allowing only echo-reply, so that my outside interface isn't pingable. I want to do so in the simplest manner possible so I only have to worry about adding inspect statements to my ZBF and allowing exceptions for inbound rules per the ACL FIREWALL-EXCEPTIONS-ACL.

class-map type inspect match-any FIREWALL-EXCEPTIONS
 match access-group name FIREWALL-EXCEPTIONS-ACL
class-map type inspect match-any DMZ-ALLOWED-PROTOCOLS
 match protocol telnet
class-map type inspect match-any LAN-ALLOWED-PROTOCOLS
 match protocol icmp
!
policy-map type inspect FIREWALL-EXCEPTIONS-POLICY
 class type inspect FIREWALL-EXCEPTIONS
  inspect
 class class-default
  drop
policy-map type inspect LAN-TO-INTERNET-POLICY
 class type inspect LAN-ALLOWED-PROTOCOLS
  inspect
 class class-default
policy-map type inspect DMZ-TO-INTERNET-POLICY
 class type inspect DMZ-ALLOWED-PROTOCOLS
  inspect
 class class-default
!
zone security INTERNET
zone security LAN
zone security DMZ
zone-pair security ZP-LAN-TO-INTERNET source LAN destination INTERNET
 service-policy type inspect LAN-TO-INTERNET-POLICY
zone-pair security ZP-DMZ-TO-INTERNET source DMZ destination INTERNET
 service-policy type inspect DMZ-TO-INTERNET-POLICY
zone-pair security ZP-INTERNET-TO-DMZ source INTERNET destination DMZ
 service-policy type inspect FIREWALL-EXCEPTIONS-POLICY
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 zone-member security INTERNET
!
interface FastEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
 zone-member security DMZ
!
interface FastEthernet1/0
 ip address 10.1.10.1 255.255.255.0
 zone-member security LAN
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.0.3 23 1.1.1.1 2323 extendable
!
ip access-list extended FIREWALL-EXCEPTIONS-ACL
 permit tcp any host 10.1.0.2 eq telnet
 permit tcp any host 10.1.0.3 eq telnet
!
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 10.1.0.0 0.0.0.255
access-list 1 deny any

4 Replies

Marvin Rhoads
Hall of Fame

You will be able to reach self zone because "Traffic to and from the Self zone is unrestricted until you configure explicit rules to the contrary".

Source

https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.html#pgfId-340286

There is a how-to doc with more details on setting up self zone rules posted here:

https://supportforums.cisco.com/t5/security-documents/zbfw-self-zone-integration/ta-p/3154572

I appended the below to the configuration I posted in my original post. This seems to work and blocks traffic to the self zone. Is there anything about the below you might change? Since I'm defining traffic for self to inspect, I do need to add other inspect rules, but per the class-default, if it's not inspected it's dropped, so I think the below is rather secure. Any disagreement?

object-group network ROUTER-INTERFACES
 host 1.1.1.1
 host 10.1.10.1
 host 10.1.0.1
!
policy-map type inspect INTERNET-TO-SELF-POLICY
 class class-default
  drop log
!
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY

Your frustration with the limitations and complexity of IOS ZBFW is understandable. That's one reason why we don't see many of them in real-world implementations. Most customers elect instead to put in a proper firewall, be it from Cisco or a third-party vendor.

No frustration, just lacked the right configuration. Yes, a Palo Alto or ASA would make this far easier, but that's neither here nor there. I simply needed to confirm the exact steps to limit traffic to the self zone efficiently, but now I do, without the gratuitous use of ACLs.

The below policy-map and zone-pair will do exactly what I wanted, which is to block all traffic from the Internet by default unless otherwise allowed in per the exceptions, policy-map type inspect FIREWALL-EXCEPTIONS-POLICY, in the original config in my first post.

policy-map type inspect INTERNET-TO-SELF-POLICY
 class class-default
  drop log
!
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY
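To make the self-zone behaviour discussed in this thread concrete, here is an added example (not from the thread or from Cisco) that models ZBF zone-pair evaluation in Python: the quoted default (self zone unrestricted until a zone-pair exists, other zone pairs drop without one) and the class-map lookup within a policy. Zone, address and policy names mirror the posted config; the Internet host 203.0.113.9, the protocol-name matching in place of the ACL, and the assumption that the inbound telnet destination is shown after the static NAT translation are constructed simplifications.

```python
# Added example: a small model of IOS ZBF zone-pair evaluation, showing why the
# original config still answered pings to 1.1.1.1 and why the INTERNET->self
# zone-pair with "class-default drop" from the accepted solution stops them.
# Addresses and zone names mirror the thread's config; the rules are the ones the
# thread quotes. This is an illustration, not Cisco's implementation.

INTERFACES = {"1.1.1.1": "INTERNET", "10.1.0.1": "DMZ", "10.1.10.1": "LAN"}
ZONE_OF_NET = {"10.1.0.": "DMZ", "10.1.10.": "LAN"}   # connected subnets


def zone_of(addr):
    """Map an IP to its zone; router-owned addresses belong to the self zone."""
    if addr in INTERFACES:
        return "self"
    for prefix, zone in ZONE_OF_NET.items():
        if addr.startswith(prefix):
            return zone
    return "INTERNET"                       # everything else is outside


def evaluate(zone_pairs, src, dst, proto):
    """Return 'pass' or 'drop' for one packet under the given zone-pairs."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "pass"                       # intra-zone traffic is never policed
    policy = zone_pairs.get((s, d))
    if policy is None:
        # No zone-pair: self zone is open by default, other zone pairs drop.
        return "pass" if "self" in (s, d) else "drop"
    for classes, action in policy:          # ordered class-maps; None = class-default
        if classes is None or proto in classes:
            return action
    return "drop"                           # class-default with no action drops


# Original config: LAN->INTERNET, DMZ->INTERNET and INTERNET->DMZ zone-pairs only.
# The ACL-based FIREWALL-EXCEPTIONS class is simplified to "telnet" here.
ORIGINAL = {
    ("LAN", "INTERNET"): [({"icmp"}, "pass"), (None, "drop")],
    ("DMZ", "INTERNET"): [({"telnet"}, "pass"), (None, "drop")],
    ("INTERNET", "DMZ"): [({"telnet"}, "pass"), (None, "drop")],
}
# Accepted solution: add INTERNET->self whose only class is class-default drop.
FIXED = {**ORIGINAL, ("INTERNET", "self"): [(None, "drop")]}

OUTSIDE_HOST = "203.0.113.9"                # constructed Internet source address


def ping_outside_interface(zone_pairs):
    return evaluate(zone_pairs, OUTSIDE_HOST, "1.1.1.1", "icmp")


def telnet_to_dmz_server(zone_pairs):
    # Destination shown post-NAT (1.1.1.1:2323 -> 10.1.0.3:23); assumption.
    return evaluate(zone_pairs, OUTSIDE_HOST, "10.1.0.3", "telnet")
```

With ORIGINAL the ping to 1.1.1.1 passes because no INTERNET-to-self zone-pair exists; with FIXED it is dropped while the telnet exception into the DMZ and LAN hosts reaching their own gateway are unaffected.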
