Zone Based Firewall and Invalid SRC

gareth_r52
Level 1

Hi folks,

Just a quick question for you ZBF gurus. I generally manually configure routers and skip CCP Express, etc. I noticed that a default CCP config applies a class for invalid src addresses which is defined as drop, log:

class-map type inspect match-all ccp-invalid-src
 match access-group 100

The thing is, I have that many zones it becomes a bit of a nightmare to keep on top of all the class-maps. The way I have done this in the past is the following access-list applied to the WAN interface:

access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255

Is any specific method better than the other?

1 Accepted Solution

Accepted Solutions

Kureli Sankar
Cisco Employee

With ZBF you don't apply an ACL IN or OUT on the interfaces. Permission and inspection have to be configured under the policy-map that you apply to the zone-pairs.

Configure one class-map for invalid src and call it in under all the policy-maps with a drop action. That is how it is done in ZBF.

-KS


9 Replies


Hi,

Yes, I understand. Just I did the same with a basic ACL before now... do I have to do this on every Policy map then?

Yes.

Exact same ACL needs to be matched in a class-map under all the policy-maps.

-KS
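The structure KS describes, written out as an added example (this is not config from the thread or from Cisco's documentation). Zone names, interface numbers, the management host address and all ACL, class-map and policy-map names are assumed. The invalid-source ACL reuses the ranges from the asker's ACL 102, but as permit entries: inside a class-map, match access-group selects the traffic the ACL permits, and the policy-map action (drop log) is what actually discards it. The same class-map is then listed first in every outside-facing policy-map.

```cisco
! Added example, not from the thread or Cisco's documentation.
! Zone names, interfaces, ACL/class/policy names and the management
! host address are assumed values.
!
! In a class-map the ACL must PERMIT the traffic the class should catch;
! the drop happens in the policy-map, not in the ACL.
ip access-list extended INVALID-SRC-ACL
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 127.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
!
ip access-list extended MGMT-HOSTS-ACL
 permit ip host 203.0.113.10 any
!
! One invalid-source class, defined once ...
class-map type inspect match-all INVALID-SRC-CM
 match access-group name INVALID-SRC-ACL
!
class-map type inspect match-any OUT-IN-PROTOCOLS-CM
 match protocol http
 match protocol smtp
!
class-map type inspect match-all OUT-SELF-MGMT-CM
 match access-group name MGMT-HOSTS-ACL
 match protocol ssh
!
! ... and referenced first in every policy-map whose source is OUTSIDE.
! Classes are evaluated in order, so the drop class has to come before
! the inspect classes; otherwise a spoofed source could be inspected
! and allowed by a later class.
policy-map type inspect OUT-TO-IN-PM
 class type inspect INVALID-SRC-CM
  drop log
 class type inspect OUT-IN-PROTOCOLS-CM
  inspect
 class class-default
  drop
!
policy-map type inspect OUT-TO-SELF-PM
 class type inspect INVALID-SRC-CM
  drop log
 class type inspect OUT-SELF-MGMT-CM
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-PM
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF-PM
!
interface GigabitEthernet0/0
 description WAN
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
```

Adding a new outside-facing zone-pair means only adding the same two lines (class type inspect INVALID-SRC-CM / drop log) at the top of that zone-pair's policy-map; the ACL and class-map themselves are never duplicated. Check that the class is actually catching traffic with show policy-map type inspect zone-pair OUT-IN, which reports per-class packet counts. Treat 192.168.0.0/16 and 172.16.0.0/12 as invalid on the WAN only if the WAN really never carries those addresses (a router behind an ISP CPE that hands out RFC 1918 space is the usual exception).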

Thank you.

Since we are on the topic of ZBF, what is the best practice for if you have two servers NAT'd...

Example:

NAT RULE 1 PORT 25 EXT > 25 192.168.1.50
NAT RULE 1 PORT 80 EXT > 80 192.168.1.51

! CLASS LAN INBOUND
class-map type inspect match-all lan-inbound-cm
 match access-group name lan-inbound-ip-acl
 match class-map lan-inbound-protocols-cm

Where lan-inbound-ip-acl contains the IPs of internal servers and the protocol class-map contains the services/ports and protocols. This would not be a best practice configuration, as a hacker in theory could call up port 80 on 192.168.1.50 if they know enough about NAT.

Is the only solution to create two class-map type inspect match-all, one for HTTP servers and one for SMTP servers?

My method may not be correct, as I'm applying class-maps in the same way you would use policy-maps, by using them as traffic zones. For example, I have class-maps for lan-inbound, lan-outbound, etc.

Would a better practice be to use http-servers-traffic, smtp-servers-traffic etc?

Thank you for your help, I really appreciate it. I know the concept of ZBF but just need a few pointers in proper application. I must say, I do love the new ZBF firewall - so flexible and logical. Kudos to Cisco for that!

I would change the match-all to a match-any.

There is no way both 80 and 25 can be matched at the same time for one flow.

So, glad to hear someone say they like ZBF.  It could be a little hard to configure at first but gets easy once you get the hang of it.

You can match acl and apply inspection or simply match protocol and apply inspection.

If you need to allow everyone on the internet access to the webserver then yes, hackers can attack port 80 if they know the public address. You can't stop that. You can implement TCP Intercept to stop SYN attacks, etc., but once these packets arrive on the router the damage would have already been done.

Usually people configure it just like you have done, in --> out and out --> in zone pairs.

Pls. refer to these links below:

https://supportforums.cisco.com/docs/DOC-8028 - configuring via CLI
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b2f103.shtml - configuring ZBF via CCP

-KS

Hi,

Yes that makes sense, but if I am correct doesn't the following statement mean if it matches all as in either or...

! CLASS LAN INBOUND
class-map type inspect match-all lan-inbound-cm
 match access-group name lan-inbound-ip-acl
 match class-map lan-inbound-protocols-cm

So basically, it must match at least one item in the access-group lan-inbound-ap-acl and one item in the class-map inbound-protocols-cm?

So it must match 192.168.1.50 and port 80, or 192.168.1.50 and port 25, etc.?

I wasn't aware that the above class-map makes it match everything in sub-acls and class-maps?

Yes I understand what you are saying, but does everyone do the same with class-maps? I've seen the usual way is to have traffic groups then apply those groups to policies.

The way I have done it is have a group for every zone, and type of zone, so say Inbound, Outbound and Internal I have a class-map for each which is then defined in each policy. It just makes it easier for me to manage because I don't need to check which policies have which traffic assigned to them I can just go ahead and edit the respective class-map for that zone. May be less flexible, but can be extended upon. It may also be slower as I have a class-map for about 7 different zones each with internet, outernal (if that makes sense), inbound and outbound.

Let us say that you have out to self and self to out configured. You want to allow ssh to the router to only a few IP address on the internet.

You would add these IP address to an access-list and you would configure something like this.

class-map type inspect match-all mgmt-access
 match access-group name internet-ip
 match protocol ssh

Now, only when both matches are true can the IP address manage the router via ssh. Just because the IP address is in the acl you cannot telnet to the router.

I have been burned many times with the match-all in the class-map so I am very cautious. Unfortunately, I don't have a setup to test out quickly.

-KS

I see, it does appear to work - not had any issues. Although I was more concerned of the fact that if you had two IPs that you wanted traffic to flow to, with different ports, in theory the safest way is to create two class-maps right? One for one port and IP and another for another port and IP :-)

I guess if you have match-any you can use both ports in one access-list and match that in a class-map. If you want to keep them separate you can certainly do that too.

-KS
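The "one class-map per server" option the asker describes, as an added example (not config from the thread or from Cisco). The server addresses are the thread's own NAT examples; ACL, class-map, policy-map and zone names are assumed, and, as in the thread's own lan-inbound-cm, the class-maps are written against the inside addresses. The point it illustrates is the one raised above: with a single match-all class whose ACL lists both servers and whose nested match-any class lists both protocols, a flow to 192.168.1.50 on port 80 satisfies both conditions and is inspected. With one match-all class per server, each address is tied to its own protocol, so that flow matches neither class and falls through to class-default.

```cisco
! Added example, not from the thread or Cisco's documentation.
! Server addresses are the thread's NAT examples; ACL, class, policy
! and zone names are assumed.
ip access-list extended SMTP-SERVER-ACL
 permit ip any host 192.168.1.50
ip access-list extended HTTP-SERVER-ACL
 permit ip any host 192.168.1.51
!
! match-all: the flow must be to THIS server AND use THIS protocol.
! 192.168.1.50 on port 80 matches neither class below.
class-map type inspect match-all SMTP-SERVER-CM
 match access-group name SMTP-SERVER-ACL
 match protocol smtp
!
class-map type inspect match-all HTTP-SERVER-CM
 match access-group name HTTP-SERVER-ACL
 match protocol http
!
! Both server classes live in the same out->in policy-map; anything
! that is not an expected server/protocol pair is dropped and logged.
policy-map type inspect OUT-TO-IN-PM
 class type inspect SMTP-SERVER-CM
  inspect
 class type inspect HTTP-SERVER-CM
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-PM
```

The cost is one class-map per published service rather than one per zone, which is the trade-off the asker is weighing; the benefit is that the policy-map reads as an explicit list of which inside host may be reached on which protocol, and show policy-map type inspect zone-pair OUT-IN then shows per-server counters, which makes an unexpected flow easy to spot in the class-default drop counts.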
