Zone Based Firewall Question

ksarin123_2 · ‎02-17-2011

Hello folks -

I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces:

Type	IP Address	Use
Port Channel 1.5	10.218.4.197/30	RTR-SW-Inband-MGMT VLAN
Port Channel 1.10	10.218.4.1/26	User VLAN
Port Channel 1.15	10.218.4.65/26	DB/Servers VLAN
Port Channel 1.20	10.218.4.194/30	RTR-FW VLAN
Gig 0/0	N/A	Ether Channel (Po1)
Gig 0/1	N/A	Ether Channel (Po1)
Tunnel 0	10.16.252.4/24	DMVPN Tunnel
Multilink PPP	XX.XX.XX.XX/30	Two Bundled T1’s for CORP MPLS
Serial0/0/0:0	N/A	T1 interface part of MPPP
Serial0/0/1:0	N/A	T1 interface part of MPPP

Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.

The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.

Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.

Questions:

This is how I am writing my class-maps. Is this the right way to do it?

access-l 101 permit ip host 172.16.10.5 10.218.4.0 0.0.0.255

class-map type inspect match-all HQ-2-Remote_office

match access-group 101

match protocol snmp

OR, should I do it this way?

access-l 101 permit tcp host 172.16.10.5 10.218.4.0 0.0.0.255 eq snmp

class-map type inspect match-all HQ-2-Remote_office

match access-group 101

2. The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?

3. The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.

Thanks much for your help.

Jennifer Halim · ‎02-17-2011

Just a high level comment to start with: once you apply a zone member on 1 interface, your router is ZBFWed, which means, you will need to explicitly configure policy to allow any other communication between any other zone that you need traffic to pass, this includes the self zone (since you are running BGP, DMVPN, etc) --> all of these need to be explicitly configured as it is like (deny ip any any) once you have 1 policy/zone configured for any other ones.

Question 1:

You can configure the class-map either way, both method is correct.

Just a minor correction, are you using TCP or UDP based SNMP? typically default is UDP, so just wondering if you have typo on your ACL 101.

Question 2:

Not correct as per my comment above. Need to explicitly create other zones (including self zone) for any traffic that you want to allow.

Question 3:

Here is an example on ZBFW configurating for DMVPN traffic:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Hope this helps.

ksarin123_2 · ‎02-17-2011

Jennifer -

Since the self zone is automatically created for all IP's on the router, both the MPPP and the Tunnel interface on the router will reside in the self zone. That being said, I am not using the self zone in any zone pairs. Therefore shouldn't be a need to allow any VPN traffic (ISAKMP, ESP) or GRE traffic. Correct?

In my case, the tunnel interface will be assigned to the OUT-IN security zone.

Thanks for your help.

Jennifer Halim · ‎02-17-2011

No, as advised earlier, once an interface belongs to a zone, for any other interfaces (including the self zone), you would need to create policy-map for if you would like to pass traffic.

So in your case, you have an outside zone applied to the external interface (interface connected to the internet), if you will need to pass traffic between outside zone and self zone, then you will explicitly need to configure the policy for it.

edwardyardley · ‎02-13-2013

Two years later...

Are you sure that's correct Jennifer? Unless a policy exists e.g. Outzone -> Self then all traffic from outzone to self will be implicitly permitted.

This is outlined in a table showing self -> zone member interface and zone member interface -> self on page 410 of Cisco Press' Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide.

Ivan Pepelnjak also talks about it here:

"Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)"

http://blog.ioshints.info/2007/05/self-zone-in-zone-based-firewall.html

...and finally on cisco.com "The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied."

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

So, if the OP has a routing protocol running on the router itself (self zone, traffic generated by the router) and does NOT have a policy for outzone -> self, then the traffic will be permitted.

Jennifer Halim · ‎02-13-2013

There has been lots of changes to the ZBFW behaviour where the original behaviour is deny all. However, there must have been many complaints and they have made changes to the behaviour and now it's as per the book advised.