
Protocol ACL in Zone Based Policy Firewall

m.griffith
Level 1

Hello,

I am working on developing configurations for IOS Zone Based Firewall and have this question.

When creating a class-map to inspect traffic traversing from my trusted INSIDE zone to the OUTSIDE zone, and I want to inspect all protocols, I would create a class-map such as:

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp

but I have read that this could create problems with certain protocols under tcp (such as ftp), and that ordering matters, so the more specific protocols need to be put before tcp like so:

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp

Another option I have seen mentioned is to use a permit any any ACL instead like this:

ip access-list extended ALLOW-ALL-PROTOCOLS
 permit ip any any

class-map type inspect match-any ALLOWED-PROTOCOLS-CMAP
 match access-group name ALLOW-ALL-PROTOCOLS

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect ALLOWED-PROTOCOLS-CMAP
  inspect
 class class-default
  drop log

This generates a warning when configuring the policy map that no protocols are defined, and so all protocols will be inspected.

This seems to work fine in the lab, but I am wondering if there is something incorrect about doing it this way that I am missing, and that will come back to bite me later when this starts rolling out to production installations. It seems like a way to avoid any ordering issues if I am trusting all protocols anyway, but I have only seen one example of someone doing it this way instead of matching specific protocols.

Any opinions and input would be appreciated.

2 Replies

Maykol Rojas
Cisco Employee

Hello;

Excellent question. So, all 3 are correct; what you need to be very careful about is exactly what you mentioned: protocols that open dynamic ports (i.e. passive FTP), where the control channel may not be inspected using the protocol, hence treating it like a normal TCP connection, and the secondary connection, if not allowed explicitly, would be dropped.

Rather than doing this: 

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp

I would probably create different class maps for specific protocols and pile them just like you did, more specific first. 

Many people configure ZBFW but they normally just leave it wide open; it is very important to be sure you are locking your device down and not just inspecting traffic.

Cheers. 

Mike. 
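
The layered layout Mike describes above, written out as an added example (not configuration from the thread or from Cisco): the application-aware class sits first in the policy-map, the generic tcp/udp/icmp class after it, so a flow is classified by the specific engine before it can fall through to plain TCP/UDP. Zone names, interface names, class-map names and the addition of tftp beside ftp are assumptions made for the example.

```cisco
! Added example, not from the original thread.
zone security INSIDE
zone security OUTSIDE
!
! Interface names are assumed for the example
interface GigabitEthernet0/0
 description Trusted LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
!
! Protocols whose inspection engines must see the control channel
! to allow the secondary (data) channel; keep this class first
class-map type inspect match-any APP-PROTOCOLS-CMAP
 match protocol ftp
 match protocol tftp
!
! Generic transport fallback for everything that is not listed above
class-map type inspect match-any GENERIC-PROTOCOLS-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Class order inside the policy-map decides which class a flow hits first
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect APP-PROTOCOLS-CMAP
  inspect
 class type inspect GENERIC-PROTOCOLS-CMAP
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
```

To confirm a control connection actually landed in the application class rather than the generic one, check the per-class session table with "show policy-map type inspect zone-pair IN-TO-OUT sessions" while a transfer is running.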

Mike

Thanks for your response. I am locking down my router with C3PL and the self zone. Just did not include that here to avoid confusion from my main question, which as you pointed out, is protocols which may create a secondary connection.

The crux of the question is: do you know whether, if you just inspect all protocols without defining them specifically with individual match protocol statements (using a permit any any ACL instead), the ZBF is smart enough to order them correctly on its own and compensate for situations such as passive FTP secondary channels? It would make the configuration less error-prone if it did work, but if not, it could have the exact opposite result.

Thanks,

Mark
