ZBFW and secure access

Mike Buyarski
Level 3

I just started setting up my first Zone Based Firewall and would like some info on how I would secure access into the router. Specifically, how would I set the router to only allow access from specific IPs (i.e. the static IPs that we have at our Corp office)? My first thought was to maybe add the permits to the ACL like I did for the older CBAC FWs, but that seemed to do nothing. I attached the ZBFW config I have on the router.

Accepted Solution

johnd2310
Level 8

Hi,

Traffic to the router itself is controlled by the self zone. You need to configure policies between other zones and the self zone.

Have a look at the following doc:

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

Thanks

John

**Please rate posts you find helpful**

6 Replies

Yeah, that seemed to work well when I tested it on a router.

Paul Morgan
Level 1

I have followed all the guidelines in this document and tested, but the connection to the self zone using SSH (or anything, really) doesn't seem to work. The identification of the self-zone traffic takes place fine on the way in, but doesn't work on the return path. I get a drop log for the return traffic (seen on the console session).

I'm not sure how else to identify the traffic outside of the ACL, since it covers everything anyway,

e.g.:

access-list 123 permit esp any any
access-list 123 permit udp any any eq 4500
access-list 123 permit ah any any
access-list 123 permit udp any any eq 500

I attached what I added to the ZBFW. A few points: you have to set up zone pairs going from internet to self and the reverse, so self to internet. The setup I have does not have the VPN part, but I will be adding it later on when I get a chance to test it.

I was able to configure the VPN on our router with the settings I have for zone based, and it is connecting just fine without having to change anything on the ACL. Just as a note, I did put the tunnel in the same zone as the inside interface. I don't know if that means anything for your setup, but I figured I'd mention it.

I've included the full self zone config I've used below. It is total overkill, but I couldn't find the error, so I overdid it on the maps. There are bidirectional rules for both interfaces, i.e. all zones. And I've included the log I get, which shows that the traffic is not hitting a class which picks it up. But this is on the way out (SELFIN = outbound from router), and the sh policy-map output shows the INSELF policy picking up the SSH inbound connection packets just fine.

ip access-list ext TFTP
 permit tcp any any eq 8099
 permit udp any any eq 69

ip access-list ext SSH
 permit tcp any any eq 22
 permit tcp any any eq 443

ip access-list ext SNMP
 permit udp any any eq 161
 permit udp any any eq 162

ip access-list extended ESP
 permit esp any any
 permit ah any any
 permit udp any any eq 500
 permit udp any any eq non500-isakmp

class-map type inspect match-any SELFCLASS1
 match access-group name ESP
 match access-group name SSH
 match access-group name SNMP
 match access-group name TFTP
class-map type inspect match-any SELFCLASS2
 match protocol h323
 match protocol icmp
 match protocol tcp
 match protocol udp

policy-map type inspect OUTSELF
 class type inspect SELFCLASS1
  pass
 class type inspect SELFCLASS2
  inspect
 class class-default
  drop log

policy-map type inspect SELFOUT
 class type inspect SELFCLASS1
  pass
 class type inspect SELFCLASS2
  inspect
 class class-default
  drop log

policy-map type inspect INSELF
 class type inspect SELFCLASS1
  pass
 class type inspect SELFCLASS2
  inspect
 class class-default
  drop log

policy-map type inspect SELFIN
 class type inspect SELFCLASS1
  pass
 class type inspect SELFCLASS2
  inspect
 class class-default
  drop log

zone-pair security OUTSELF source OUTSIDE destination self
 service-policy type inspect OUTSELF
zone-pair security SELFOUT source self destination OUTSIDE
 service-policy type inspect SELFOUT
zone-pair security INSELF source INSIDE destination self
 service-policy type inspect INSELF
zone-pair security SELFIN source self destination INSIDE
 service-policy type inspect SELFIN

Syslogs

 Jun 17 16:28:04.612: %FW-6-DROP_PKT: Dropping Unknown-l4 session 192.168.178.50:0 192.168.178.53:0 on zone-pair SELFIN class class-default due to  DROP action found in policy-map with ip ident 0

UPDATE

I've fixed it: the ACLs need the inverse port identification specifying.

i.e.:

ip access-list ext TFTP
 permit tcp any any eq 8099
 permit tcp any eq 8099 any
 permit udp any any eq 69
 permit udp any eq 69 any

ip access-list ext SSH
 permit tcp any any eq 22
 permit tcp any eq 22 any
 permit tcp any any eq 443
 permit tcp any eq 443 any
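An added example (not any poster's config) that covers both the original question, restricting management access to the router to specific corporate source IPs via a self-zone policy, and the return-path problem worked through above. It uses inspect for the TCP management sessions, so the session table handles the reply direction and no inverse port entries are needed, and reserves the stateless pass action for ESP/AH/ISAKMP, which inspect cannot track and which must therefore be permitted in both zone-pairs. The zone name OUTSIDE is taken from the thread; the addresses 203.0.113.10 and 203.0.113.20 are constructed placeholders for the corporate static IPs.

```cisco
! Added example, not the poster's config. 203.0.113.10/.20 are
! constructed placeholders for the corporate static IPs.
ip access-list extended CORP-MGMT
 permit tcp host 203.0.113.10 any eq 22
 permit tcp host 203.0.113.20 any eq 22
 permit tcp host 203.0.113.10 any eq 443
 permit tcp host 203.0.113.20 any eq 443
!
! ISAKMP/NAT-T use the same port at both ends and ESP/AH have no
! ports, so a single ACL serves both directions of the IPsec traffic.
ip access-list extended IPSEC
 permit esp any any
 permit ah any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
! match-all: must be TCP (so it can be inspected) AND come from a
! corporate address to a management port.
class-map type inspect match-all CORP-MGMT-CLASS
 match access-group name CORP-MGMT
 match protocol tcp
class-map type inspect match-any IPSEC-CLASS
 match access-group name IPSEC
! Sessions the router itself opens (DNS, NTP, syslog, AAA ...).
class-map type inspect match-any ROUTER-ORIGINATED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect CORP-MGMT-CLASS
  inspect
 class type inspect IPSEC-CLASS
  pass
 class class-default
  drop log
!
policy-map type inspect SELF-TO-OUTSIDE
 class type inspect ROUTER-ORIGINATED
  inspect
 class type inspect IPSEC-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE
```

With this in place an SSH attempt from any address other than the two corporate hosts falls into class-default on OUT-SELF and produces a %FW-6-DROP_PKT log, while an accepted session can be confirmed with show policy-map type inspect zone-pair sessions.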
