02-17-2011 01:54 PM - edited 03-11-2019 12:52 PM
Hello folks -
I am configuring ZFW on a Cisco 2951 Router. The router has the following interfaces:
| Type | IP Address | Use |
|---|---|---|
| Port Channel 1.5 | 10.218.4.197/30 | RTR-SW-Inband-MGMT VLAN |
| Port Channel 1.10 | 10.218.4.1/26 | User VLAN |
| Port Channel 1.15 | 10.218.4.65/26 | DB/Servers VLAN |
| Port Channel 1.20 | 10.218.4.194/30 | RTR-FW VLAN |
| Gig 0/0 | N/A | Ether Channel (Po1) |
| Gig 0/1 | N/A | Ether Channel (Po1) |
| Tunnel 0 | 10.16.252.4/24 | DMVPN Tunnel |
| Multilink PPP | XX.XX.XX.XX/30 | Two bundled T1s for CORP MPLS |
| Serial0/0/0:0 | N/A | T1 interface part of MPPP |
| Serial0/0/1:0 | N/A | T1 interface part of MPPP |
Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.
The router is connected to an MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an encrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.
Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
Questions:
access-list 101 permit ip host 172.16.10.5 10.218.4.0 0.0.0.255
class-map type inspect match-all HQ-2-Remote_office
 match access-group 101
 match protocol snmp
OR, should I do it this way?
access-list 101 permit tcp host 172.16.10.5 10.218.4.0 0.0.0.255 eq snmp
class-map type inspect match-all HQ-2-Remote_office
 match access-group 101
2. The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
3. The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.
Thanks much for your help.
02-17-2011 03:01 PM
Just a high-level comment to start with: once you apply a zone member on one interface, your router is ZBFWed, which means you will need to explicitly configure policy to allow any other communication between any other zones that you need traffic to pass; this includes the self zone (since you are running BGP, DMVPN, etc.) --> all of these need to be explicitly configured, as it is like (deny ip any any) once you have one policy/zone configured for any other ones.
Question 1:
You can configure the class-map either way; both methods are correct.
Just a minor correction: are you using TCP- or UDP-based SNMP? Typically the default is UDP, so I am just wondering if you have a typo in your ACL 101.
Question 2:
Not correct as per my comment above. Need to explicitly create other zones (including self zone) for any traffic that you want to allow.
Question 3:
Here is an example of ZBFW configuration for DMVPN traffic:
Hope this helps.
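The following is an added example (not the configuration from the original post or from the reply above) that puts the OP's class-map question and the self-zone point together in one configuration for the topology described in the opening post. The host 172.16.10.5, the 10.218.4.0/24 site range, the zone names IN-OUT and OUT-IN and the class-map name HQ-2-Remote_office come from the thread; the ACL names, policy-map names, the IN-OUT to OUT-IN policy and the choice of protocols in the self-zone policy are assumptions made for this example. Because the later posts show that the default treatment of the self zone differs between IOS releases, the example configures the self-zone pair explicitly so the control-plane behaviour does not depend on that default.

```cisco
! Added example, not from the original thread. Zone layout as described by the OP.
zone security IN-OUT
 description Internal VLANs (Port-channel1 subinterfaces)
zone security OUT-IN
 description DMVPN tunnel from HQ
!
interface Port-channel1.5
 zone-member security IN-OUT
interface Port-channel1.10
 zone-member security IN-OUT
interface Port-channel1.15
 zone-member security IN-OUT
interface Port-channel1.20
 zone-member security IN-OUT
interface Tunnel0
 zone-member security OUT-IN
! The Multilink interface is deliberately left out of any zone. The outer
! ISAKMP/ESP and the BGP session it carries terminate on the router (self zone).
!
! --- HQ -> site: SNMP polling from the HQ management host. SNMP is UDP/161,
! so the ACL matches UDP, not TCP (the point raised in the reply above). ---
ip access-list extended HQ-MGMT-TO-SITE
 permit udp host 172.16.10.5 10.218.4.0 0.0.0.255 eq snmp
!
class-map type inspect match-all HQ-2-Remote_office
 match access-group name HQ-MGMT-TO-SITE
 match protocol snmp
!
policy-map type inspect OUT-IN-POLICY
 class type inspect HQ-2-Remote_office
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUT-IN destination IN-OUT
 service-policy type inspect OUT-IN-POLICY
!
! --- Site -> HQ (assumed requirement): inspect so that return traffic is
! allowed back through the OUT-IN zone without a separate permit. ---
class-map type inspect match-any SITE-TO-HQ
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect SITE-TO-HQ
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source IN-OUT destination OUT-IN
 service-policy type inspect IN-OUT-POLICY
!
! --- Control plane arriving on Tunnel0 and terminating on the router. ---
! Inside the tunnel only EIGRP reaches the self zone; GRE/ISAKMP/ESP are
! listed so the same policy still fits if the tunnel source is ever zoned.
! "pass" is used because these protocols are not stateful-inspected.
ip access-list extended TUNNEL-TO-SELF
 permit eigrp any any
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
class-map type inspect match-any CONTROL-PLANE
 match access-group name TUNNEL-TO-SELF
policy-map type inspect SELF-POLICY
 class type inspect CONTROL-PLANE
  pass
 class class-default
  drop log
! Self-zone pairs are unidirectional and "pass" keeps no state, so both
! directions get the policy.
zone-pair security OUT-TO-SELF source OUT-IN destination self
 service-policy type inspect SELF-POLICY
zone-pair security SELF-TO-OUT source self destination OUT-IN
 service-policy type inspect SELF-POLICY
```

After applying this, `show policy-map type inspect zone-pair` and `show ip eigrp neighbors` confirm that EIGRP over the tunnel still forms adjacencies and that SNMP from the HQ host creates inspect sessions, while everything else from HQ to the site is dropped and logged by the class-default action.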
02-17-2011 08:56 PM
Jennifer -
Since the self zone is automatically created for all IPs on the router, both the MPPP and the Tunnel interface on the router will reside in the self zone. That being said, I am not using the self zone in any zone pairs. Therefore there shouldn't be a need to allow any VPN traffic (ISAKMP, ESP) or GRE traffic. Correct?
In my case, the tunnel interface will be assigned to the OUT-IN security zone.
Thanks for your help.
02-17-2011 09:47 PM
No, as advised earlier, once an interface belongs to a zone, for any other interfaces (including the self zone) you would need to create a policy-map if you would like to pass traffic.
So in your case, you have an outside zone applied to the external interface (interface connected to the internet), if you will need to pass traffic between outside zone and self zone, then you will explicitly need to configure the policy for it.
02-13-2013 02:36 PM
Two years later...
Are you sure that's correct Jennifer? Unless a policy exists e.g. Outzone -> Self then all traffic from outzone to self will be implicitly permitted.
This is outlined in a table showing self -> zone member interface and zone member interface -> self on page 410 of Cisco Press' Implementing Cisco IOS Network Security (IINS 640-554) Foundation Learning Guide.
Ivan Pepelnjak also talks about it here:
"Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)"
http://blog.ioshints.info/2007/05/self-zone-in-zone-based-firewall.html
...and finally on cisco.com "The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied."
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
So, if the OP has a routing protocol running on the router itself (self zone, traffic generated by the router) and does NOT have a policy for outzone -> self, then the traffic will be permitted.
02-13-2013 08:49 PM
There have been lots of changes to the ZBFW behaviour, where the original behaviour is deny all. However, there must have been many complaints, and they have made changes to the behaviour, and now it's as per the book advised.