1249 Views, 0 Helpful, 17 Replies

Basic router security / NAT question

an_ho (Level 1)

Hi everyone,

 

In my setup, I have a Cisco ISR1000 router servicing a small LAN (DHCP and static IPs for a few servers, private address range) and connecting it to the WAN using NAT. There is a dedicated (transparent) firewall filtering all network traffic from the router to the LAN and vice versa.

 

Now, I have the option to activate Zone-based firewalling (ZBF) in the router, but have a few questions prior to doing so:

- I want to drop any unsolicited traffic from the WAN before entering the LAN. Since all hosts in the LAN have private IP addresses and NAT is active, I wonder if I would actually need to activate ZBF to achieve this... what would be the added benefit of activating ZBF (and thus decreasing network throughput)?

- I do not want the external/WAN interface to allow access to the WebGUI/CLI via SSH/HTTP(S) - this should only be possible from the local network. Is there a way to configure the management interface this way or do I need to set an ACL?

 

Thanks!

 

Andrew

17 Replies

Hello


@an_ho wrote:

Now, I have the option to activate Zone-based firewalling (ZBF) in the router, but have a few questions prior to doing so:

- I want to drop any unsolicited traffic from the WAN before entering the LAN. Since all hosts in the LAN have private IP addresses and NAT is active,

 

I wonder if I would actually need to activate ZBF to achieve this... what would be the added benefit of activating ZBF (and thus decreasing network throughput)?


NAT isn't a dedicated FW feature; it just hides your local network addressing. It's easy to see why it's thought of as a security feature, but it isn't. However, ZBFW is a "software" firewall and can add protection towards hardening your rtr.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for your reply! Generally, I do not want to block any traffic originating from the LAN, just drop unsolicited traffic on the WAN interface. I have configured two zones (in and out) with "inspect any protocol from anywhere" policies in place. The problem is that performance takes a big hit (approx. 50%) with this configuration, though it should be a powerful router (C1111X-8P).

 

From what I gathered from the (rather outdated) documentation provided by Cisco, the only benefit I would get in this setting would be that every packet is checked for adherence to its protocol, right?

Hello,

 

the ZBF definitely decreases your performance. If you want to, post the running configuration of the ISR, maybe we can spot something that can be improved...

Hi,

 

sure, please see below:

 

Using 5828 out of 33554432 bytes
!
! Last configuration change at 17:20:45 GMT Sun Mar 13 2022 by andreas
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.07.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
login on-success log
!
!

[...]

!
!
no license feature hseck9
license udi pid C1111X-8P sn XXXXX
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 73242
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
[...]
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any DHCP_app
match protocol udp
match protocol bootpc
class-map type inspect match-any Allow_DHCP_app
match protocol udp
class-map type inspect match-all INSIDE_TO_OUTSIDE
match access-group name INSIDE_TO_OUTSIDE_acl
class-map match-any DHCP_nbar_app
match protocol dhcp
class-map match-any Allow_DHCP_nbar_app
match protocol dhcp
class-map type inspect match-all Allow_DHCP
match class-map Allow_DHCP_app
match access-group name Allow_DHCP_acl
class-map type inspect match-all DHCP
match class-map DHCP_app
match access-group name DHCP_acl
!
policy-map type inspect avc Allow_DHCP_app_policy
class Allow_DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect avc DHCP_app_policy
class DHCP_nbar_app
allow
class class-default
allow
policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect
service-policy avc DHCP_app_policy
class class-default
drop log
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect INSIDE_TO_OUTSIDE
inspect
class class-default
drop log
policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect Allow_DHCP
inspect
service-policy avc Allow_DHCP_app_policy
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF-POLICY
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF-OUTSIDE-POLICY
!

!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended Allow_DHCP_acl
10 permit ip any any
ip access-list extended DHCP_acl
10 permit ip any any
ip access-list extended IN-TO-OUT_acl
10 permit ip any any
ip access-list extended INSIDE_TO_OUTSIDE_acl
10 permit ip any any
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0
login local
length 0
transport input ssh
line vty 1 4
login
length 0
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server ip 0.ch.pool.ntp.org prefer
!
!
!
!
!
!
end

Hello,

 

the DHCP part doesn't look right. The access lists basically need to match only UDP ports 67 and 68, not 'ip any any'. Also, the DHCP traffic needs to 'pass', not 'inspect'. I don't know what impact, if any, that has on the performance...

 

 

OUTSIDE-SELF-POLICY

 

ip access-list extended DHCP_acl
10 permit ip any any

 

ip access-list extended DHCP_acl
10 permit udp any any eq 68


SELF-OUTSIDE-POLICY

 

ip access-list extended Allow_DHCP_acl
10 permit ip any any

 

ip access-list extended Allow_DHCP_acl
10 permit udp any any eq 67

 

policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
inspect

 

policy-map type inspect OUTSIDE-SELF-POLICY
class type inspect DHCP
pass

 

policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect Allow_DHCP
inspect

 

policy-map type inspect SELF-OUTSIDE-POLICY
class type inspect Allow_DHCP
pass

Thanks! I will change that. By the way, would it possibly be faster if I restricted the firewall policy to ip, tcp, udp and icmp? Would that mean that only this protocol information would be used for 'inspect' and returning traffic, but no deep packet inspection would be performed? Would that speed things up?

Just to let you know: I have implemented the changes discussed below. Unfortunately, performance still takes a hit of about 50% (even though only one CPU is really busy, ~70%). Also, the DHCP information in the original config was created by the WebGUI when you activate the "application firewall" feature on a firewall rule.

Hello,

 

looking at your config, I think it can be greatly simplified.

 

If I understand it correctly, you want all outgoing traffic to be allowed, and all incoming traffic to be blocked (except for DHCP) ?

Hi,

 

yes - it's the typical small office scenario. 

- The router serves as a DHCP server and provides NAT for all clients on the LAN.

- The router gets its IP address for the external / WAN interface via DHCP from my ISP.

- All unsolicited traffic entering on the WAN interface (except for DHCP) should be dropped, but return traffic from requests made from LAN hosts should be allowed.

- Configuration of the router should only be possible from the internal side and not on the external interface

 

Hello,

 

I put together the configuration below. I have taken out (I hope) all of the redundancies, so all you are left with is a ZBF that allows all outbound traffic, inspects it, and just passes DHCP. I used a slightly different naming convention, in order to tell what a class map, a policy map, and an access list are.

 

The idea of course is to check if the load on your system decreases.

 

Using 5828 out of 33554432 bytes
!
! Last configuration change at 17:20:45 GMT Sun Mar 13 2022 by andreas
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.07.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot-end-marker
!
no aaa new-model
clock timezone GMT 1 0
!
ip nbar http-services
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
login on-success log
!
no license feature hseck9
license udi pid C1111X-8P sn XXXXX
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 73242
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_ALL_CM
match protocol tcp
match protocol udp
class-map type inspect match-all DHCP_SELF_OUT_CM
match access-group name DHCP_SELF_OUT_ACL
class-map type inspect match-all DHCP_OUT_SELF_CM
match access-group name DHCP_OUT_SELF_ACL
!
policy-map type inspect OUTSIDE_SELF_POLICY_PM
class type inspect DHCP_OUT_SELF_CM
pass
class class-default
drop
policy-map type inspect INSIDE_OUTSIDE_POLICY_PM
class type inspect INSIDE_TO_OUTSIDE_ALL_CM
inspect
class class-default
drop
policy-map type inspect SELF_OUTSIDE_POLICY_PM
class type inspect DHCP_SELF_OUT_CM
pass
class class-default
drop
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE_OUTSIDE_ZP source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_OUTSIDE_POLICY_PM
zone-pair security OUTSIDE_SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE_SELF_POLICY_PM
zone-pair security SELF_OUTSIDE_ZP source self destination OUTSIDE
service-policy type inspect SELF_OUTSIDE_POLICY_PM
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list extended DHCP_SELF_OUT_ACL
10 permit udp any any eq 67
!
ip access-list extended DHCP_OUT_SELF_ACL
10 permit udp any any eq 68
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0
login local
length 0
transport input ssh
line vty 1 4
login
length 0
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server ip 0.ch.pool.ntp.org prefer
!
end

Thanks for your help, but the configuration above results in all LAN hosts having no internet access...am I missing something?

Hello,

 

can you post what you have configured ?

Sure! I simply added your suggestions to a config file and restored the router after uploading it:

 

Using 5128 out of 33554432 bytes
!
! Last configuration change at 17:20:45 GMT Sun Mar 13 2022 by andreas
!
version 17.6
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CiscoRouter
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.07.01a.SPA.bin
boot system bootflash:c1100-universalk9.17.06.01a.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone GMT 1 0
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name localdomain.local
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 7
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment terminal
revocation-check crl
!
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01 nvram:CiscoLicensi#1CA.cer
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1111X-8P sn XXXXX
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 73242
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
[...]
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_ALL_CM
match protocol tcp
match protocol udp
class-map type inspect match-all DHCP_SELF_OUT_CM
match access-group name DHCP_SELF_OUT_ACL
class-map type inspect match-all DHCP_OUT_SELF_CM
match access-group name DHCP_OUT_SELF_ACL
!
policy-map type inspect OUTSIDE_SELF_POLICY_PM
class type inspect DHCP_OUT_SELF_CM
pass
class class-default
drop
policy-map type inspect INSIDE_OUTSIDE_POLICY_PM
class type inspect INSIDE_TO_OUTSIDE_ALL_CM
inspect
class class-default
drop
policy-map type inspect SELF_OUTSIDE_POLICY_PM
class type inspect DHCP_SELF_OUT_CM
pass
class class-default
drop
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE_OUTSIDE_ZP source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_OUTSIDE_POLICY_PM
zone-pair security OUTSIDE_SELF_ZP source OUTSIDE destination self
service-policy type inspect OUTSIDE_SELF_POLICY_PM
zone-pair security SELF_OUTSIDE_ZP source self destination OUTSIDE
service-policy type inspect SELF_OUTSIDE_POLICY_PM
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip dhcp client client-id ascii XXXXXX
ip address dhcp
ip nbar protocol-discovery
ip nat outside
zone-member security OUTSIDE
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
zone-member security OUTSIDE
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
zone-member security INSIDE
!
interface GigabitEthernet0/1/1
zone-member security INSIDE
!
interface GigabitEthernet0/1/2
zone-member security INSIDE
!
interface GigabitEthernet0/1/3
zone-member security INSIDE
!
interface GigabitEthernet0/1/4
zone-member security INSIDE
!
interface GigabitEthernet0/1/5
zone-member security INSIDE
!
interface GigabitEthernet0/1/6
zone-member security INSIDE
!
interface GigabitEthernet0/1/7
zone-member security INSIDE
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
zone-member security INSIDE
!
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
ip access-list extended DHCP_SELF_OUT_ACL
10 permit udp any any eq 67
!
ip access-list extended DHCP_OUT_SELF_ACL
10 permit udp any any eq 68
!
ip access-list standard 1
11 permit 192.168.1.0 0.0.0.255
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0
login local
length 0
transport input ssh
line vty 1 4
login
length 0
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server ip 0.ch.pool.ntp.org prefer
!
!
!
!
!
!
end

Hello,

 

I think I found the mistake I made:

 

class-map type inspect match-all INSIDE_TO_OUTSIDE_ALL_CM
match protocol tcp
match protocol udp

 

should be:

 

class-map type inspect match-any INSIDE_TO_OUTSIDE_ALL_CM
match protocol tcp
match protocol udp
