Hello Everyone,
*Basic Knowledge:
- Who belongs to the self-zone: any of the IP addresses of the router.
- What traffic should I consider to be handled by the self-zone:
  - Management plane (SSH, Telnet, etc.)
  - Control plane traffic (routing protocols)
- Pass action: equivalent to an ACL permit statement. It is unidirectional, so it must exist on both sides of the connection (both zone-pairs) to work, and it does not generate an entry in the stateful table of the firewall.
*Why would you consider using the self-zone?
When we talk about firewalls we talk about the devices in charge of protecting our network infrastructure: the devices configured to prevent any kind of attack by filtering traffic based on security policies.
If we protect our internal resources but leave the FW itself unsecured, what is the implication? Anyone could log into the FW and change the configuration, create backdoors, etc.
So using the self-zone is a MUST.
*Self-Zone Key Facts
- By default, traffic from the router and to the router is not filtered by the ZBFW.
- As soon as you use a zone-pair that mentions the self-zone, traffic to or from the router from any host attached to any zone will be filtered by the policies, so make sure you configure all the policies before creating the zone-pairs.
- Traffic from a host behind an interface that does not belong to any zone to any of the interfaces of the router will NOT be restricted.
All we have to do is create a zone-pair that references the self-zone (either as source or destination). The self-zone is predefined and its name is lowercase:
zone-pair security TEST source Inside destination self
Q/ Is traffic going to be inspected within the self-zone like in any other zone?
A/ No, and you need to be really careful here. (I don't remember how many times I have heard the following: "You must use a PASS policy when you talk about the self-zone." That is not true unless you try to match L7 traffic.)
*The Self-Zone and L7 inspection
The self-zone cannot be configured to inspect traffic that you matched via an L7 match protocol statement. Example of a configuration that fails:
class-map type inspect match-any To_Self
 match protocol ssh
 match protocol telnet
 match protocol icmp
policy-map type inspect Out-Self
 class type inspect To_Self
  inspect
zone-pair security Out-Self source outside destination self
 service-policy type inspect Out-Self
%Protocol configured in class-map To_Self cannot be configured for the self zone with inspect action. Please remove the protocol and retry
Cause of the problem:
The self-zone is not aware of L7 traffic, so it cannot inspect it. It only understands L4 traffic, so the inspect action can only be used with L4 class-map match commands (for example an ACL matching the TCP/UDP ports).
Solution (either one works):
- Match the traffic via L4 matches (keep the inspect action).
- Instead of the inspect action, use a pass action (keep the L7 matches).
Solution 1
Match layer 4 traffic instead of the L7 protocols, and keep the inspect action:
ip access-list extended test
 permit tcp any any eq 23
 permit tcp any any eq 22
class-map type inspect match-any To_Self
 no match protocol ssh
 no match protocol telnet
 ! ICMP works at layer 3, so we can leave this match as it is
 match protocol icmp
 match access-group name test
! policy-map Out-Self from above is unchanged and still uses the inspect action
zone-pair security Out-Self source outside destination self
 service-policy type inspect Out-Self
Solution 2
Keep the L7 matches but use the pass action instead of inspect:
class-map type inspect match-any To_Self
 match protocol ssh
 match protocol telnet
 match protocol icmp
policy-map type inspect Out-Self
 class type inspect To_Self
  pass
zone-pair security Out-Self source outside destination self
 service-policy type inspect Out-Self
And everything will work now. (Remember that pass is unidirectional, so the return traffic from the router needs a matching pass policy on the self-to-outside zone-pair.)
*VPN Traffic and the Self-Zone:
With ZBFW, when we are using the self-zone and we have a L2L IPsec VPN tunnel terminating on the router, we must focus only on phase 1 (the control channel negotiation, ISAKMP).
The action must be set to pass, and because pass is unidirectional it is applied on both zone-pairs (outside-to-self and self-to-outside).
Ex:
ip access-list extended Isakmp
 permit udp any any eq 500
class-map type inspect VPN
 match access-group name Isakmp
! outside -> self direction
policy-map type inspect Out-Self
 class type inspect VPN
  pass
! self -> outside direction (return traffic)
policy-map type inspect Self-Out
 class type inspect VPN
  pass
*Routing Protocols and the Self-zone
- RIP/BGP: need a pass action.
- OSPF/EIGRP: before IOS 15.1 they do not need any configuration in order to build a neighborship; from 15.1 on, a policy-map that matches the OSPF/EIGRP protocol is required with a PASS action.
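Putting the three previous sections together, here is an added example (not from the original post) of a complete self-zone policy set: an L4 (ACL) match for the management plane so the inspect action is accepted, a pass action for ISAKMP and OSPF (15.1 and later) in both directions, and the zone-pairs created last. The interface names, the zone names Inside/Outside and the 10.1.1.0/24 management subnet are assumptions.

```cisco
! Zones and interface membership (interface and zone names are assumed)
zone security Inside
zone security Outside
interface GigabitEthernet0/1
 zone-member security Inside
interface GigabitEthernet0/0
 zone-member security Outside
!
! Management plane: SSH from the inside network only, matched at L4 with
! an ACL (not "match protocol ssh") so the inspect action is accepted
ip access-list extended MGMT-TO-SELF
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
class-map type inspect match-any INSIDE-TO-SELF
 match access-group name MGMT-TO-SELF
 match protocol icmp
policy-map type inspect INSIDE-SELF
 class type inspect INSIDE-TO-SELF
  inspect
 class class-default
  drop log
!
! Control plane from the outside: ISAKMP (phase 1) and OSPF need a pass
! action, and pass is unidirectional, so the same class is applied in
! both zone-pairs (outside->self and self->outside)
ip access-list extended ISAKMP
 permit udp any any eq isakmp
class-map type inspect match-any CONTROL-PLANE
 match access-group name ISAKMP
 match protocol ospf
policy-map type inspect OUTSIDE-SELF
 class type inspect CONTROL-PLANE
  pass
 class class-default
  drop log
policy-map type inspect SELF-OUTSIDE
 class type inspect CONTROL-PLANE
  pass
 class class-default
  drop log
!
! Zone-pairs last, after all policies exist: from this point on traffic
! to the router is filtered and anything not matched above is dropped
zone-pair security IN-SELF source Inside destination self
 service-policy type inspect INSIDE-SELF
zone-pair security OUT-SELF source Outside destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security SELF-OUT source self destination Outside
 service-policy type inspect SELF-OUTSIDE
```

The self-to-Outside policy drops any router-originated traffic that is not listed (NTP, DNS, syslog to an outside server, etc.), so extend the CONTROL-PLANE class or add another pass class before applying it in production.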
Regards,
Julio Carvajal