ASK THE EXPERT - TROUBLESHOOTING IOS ZONE BASED FIREWALL

May 30th, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to efficiently troubleshoot zone-based policy firewall on the router with Cisco expert Mynul Hoda. Mynul is a technical leader at Cisco's Network Solutions Integration Test Engineering (NSITE) Lab in the enterprise solution engineering and validation group. Mynul leads a team of eight engineers in validating large-scale branch/WAN solutions for large enterprise customers. Mynul is also working as a technical advisor and escalation resource for security questions in the enterprise network. Mynul holds CCIE certifications in Routing/Switching and Security, and he authored 1100 pages of "Cisco Network Security Troubleshooting Handbook" for Cisco Press.


Remember to use the rating system to let Mynul know if you have received an adequate response.

Mynul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 13, 2008. Visit this forum often to view responses to your questions and the questions of other community members.


yayasolenet Sun, 06/01/2008 - 22:59

Hi Mynul,


I've been configuring 800 series routers for a while. Since last week, I found that the newly arrived 857 routers have IOS version 12.4T5(15) installed (image file: c850-advsecurityk9-mz.124-15-T5.bin), which SDM 2.5 shows as using the zone-based firewall instead of the interface firewall.


But using the wizard from SDM, it fails to apply the firewall policy.


I found it always failed at the class-map command. So I went into the CLI. But under global configuration mode, there is no class-map command, as shown in the attachment. It still has the ip inspect command, though.


I attached the summary of the firewall to be applied and the error message for your reference.


Is there any problem with my ios?


This is the 3rd router in a row I have received with the same problem.


Thanks



mhoda Sun, 06/01/2008 - 23:34

Hello Lydia,


Thanks for initiating the forum with your question!


You are essentially hitting a bug here - CSCsm79217


Bug Tool: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs


Direct Link to the bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm79217


The problem is with SDM not being able to recognize whether the platform supports Zone-based FW or not. Cisco 831 and 851 routers do not support Zone-Based Firewall, while the 871 model does. However, all of them support CBAC.


The problem occurs when you do not have any firewall configuration on the router: SDM will attempt to configure the router with Zone-Based Firewall by default, even if the router doesn't support Zone-based FW. This is where the problem is.


However, if there is already an 'ip inspect' policy applied, SDM will recognize this configuration, get into CBAC mode, and allow you to configure the CBAC policies. Hence, the work-around until the bug is fixed is to manually configure an ip inspect policy to force SDM into configuring CBAC. This needs to be done from the Command Line Interface (CLI) with the commands below:


Router(config)#ip inspect name fw tcp
Router(config)#interface FastEthernet 4
Router(config-if)#ip inspect fw out
Router(config-if)#


Once this configuration is in place, click the Refresh button within SDM to query for configuration changes. Now, clicking on the Firewall tab should allow configuration of the firewall inspection rules.


Hope this helps!


Regards,

Mynul

yayasolenet Mon, 06/02/2008 - 18:55

Thanks.


Good to ask the expert. You solved the problem straight away. I actually posted the same issue a week ago, and no one really pointed out what had caused the problem.


One more question about the actions. Mostly they are inspect. What does inspect really do? For example, inspect tcp: what does it scan for? What action exactly will it take after scanning the packet? It is not as clear as the permit, reset, and drop actions.


Thanks.

mhoda Mon, 06/02/2008 - 22:55

Glad to know that the problem is fixed!


Inspect means different things for different protocols. For example, inspect TCP means making sure the packet is a valid TCP packet, and that a session is created to maintain the state of the connection on the router (allowing SYN, SYN-ACK, and ACK to be completed to establish the connection). So, for the basic stateful functionality of IOS FW to work, as a minimum you need to have TCP/UDP inspection. However, for a multichannel protocol such as FTP, the payload needs to be inspected as well to get the necessary IP and/or protocol information to be able to allow the subsequent data connection. Again, some application layer inspection, such as SMTP, is there to make sure the SMTP exchange across the firewall is within protocol conformance. So, net net, inspection serves a different purpose for each protocol.


HTH,

Mynul


Now, if you require IOS FW to create necessary sessions to crea
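To make the TCP inspect behaviour Mynul describes concrete, here is a small session-table model added as an illustration (it is not Cisco code and not from this thread): the first SYN from the zone-pair's source zone creates a session, the handshake states are tracked, matching return traffic is passed, and anything with no session is dropped silently, with no ICMP unreachable, which is the stealth behaviour Gerald asks about below. Zone names, addresses and ports are constructed.

```python
"""Toy model of the TCP 'inspect' action: the first SYN from the zone-pair's
source zone creates a session, the handshake is tracked, and only matching
return traffic passes; the rest is dropped silently (no ICMP unreachable).
Constructed example, not Cisco code."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    zone: str    # zone the packet arrives from, e.g. "safe" or "hostile"

@dataclass
class Session:
    state: str = "SYN_SENT"   # SYN_SENT -> SYN_RCVD -> ESTABLISHED

class TcpInspector:
    """Session table for one zone-pair (source zone -> destination zone)."""
    def __init__(self, source_zone="safe", dest_zone="hostile"):
        self.source_zone, self.dest_zone = source_zone, dest_zone
        self.sessions = {}   # (src_ip, src_port, dst_ip, dst_port) -> Session
        self.drops = []      # silently dropped packets, kept for inspection
    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _rkey(p):   # key of the session a return packet belongs to
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def handle(self, p):
        """Return 'PASS' or 'DROP'; a DROP generates no reply packet at all."""
        if p.zone == self.source_zone:
            sess = self.sessions.get(self._key(p))
            if sess is None:
                if p.flags != "S":          # only a SYN may open a session
                    return self._drop(p)
                self.sessions[self._key(p)] = Session()
                return "PASS"
            if p.flags == "A" and sess.state == "SYN_RCVD":
                sess.state = "ESTABLISHED"   # handshake completed
            return "PASS"
        if p.zone == self.dest_zone:
            sess = self.sessions.get(self._rkey(p))
            if sess is None:                # unsolicited packet from outside
                return self._drop(p)
            if p.flags == "SA" and sess.state == "SYN_SENT":
                sess.state = "SYN_RCVD"
                return "PASS"
            return "PASS" if sess.state == "ESTABLISHED" else self._drop(p)
        return self._drop(p)

    def _drop(self, p):
        self.drops.append(p)
        return "DROP"

def demo():
    """Inside client opens a web session, then an outside host sends an
    unsolicited SSH SYN. All addresses are constructed."""
    fw = TcpInspector()
    c, s = ("192.168.1.10", 40000), ("203.0.113.5", 80)
    out = lambda f: Packet(*c, *s, f, "safe")       # client -> server
    back = lambda f: Packet(*s, *c, f, "hostile")   # server -> client
    verdicts = [fw.handle(out("S")), fw.handle(back("SA")), fw.handle(out("A")),
                fw.handle(back("A")),
                fw.handle(Packet("198.51.100.9", 5555, "192.168.1.10", 22, "S", "hostile"))]
    return verdicts, fw.sessions[c + s].state, len(fw.drops)
```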

Gerald Vogt Mon, 06/02/2008 - 17:08

Why does the new zone-based firewall silently drop traffic instead of sending ICMP unreachables like the old firewall or ACLs do? And/or why is there no option to change this behaviour? Does Cisco now join the "stealth" hype, too?

husycisco Mon, 06/02/2008 - 18:15

Hi Mynul

Welcome, and thanks for your time. I have a question that I have spent pretty much time on; Tom Hunter tried to help me also, but he couldn't email me back as he is busy. The following link contains what I want to achieve.

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00f96

If you like, I can send you the mails between me and Tom so that you can see where we got stuck.

My second question is about the packet-tracer in 7.2 and above code, and debug commands.


Following is an example output.


Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x23b60c0, priority=0, domain=permit-ip-option, deny=true
hits=2108983, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

The packet-tracer command is one of the favourite commands for troubleshooting, for sure. But there are parts that I can't understand. For example, it says true for deny, but the packet is permitted; also, does that id code mean anything? How can I learn more about the details of that command?

Also, for debugging the crypto engine: I have intermediate debugging experience, but how can I learn advanced debugging skills? Are there any Cisco Press books out there?


Thank you

mhoda Mon, 06/02/2008 - 22:46

Hello Huseyin,


Tom Hunter is the SME on ASA, so please try and get help from him through the forum.


This event is on Zone-based firewall discussion; hence, to be fair to others, if possible, I would like to keep the discussion on Zone-based Firewall or Classic IOS Firewall only.


That being said, please feel free to send me an offline message via e-mail, and I will be more than happy to take a look at the problem where you are stuck.


Thanks!

Mynul

mhoda Mon, 06/02/2008 - 22:38

Hello!


In its current state, Zone-based firewall works in Stealth mode. A knob to change its behavior doesn't exist in the current code base.


Please stay tuned, I am trying to follow up with the development team to see if having the knob is in the roadmap!


Thanks,

Mynul

mhoda Mon, 06/02/2008 - 22:39

Hello!


In its current state, Zone-based firewall works in Stealth mode, hence no ICMP unreachable packets get sent from the firewall. A knob to change its behavior doesn't exist in the current code base.


Please stay tuned, I am trying to follow up with the development team to see if having the knob is in the roadmap!


Thanks,

Mynul

LUAN NGUYEN Tue, 06/03/2008 - 11:12

Hello,

Say you get a log message like the following:

*Jun 3 15:33:18.702 EDT: %FW-6-DROP_PKT: Dropping Other session 208.209.251.210:514 206.64.200.15:514 on zone-pair publicPrivateOut class class-default due to DROP action found in policy-map with ip ident 33708


What can you tell from "ip ident 33708" ?


Thanks.
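A small parser for the %FW-6-DROP_PKT message in Luan's post, added here as an illustration (it is not Cisco code and not from the thread): it pulls the protocol, addresses, zone-pair, class, drop reason and the value after "ip ident" out of each line, and counts drops per zone-pair/class and per source so a log full of these messages can be summarized rather than read line by line. The first sample line is the one quoted above; the other two are constructed from the same format with documentation addresses.

```python
"""Parse %FW-6-DROP_PKT syslog lines from an IOS zone-based firewall and
aggregate them. Added example, not Cisco code; SAMPLE_LOG mixes the line
from the thread with two constructed lines."""
import re
from collections import Counter

DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?)(?: with ip ident (?P<ip_ident>\d+))?$"
)

def parse_drop(line):
    """Return a dict of the message fields, or None if the line is not a
    DROP_PKT message. ip_ident is the number the router logs after
    'with ip ident', kept as an int (None if the suffix is absent)."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["ip_ident"] = int(d["ip_ident"]) if d["ip_ident"] else None
    return d

# First line: the message quoted in the thread. Lines 2-3: constructed.
SAMPLE_LOG = """\
*Jun 3 15:33:18.702 EDT: %FW-6-DROP_PKT: Dropping Other session 208.209.251.210:514 206.64.200.15:514 on zone-pair publicPrivateOut class class-default due to DROP action found in policy-map with ip ident 33708
*Jun 3 15:33:19.002 EDT: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:51515 192.0.2.10:23 on zone-pair publicPrivateOut class class-default due to DROP action found in policy-map with ip ident 1
*Jun 3 15:33:20.100 EDT: %SYS-5-CONFIG_I: Configured from console by vty0
"""

def summarize(log):
    """Count drops per (zone-pair, class) and per source address; lines
    that are not DROP_PKT messages are skipped."""
    by_pair, by_src = Counter(), Counter()
    for line in log.splitlines():
        d = parse_drop(line)
        if d is None:
            continue
        by_pair[(d["zone_pair"], d["cls"])] += 1
        by_src[d["src"]] += 1
    return by_pair, by_src
```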

sushilmenon Tue, 06/03/2008 - 15:29

Hi Mynul, glad to have you on the forum. Can you please tell us how to use the self zone and where it is required?


And how to deal with IPsec connections terminating on the router running zone-based firewall?


regards


sushil

LUAN NGUYEN Tue, 06/03/2008 - 20:11

If you don't mind me answering...

The "self" zone is used to control inbound and outbound services to and from the router. Unlike user defined zones (public, private, dmz, vpn, etc), the self zone implicitly allows all other zones access to and from the router.

If you have a policy-map between public and self, then permit ike, gre to and from.

I don't want to speculate on how ESP is doing, though.

LUAN NGUYEN Wed, 06/04/2008 - 07:17

I think the question was: if you want to protect your router by limiting, say, only ssh/scp/snmp to the self zone from the public zone, then how do you do that without affecting the VPN-related stuff?

The above document doesn't address the self zone.


Another question is: how do you effectively and efficiently protect the self zone if you have 10 other zones? Do you have to create 10 zone pairs?

mhoda Thu, 06/12/2008 - 07:04

Hello,


I re-read the question, and I think we have answered what Sushil is looking for.


Sushil,


Please confirm if you need any additional details.


Thx,

Mynul

mhoda Tue, 06/03/2008 - 23:58

Hi,


I would appreciate it if you could send me an e-mail with the configuration. All it's saying is that IP Identity 33708 has the DROP action set, hence the connection is getting dropped. Please send me the config so that I can comment better on this.


Thx,

Mynul

mhoda Tue, 06/03/2008 - 23:56

Hi,


Wanted to follow up on this. I did consult with the Product team, and they suggested that there is a Product Enhancement Request made regarding this. I would suggest that you contact your account team to raise the importance of this.


Regards,

Mynul

LUAN NGUYEN Wed, 06/04/2008 - 07:19

Do you have more detail on what the name of the enhancement is?

I think we have a request for better log messages (so that even a person who doesn't know the topology would understand what the log is saying).


thanks.



mhoda Thu, 06/05/2008 - 21:49

Hi,


This was a response to Gerald's question. I was referring to the follow-up on the Stealth feature question for Zone-based Firewall. The PER request is on that.


It's a web glitch. Therefore, for future answers, to avoid any confusion, I will go ahead and address the person by name when providing my answer.


Thanks,

Mynul

Hi, Mynul


To start with, I have two questions:


1. Is it possible to block an inside host infected by a worm and generating lots of TCP SYNs with Zone firewall or Classic firewall and/or other IOS security features? (IPS appliance, CSA, NAC, etc. are not an option in our net).


Unfortunately, the

ip inspect tcp max-incomplete host N block-time minutes

or

parameter-map type inspect ...
 tcp max-incomplete host N [block-time minutes]

can block by Destination IP only, not the Source IP.


Also, how can I diagnose infections if the message "%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host " prints out the Destination IP, rather than the Source IP?


2. Is it possible to kill a specific IOS firewall session? For example, suppose we have PCs infected by a worm. It can take a lot of time to locate and isolate those PCs in a big network. How can we block _established_ sessions of those PCs on a router? As far as I understand, an ACL will not work in Classic firewall, because the sessions are already established and the traffic is not processed by an ACL for established sessions. What about Zone firewall? Will an ACL work? Can we kill a session in ZPF?


Thank you.



mhoda Thu, 06/05/2008 - 23:37

Hello Oleg,


The answer to question 1 is that you need to use the IPS features instead of the IOS FW features. The DoS prevention mechanism is only based on destination address. Have you thought about the software-based IPS features?


Unfortunately, the answer to question 2 is NO as well, to the best of my knowledge. Let me think and see if there is any work-around or mechanism I can come up with.


Thanks,

Mynul

Thank you for the reply.


Inability to block by source IP and diagnose infections is the major limitation of the IOS firewall. Using software-based IPS is not a good idea, because it can overload the CPU. Also, as far as I know, Sig 3050 uses the same code as the firewall. I'm not sure whether it is possible to block by source IP with this signature. When I tested blocking in one of the initial releases of 12.4(15)T, deny-attacker-inline didn't even work for the service.http engine.


What do you think?


mhoda Thu, 06/12/2008 - 07:02

Hello,


IOS IPS is a complementary technology to IOS FW.


To minimize the IPS impact on the router, what you may want to do is "Retire" all signatures, and also disable all the signatures that you don't need. Signature 3050 should serve your purpose.


Thanks,

Mynul




231272sdd Tue, 06/10/2008 - 09:39

Hi Sir Oleg,

I am coming in now to ask you whether the CCSP (CSVPN 642-511 exam) is still online, because I am looking everywhere on all the Cisco exam lists but I can't see that one.

Please, I need help. I am preparing for two exams: I'll take the CCNA 640-802 exam, and 2 weeks later I will take the CSVPN exam 642-511. That is why I would like to know this information.

best regards

dinard

mhoda Thu, 06/12/2008 - 06:36

Hi Dinard,


Please ask this question under the Career Certification session, as this session is on a different topic.


Thx,

Mynul

bluestarenergys... Wed, 06/04/2008 - 08:21


Please, I have 2 problems:


1. Sometimes (approximately every 30 minutes) the connections are lost when the web server (DMZ - security level 50) accesses JBoss/mod-JK Tomcat (INSIDE - security level 100). In order to fix this issue, I upgraded from version 7.02 to 8.02. However, after 10 days the problem is back...


2. I have a Cisco ASA with 8.03; how can I block p2p and streaming traffic?


Greetings from Lima - Peru


mhoda Thu, 06/05/2008 - 23:39

Hello Thomas,


This session is targeted at IOS FW security, not the appliance. I would suggest that you post the question under the Security section of this forum.


Thanks for your understanding!


Regards,

Mynul

mhoda Thu, 06/05/2008 - 23:41

Hello Jim,


This session is only on IOS FW security features; hence, I would suggest you post your question under the Data Center section.


Thanks,

Mynul

vahom_spec Thu, 06/05/2008 - 17:37

Hello Mr Mynul Hoda !


I have a Cisco 871 router with IOS C870-ADVIPSERVICESK9-M, Version 12.4(15)T4.

I want to connect all local users to the Internet through NAT and block access to some sites on the Cisco without using an extra server to filter URLs.

To filter HTTP traffic I'm using Zone-Based Policy Firewall with HTTP Application Inspection (http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml).

The problem is that when I turn on deep packet inspection, the Cisco blocks all URLs on the list, but it also blocks URLs that are not on the list, such as http://www.mail.ru and http://www.yandex.ru.


I tried to fix this problem in the properties of ZBPFW. Maybe I should look somewhere else?


Here is my configuration (I tuned it following the documentation at http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml):

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MainOff
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
no aaa new-model
!
ip cef
!
ip domain name domen.ru
ip name-server xxx.xxx.xxx.xxx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
parameter-map type regex block_url
 pattern \.farpost\.ru
!
username test privilege 15 secret xxx
!
archive
 log config
  hidekeys
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all all-private
 match access-group name users_http_deny_sites
 match protocol http
class-map type inspect http match-any http-l7-cmap
 match request header regex block_url
class-map type inspect match-any dns_and_other
 match protocol dns
 match protocol telnet
!
policy-map type inspect http http-l7-pmap
 class type inspect http http-l7-cmap
  reset
 class class-default
policy-map type inspect priv-pub-pmap
 class type inspect dns_and_other
  inspect
 class type inspect all-private
  inspect
  service-policy http http-l7-pmap
 class class-default
!
zone security safe
zone security hostile
zone-pair security safe-hostile source safe destination hostile
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address FFF.SSS.EEE.KKK 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 zone-member security hostile
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.232 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security safe
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.EEE.WWW.BBB
!
!
no ip http server
no ip http secure-server
ip nat inside source list nat_users interface FastEthernet4 overload
!
ip access-list extended nat_users
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended users_http_deny_sites
 permit ip any any
!
control-plane
!
line con 0
 no modem enable
 transport output telnet
line aux 0
line vty 0 4
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end


P.S.:

Such a configuration blocks access to http://www.farpost.ru. All other URLs are working, except http://www.mail.ru and http://www.yandex.ru, which are blocked too. But sites like http://horo.mail.ru, http://www.ya.ru, and http://www.love.mail.ru are working.


Where is the problem? How should I block access to the sites I pointed out and unblock http://www.mail.ru and http://www.yandex.ru?


mhoda Thu, 06/12/2008 - 06:49

Hello Vasily,


Please try this -


parameter-map type regex block_url
 pattern "\.farpost\.ru"


Let me know how it goes.


Thx,

Mynul

shibindong Sun, 06/08/2008 - 05:43

hi Mynul:

Sorry, I have a question about ASA which I need to ask you, because I have posted the question on the forum many times and nobody can help me.


We have 2 ASA 5520s working in active/active redundancy. FW1 is active for context admin and passive for context ctx1, while FW2 is active for ctx1 and passive for admin, and the admin-context is "admin".


We can telnet/ssh to each context, but can only access context admin via ASDM. Every time we try connecting to context ctx1 via the ASDM launcher, we get an error message like "no ASDM found, only support ASDM 5.0 higher". We have checked the IOS and ASDM version on both firewalls; they are the same: ASDM521. My question is: is it because context ctx1 is not the admin-context? And is there any way to do it?


thanks in advance!!!

mhoda Thu, 06/12/2008 - 06:34

Bindong,


This event is targeted at IOS FW. I would suggest you put the question under the Security session of this forum. I will respond there. This is to keep the event separate for each individual topic.


Thanks,

Mynul

shibindong Thu, 06/12/2008 - 18:32

Thanks for your reply. I have posted my questions, but nobody replies, so I have to ask you for help.

mhoda Thu, 06/12/2008 - 18:52

Sure, I just answered your post under the Firewall section that you posted before. Thanks,

Mynul


Gregsandy Wed, 06/11/2008 - 09:36

Hello, I am trying to reset the password on my ASA 5510, and now every time I restart the device, my terminal goes to the rommon #\ prompt. How do I restore my device?


thanks

Greg

mhoda Thu, 06/12/2008 - 06:33

Greg,


This event is targeted at IOS FW. I would suggest you put the question under the Security session of this forum. I will respond there.


Thanks,

Mynul

heartwinlion Fri, 06/13/2008 - 03:55

Respected Sir


I am new to the world of Network Security. I am working in an organization as Network support for the PIX firewall, and I want to practise my commands related to PIX.

To fulfill my requirement I need a simulator for the PIX Firewall. Can you provide me this item?

mhoda Fri, 06/13/2008 - 06:06

Hi Manjeet,


This session is on IOS Firewall security; hence, it would be best for you to post this under the Security > Firewall section.


I am personally not aware of any PIX simulator.


Thanks,

Mynul

