ASK THE EXPERT - IOS FIREWALL

Feb 27th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to control capabilities for IM, peer-to-peer applications, firewall policy, bandwidth shaping and more with Cisco expert Alex Yeung. Alex is a technical marketing engineer for router security at Cisco, with a primary focus on IOS Firewall and IOS Intrusion Prevention Systems (IPS). He has 15 years of experience in the network industry. His responsibilities include router security product marketing, creating collateral, delivering presentations at various forums, and providing support and training to both Cisco customers and partners. He provides recommendations for product improvement and quality, and improves customer understanding, awareness, and successful adoption of router-based security. Alex is also leading the effort to create and implement a router security lab for Cisco partners and system engineers; the lab is delivered to multiple theaters around the globe. He is a dual CCIE (#5581, Security, and Routing and Switching).

Remember to use the rating system to let Alex know if you have received an adequate response.

Alex might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through March 13, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

adamclarkuk_2 Fri, 02/27/2009 - 12:50

Hi

I am new to the forum and was unaware you held "Ask the expert" discussions. I would just like to say that it is a fantastic idea and would like to express how impressed I am with this forum and the quality of its members. Keep up the great work.

My question is this.

IOS firewall has come a long way, but how far behind your ASA series is it technically? What I mean by that is, when a customer asks me which is the best option, it seems to be getting harder to justify paying for a dedicated firewall when an IOS firewall can offer so much in the way of protection as well as a vast array of tools with routing and switching.

Regards

Adam

Alex Yeung Fri, 02/27/2009 - 17:45

Hi Adam,

Thanks for your good words about this forum.

I won't say that IOS firewall is technically behind ASA. Are there any particular features you are looking for that are not in IOS firewall?

Both IOS firewall and ASA are stateful firewalls, but there are features that are available in IOS firewall but not in ASA and vice versa. For example, IOS firewall supports zone-based policy firewall but ASA does not; ASA supports Active/Active stateful failover but IOS firewall does not.

Choosing between IOS firewall and ASA really depends on the deployment scenario. For example, if customers would like to have an integrated platform that has routing, QoS, voice, and firewall capability at a branch/small office, then IOS firewall on an ISR will be a good fit; if customers are looking for higher performance than what IOS firewall can provide, then ASA will be a better fit.

Thanks.

Alex Yeung

Jon Marshall Fri, 02/27/2009 - 18:46

Hi Alex

How much of IOS firewall is done in software? I'm assuming all of it, as there are no dedicated ASICs on routers?

I know this is a rather open-ended question, but what extra performance hit would you expect by running the IOS firewall, and how does this compare with ASA figures?

Jon

Jon Marshall Sat, 02/28/2009 - 12:50

Alex

Many thanks for that and a useful doc which I haven't seen before. I guess though that I am asking from your experience what is the CPU/memory hit on a router, i.e.

Cisco ASA 5510: 300 Mbps

An equivalent (or close) for an IOS router is

Cisco 3825: 287 Mbps

Now let's say they are both running at approx. 150 Mbps of firewalled traffic. Do you have any figures to show what additional overhead there is on the CPU/memory of a router for the above?

That has always been my main concern with choosing a router to do the firewalling.

Also, are there any plans to have dedicated AIMs within the routers that you could offload the firewalling functions to?

Jon

Alex Yeung Sat, 02/28/2009 - 23:58

Hi Jon,

First of all, we don't have a plan to have a dedicated AIM for firewall functions on the router at this time, but we are always looking for ways to improve our products and customer experience.

Now back to your original question: are you asking, given a baseline config (no IOS firewall), what is the additional CPU/memory used when IOS firewall is enabled? In terms of memory, IOS Firewall consumes roughly 700 bytes per connection for basic inspection. More detailed application inspection will consume more memory, e.g. FTP, HTTP and VoIP AIC. In terms of CPU, there will be CPU cycles consumed due to the addition of IOS firewall, but I don't have a number for you right now.

Regards,

Alex Yeung

tenaro.gusatu.novici Tue, 03/03/2009 - 03:51

Hi there,

There is a pretty nice new feature for ASA called "phone proxy" that allows a remote phone to securely connect and register to the CUCM cluster. Any chance this feature will be available inside IOS FW too?

Regards,

Tenaro

Alex Yeung Wed, 03/04/2009 - 17:03

Hi Tenaro,

We are looking into this to add it to IOS FW.

The current Cisco Unified Communications Trusted Firewall Control feature provides an alternative to phone proxy. We are working on a solution report and will post it soon when it's completed.

For more info on Cisco Unified Communications Trusted Firewall Control, please take a look at:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/feature/guide/TrustedFirewallControll.html

and

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_fwll_trp_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Thanks.

Alex Yeung

HEATH FREEL Tue, 03/03/2009 - 05:19

Hi,

Are there any plans to incorporate Zone Based Firewalling into the ASA's?

As time has gone by, it appears the ASA is becoming more IOS-like and the Zone Firewall is long overdue...

Thanks,

Heath

Alex Yeung Wed, 03/04/2009 - 17:11

Hi Heath,

I believe the ASA team is investigating this.

Are you currently deploying Zone-based FW? I would like to hear your experience in deploying it and what you would like to see go into Zone firewall.

Thanks.

Alex Yeung

HEATH FREEL Tue, 03/03/2009 - 05:28

Zone Based FW testing...

My configuration is simple and testing has gone well.... I started off with a class map that only matched on an access list. After successful testing I added a subordinate class map for protocol matching. It appears to be working, but the statistics do not show what I expect.

In the attachment you will see the configuration and the output of the "show policy-map type inspect zone-pair inout session" command.

Although it is working, I expected to see hits against the protocols I am inspecting. In this case a ping to an outside server should have hits against the ICMP protocol. Same thing if I do an HTTP session - it works but no hits. In reading through the documentation I have configured it correctly, but am I missing something?

BTW - 881 Version 12.4.20T1

Thanks,

Heath

Attachment: 
Alex Yeung Wed, 03/04/2009 - 22:31

Hi Heath,

You are using a nested class-map (i.e. a class-map in another class-map), and statistics are not currently supported for this. The Cisco IOS Firewall engineering team is working to add the functionality in future releases.

The workaround for now if you want to show the statistics is to create multiple class-maps, each class-map using "match-all" with "match protocol http" and "match access-group 103".

We would love to hear from you about any suggestions you may have to help us to improve IOS Firewall.

Thanks.

Alex Yeung

HEATH FREEL Thu, 03/05/2009 - 06:32

Alex,

Thanks for the info as it explains that my config is good...

If I use two "match-all" class-maps, how do I go about incorporating other protocols in the policy-map? Would I just add a "match-any" class-map with all my other protocols - DNS, SMTP, HTTPS etc. to the policy-map?

I am doing a bunch of testing on the ZFW and will keep you updated with my findings - so far so good.

Thanks,

Heath

Alex Yeung Fri, 03/06/2009 - 10:42

Hi Heath,

You can have multiple class-maps in your policy-map. For example:

class-map type inspect match-all all-private
 match access-group 101
class-map type inspect match-all private-ftp
 match protocol ftp
 match access-group 101
class-map type inspect match-any netbios
 match protocol msrpc
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
class-map type inspect match-all private-netbios
 match class-map netbios
 match access-group 101
class-map type inspect match-all private-ssh
 match protocol ssh
 match access-group 101
class-map type inspect match-all private-http
 match protocol http
 match access-group 101
!
policy-map type inspect priv-pub-pmap
 class type inspect private-http
  inspect
 class type inspect private-ftp
  inspect
 class type inspect private-ssh
  inspect
 class type inspect private-netbios
  inspect
 class type inspect all-private
  inspect
 class class-default
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap

For details, please take a look at the "Zone-Based Policy Firewall Design and Application Guide":

http://www.cisco.com/en/US/products/sw/secursw/ps1018/prod_white_papers_list.html

Regards,

Alex Yeung

Hi,

I have a problem with a 1721 router attempting to allow SIP traffic from outside to inside. I can't seem to get any UDP traffic to be NATed to the internal server. Attached is a sanitized copy of the current running config. Please tell me what I'm doing wrong here or is this a bug in the current software version on the router.

Thanks for your help.

Doug

Attachment: 
Alex Yeung Thu, 03/05/2009 - 00:23

Hi Doug,

I don't see you using IOS Firewall in your configuration.

Do you have a TAC case opened for this NAT issue?

Thanks.

Alex Yeung

You are right. The firewalling will come to harden the router when everything is working. I have found something on ip nat piggy-back sip, which I think will help, but I'm not sure how to set that up. It requires an upgrade of the router and IOS to get this command, as it doesn't exist in 12.3. I may change routers to an 871 with advanced security 12.4 on it, and restart what should have been an easy project. Any input would be of real help here.

Thanks.

remi-reszka Wed, 03/04/2009 - 15:02

Hi Alex,

First of all, thanks for the opportunity to be able to discuss with you certain technical solutions to certain problems. Oh well, there you go, I have one already ;-). I am trying to block p2p and IM traffic on an 877 router with IOS 12.4(6). How can this be done in the most efficient and effective way? I've been trying to make use of NBAR and QoS, but it seems I can't find any PDLMs for p2p applications like ARES or LIMEWIRE. How about IM like Messenger or Yahoo? What would be your suggestion?

Many thanks in advance.

Rgds,

Remi

remi-reszka Fri, 03/06/2009 - 06:19

Hi Alex,

Thank you for the clue. How about blocking p2p? Can it be achieved with IPS if not with NBAR? I was thinking I could configure IPS to reset the connection on any client that generates too many connections, say more than 30-50. How can it be done?

Thanks very much in advance.

Remi

Alex Yeung Fri, 03/06/2009 - 11:34

Hi Remi,

IOS Firewall can block P2P traffic as well:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_zone_polcy_firew_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056150

If you use IOS IPS, you can reset the P2P connections, but you can't reset the connection after a certain number of connections from the client, i.e. you either allow the connections or block them.

When you use IOS zone-based policy firewall, you can use rate policing and session control to control your P2P sessions:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#conf3

Regards,

Alex Yeung
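As an added illustration of the two controls Alex names (session control through a parameter-map and rate policing in the inspect policy), here is a constructed zone-based policy firewall configuration. It is not Alex's config and not taken from the linked Cisco documents; the interface names, ACL 101, the inside subnet, the session and rate values, and the assumption that the running 12.4T release recognises the listed P2P protocol names are all assumptions to verify against the feature navigator for your platform.

```cisco
! Constructed example (assumed 12.4T release with ZBFW and P2P inspection).
! Interface names, subnet 192.168.1.0/24, ACL 101 and the numeric limits
! are assumptions.
!
! Inside hosts whose outbound traffic the policy governs
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! P2P applications that IOS Firewall application inspection can identify
class-map type inspect match-any p2p-apps
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
!
! Everything else from the inside that should be statefully inspected
class-map type inspect match-all inside-any
 match access-group 101
!
! Session control: cap concurrent sessions created by the class that
! references this parameter-map (P2P gets a small budget here)
parameter-map type inspect p2p-pmap
 sessions maximum 20
!
policy-map type inspect priv-pub-pmap
 ! Order matters: the more specific P2P class must precede the catch-all
 class type inspect p2p-apps
  inspect p2p-pmap
  ! Rate policing: 256 kbps with an 8000-byte burst, both directions
  police rate 256000 burst 8000
  ! To block P2P outright instead, replace the two lines above with:
  !  drop log
 class type inspect inside-any
  inspect
 class class-default
  drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet0/0
 description inside LAN (assumed)
 zone-member security private
!
interface FastEthernet0/1
 description Internet uplink (assumed)
 zone-member security public
```

To check which class a given flow landed in, and therefore whether the policer and session cap are actually being applied, use the same command Heath uses above, show policy-map type inspect zone-pair sessions, and confirm the session appears under the p2p-apps class rather than the catch-all.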

remi-reszka Sun, 03/08/2009 - 09:29

Hi Alex,

Many thanks for the information. I'm on it right now and will get back to you should I stumble upon some difficulties.

Remi

Alex Yeung Tue, 03/10/2009 - 11:58

Let me know how it goes; any feedback and suggestions are welcome.

Alex Yeung

kdepijper Tue, 03/10/2009 - 04:21

Hello Alex,

What is your strategy on logging the accepted flows from the IOS firewall?

I discovered they cannot be logged - except with a parameter-map and the audit-trail option. (Opened a case for that: 610892545)

thx Karien
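The parameter-map and audit-trail combination Karien refers to, written out as a constructed example (this is not Karien's configuration and not from the Cisco case). Interface names, the syslog host and the policy names are assumptions; the zone and class-map lines are only there so the fragment stands on its own.

```cisco
! Constructed example: log every session the firewall accepts.
! Syslog host, interface names and policy names are assumptions.
!
logging buffered 65536 informational
logging host 10.1.2.50
!
! audit-trail on emits a syslog message when an inspected session is
! created and when it ends; alert on keeps the per-protocol alert
! messages as well
parameter-map type inspect logged-pmap
 audit-trail on
 alert on
!
class-map type inspect match-any inside-any
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect priv-pub-pmap
 class type inspect inside-any
  ! the parameter-map is attached per class, so only classes that
  ! reference it produce audit-trail records
  inspect logged-pmap
 class class-default
  drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet0/0
 zone-member security private
interface FastEthernet0/1
 zone-member security public
```

With audit-trail enabled, the accepted sessions show up in the buffer as FW-6-SESS_AUDIT_TRAIL_START and FW-6-SESS_AUDIT_TRAIL messages (the latter carrying the byte counts at session close); the exact message wording varies by release, so check show logging on the router itself. Because this logs every accepted session, size the logging buffer and syslog collector for the session rate of the zone-pair before turning it on in production.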

HEATH FREEL Thu, 03/05/2009 - 10:55

Hi Alex, It's me again...

I am now trying to get SSL (Webvpn) working on my Zone Based Configuration...

I am a little confused here because the Web VPN terminates on the router and although I can log into the WEB interface of the webvpn, the anyconnect client connects but will not pass any traffic. I am not sure what I need in my class-map/policy-map to allow this traffic.

I have tried an https class-map as well as an ACL class-map, but neither is working. Neither shows up in the stats as matching either.

Any ideas?

Thanks,

Heath

Alex Yeung Thu, 03/05/2009 - 18:52

Hi Heath,

How's your zone-based firewall configured? Can you include the config?

Thanks.

Alex Yeung

harinirina Fri, 03/06/2009 - 04:00

Hi Alex,

I'd like to know if it is possible to block googletalk on a router?

harinirina Wed, 03/11/2009 - 00:10

Hi Alex,

About blocking gtalk, do you mean we need to use PAM with CBAC ?

is it possible to use "Cisco IOS FW App Inspection" for blocking gtalk?

harinirina Thu, 03/12/2009 - 01:04

Thank you Alex. I'll try to do the config.

Is there a way to ask you question after March 13 ?

Alex Yeung Thu, 03/12/2009 - 09:02

Yes, please give me your email and I will reply with my email.

Alex Yeung

harinirina Thu, 03/12/2009 - 23:13
Alex Yeung Fri, 03/13/2009 - 10:21

I am not aware of such a tool.

Is it possible to have a VMWare image of your customer's application, so you can test it with IOS FW?

Regards,

Alex Yeung

harinirina Thu, 03/12/2009 - 08:10

Hi again,

We have some applications which use non-standard port for initiating connection.

When the connection is established, dynamic port is used for communicating.

Can we also use PAM for these applications?

Is there any limitation when using PAM?

Alex Yeung Thu, 03/12/2009 - 11:00

You can use PAM to define non-standard ports for your applications.

PAM can only recognize applications based on default and customized (or configured) protocol and port numbers. However, PAM cannot recognize applications that use dynamic destination ports.

Regards,

Alex Yeung

harinirina Fri, 03/13/2009 - 01:53

Hi,

How can we allow the return traffic that corresponds to connections originating from those kinds of applications? (The initial session takes place on a well-known but non-standard port, and dynamically assigned port numbers are used afterwards.)

Alex Yeung Fri, 03/13/2009 - 10:25

You can use PAM to define those non-standard ports.

Regards,

Alex Yeung
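A constructed example of the PAM usage Alex describes in his two replies above (defining a non-standard port for a known application, and a fixed port for an application the firewall has no built-in inspector for). This is not Alex's configuration; the server address, ACL 10, the application name user-myapp, port numbers and interface names are assumptions, as is the ability to reference a user-defined PAM name in a match protocol line on your release.

```cisco
! Constructed example: Port-to-Application Mapping (PAM) for IOS Firewall.
! Server 10.1.2.10, ACL 10, user-myapp and the ports are assumptions.
!
! 1) HTTP also served on TCP/8080, but only by one host: a standard ACL
!    restricts the mapping to that destination so other 8080 traffic is
!    not treated as HTTP
access-list 10 permit host 10.1.2.10
ip port-map http port tcp 8080 list 10
!
! 2) An application with no built-in inspector on a fixed control port.
!    User-defined PAM names must begin with "user-"
ip port-map user-myapp port tcp 4000
!
! Inspection classes: the user-defined name is matched like a built-in one
class-map type inspect match-any custom-apps
 match protocol http
 match protocol user-myapp
!
policy-map type inspect priv-pub-pmap
 class type inspect custom-apps
  ! inspect creates the session entry that lets the return traffic of
  ! the control connection back through the public-to-private direction
  inspect
 class class-default
  drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
interface FastEthernet0/0
 zone-member security private
interface FastEthernet0/1
 zone-member security public
!
! Verify the mappings took effect:
!  show ip port-map http
!  show ip port-map user-myapp
```

The caveat Alex states still applies: PAM identifies the application by its configured control port, so the return packets of that control connection are allowed by the stateful session, but a secondary channel the application negotiates on a dynamic port is not learned for a user-defined name. Only applications with a built-in inspector (FTP is the usual example) get their dynamic data channels opened automatically.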

HEATH FREEL Fri, 03/06/2009 - 05:19

Hi Alex,

I have attached the Zone Config, NAT, ACLs and webvpn config. Currently I am using a "permit ip any any" ACL just to see if I can match on the traffic - but it does not.

I can however ping the Internal IP of the router when the anyconnect client is connected, but I cannot ping devices in the lan.

Attachment: 
HEATH FREEL Fri, 03/06/2009 - 10:45

Just some more info on this. I removed ZBF and SSL works to the inside.

Re-enabled and simplified the ZBF configuration to only inspect TCP, UDP and ICMP in both directions. But the client could still not work.

Verified that the SSL packets are getting to the router, but it looks like a return traffic issue.

Also, when initiating traffic from the Inside host to the Connected SSL client - it does not match on any of my Inspection rules....

Thanks,

Heath

Alex Yeung Fri, 03/06/2009 - 17:11

Hi Heath,

I believe you have run into a bug in IOS Zone firewall -- CSCsr93965 SSLVPN: Cannot assign SSLVPN-VIF0 to firewall security zone, which is fixed in 12.4(22)T or later.

Regards,

Alex Yeung

HEATH FREEL Mon, 03/09/2009 - 05:23

Alex,

I upgraded to 12.4.24T and ran into the same issue. Also the symptoms are a little different in that I cannot access the internal LAN. I have attached the entire config.

I also simplified the Zone FW by inspecting only TCP,UDP and ICMP in both directions. I have also verified that the SSL client works when the Zones are removed from the interfaces.

Thanks,

Heath

Alex Yeung Fri, 03/06/2009 - 14:12

Can you include the interface config and which zone is assigned to which zone? You can remove the IP address but would like to see how the interfaces and zones are assigned.

Thanks.

Alex Yeung

HEATH FREEL Wed, 03/11/2009 - 13:48

Hi Alex,

I sent it all in a previous reply. Here is the config.

I upgraded and still no luck. I have also verified that the anyconnect is working when the interfaces are not part of a zone. I have it configured currently to only inspect TCP,UDP and ICMP in both directions.

Alex Yeung Wed, 03/11/2009 - 22:48

Hi Heath,

Sorry for the delay in response. I was working with a development engineer looking at your issue.

The bug I mentioned to you last time was a duplicate of another bug, which is going to be fixed in the upcoming 12.4T releases -- 12.4(20)T3, 12.4(22)T2 and 12.4(24)T1.

The issue is solved with this fix.

But the config needs to be modified to make this work.

The fix for this bug introduces the SSLVPN-VIF virtual interface. This interface is not configurable but can be configured using a Virtual Template.

The more detailed config instructions are attached to this post.

Regards,

Alex Yeung


HEATH FREEL Thu, 03/12/2009 - 05:24

Hi Alex,

Thanks for the info - I got to the last step and then got stuck.

I was unable to configure the virtual-template in the webvpn context. It appears that this command is not available.

LAB-881-R1(config)#webvpn context WEB
LAB-881-R1(config-webvpn-context)#?
SSLVPN Submode commands:
  aaa                   AAA config for context
  acl                   ACL configuration submode
  browser-attribute     Browser Attribute
  cifs-url-list         CIFS URL list configuration submode
  color                 Color for the browser
  csd                   Cisco Secure Desktop config
  default-group-policy  Default group policy
  exit                  Exit from SSLVPN mode
  gateway               Associate gateway to context
  inservice             Bring context to inservice
  language              client display language
  logging               Error and event logging config
  login-message         Login message to be displayed
  login-photo           Login Photo file to be displayed
  logo                  Logo file to be displayed
  max-users             Maximum users for this context
  nbns-list             NBNS list configuration submode
  no                    Negate or set default values of a command
  policy                Policy configuration
  port-forward          Port-forward list config submode
  secondary-color       Secondary color for the browser
  secondary-text-color  Secondary text color for the browser
  ssl                   SSL configurations for backend server connections
  sso-server            SSO Server configuration submode
  text-color            Text color for the browser
  time-range            Define time range entries
  title                 Title to be displayed on the browser
  title-color           Title color for the browser
  url                   URL configuration
  url-list              URL list configuration submode
  user-profile          user profile
  vrf-name              VRF associated to context
LAB-881-R1(config-webvpn-context)#

Alex Yeung Thu, 03/12/2009 - 10:32

Hi Heath,

This virtual template for SSLVPN is not available yet in the current 12.4T release; it will be in the upcoming releases -- 12.4(20)T3, 12.4(22)T2 and 12.4(24)T1.

Regards,

Alex Yeung

HEATH FREEL Thu, 03/12/2009 - 10:49

Hi Alex,

Sorry I misunderstood you earlier. When can I expect to see the next release?

Thanks for all your help.

Heath
