06-30-2010 09:54 PM - edited 03-11-2019 11:05 AM
Currently I've been working on the configuration of several IOS Zone-based Firewalls (on ISR 2801 with IOS 12.4(15)T12) and I've read about the features and limits of the Self-zone for the router's outbound and inbound traffic. I really prefer to use the CLI because the SDM creates a "nesting mess". As I found in some documents, there is no way to inspect protocols like http/https or telnet or ssh for the Self-zone, so I cannot use this kind of config:
class-map type inspect match-any ExampleCM
match protocol ssh
match protocol https
exit
policy-map type inspect ExamplePM
class type inspect ExampleCM
inspect
class class-default
drop log
exit
exit
because when I try to apply the policy to a zone-pair, the router shows a message that says this config is not possible for the self-zone.
I need to configure the router management access only from two or three of the HQ's IPs, so the Branch Router must be managed by SSH or HTTPS through the outside network. Could somebody help me please?
the HQ Network is 192.168.1.0/24
the IPs allowed to manage the Remote router are 192.168.1.104, 192.168.1.222 and 192.168.1.18
the Branch Office Inside (trusted) Network is 192.168.11.0/24, the router IP is 192.168.11.11
the Branch Office Outside (untrusted) Network is 10.50.70.0/30, the router IP is 10.50.70.2
07-05-2010 07:03 AM
ip access-list extended MGMT
permit tcp host 192.168.1.104 host 10.50.70.2 eq 22
permit tcp host 192.168.1.104 host 10.50.70.2 eq 443
class-map type inspect match-all ExampleCM
match access-group name MGMT
exit
policy-map type inspect ExamplePM
class type inspect ExampleCM
pass
class class-default
drop log
exit
exit
With this example the IP 192.168.1.104 will be able to SSH and HTTPS to the Outside IP of the router.
You will have to create 2 zones because you are not inspecting the traffic: one from the outside to the self zone with the policy ExamplePM and another one from the self to the outside. You can use this policy:
class-map type inspect match-any ExampleCM
match protocol ssh
match protocol https
exit
policy-map type inspect ExamplePM-TEST
class type inspect ExampleCM
inspect
class class-default
drop log
exit
exit
What you have to remember is that you have to create 2 zones, one from X to Self and another from Self to X. This is because you are not inspecting the traffic but passing it.
Try and let me know.
07-06-2010 04:46 PM
Hi Diego, thanks for your cooperation. I have a question about when you said
"You can use this policy
class-map type inspect match-any ExampleCM
match protocol ssh
match protocol https
exit
policy-map type inspect ExamplePM-TEST
class type inspect ExampleCM
inspect
class class-default
drop log
exit
exit"
this configuration does L7 inspection, so when I tried to do this for the Self-Zone, the system tells me that SSH or HTTPS can be inspected for the Self-Zone, only L4 inspection. So I tried the following (I have not tested it yet):
! I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface.
ip access-list extended mgmt-acl
! the first IP is on the HQ segment, the second one is the inside router interface
permit ip host 192.168.1.104 host 192.168.11.11
deny ip any any
exit
class-map type inspect match-any mgmt-traffic
match protocol ssh
match protocol https
match protocol icmp
exit
class-map type inspect match-all out-self-cmap
match access-group name mgmt-acl
match class-map mgmt-traffic
exit
policy-map type inspect out-self-pmap
class type inspect out-self-cmap
! inspect  <-- if I set "inspect", when I try to attach this policy to the zone-pair out-self the system does not allow it
! pass     <-- if I set "pass", I am supposed to create the policy and zone-pair for the traffic in the other direction, self-out
class class-default
drop log
exit
exit
zone-pair security out-self source out-zone destination self
service-policy type inspect out-self-pmap
exit
Assume this configuration is made up to here, not a line more, not a line less, and the action in the policy map is "pass". This configuration is not supposed to work because there is no route back from self-zone to out-zone, right? So if I try to SSH to 192.168.11.11 it ain't gonna happen. Could you help me figure out if this is correct?
And are these configurations equivalent?
Configuration A:
ip access-list extended mgmt-acl
permit tcp host 192.168.1.104 host 192.168.11.11 eq 22
permit tcp host 192.168.1.104 host 192.168.11.11 eq 443
exit
class-map type inspect match-all mgmt-cmap
match access-group name mgmt-acl
exit
-------------------------------------------------------------------------------------------------
Configuration B:
ip access-list extended mgmt-acl
permit ip host 192.168.1.104 host 192.168.11.11
deny ip any any
exit
class-map type inspect match-any mgmt-traffic
match protocol ssh
match protocol https
exit
class-map type inspect match-all mgmt-cmap
match access-group name mgmt-acl
match class-map mgmt-traffic
exit
Thanks and Regards
07-07-2010 06:52 AM
Hi,
The pass option is not stateful. It means that you have to create 2 zone-pairs: one from self to out-zone and one from out-zone to self (if HQ is in the OUT-ZONE).
Is the HQ in the OUT-ZONE? Do you have a public IP on the OUTSIDE interface?
You wrote:
"I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface" -----> Is the HQ in the OUTSIDE? I'm seeing that the zone-pair is between the OUT-ZONE and the self...
07-07-2010 07:56 AM
Hi Diego, the link between the HQ router and the Branch routers is provided by an ISP through a Frame Relay connection for some Branch offices and MPLS for others. So the ISP gives me invalid IPs for the WAN links (i.e. 10.50.70.0/30 or 10.50.70.40/30). Something like this:
LAN HQ WAN WAN LAN Branch
192.168.1.0/24<-------->HQ Router <------10.50.70.0/30-------> ISP <-------- 10.50.70.40/30------> Branch Router----------->192.168.11.0/
For the Branch router:
- The outside will be the WAN interface 10.50.70.42
- The inside will be the LAN interface 192.168.11.11
So when I configure the Firewall on the Branch Routers I need to access it from the HQ with SSH or HTTPS using the LAN IP, not the WAN IP. So any network administrator should use ssh 192.168.11.11 to gain access to the Branch router.
Again, could you please tell me whether these configurations are equivalent:
Configuration A:
ip access-list extended mgmt-acl
permit tcp host 192.168.1.104 host 192.168.11.11 eq 22
permit tcp host 192.168.1.104 host 192.168.11.11 eq 443
exit
class-map type inspect match-all mgmt-cmap
match access-group name mgmt-acl
exit
-------------------------------------------------------------------------------------------------
Configuration B:
ip access-list extended mgmt-acl
permit ip host 192.168.1.104 host 192.168.11.11
deny ip any any
exit
class-map type inspect match-any mgmt-traffic
match protocol ssh
match protocol https
exit
class-map type inspect match-all mgmt-cmap
match access-group name mgmt-acl
match class-map mgmt-traffic
exit
Thanks and Regards
07-07-2010 08:02 AM
In the first example, yes, they are going to do the same. But in the second example you would be doing L7 inspection if you set the action to inspect. But you will not, so in this case, case A is the same as case B.
07-07-2010 08:12 AM
About your problem, I'm not 100% sure if ssh or https is going to work from the HQ... Do you have a route in the HQ to reach the internal IP through the MPLS? I have never worked in a scenario like yours. Have you tried creating a loopback, and SSH and HTTPS to the loopback IP?
07-13-2010 06:41 AM
Hi Jose, have you solved it? I have the same problem... because the SELF zone can't inspect the ssh protocol... If you have solved it, could you share how you did it?
Thanks in advance.
Fabio
07-13-2010 07:36 AM
Hi Fabio, I think I solved it (or at least for my case it works). It is possible to use the inspect action in a policy for the Self-Zone, but you have to keep this in mind:
when you use this kind of config:
class-map type inspect match-any out-self-cmap
match protocol ssh
match protocol https
match protocol snmp
exit
policy-map type inspect out-self-pmap
class type inspect out-self-cmap
inspect
class class-default
drop log
exit
exit
you are doing an inspection for the whole protocol (ssh, https or snmp), this is a L7 inspection, if you try to attach the policy-map with a zone-pair that involves the self-zone the system won't allow you.
To solve this you can "trick" the inspection, so you don't inspect the whole protocol; instead, you only inspect a given port (ssh: 22 TCP, https: 443 TCP, snmp: 161 UDP). So the configuration will be something like this:
ip access-list extended ssh-acl
remark This acl allows the SSH session from two HQ PCs to the Router
remark of the Branch Office (the inside or LAN IP of the Remote Router is
remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2)
permit tcp host 192.168.10.20 host 192.168.8.1 eq 22
permit tcp host 192.168.10.30 host 192.168.8.1 eq 22
deny tcp any any eq 22
exit
ip access-list extended https-acl
remark This acl allows the HTTPS session from all HQ PCs to the Router
remark of the Branch Office (the inside or LAN IP of the Remote Router is
remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2)
permit tcp 192.168.10.0 0.0.0.255 host 192.168.8.1 eq 443
deny tcp any any eq 443
exit
ip access-list extended snmp-acl
remark This acl allows the SNMP session from one HQ Server to the Router
remark of the Branch Office (the inside or LAN IP of the Remote Router is
remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2)
permit udp host 192.168.10.100 host 192.168.8.1 eq 161
deny udp any any eq 161
exit
This way you are doing L4 inspection on the port and the router will allow you to attach the policy-map to the zone-pair which includes the self-zone. And as you can see, you are monitoring and managing the device through the Inside IP, not the Outside. I did this configuration for my case and it is working: I can do ssh, https (SDM) and snmp monitoring.
As a bonus, if you are the kind of person who enjoys configuring through the CLI, don't forget to allow the routing protocol messages or adjacencies. Once you start to work on the self zone you have to be careful: if you are using OSPF or EIGRP you have to allow the messages from these protocols to establish the adjacencies. This will help you:
ip access-list extended ospf-acl
permit ospf any any
exit
class-map type inspect match-all ospf-cmap
match access-group name ospf-acl
exit
policy-map type inspect out-self-pmap
class type inspect out-self-cmap
inspect
class type inspect ospf-cmap
pass
class class-default
drop log
exit
exit
By the way, if you use "pass" for traffic from the "out-zone" to the "self-zone", it is not necessary to create the return traffic policy from the "self" to the "out-zone" because this traffic is allowed by default. You have to use the return traffic policies if you are passing the traffic between two zones other than the "self-zone".
I hope this helps you, Fabio.
Regards
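Added example (my own assembly, not a configuration posted by anyone in this thread): the port-based "L4 inspection" approach from the post above, written out end to end for the original poster's addresses. The HQ hosts (192.168.1.104, .222, .18), the branch LAN IP (192.168.11.11) and the policy name are from the thread; the interface names, the zone name out-zone and the class-map names are assumptions. Management traffic still enters through the WAN interface even though it targets the LAN address, so the zone-pair is out-zone to self.

```cisco
! ACLs match a specific TCP/UDP port, not a protocol, so the class-map stays at L4
ip access-list extended mgmt-acl
 remark SSH/HTTPS to the router's LAN address, only from the three HQ admin hosts
 permit tcp host 192.168.1.104 host 192.168.11.11 eq 22
 permit tcp host 192.168.1.222 host 192.168.11.11 eq 22
 permit tcp host 192.168.1.18  host 192.168.11.11 eq 22
 permit tcp host 192.168.1.104 host 192.168.11.11 eq 443
 permit tcp host 192.168.1.222 host 192.168.11.11 eq 443
 permit tcp host 192.168.1.18  host 192.168.11.11 eq 443
 deny   ip any any
!
ip access-list extended ospf-acl
 remark routing adjacencies to the self-zone (only needed if OSPF runs on the WAN link)
 permit ospf any any
!
! class-map names below are assumed; match-all with a named ACL needs the "name" keyword
class-map type inspect match-all mgmt-cmap
 match access-group name mgmt-acl
class-map type inspect match-all ospf-cmap
 match access-group name ospf-acl
!
policy-map type inspect out-self-pmap
 class type inspect mgmt-cmap
  inspect
 class type inspect ospf-cmap
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
!
! only the out-zone -> self pair is needed: inspect is stateful, so the SSH/HTTPS
! replies from self back to out-zone are permitted as part of the same session
zone-pair security out-self source out-zone destination self
 service-policy type inspect out-self-pmap
!
interface FastEthernet0/0
 description WAN link to ISP (interface name assumed)
 ip address 10.50.70.2 255.255.255.252
 zone-member security out-zone
interface FastEthernet0/1
 description branch LAN (interface name assumed)
 ip address 192.168.11.11 255.255.255.0
 zone-member security in-zone
!
! verify after an SSH login from an HQ host:
! show policy-map type inspect zone-pair out-self
```

The "deny ip any any" at the end of mgmt-acl is what turns the class-map into an allow-list; sessions from any other source fall into class-default and are dropped and logged, which is the line to watch on the syslog server.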
07-13-2010 07:48 AM
Thanks for your reply Jose... I understand the situation... and I will make some tests and then tell you about the results.... Do you have some more examples of rules from inside to outside... and from outside to inside... if you could send me some examples (if you have) I would appreciate it... fabio@teletex.com.br
Thanks in advance.
Fabio