This discussion is locked

Ask the Expert: Zone Based Firewall

Unanswered Question
Mar 20th, 2012

Ashish Jhaldiyal

Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Ashish Jhaldiyal about Zone-Based Policy Firewall also known as Zone-Policy Firewall, or ZFW.

Ashish is a senior TAC engineer at Cisco Systems and his expertise is in Network Security, Intrusion Prevention Systems and Zone based firewall. He has over 5 years of experience in the field of networking and specializes in Firewall and Wireshark.

Remember to use the rating system to let Ashish know if you have received an adequate response. 

Ashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event is a continuation of the Facebook Forum. Visit this forum often to view responses to your questions and the questions of other community members. This event lasts through March 30, 2012.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 4.7 (3 ratings)
h.grankvist Wed, 03/21/2012 - 08:14

Hello Ashish!

I have a question about using a Site-to-site VPN and a ZFW.

When you got a ZFW and you inspect the inside traffic going out and is also matched by the crypto-map so it goes over the VPN, the return traffic will be let in, no problems there.

But for the remote end of the site-to-site VPN, you have to let that network initiate the conversation by opening a hole in your ZFW:

ip access-list extended OUTSIDE-TO-INSIDE_ACL

permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

class-map type inspect match-all OUTSIDE-TO-INSIDE_CMAP

match access-group name OUTSIDE-TO-INSIDE_ACL

policy-map type inspect OUTSIDE-TO-INSIDE_PMAP

class type inspect OUTSIDE-TO-INSIDE_CMAP

  inspect

Even thogh I've tested this, it feels like it could be spoofed? What do you think?

h.grankvist Wed, 03/21/2012 - 08:20

And another question:

I've experienced that some protocols have to have a "pass" in the policy-map destined for the self zone, what is the reason for this and what protocols have to have a "pass" instead of an "inspect"?

ajhaldiy Thu, 03/22/2012 - 01:48

Hi Henrik,


Good question!!

Currently, In zone-based firewall there is no way to defined a VPN encrypted traffic in a policy-map. This means after decrypting an ESP packet router will treat it as a normal packet and it will enforce all rules applied for outside to inside traffic.

Router can't differentiate between a normal packet and packet which came through VPN tunnel. Cisco ASA's has this feature "sysopt connection permit-vpn" which allows esp packets to bypass any Access-list applied on Inerface.

Only ICMP,H323,UDP and TCP can be inspected on self interface.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#accesscontrol

h.grankvist Thu, 03/22/2012 - 08:16

Thanks for the answer.

I was also wondering if there is a difference in matching a protocol in a access-list and match it in a class-map versus matching it directly in a class-map?

ip access-list extended HTTP_ACL

permit tcp any any eq http

class-map type inspect INSIDE-TO-OUTSIDE_CMAP

match access-group name HTTP_ACL

vs.

class-map type inspect INSIDE-TO-OUTSIDE_CMAP

match protocol http

ajhaldiy Thu, 03/22/2012 - 21:08

class-maps are used to define traffic which firewall used for policy inspection, There are two types of class-maps layer 4 and layer 7.

In layer 4 class-map has following criteria to match,

1) Access-Group -- Access-list can filter traffic based on source and destination ip address and source and destination IP

2) Protocol -- It includes Layer 4 protocols like TCP,UDP and ICMP. It also includes application services like HTTP,SMTP etc.

3) Class-map -- A Subordinate class-map is used to provide additional match criteria

4) Not- It specifies that any traffic that does not match a specified proctocol,access-group or class-map

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#conf-zbf

Now, Your Question was

ip access-list extended HTTP_ACL

Permit tcp any any eq http

Class-map type inspect INSIDE-TO-OUTSIDE_CMAP

Match access-group name HTTP_ACL (This configuration will provide only layer 4 Inspection like allowing return traffic without applying an ACL on outside interface)

vs.

Class-map type inspect INSIDE-TO-OUTSIDE_CMAP

Match protocol http (This configuration will provide application level inspection EX opening control-connection, translating embedded ip address)

franclop Mon, 03/26/2012 - 17:48

Ashish,

I'm having some trouble understanding the self-zone from this document:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Under "controlling router access" they give an example of using the "inspect" statements on the self zone for both in and out as below:

class-map type inspect match-any self—service-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol h323

I notice they apply a separate policy to allow TFTP traffic with the "pass" command:

policy-map type inspect from-self-pmap
 class type inspect from-self-cmap
  inspect
 class type inspect tftp-out-cmap
  pass
!

Where I have attempted this in practice, the "match protocol" commands on the self-zone with TCP, UDP, ICMP, and H323 appear to have no affect on the traffic flow in either direction.  I had to create separate rules for my traffic with the "pass" associated just as the above example.  Can you clarify that part of the document and tell me why I would both need to "match" the protocol and then create an ACL to allow the traffic to pass as the above document is written?

Thanks!

ajhaldiy Tue, 03/27/2012 - 13:11

Hello,

You don't need an ACL list with class map for inspection. Document includes some example where user wants to allow/deny traffic from specific host, which is possible only with an ACL.

Technically Below configuraiton should Let you inspect TCP,UDP,ICMP and h323 traffic

class-map type inspect match-any self—service-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol h323

I also confirmed this by doing a recreate in my lab.

TFTP is an application layer protcol which can't be inspected on self-zone. We need to pass tftp traffic from out-self and self-out zones.

Self-Zone Policy Limitations

  • As was the case with classical stateful inspection, router-generated           traffic is limited to TCP, UDP, ICMP, and complex-protocol inspection for           H.323.

  • Application Inspection is not available for self-zone policies.

  • Session and rate limiting cannot be configured on self-zone           policies.

Regards

Ashish

Actions

Login or Register to take actions

This Discussion

Posted March 20, 2012 at 1:47 PM
Stats:
Replies:7 Avg. Rating:4.66667
Views:3871 Votes:0
Shares:0

Related Content

Discussions Leaderboard