Ask the Expert: Security on IOS Router Devices (ZBFW, IPS, CBAC)

Jun 29th, 2012

With Julio Carvajal Segura

Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Based Firewall, Intrusion Prevention System, and Context-Based Access Control) more secure.

Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.

Remember to use the rating system to let Julio know if you have received an adequate response. 

Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

John Ventura Tue, 07/03/2012 - 07:02

Hi Julio,

After I configured the ZBFW or the CBAC feature my VPNs were down. How can I resolve this?

Thank you


Julio Carvajal Tue, 07/03/2012 - 09:44

Hello John,

Hope you are doing great

Now regarding your query: if you configure the ZBFW using the SDM you will have the inside, outside and self zones configured.

That being the case, you will need to allow traffic on UDP port 4500 (NAT-T) and 500 (ISAKMP) to the interface where the crypto map is applied (self zone).

I would say that is the problem, but just in case, remember to allow traffic from the inside zone to the outside zone from your local LAN to the destination LAN. Same thing from outside to inside.

If you want you can post your configuration and  I can make the changes to make it work



rizwanr74 Tue, 07/03/2012 - 13:30

"After I configured the ZBFW or the CBAC feature my VPN's were down, how can I resolve this?"

Hi John,

In your ACL for CBAC, please create the two permit lines shown below in the ACL you have applied on the outside interface; xxx is assumed to be your public IP address.

access-list 101 permit udp any host xxx eq isakmp

access-list 101 permit esp any host xxx

Hope that helps.


Rizwan Rafeek
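The two answers above describe the holes a site-to-site tunnel needs in each firewall flavour. The following is an added example, not configuration from either post: the ZBFW self-zone policy Julio describes, followed by the CBAC variant Rizwan sketches. The zone names, interface names, the crypto map name VPN, the peer address 203.0.113.10 and the local public address 198.51.100.1 are all assumed (documentation ranges).

```cisco
! Added example (not from the thread): letting the router's own IKE/IPsec
! traffic through a ZBFW self-zone policy, then the CBAC equivalent.
! Assumed: zones INSIDE/OUTSIDE, Gi0/0 inside, Gi0/1 outside with the crypto
! map, peer 203.0.113.10, local public address 198.51.100.1.
!
! --- ZBFW version ---
! Match only the VPN control plane (udp 500, udp 4500) and ESP, from the peer.
ip access-list extended VPN-TO-SELF
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
!
ip access-list extended SELF-TO-VPN
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
class-map type inspect match-all CM-VPN-TO-SELF
 match access-group name VPN-TO-SELF
class-map type inspect match-all CM-SELF-TO-VPN
 match access-group name SELF-TO-VPN
!
! ESP is neither TCP, UDP nor ICMP, so it cannot be stateful-inspected;
! "pass" it explicitly in both directions. Everything else to/from self
! from the OUTSIDE zone is dropped and logged.
policy-map type inspect PM-VPN-TO-SELF
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect PM-SELF-TO-VPN
 class type inspect CM-SELF-TO-VPN
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-VPN-TO-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-VPN
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
 crypto map VPN
!
! --- CBAC version (Rizwan's two ACL lines, completed) ---
! Inbound ACL on the outside interface: static holes for the tunnel only;
! CBAC opens return traffic for inside-initiated sessions dynamically.
access-list 101 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list 101 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
access-list 101 permit esp host 203.0.113.10 host 198.51.100.1
access-list 101 deny ip any any log
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
interface GigabitEthernet0/1
 ip access-group 101 in
 ip inspect FW out
!
! Verify: "show crypto isakmp sa" should show the peer in QM_IDLE; packets
! hitting a class-default "drop log" appear as %FW-6-DROP_PKT in the log.
```

Two caveats a practitioner will hit: once a zone-pair involving self exists, everything else the OUTSIDE zone sends to the router itself (management SSH, routing-protocol hellos, ICMP) is dropped unless a class allows it, so widen VPN-TO-SELF deliberately rather than with "any"; and the decrypted packets are then evaluated on the OUTSIDE-to-INSIDE and INSIDE-to-OUTSIDE zone-pairs, which is the second thing Julio says to check.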

james_flockton Wed, 07/04/2012 - 07:52

Hi Julio,

My company has recently deployed VCS around an established ASA 5510 service. The firewall traversal element is working perfectly for H.323 calls, but SIP seems to fail for no clear reason. The traversal zone is active, yet if I call from a SIP UI registered to Cisco Expressway it cannot call the UI of a device on the inside. I have allowed the VCS Control (through ACLs) to connect to any device on the outside, but calls still seem to fail. Do you have any pointers to help me resolve this problem please?



Julio Carvajal Wed, 07/04/2012 - 08:45

Hello James,

This Ask the Expert is focused on IOS routers, but I will still help with this.

So basically the problem is SIP across the ASA.

Do you have already the inspection enabled for the SIP protocol?

Are you using a static one to one NAT translation for the VCS control?


John Peterson Thu, 07/05/2012 - 14:33

Hi Julio,

In my recent experience I have used ASAs as edge devices. But after seeing some of the features on a router I would like to replace my ASAs with Cisco routers.

I have seen some routers which have built-in firewall features based on the firmware.

What would be your thoughts on this? Are the new routers suitable, and which firmware would you recommend on a router for firewall features together with its routing capabilities?

Julio Carvajal Thu, 07/05/2012 - 15:35

Hello John,

Nice question.

That is correct, some of the IOS devices come with a built-in IPS sensor, as an example, that you could use to secure your network perimeter.

One of the other advantages from my perspective would be that the IOS router supports routing protocols in a more extended way than the ASA.

The router supports Policy-Based Routing (routing based on source IP addresses).

The router does QoS in a more extended way than the ASA, etc.

The thing is that by default the router is not a security device, so we will need to configure them in a way that they can protect our network.

If you ask me what I prefer (ZBFW or CBAC, which are the 2 firewall options built into an IOS router):

     I would recommend 100% ZBFW, which lets you be more flexible with your actions in security policies. (You can be as granular as you want.)

Now regarding firmware, you should go to the latest versions as they will provide new features and will fix previous bugs in the code.

ZBFW is supported after 12.4(6)T6, but if you use code 15.1(2) you will have additional features like support for IPv6, or if you go to IOS Release 15.0(1)M you will have intra-zone policies, etc.

Hope I could help,

PS: The ASA for monitoring and troubleshooting is the best option in the market in the security area.

       The ASA is capable of having a local-host table, conn table to correlate events, etc.


Cisco TAC engineer.

Carlos Lesaige Mon, 07/09/2012 - 08:18

Hi Julio,

I wonder how I can statefully inspect RDP sessions using an IOS router? Can you comment on this?



Julio Carvajal Mon, 07/09/2012 - 08:39

Hello Carlos,

We need to configure the following in order to make the router able to inspect RDP sessions, as this protocol uses a non-standard port.

This can be done using ip port-maps:

! user-defined port-map names must begin with "user-"
ip port-map user-rdp port tcp 3389

class-map type inspect RDP
 match protocol user-rdp

policy-map type inspect RDP
 class type inspect RDP
  inspect

That should make the router firewall able to statefully inspect RDP.

There is another option (instead of using the ip port-map command we can make it work by matching with an ACL):

ip access-list extended RDP
 permit tcp any any eq 3389

class-map type inspect RDP
 match access-group name RDP

policy-map type inspect RDP
 class type inspect RDP
  inspect

Hope I could help,
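As an added example (not Julio's configuration), here is the port-map approach carried through to a bound, verifiable policy. IOS requires user-defined application names in ip port-map to start with user-, and the optional list keyword ties the mapping to specific server addresses through a standard ACL, so only RDP to the listed jump hosts is classified as user-rdp. The zone names INSIDE/DMZ, the interfaces and the 192.0.2.x jump-host addresses are assumed.

```cisco
! Added example, not from the original post: a user-defined RDP port-map
! restricted to two assumed jump hosts, bound to an assumed INSIDE->DMZ pair.
! Standard ACL 10 lists the servers the mapping applies to (documentation
! addresses, assumed).
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
! User-defined application names must start with "user-"; "list 10" makes the
! mapping host-specific, so tcp/3389 to any other host is not user-rdp.
ip port-map user-rdp port tcp 3389 list 10
!
class-map type inspect match-all CM-RDP
 match protocol user-rdp
!
policy-map type inspect PM-IN-DMZ
 class type inspect CM-RDP
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security DMZ
zone-pair security IN-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-IN-DMZ
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/2
 zone-member security DMZ
!
! Checks:
!   show ip port-map user-rdp
!     -> confirms tcp 3389 is mapped and tied to ACL 10
!   show policy-map type inspect zone-pair IN-DMZ sessions
!     -> established RDP sessions are listed under class CM-RDP
```

Because class-default drops, an RDP attempt to a host not in ACL 10 is logged and dropped rather than silently inspected; that is the behaviour you want from a jump-host design.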


rogelioalvez Tue, 07/10/2012 - 07:13

Hello Julio:

I would like to mount a cluster of two routers running CBAC and SSO to implement the Stateful Failover High Availability concept, as shown in

Actually, the documentation mentions the support for only one inside and one outside interface, and the standby router taking over if either of these interfaces on the active router goes down.

Is it possible to extend this concept to a cluster with at least three interfaces on each router?

Your kind answer will be greatly appreciated.

Best regards...

Rogelio Alvez


Julio Carvajal Tue, 07/10/2012 - 11:56

Hello Rogelio,

Is it possible to extend this concept to a cluster with at least three interfaces on each router?

A/ It is possible to have a stateful IOS cluster with the firewall enabled. You will be able to monitor three different interfaces using HSRP and SSO.

Now, to improve the performance of your firewall, you can apply the inspection policy to only one interface (this could be done by applying it to the outside interface).

Let me know if this answers your question.



clark-white Tue, 07/10/2012 - 12:49

Hello Julio,

I tried to configure CBAC on the IOS flash:c2800nm-advipservicesk9-mz.124-3g.bin; after configuring CBAC my internet connection is very slow, with no video, especially with YouTube.

From inside to outside I have permitted everything: permit tcp any any and permit udp any any.

Julio Carvajal Tue, 07/10/2012 - 14:07

Hello Clark,

Can you share the CBAC configuration you have? Also, I would like to see the logs generated by the IOS router.

To be able to generate the logs from the firewall, please set the following command:

     ip inspect log drop-pkt

With the logs we will be able to see if this happens because of a deep packet inspection problem, out-of-order packets, etc.



rogelioalvez Wed, 07/11/2012 - 05:51

Thank you very much Julio.

Best regards, Rogelio

Julio Carvajal Wed, 07/11/2012 - 06:04

Hello Rogelio,

It's my pleasure to help.



Julio Carvajal Wed, 07/11/2012 - 06:14

Hello Yadhu,

Can you remove the following configuration:

zone security VPN

interface Virtual-Template1 type tunnel
 zone-member security VPN

policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access

zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY

Then add the following:

interface Virtual-Template1 type tunnel

     zone-member security OUTSIDE

Then take the tunnel down and generate some traffic,

let me know how it goes


Yadhu Tony Thu, 07/12/2012 - 02:51

Hello Julio,

Thank you for your reply.

I removed the same and added :

interface Virtual-Template1 type tunnel

zone-member security OUTSIDE

The moment I added the above configuration I could not even ping the LAN interface of my router. Instead of adding the 'Virtual-Template1' interface to the OUTSIDE zone I tried to include it in the INSIDE zone like:

interface Virtual-Template1 type tunnel
 zone-member security INSIDE

and it started working, i.e. I can access the LAN of my company. Can you please tell me whether this is a correct approach or not?

Please see the zones :

Router#sh zone security
zone self
  Description: System defined zone

  Member Interfaces:

  Member Interfaces:



Julio Carvajal Thu, 07/12/2012 - 09:39

Hello Yadhu,

Great to hear it is working,

The first problem you had was that the interface was not assigned to any security zone, and we needed to have it in one to make it work.

The approach looks good to me; actually, if the change to the outside zone did not work, the next step would be the inside.

This will still be safe, as in order for any user to get into the in-zone he will need to authenticate himself first to this EzVPN server.



Yadhu Tony Thu, 07/12/2012 - 10:17

Thank you so much for your support Julio.
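The thread ends with the EzVPN virtual-template placed directly in INSIDE. The following is an added example (not from the thread) of the alternative: giving the tunnel its own zone, so remote users reach only what an explicit VPN-to-INSIDE policy allows. The zones INSIDE/OUTSIDE, the 10.10.0.0/24 LAN, the 10.99.0.0/24 EzVPN address pool and the permitted services are assumptions.

```cisco
! Added example (not from the thread): EzVPN virtual-template in a dedicated
! zone with a least-privilege policy towards the LAN.
! Assumed: zones INSIDE/OUTSIDE exist, Virtual-Template1 is the EzVPN server
! template, LAN 10.10.0.0/24, client pool 10.99.0.0/24, DNS at 10.10.0.53.
zone security VPN
!
! Every Virtual-Access interface cloned from the template inherits the zone.
interface Virtual-Template1 type tunnel
 zone-member security VPN
!
! What remote users may open towards the LAN (assumed services).
ip access-list extended VPN-USERS-TO-LAN
 permit tcp 10.99.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 3389
 permit tcp 10.99.0.0 0.0.0.255 10.10.0.0 0.0.0.255 eq 443
 permit udp 10.99.0.0 0.0.0.255 host 10.10.0.53 eq domain
 permit icmp 10.99.0.0 0.0.0.255 10.10.0.0 0.0.0.255
!
class-map type inspect match-all CM-VPN-TO-IN
 match access-group name VPN-USERS-TO-LAN
!
policy-map type inspect PM-VPN-TO-IN
 class type inspect CM-VPN-TO-IN
  inspect
 class class-default
  drop log
!
zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect PM-VPN-TO-IN
!
! Return traffic for inspected sessions is allowed automatically. Add an
! INSIDE->VPN zone-pair only if LAN hosts must initiate connections to
! VPN clients.
!
! The IKE exchange that builds the tunnel terminates on the router itself
! (self zone) through the OUTSIDE interface; if an OUTSIDE->self zone-pair
! exists, it must pass udp 500, udp 4500 and esp or no client will connect.
!
! Checks:
!   show zone security
!     -> Virtual-Template1 (and cloned Virtual-Access interfaces) under VPN
!   show policy-map type inspect zone-pair VPN-TO-IN sessions
!     -> one entry per remote-user session matched by CM-VPN-TO-IN
```

Compared with putting the template into INSIDE, the only thing an authenticated remote user gains is what the ACL lists; a compromised laptop on the VPN cannot sweep the LAN, and each attempt shows up as a logged drop.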



r.heitmann Wed, 07/11/2012 - 03:08

Hi Julio,

since the "aes-256-cbc" cipher can't be used anymore if security is needed (any production-grade network?) (see for example
) and RFC 4344, which addresses and solves the issue (using "ctr" instead of the "cbc" cipher mode), isn't implemented in IOS today, what would you recommend doing:

- switch to SSHv1 using 3DES

- switch to Telnet and use the VPN client/EzVPN to provide encryption

any better idea?



Julio Carvajal Wed, 07/11/2012 - 06:40

Hello Ronald,

You might want to take a look at the following bug: CSCsx30944.

So, as you already said, implementing the CTR cipher instead of CBC on an IOS router is not an option.

Of the two options you point out, I would say that the implementation of SSHv1 is the easiest of the two (it offers encryption, but it can be reversible, so it also has some vulnerabilities).

Now talking about the EzVPN option, it would require way more administration, but it will provide more security, so I would choose that one if this were my case (we are trying to get rid of a vulnerability and by using this option we can make it happen).

Hope this helps,


r.heitmann Wed, 07/11/2012 - 07:41

Hi Julio, thank you for the very quick answer! Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs when AES wasn't available?

I didn't find anything on the web about how to fine-tune the IOS SSH daemon regarding the cipher suites used.

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "(config)# ip ssh version 1"?

Best Regards,


Julio Carvajal Wed, 07/11/2012 - 07:52

Hello Ronald,

Since there is no official "security advisory" and the bug mentions "Workaround: None", are there some best practices beyond "(config)# ip ssh version 1"?

A/ No, given the low probability of this being successfully exploited.

Do you know, for the case that SSHv1/3DES is an option, if there's a possibility to specify (decrease) the "key lifetime" to increase the SSH 3DES security, like we've done in IPsec VPNs when AES wasn't available?

A/ No, there are only a few commands to tune SSH parameters:

     ip ssh time-out 60
     ip ssh authentication-retries 2

You will need to re-generate the RSA key manually.
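An added example, not from the thread: the SSH server settings IOS does expose, put together with manual key rotation and a management access-class. The hostname, domain name and management subnet are assumed. It keeps ip ssh version 2; whichever version is chosen, restricting who can reach the vty lines at all shrinks the population able to attack the cipher.

```cisco
! Added example (not from the thread): the SSH knobs that exist on IOS, plus
! key rotation and a management-plane access-class.
! Assumed: hostname R1, domain example.com, management subnet 10.0.0.0/24.
hostname R1
ip domain-name example.com
!
! There is no key lifetime for SSH; rotation is manual. A dedicated, labelled
! 2048-bit pair can be regenerated without touching other RSA keys on the box.
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
!
! Protocol version, negotiation timeout and retry limit (the last two are the
! commands named in the answer above).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Only management hosts may even open a TCP connection to the SSH server.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Verify with "show ip ssh" (version, timeout, retries, key pair name) and
! "show ssh" for live sessions and their negotiated parameters.
```

To rotate the host key later, run the same crypto key generate rsa command with the same label; existing sessions stay up and new connections use the new key, so clients will see a changed host key fingerprint, which is expected.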


Mario Sierra Thu, 07/12/2012 - 20:47

Hi Julio

I have a quick question regarding ZBFW running on the ASR platform. I have asr1001-universalk9.03.06.01.S.152-2.S1 and I'm trying to configure SMTP inspection. I have found information, but I'm not sure if I'm on the correct path.

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S

Restrictions for Zone-Based Policy Firewall

• Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE

Layer 3 and Layer 4 Class Maps and Policy Maps

Supported Protocols

The following protocols are supported:

• H.323
• Lightweight Directory Access Protocol (LDAP)
• LDAP over Transport Layer Security/Secure Socket Layer (LDAPS)
• Real-time Streaming Protocol (RTSP)
• Session Initiation Protocol (SIP)
• SCCP (Skinny Client Control Protocol)


Then I got

Cisco IOS XE 3S Release Notes Release 3.2S Features and Important Notes

New Software Features in Cisco IOS XE Release 3.2.0S

Application Inspection and Control for SMTP

The Application Inspection for SMTP feature provides an intense provisioning mechanism that can be configured to inspect packets on a granular level so that malicious network activity, related to the transfer of e-mail at the application level, can be identified and controlled. This feature qualifies the Cisco IOS firewall extended Simple Mail Transfer Protocol (ESMTP) module as an "SMTP application firewall," which protects in a similar way to that of an HTTP application firewall.

For more information, see the following document:

If I go to the last link I'm getting

Networking Software (IOS & NX-OS)

Application Inspection and Control for SMTP

So at this point it is talking about regular IOS and NX-OS but not IOS XE. So I think that statement "Application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE software." still applies, right?

I have this configuration but I'm not able to get SMTP inspection working.

class-map type inspect match-any InspProtocol
 match protocol http
 match protocol https
 match protocol smtp
 match protocol ftp
 match protocol dns
 match protocol icmp
 match protocol ntp
 match protocol isakmp
 match protocol ssh
 match protocol tcp
 match protocol udp

policy-map type inspect PInspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

I just want to inspect specific traffic and permit the rest.

zone security INSIDE
zone security OUTSIDE

zone-pair security IN-to-Out-ZONE source INSIDE destination OUTSIDE
 service-policy type inspect PInspect

interface GigabitEthernet0/0/0
 description Red Interna
 ip address
 ip access-group privated in
 ip nat inside
 ip virtual-reassembly
 zone-member security INSIDE

interface GigabitEthernet0/1/1
 bandwidth 8192
 ip address x.x.x.x
 ip access-group antispoofing in
 ip access-group monitoreo out
 ip nat outside
 ip flow ingress
 ip virtual-reassembly
 zone-member security OUTSIDE
 speed 1000
 no negotiation auto
 crypto map VPNs-Internet
 hold-queue 4096 in

The results

sh policy-map type inspect zone-pair sessions

Zone-pair: IN-to-Out-ZONE
  Service-policy inspect : PInspect

    Class-map: InspProtocol (match-any)
      Match: protocol http
      Match: protocol https
      Match: protocol smtp
      Match: protocol ftp
      Match: protocol dns
      Match: protocol icmp
      Match: protocol ntp
      Match: protocol isakmp
      Match: protocol ssh
      Match: protocol tcp
      Match: protocol udp

        Half-open Sessions
         Session 1920248 (>(200.x.x.x:25) smtp SIS_OPENING
          Created 00:00:18, Last heard 00:00:18
          Bytes sent (initiator:responder) [0:0]
         Session 1920294 (>(174.x.x.x:25) smtp SIS_OPENING
          Created 00:00:23, Last heard 00:00:23
          Bytes sent (initiator:responder) [0:0]
         Session 19202E0 (>(193.x.x.x:25) smtp SIS_OPENING
          Created 00:00:12, Last heard 00:00:03

Thanks in advance

Julio Carvajal Fri, 07/13/2012 - 05:41

Hello Mario,

That is correct, application-level maps (also referred to as Layer 7 class maps) are not supported in Cisco IOS XE.

You will not be able to inspect the SMTP protocol.

You can inspect it, but at Layer 3 and 4, based on an ACL:

ip access-list extended SMTP
 permit tcp any any eq 25

class-map type inspect SMTP
 match access-group name SMTP

policy-map type inspect PInspect
 class type inspect SMTP
  inspect
 class type inspect InspProtocol
  inspect
 class class-default
  pass log

Then you can remove the match protocol smtp from the class InspProtocol.



