Ask the Expert: Security on IOS Router Devices (ZBFW, IPS, CBAC)

ciscomoderator
Community Manager

With Julio Carvajal Segura

Welcome to the Cisco Support Community Ask the Expert conversation with Cisco expert Julio Carvajal Segura. This is an opportunity to learn and ask questions on how to make your IOS router devices (Zone-Base Firewall, Intrusion Prevention Systems, & Context-Base Access Control) more secure.

Julio Carvajal Segura is a support engineer at the Cisco Technical Center in Costa Rica. His expertise is in security topics such as Cisco Security Content, intrusion prevention systems, Cisco Adaptive Security Appliances (ASA), Cisco Firewall Services Modules, zone based firewalls, and context-based access control. He has over a year of experience working and resolving customer problems.

Remember to use the rating system to let Julio know if you have received an adequate response. 

Julio might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Firewalling forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

27 Replies

John Ventura
Level 1

Hi Julio,

After I configured the ZBFW or the CBAC feature my VPNs were down. How can I resolve this?

Thank you

John

Hello John,

Hope you are doing great.

Now, regarding your query: if you configure the ZBFW using the SDM, you will have the inside, outside and self zones configured.

That being the case, you will need to allow traffic on UDP port 4500 (NAT-T) and UDP port 500 (ISAKMP) to the interface where the crypto map is applied (self zone).

I would say that is the problem, but just in case, remember to allow traffic from the inside zone to the outside zone from your local LAN to the destination LAN, and the same thing from outside to inside.

If you want, you can post your configuration and I can make the changes to make it work.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

"After I configured the ZBFW or the CBAC feature my VPN's were down, how can I resolve this?"

Hi John,

In your ACL for CBAC, the one you have applied on the outside interface, please create the two permit lines shown below; xxx.xxx.xxx.xxx is assumed to be your public IP address.

access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx

Hope that helps.

Thanks,

Rizwan Rafeek

james_flockton
Level 1

Hi Julio,

My company has recently deployed VCS around an established ASA 5510 service. The firewall traversal element is working perfectly for H323 calls, but SIP seems to fail for no clear reason. The traversal zone is active, but if I call from a SIP UI registered to Cisco Expressway it cannot call the UI of a device on the inside. I have allowed the VCS Control (through ACLs) to connect to any device on the outside, but calls still seem to fail. Do you have any pointers to help me resolve this problem, please?

Thanks

James

Hello James,

This Ask the Expert is focused on IOS routers, but I will still help with this.

So basically the problem is SIP across the ASA.

Do you already have inspection enabled for the SIP protocol?

Are you using a static one to one NAT translation for the VCS control?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

John Peterson
Level 1

Hi Julio,

In my recent experience I have used ASAs as edge devices. But after seeing some of the features on a router, I would like to replace my ASAs with Cisco routers.

I have seen some routers which have built-in firewall features based on the firmware.

What are your thoughts on this? Which of the new routers, and which firmware, would you recommend for firewall features together with routing capabilities?

Hello John,

Nice question.

That is correct; some of the IOS devices come with a built-in IPS sensor, as an example, that you could use to secure your network perimeter.

One of the other advantages, from my perspective, would be that the IOS router supports routing protocols in a more extended way than the ASA.

The router supports Policy Based Routing (routing based on source IP addresses).

The router does QoS in a more extended way than the ASA, etc.

The thing is that by default the router is not a security device, so we will need to configure it in a way that it can protect our network.

If you ask me what I prefer (ZBFW or CBAC, which are the two built-in firewall options on an IOS router):

     I would recommend ZBFW 100%, which lets you be more flexible with your actions in security policies (you can be as granular as you want).

Now, regarding firmware, you should go to the latest versions, as they will provide new features and will fix previous bugs in the code.

ZBFW is supported after 12.4(6)T6, but if you use code 15.1(2) you will have additional features like support for IPv6, or if you go to IOS Release 15.0(1)M you will have intra-zone policies, etc.

Hope I could help,

PS: For monitoring and troubleshooting, the ASA is the best option on the market in the security area.

       The ASA is capable of having a local-host table, a conn table to correlate events, etc.

Julio

Cisco TAC engineer.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Carlos Lesaige
Level 1

Hi Julio,

I wonder how I can statefully inspect RDP sessions using an IOS router? Can you comment on this?

Thanks,

Carlos

Hello Carlos,

We need to configure the following in order to make the router able to inspect RDP sessions, as this protocol uses a non-standard port.

This can be done using ip port-maps:

! user-defined port-map names must start with "user-"
ip port-map user-rdp port tcp 3389
!
class-map type inspect RDP
 match protocol user-rdp
!
policy-map type inspect RDP
 class type inspect RDP
  inspect

That should make the router firewall able to statefully inspect RDP.

There is another option: instead of using the ip port-map command, we can make it work by doing a match with an ACL:

ip access-list extended RDP
 permit tcp any any eq 3389
!
class-map type inspect RDP
 match access-group name RDP
!
policy-map type inspect RDP
 class type inspect RDP
  inspect

Hope I could help,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
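As an added example (not configuration from the thread or from Cisco), one ZBFW configuration that ties together the two answers above: the RDP inspection from inside to outside, and the ISAKMP/NAT-T/ESP traffic that must be allowed between the outside and self zones for the router's own VPN. Interface names, zone-pair names and all IP addresses (203.0.113.10 as the VPN peer, 198.51.100.1 as the router's WAN address) are assumptions.

```cisco
! Added example, not from the thread: one ZBFW configuration covering
! RDP inspection (inside -> outside) and the router's own IPsec
! (outside <-> self). Interface names, zone names and IPs are assumptions.
zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 description WAN - crypto map applied here, so IPsec terminates in the self zone
 zone-member security outside
!
! Inside -> outside: stateful inspection of RDP via a user-defined
! port-map (name must start with "user-"); anything else is dropped and logged
ip port-map user-rdp port tcp 3389
class-map type inspect match-any CM-IN-TO-OUT
 match protocol user-rdp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect PM-IN-TO-OUT
!
! Outside <-> self: only ISAKMP (udp/500), NAT-T (udp/4500) and ESP
! between the known peer and our WAN address may reach the router itself.
! ESP cannot be inspected, so the action is "pass"; pass is stateless,
! so both directions get a zone-pair. Add lines here for any other
! traffic the router itself needs (routing protocols, NTP, management).
ip access-list extended ACL-VPN-SELF
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 permit udp host 198.51.100.1 host 203.0.113.10 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.10 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.10
class-map type inspect match-all CM-VPN-SELF
 match access-group name ACL-VPN-SELF
policy-map type inspect PM-VPN-SELF
 class type inspect CM-VPN-SELF
  pass
 class class-default
  drop log
zone-pair security OUT-TO-SELF source outside destination self
 service-policy type inspect PM-VPN-SELF
zone-pair security SELF-TO-OUT source self destination outside
 service-policy type inspect PM-VPN-SELF
```

The decrypted traffic between the local LAN and the remote LAN still crosses the inside and outside zones, so it needs its own inside-to-outside and outside-to-inside policies, as the VPN answer above points out.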

rogelioalvez
Level 1

Hello Julio:

I would like to mount a cluster of two routers running CBAC and SSO to implement the Stateful Failover High Availability concept, as shown in http://www.cisco.com/en/US/prod/collateral/routers/ps5855/white_paper_c11_472858.html.

Actually, the documentation mentions the support for only one inside and one outside interface, and the standby router taking over if either of these interfaces on the active router goes down.

Is it possible to extend this concept to a cluster with at least three interfaces on each router?

Your kind answer will be greatly appreciated.

Best regards...

Rogelio Alvez

Argentina

Hello Rogelio,

"Is it possible to extend this concept to a cluster with at least three interfaces on each router?"

A: It is possible to have a stateful IOS cluster with the firewall enabled. You will be able to monitor three different interfaces using HSRP and SSO.

Now, to improve the performance of your firewall, you can apply an inspection policy to only one interface (this could be done by applying it to the outside interface).

Let me know if this answers your question.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello Julio,

I tried to configure CBAC on the IOS image flash:c2800nm-advipservicesk9-mz.124-3g.bin. After configuring CBAC my internet connection is very slow, with no video, especially with YouTube.

From inside to outside I have permitted everything: permit tcp any any and permit udp any any.

Hello Clark,

Can you share the CBAC configuration you have? Also, I would like to see the logs generated by the IOS router.

To be able to generate the logs from the firewall, please set the following command:

     ip inspect log drop-pkt

With the logs we will be able to see if this happens because of a deep packet inspection problem, out-of-order packets, etc.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you very much Julio.

Best regards, Rogelio
