Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to efficiently troubleshoot zone-based policy firewall on the router with Cisco expert Mynul Hoda. Mynul is a technical leader at Cisco's Network Solutions Integration Test Engineering (NSITE) Lab in the enterprise solution engineering and validation group. Mynul leads a team of eight engineers in validating large-scale branch/WAN solutions for large enterprise customers. Mynul is also working as a technical advisor and escalation resource for security questions in the enterprise network. Mynul holds CCIE certifications in Routing/Switching and Security, and he authored 1100 pages of "Cisco Network Security Troubleshooting Handbook" for Cisco Press.
Remember to use the rating system to let Mynul know if you have received an adequate response.
Mynul might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 13, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
I've been configuring 800-series routers for a while. Since last week, I found that the newly arrived 857s have IOS version 12.4(15)T5 installed (image file: c850-advsecurityk9-mz.124-15-T5.bin), which SDM 2.5 shows as using the zone-based firewall instead of the interface firewall.
But using the wizard from SDM, it failed to apply the firewall policy.
I found it always failed at the class-map command, so I went into the CLI. But under global configuration mode there is no class-map command, as shown in the attachment. It still has the ip inspect command, though.
I attached the summary of firewall to be applied and the error msg for your reference.
Is there any problem with my ios?
This is the 3rd router with the same problem I received in a row.
Thanks for initiating the forum with your question!
You are essentially hitting a bug here: CSCsm79217
Direct Link to the bug:
The problem is with SDM not being able to recognize if the platform supports Zone-based FW or not. Cisco 831 and 851 routers do not support Zone Based Firewall while the 871 model does. However, all of them support CBAC.
The problem occurs when you do not have any firewall configuration on the router: SDM will attempt to configure the router with Zone-Based Firewall by default even if the router doesn't support Zone-based FW. This is where the problem is.
However, if there is already an 'ip inspect' policy applied, SDM will recognize this configuration, get into CBAC mode, and allow you to configure the CBAC policies. Hence, the work-around until the bug is fixed is to manually configure an ip inspect policy to force SDM into configuring CBAC. This needs to be done from the Command Line Interface (CLI) with the commands below:
Router(config)#ip inspect name fw tcp
Router(config)#interface FastEthernet 4
Router(config-if)#ip inspect fw out
Once this configuration is in place, click the Refresh button from within SDM to query for configuration changes. Now clicking on the Firewall tab, it should allow configuration of the firewall inspection rules.
Hope this helps!
Good to ask the expert. You solved the problem straight away. I actually posted the same issue a week ago. No one really pointed out what has caused the problem.
One more question about the action. Mostly they are inspect. What does inspect really do? For example, inspect tcp. What does it scan for? What action exactly will it take after scanning the packet? It is not as clear as the permit, reset and drop actions.
Glad to know that the problem is fixed!
Inspect means different things for different protocols. For example, inspecting TCP means making sure the packet is a valid TCP packet, and that a session is created to maintain the state of the connection on the router (allow SYN, SYN-ACK, and ACK to be completed to establish the connection). So, to have the basic stateful functionality of IOS FW work, as a minimum you need to have TCP/UDP inspection. However, for multichannel protocols such as FTP, the payload needs to be inspected as well to get the necessary IP and/or protocol information to be able to allow the subsequent data connection. Again, there is some application layer inspection, such as SMTP, to make sure the SMTP exchange across the firewall is within protocol conformance. So, net net is, inspection serves a different purpose for each protocol.
Now, if you require IOS FW to create necessary sessions to crea
Why does the new zone-based firewall silently drop traffic instead of sending ICMP unreachables like the old firewall or ACLs do? And/or why is there no option to change this behaviour? Does Cisco now join the "stealth" hype, too?
Welcome and thanks for your time. I have a question that I have spent quite a lot of time on. Tom Hunter tried to help me too, but he couldn't e-mail me back as he is busy. The following link contains what I want to achieve.
If you like, I can send you the mails between me and Tom so that you can see where we got stuck.
My second question is about the packet-tracer in 7.2 and above code, and debug commands.
Following is an example output.
Forward Flow based lookup yields rule:
in id=0x23b60c0, priority=0, domain=permit-ip-option, deny=true
hits=2108983, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
The packet-tracer command is one of the favourite commands for troubleshooting, for sure. But there are parts that I can't understand. For example, it says true for deny, but the packet is permitted; also, does that id code mean anything? How can I learn more about the details of that command?
Also for debugging the crypto engine: I have intermediate debugging experience, but how can I learn advanced debugging skills? Any Cisco Press books out there?
Tom Hunter is the SME on ASA, so please try and get help from him through the forum.
This event is on the Zone-based firewall, hence to be fair to others, if possible, I would like to keep the discussion to Zone-based Firewall or Classic IOS Firewall only.
That being said, please feel free to send me an offline message via e-mail, and I will be more than happy to take a look at the problem where you are stuck.
At its current state, Zone-based firewall works in Stealth mode, hence no ICMP unreachable packets get sent from the firewall. A knob to change this behavior doesn't exist in the current code base.
Please stay tuned, I am trying to follow up with the development team to see if having the knob is in the roadmap!
Say you get a log message like the following:
*Jun 3 15:33:18.702 EDT: %FW-6-DROP_PKT: Dropping Other session 220.127.116.11:514 18.104.22.168:514 on zone-pair publicPrivateOut class class-default due to DROP action found in policy-map with ip ident 33708
What can you tell from "ip ident 33708" ?
Hi Mynul, glad to have you on the forum. Can you please tell us how to use the self zone and where it is required,
and how to deal with IPsec connections terminating on the router running zone-based firewall.
If you don't mind me answering...
The "self" zone is used to control inbound and outbound services to and from the router. Unlike user defined zones (public, private, dmz, vpn, etc), the self zone implicitly allows all other zones access to and from the router.
If you have a policy-map between public and self, then permit ike, gre to and from.
Don't want to speculate on how ESP is doing though.
Not at all, and well said.
Please also refer to the following link for VPN related issues with the Zone-Based FW.
Please let me know if this doesn't address the question.
I think the question was: if you want to protect your router by limiting, say, only ssh/scp/snmp to the self zone from the public zone, then how do you do that without affecting the VPN-related stuff?
The above document doesn't address the self zone.
Another question is: how do you effectively and efficiently protect the self zone if you have 10 other zones? Do you have to create 10 zone pairs?
I re-read the question, and I think we have answered what Sushil is looking for.
Please confirm if you need any additional details.
I would appreciate it if you can send me an e-mail with the configuration. All it's saying is that IP Identity 33708 has the DROP action set, hence the connection is getting dropped. Please send me the config so that I can comment better on this.
Wanted to follow up on this. I did consult with the Product team, and they said that there is a Product Enhancement request made regarding this. I would suggest that you contact your account team to raise the importance of this.
Do you have more detail on what the name of the enhancement is?
I think we have a request for better log messages (so that even a person who doesn't know the topology would understand what the log is saying).
This was a response to Gerald's question. I was referring to the follow-up on the Stealth feature question for Zone-based Firewall. The PER request is on that.
It's a web glitch. Therefore, for future answers, to avoid any confusion, I will go ahead and address the name when providing my answer.
To start with, I have two questions:
1. Is it possible to block an inside host infected by a worm and generating lots of TCP SYNs with Zone firewall or Classic firewall and/or other IOS security features? (IPS appliance, CSA, NAC, etc. are not an option in our net.)
ip inspect tcp max-incomplete host N block-time minutes
parameter-map type inspect ...
tcp max-incomplete host N [block-time minutes]
can block by Destination IP only, not the Source IP.
Also, how can I diagnose infections if the message "%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host
2. Is it possible to kill a specific IOS firewall session? For example, suppose we have PCs infected by a worm. It can take a lot of time to locate and isolate those PCs in a big network. How can we block _established_ sessions of those PCs on a router? As far as I understand, an ACL will not work in Classic firewall, because the sessions are already established and the traffic is not processed by an ACL for established sessions. What about Zone firewall? Will an ACL work? Can we kill a session in ZPF?
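As an added example (not part of the thread), the following Python parses the %FW-6-DROP_PKT message quoted earlier and the %FW-4-HOST_TCP_ALERT_ON message mentioned in question 1, then counts dropped sessions per source so a chatty inside host can be spotted from the router's syslog. The field layout is inferred from the quoted messages rather than a Cisco specification, and every sample line except the quoted one is constructed.

```python
import re
from collections import Counter

# Field layout of the two IOS firewall syslog messages quoted in this thread,
# inferred from the quoted examples (an assumption, not taken from a Cisco spec).
IP = r"\d+(?:\.\d+){3}"
DROP_PKT_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    rf"(?P<src>{IP}):(?P<sport>\d+) (?P<dst>{IP}):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+) "
    r"due to (?P<reason>.+?) with ip ident (?P<ip_ident>\d+)")
HOST_ALERT_RE = re.compile(
    r"%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections \((?P<limit>\d+)\) "
    rf"exceeded for host (?P<host>{IP})")

def parse_fw_line(line):
    """Return a dict for a DROP_PKT or HOST_TCP_ALERT_ON message, else None."""
    m = DROP_PKT_RE.search(line)
    if m:
        return {"type": "drop", "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "zone_pair": m["zone_pair"], "class": m["cls"],
                "reason": m["reason"], "ip_ident": int(m["ip_ident"])}
    m = HOST_ALERT_RE.search(line)
    if m:
        return {"type": "half_open", "host": m["host"], "limit": int(m["limit"])}
    return None

def summarise(lines, drop_threshold=3):
    """Parse a feed; return (events, drops per source, hosts worth a closer look).
    A host is flagged when it trips the half-open alert or reaches drop_threshold drops."""
    events = [e for e in map(parse_fw_line, lines) if e]
    drops = Counter(e["src"] for e in events if e["type"] == "drop")
    flagged = {e["host"] for e in events if e["type"] == "half_open"}
    flagged |= {src for src, n in drops.items() if n >= drop_threshold}
    return events, drops, sorted(flagged)

# Constructed sample feed: QUOTED is the line from the thread; the others are
# made up here using RFC 5737 documentation addresses.
QUOTED = ("*Jun 3 15:33:18.702 EDT: %FW-6-DROP_PKT: Dropping Other session 220.127.116.11:514 "
          "18.104.22.168:514 on zone-pair publicPrivateOut class class-default due to DROP action "
          "found in policy-map with ip ident 33708")
DROP_TMPL = ("*Jun 3 15:34:{i:02d}.000 EDT: %FW-6-DROP_PKT: Dropping tcp session 192.0.2.7:5120{i} "
             "198.51.100.9:{port} on zone-pair privatePublicOut class class-default due to DROP "
             "action found in policy-map with ip ident {ident}")
ALERT = ("*Jun 3 15:35:00.000 EDT: %FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) "
         "exceeded for host 192.0.2.44.")
UNRELATED = "*Jun 3 15:35:02.000 EDT: %SYS-5-CONFIG_I: Configured from console by vty0"
SAMPLE_LOG = [QUOTED, *(DROP_TMPL.format(i=i, port=445 + i, ident=100 + i) for i in range(3)),
              ALERT, UNRELATED]
```

Running `summarise(SAMPLE_LOG)` returns five firewall events (the %SYS line is ignored), three drops for 192.0.2.7 and one for the quoted source, and flags 192.0.2.44 and 192.0.2.7.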
The answer for question 1 is that you need to use the IPS features instead of IOS FW features. The DoS prevention mechanism is based only on the destination address. Have you thought about the software-based IPS features?
Unfortunately, the answer to question 2 is NO as well, to the best of my knowledge. Let me think and see if there is any work-around or mechanism I can think of.
Thank you for the reply.
The inability to block by source IP and diagnose infections is the major limitation of the IOS firewall. Using software-based IPS is not a good idea, because it can overload the CPU. Also, as far as I know, Sig 3050 uses the same code as the firewall. I'm not sure whether it is possible to block by source IP with this signature. When I tested blocking in one of the initial releases of 12.4(15)T, the deny-attacker-inline didn't even work for the service.http engine.
What do you think?
IOS IPS is a complementary technology to IOS FW.
To minimize the IPS impact on the router, what you may want to do is "Retire" all signatures, and also disable all the signatures that you don't need. Signature 3050 should serve your purpose.
Hi Sir Oleg,
I am coming in now to ask you whether the CCSP (CSVPN 642-511 exam) is still online, because I am looking everywhere on all the Cisco exam lists but I can't see that one.
Please help; I am preparing for two exams. I'll take the CCNA 640-802 exam and two weeks later I will take the CSVPN 642-511 exam, which is why I would like to know this information.
Please ask this question under Career Certification session, as this session is on different topic.
Please, I have 2 problems:
1. Sometimes (approximately every 30 minutes) the connections are lost when the web server (DMZ - security level 50) accesses JBoss/mod-JK Tomcat (INSIDE - security level 100). In order to fix this issue, I upgraded from version 7.02 to 8.02. However, after 10 days the problem is back...
2. I have a Cisco ASA with 8.03; how can I block P2P and streaming traffic?
Greetings from Lima - Peru
This session is targeted for IOS FW security, not on the Appliance. I would suggest that you post the question under Security section of this forum.
Thanks for your understanding!
I was trying to connect to the Console Port on an MDS9216. I am using the cable supplied with the new switch; however, I have an IBM ThinkPad with no serial port, only USB ports. How do I connect to the switch?
This session is only on IOS FW security features, hence I would suggest you post your question under the Data Center section.