Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

IOS Zone-Base Firewall Self-Zone Features

Currently I've been working on the configuration of several IOS Zone-based Firewall (over ISR2801 with IOS 12..4(15)T12) and I've read about the features and limits of the Self-zone for the router outbound and inbound traffic. I really prefer use the CLI because the SDM creates a "nesting mess". As I found in some documents there is no way to inspect protocols like http/https or telnet or ssh for the Sefl-zone so I cannot use this kind of config:

class-map type inspect match-any ExampleCM

match protocol ssh

match protocol https

exit

policy-map type inspect ExamplePM

class type inspect ExampleCM

inspect

class class-default

drop log

exit

exit

because when i try to implement the policy for a zone-pair, the router shows a message that says this config is not possible for the self-zone.

I need to configure the router management access only from two or three of the HQ's IPs so the Branch Router must be managed by SSH or HTTPS through the outside network. Somebody could help me please

the HQ Network is 192.168.1.0/24

the IPs allowed to manage the Remote router are 192.168.1.104, 192.168.1.222 and 192.168.1.18

the Branch Office Inside (trusted) Network is 192.168.11.0/24, the router IP is 192.168.11.11

the Branch Office Outside (untrusted) Network is 10.50.70.0/30 the router IP is 10.50.70.2

9 REPLIES

Re: IOS Zone-Base Firewall Self-Zone Features

IP Access-list Extended MGMT

Permit tcp host 192.168.1.104 host 10.50.70.2 eq 22

Permit tcp host 192.168.1.104 host 10.50.70.2 eq  443

class-map  ExampleCM

match access-group MGMT

exit

policy-map type inspect ExamplePM

class type inspect ExampleCM

pass

class class-default

drop log

exit

exit

With this example the IP 192.168.1.104 will be able to SSH and HTTPS to the Outside IP of the router.

You will have to create 2 Zones because you are not inspecting the traffic. One from the outside to the self zone with the policy ExamplePM  and Another one from the self to the outside. You can use this policy

class-map type inspect match-any ExampleCM

match protocol ssh

match protocol https

exit

policy-map type inspect ExamplePM-TEST

class type inspect ExampleCM

inspect

class class-default

drop log

exit

exit

WHat you have to remember is that you have to create 2 ZOnes one from X to Self and another from Self to X.. This because you are not inspecting the traffic but passing it.

Try and let me know.

New Member

Re: IOS Zone-Base Firewall Self-Zone Features

hi diego, thanks for your cooperation. I have a question about when you said

"Yo can use this policy

class-map type inspect match-any ExampleCM

match protocol ssh

match protocol https

exit

policy-map type inspect ExamplePM-TEST

class type inspect ExampleCM

inspect

class class-default

drop log

exit

exit"

this configuration does L7 inspection, so when i tried to do this for the Self-Zone, the system tells me that SSH or HTTPS can be inspected for the Self-Zone, only L4 inspection. So I tried the next ( I have no probe it yet):

! I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface.

ip access-list extende mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11 ( the first IP is on the HQ segment, the second one related with the inside Router interface)

     deny ip any any

exit

class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

     match protocol icmp

exit

class-map type inspect match-all out-self-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

policy-map type inspect out-self-pmap

     class type inspect out-self-cmap

     [inspect]<--------------------------------------------if I set "inspect" when I try to join this policy with the zone-pair out-self the system does not allow it

     [pass]<---------------------------------------------if i set "pass" It suppose to create the policy and zone-pair for the traffic in the other direction self-out.

     class type inspect class-default

     drop log

     exit

exit

zone-pair security out-self source out-zone destination self

     service-policy type inspect out-self-pmap

exit

Assume this configurartion is made till here, not a line more not a line less, the traffic at the policy map is "Pass", this configuration does not suppose to work because there is no route back from self-zone to out-zone right?? so if I tried to do SSH to the 192.168.11.11 it ain't gonna happen. Could you help me to figure out if this is correct

And these configurations are equivalents:

Configuration A:

ip Access-list Extended mgmt-acl

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 22

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 443

exit

class-map  type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

exit

-------------------------------------------------------------------------------------------------

Configuration B:

ip access-list extended mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11

     deny ip any any

exit


class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

exit


class-map type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

Thanks and Regards

Re: IOS Zone-Base Firewall Self-Zone Features

Hi,

The pass option is not stateful. It means that you have to create 2 ZOne-pairs. One from self to out-zone and one from out-zone to self.  (if HQ is in the OUT-ZONE).

Is the HQ in the OUT-ZONE ??  Do you have a public IP in the OUTSIDE interface??

You wrote.

I need to do SSH and HTTPS from the HQ to the Branch not by the Outside Interface but the Inside interface-----> Is the HQ in the OUTSIDE???  Im seeing that the zone-pair is between the OUT-ZONE and the self.....

New Member

Re: IOS Zone-Base Firewall Self-Zone Features

hi diego, the link between the HQ router and Branch routers is provided by an ISP through FrameRelay connection for some Branch offices and MPLS for others. So, the ISP give me Invalid IPs for the WAN links (i.e: 10.50.70.0/30 or 10.50.70.40/30). Something like this:

        LAN HQ                                            WAN                                       WAN                                                   LAN Branch

192.168.1.0/24<-------->HQ Router <------10.50.70.0/30-------> ISP <-------- 10.50.70.40/30------> Branch Router----------->192.168.11.0/

For the The Branch router:

     - The outside will be the WAN interface 10.50.70.42

     - The inside will be the LAN interface 192.168.11.11

So when I configure the Firewall on the Branch Routers I need to access to it from the HQ with SSH or HTTPS using the LAN IP not the WAN IP. So any network administrator should use ssh 192.168.11.11 to gain access to the Branch router.

again, could you please answer me if these configurations are equivalents:

Configuration A:

ip Access-list Extended mgmt-acl

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 22

     Permit tcp host 192.168.1.104 host 192.168.11.11 eq 443

exit

class-map  type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

exit

-------------------------------------------------------------------------------------------------

Configuration B:

ip access-list extended mgmt-acl

     permit ip host 192.168.1.104 host 192.168.11.11

     deny ip any any

exit


class-map type inspect match-any mgmt-traffic

     match protocol ssh

     match protocol https

exit


class-map type inspect match-all mgmt-cmap

     match access-group name mgmt-acl

     match class-map mgmt-traffic

exit

Thanks and Regards

Re: IOS Zone-Base Firewall Self-Zone Features

In the first example. Yes they are going to do the same but. in the second example you would be doing L7 inepction if you set as action inpect. But you will not so in this case it's the same case A as case B

Re: IOS Zone-Base Firewall Self-Zone Features

About your problem I'm not 100% sure if ssh or https is going to work from the HQ... Do you have a route in the HQ to reach the internal IP through the MPLS?? I have never worked in an scenario like yours. Have you tried creating a loopback? ans ssh and https to the loopback IP?

New Member

Re: IOS Zone-Base Firewall Self-Zone Features

Hi jose, have u solved it? I have the same problem... because the SELF zone can't do inspect of the protocol ssh.... If you have solved it... could you share how u did it?

Thanks in advance.

Fabio

New Member

Re: IOS Zone-Base Firewall Self-Zone Features

hi Fabio, I think i solve it (or for my case it works). It is possible to use the inspect action on a policy for the Self-Zone, but you have to keep in mind this:

when you use this kind of config:

     class-map type inspect match-any out-self-cmap

          match protocol ssh

          match protocol https

          match protocol snmp

     exit

     policy-map type inspect out-self-pmap

          class type inspect example-cmap

          inspect

          class class-default

          drop log

          exit

     exit

you are doing an inspection for the whole protocol (ssh, https or snmp), this is a L7 inspection, if you try to attach the policy-map with a zone-pair that involves the self-zone the system won't allow you.

To solve this you can "trick" the inspection, so you don't inspect the whole protocol, instead, you only inspect a given port (ssh:22 TCP, https:443 TCP, snmp:161 UDP). so the configuration will be something like this:

     ip access-list extended ssh-acl

          remark This acl allows the SSH session from two HQ PCs to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit tcp host 192.168.10.20 host 192.168.8.1 eq 22

          permit tcp host 192.168.10.30 host 192.168.8.1 eq 22

          deny tcp any any eq 22

     exit

      ip access-list extended https-acl

          remark This acl allows the HTTPS session from all HQ PCs to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit tcp 192.168.10.0 0.0.0.255 host 192.168.8.1 eq 443

          deny tcp any any eq 443

     exit

     ip access-list extended snmp-acl

          remark This acl allows the SNMP session from one HQ Server to the Router

          remark of the Branch Office (the inside or LAN IP of the Remote Router is

          remark 192.168.8.1 and the outside or WAN IP is 10.10.10.2

          permit udp host 192.168.10.100 host 192.168.8.1 eq 161

          deny udp any any eq 161

     exit
     class-map type inspect match-any out-self-cmap
          match access-group name ssh-acl
          match access-group name https-acl
          match access-group name snmp-acl
     exit
     policy-map type inspect out-self-pmap
          class type inspect out-self-cmap
          inspect
          class class-default
          drop log
          exit
     exit
     zone-pair security out-self source out-zone destination self
          service-policy type inspect out-self-pmap
          exit
     exit

This way you are doing L4 inspection over the port and the router will allow you to attach the policy-map to the zone-pair which includes de sefl-zone. And as you can see, you are monitoring and manage the device through the Inside IP not the Outside. I did this configuration for my case and it is working, I can do ssh, https (SDM) and snmp monitoring.

As a bonus, if you are the kind of person who enjoy configure through the CLI, don´t forget to allow the Routing protocol messages or adjacencies. Once you start to work on the self zone you have to be careful, if you are using OSPF or EIGRP you have to allow the message from this protocol to establish the adjacencies. This will help you:

     ip access-list extended ospf-acl

          permit ospf any any

     exit

     class-map type inspect match-all ospf-cmap

          match access-group ospf-acl

     exit

     policy-map type inspect out-self-pmap

          class type inspect out-self-cmap

          inspect

          class type inspect ospf-cmap

          pass

          class class-default

          drol-log

By the way, if you use "pass" traffic from the "out-zone" to the "self-zone" is not necessary to create the traffic back from the "self" to the "out-zone" because this traffic is allowed by default. you have to use the back traffic policies if you are passing the traffic between two zones different of "self-zone".

I hope this help you Fabio.

Regards

New Member

Re: IOS Zone-Base Firewall Self-Zone Features

Thanks for you reply Jose... I understand the situation... and I will make some test and then I tell you about the results.... Do you have some more example of rules from inside to outside... and from outside to inside... if you could send me some example.. (If u have) I would appreciate... fabio@teletex.com.br

Thanks in advance.

Fabio

940
Views
0
Helpful
9
Replies
CreatePlease to create content