Posted by Meow 馃悎馃悎Meow 馃惐馃惐 Meow Meow馃嵑馃悎馃惐Meow A+! 1 year ago

The Router that thought it was an ASA

There seem to be a lot of people interested in CCNA Security, so let's have a brief look at Zone-Based Firewalls.

Here is today's topology; we'll be trying to lock down the server-to-server communication on R10.

A zone-based firewall (ZBF) is Cisco's attempt at bringing the ASA's inspection logic to an IOS device, and it is much more modular than a traditional ACL.

First things first, we create zones; these are basically the same thing as an ASA nameif.

R10(config)#zone security R01
R10(config-sec-zone)#description R01 Zone
R10(config)#zone security R02   
R10(config-sec-zone)#description R02 Zone

Next we make class-maps to match traffic. You can use match protocol to classify with NBAR, or you can create an ACL and match that instead. We'll match ICMP and HTTP with NBAR and use an ACL for telnet.

R10(config)#ip access-list extended ACL_TELNET
R10(config-ext-nacl)# permit tcp any any eq telnet
R10(config-ext-nacl)# permit tcp any eq telnet any

R10(config)#class-map type inspect match-all CM_TELNET
R10(config-cmap)# match access-group name ACL_TELNET

R10(config)#class-map type inspect match-all CM_ICMP
R10(config-cmap)# match protocol icmp                    
R10(config)#class-map type inspect match-all CM_HTTP
R10(config-cmap)# match protocol http                    

Next we make a policy-map that references the class-maps. For each class we can inspect the traffic (stateful, so return traffic is allowed back), bypass the firewall with pass (stateless, so return traffic needs its own pass in the opposite zone-pair), or drop it. We will inspect ICMP and HTTP and explicitly drop telnet. We also use drop log in class-default so that all unmatched traffic is logged when it is dropped; without it the implicit default is still drop, just silent. The policy-map is processed top down, just like an ACL, so you may need to reorder the classes in more complex setups.

R10(config)#policy-map type inspect PM_R01_TO_R02
R10(config-pmap)# class type inspect CM_HTTP
R10(config-pmap-c)#  inspect
R10(config-pmap-c)# class type inspect CM_ICMP
R10(config-pmap-c)#  inspect
R10(config-pmap-c)# class type inspect CM_TELNET
R10(config-pmap-c)#  drop log
R10(config-pmap-c)# class class-default
R10(config-pmap-c)#  drop log

Once that is done we need to bind the zones together with a zone-pair and apply the policy-map. R01 is the source zone and R02 is the destination zone, so R01 can initiate connections to R02, but R02 cannot initiate connections to R01; only return traffic for inspected sessions is allowed back.

R10(config)#zone-pair security ZP_R01_TO_R02 source R01 destination R02
R10(config-sec-zone-pair)# service-policy type inspect PM_R01_TO_R02

Lastly we add the interfaces to their zones. Note that traffic between an interface that is in a zone and one that is in no zone is dropped, so every interface that has to talk through R10 needs a zone.

R10(config)#interface GigabitEthernet2.110
R10(config-subif)# zone-member security R01
R10(config-subif)#interface GigabitEthernet2.210
R10(config-subif)# zone-member security R02
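The four steps above (zones, class-maps, policy-map, zone-pair, then zone membership) are the places where a ZBF quietly fails open or fails closed. The following is an added example, not code from the original post: a small Python audit that parses a running-config excerpt and flags the usual mistakes, namely an interface left out of every zone, a zone with no members, a zone-pair with no service-policy or an undefined policy-map, a policy-map referencing an undefined class-map, and a class-default that is not "drop log". The config it reads is constructed from the commands shown above; the extra DMZ zone, the PM_OPEN policy-map, ZP_DMZ_TO_R01 and GigabitEthernet2.310/410 are assumptions added so the audit has something to find.

```python
import re

# Constructed running-config excerpt. R01/R02, the class-maps, PM_R01_TO_R02,
# ZP_R01_TO_R02 and GigabitEthernet2.110/210 are from the post; the DMZ zone,
# PM_OPEN, ZP_DMZ_TO_R01 and GigabitEthernet2.310/410 are assumptions added
# so the audit has findings to report.
SAMPLE_CONFIG = """\
zone security R01
zone security R02
zone security DMZ
class-map type inspect match-all CM_TELNET
 match access-group name ACL_TELNET
class-map type inspect match-all CM_HTTP
 match protocol http
policy-map type inspect PM_R01_TO_R02
 class type inspect CM_HTTP
  inspect
 class type inspect CM_TELNET
  drop log
 class class-default
  drop log
policy-map type inspect PM_OPEN
 class class-default
  pass
zone-pair security ZP_R01_TO_R02 source R01 destination R02
 service-policy type inspect PM_R01_TO_R02
zone-pair security ZP_DMZ_TO_R01 source DMZ destination R01
 service-policy type inspect PM_OPEN
interface GigabitEthernet2.110
 zone-member security R01
interface GigabitEthernet2.210
 zone-member security R02
interface GigabitEthernet2.310
 zone-member security DMZ
interface GigabitEthernet2.410
 description management, never put in a zone
"""

ACTIONS = ("inspect", "pass", "drop log", "drop")


def parse_config(text):
    """Pull zones, class-maps, inspect policy-maps, zone-pairs and
    zone-member interfaces out of an IOS running-config."""
    cfg = {"zones": set(), "class_maps": set(), "policy_maps": {},
           "zone_pairs": {}, "interfaces": {}}
    section = cls = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # top-level command starts a new section
            section = cls = None
            if m := re.match(r"zone security (\S+)", line):
                cfg["zones"].add(m[1])
            elif m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
                cfg["class_maps"].add(m[1])
            elif m := re.match(r"policy-map type inspect (\S+)", line):
                cfg["policy_maps"][m[1]] = {}
                section = ("pmap", m[1])
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                cfg["zone_pairs"][m[1]] = {"src": m[2], "dst": m[3], "policy": None}
                section = ("zpair", m[1])
            elif m := re.match(r"interface (\S+)", line):
                cfg["interfaces"][m[1]] = None
                section = ("intf", m[1])
            continue
        if section is None:
            continue
        kind, name, sub = section[0], section[1], line.strip()
        if kind == "pmap":
            if m := re.match(r"class (?:type inspect )?(\S+)$", sub):
                cls = m[1]  # a class-map name or "class-default"
                cfg["policy_maps"][name][cls] = None
            elif cls and sub in ACTIONS:
                cfg["policy_maps"][name][cls] = sub
        elif kind == "zpair":
            if m := re.match(r"service-policy type inspect (\S+)", sub):
                cfg["zone_pairs"][name]["policy"] = m[1]
        elif kind == "intf":
            if m := re.match(r"zone-member security (\S+)", sub):
                cfg["interfaces"][name] = m[1]
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for intf, zone in cfg["interfaces"].items():
        if zone is None:
            findings.append(f"{intf}: not a zone-member, so traffic between it and any "
                            "zoned interface is dropped and nothing it carries is inspected")
    for zone in sorted(cfg["zones"] - set(cfg["interfaces"].values())):
        findings.append(f"zone {zone}: defined but has no member interface")
    for zp, z in cfg["zone_pairs"].items():
        if z["policy"] is None:
            findings.append(f"zone-pair {zp}: no service-policy, everything is dropped")
        elif z["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp}: policy-map {z['policy']} is not defined")
    for pm, classes in cfg["policy_maps"].items():
        for cls in classes:
            if cls != "class-default" and cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pm}: class-map {cls} is not defined")
        if "class-default" not in classes:
            findings.append(f"policy-map {pm}: no class-default, unmatched traffic is dropped unlogged")
        elif classes["class-default"] != "drop log":
            findings.append(f"policy-map {pm}: class-default is {classes['class-default']!r}, not 'drop log'")
    return findings
```

Run `audit(parse_config(SAMPLE_CONFIG))` and you get two findings: GigabitEthernet2.410 sits outside every zone, and PM_OPEN passes everything in its class-default. The post's own config, fed on its own, produces none. Feed it `show running-config` output from a real router the same way; the parser only looks at the top-level commands and their indented sub-commands, so the rest of the config is ignored.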

From S01 we can reach S02's HTTP server.

cisco@S01:~$ curl | tail -n 5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11510  100 11510    0     0  15010      0 --:--:-- --:--:-- --:--:-- 15045

And we can ping server S02 as well.

cisco@S01:~$ ping -c 5
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=61 time=220 ms
64 bytes from icmp_seq=2 ttl=61 time=322 ms
64 bytes from icmp_seq=3 ttl=61 time=250 ms
64 bytes from icmp_seq=4 ttl=61 time=203 ms
64 bytes from icmp_seq=5 ttl=61 time=416 ms

--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4010ms
rtt min/avg/max/mdev = 203.221/282.655/416.633/78.396 ms

But if we try to SSH to the server it is blocked. SSH (TCP 22) is not matched by ACL_TELNET (TCP 23), so it falls through to class-default, where it is dropped and logged:

cisco@S01:~$ ssh

*Jun  3 20:37:51.184: %IOSXE-6-PLATFORM:  F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 => due to Policy drop:classify result with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0 
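The drop log above is only useful if someone reads it, so here is an added example (not part of the original post) that turns a stream of %FW-6-DROP_PKT messages into a per-source summary and flags a source that has been dropped on several different destination ports, which is what a port scan against S02 looks like from R10. The log lines are constructed in the format shown above; the addresses, ports and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed syslog sample in the %FW-6-DROP_PKT format shown above. The
# addresses and ports are assumptions; the second line is an unrelated
# message the parser must ignore.
SAMPLE_LOG = """\
*Jun  3 20:37:51.184: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246156627399 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 10.1.10.10:51234 => 10.1.20.10:22 due to Policy drop:classify result with ip ident 24557 tcp flag 0x2, seq 3211098309, ack 0
*Jun  3 20:37:52.001: %SYS-5-CONFIG_I: Configured from console by cisco on vty0
*Jun  3 20:37:53.410: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246158853625 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 10.1.10.10:51235 => 10.1.20.10:23 due to Policy drop:classify result with ip ident 24558 tcp flag 0x2, seq 3211098310, ack 0
*Jun  3 20:37:54.117: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246159560417 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 10.1.10.10:51236 => 10.1.20.10:445 due to Policy drop:classify result with ip ident 24559 tcp flag 0x2, seq 3211098311, ack 0
*Jun  3 20:37:55.902: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246161345331 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 10.1.10.10:51237 => 10.1.20.10:3389 due to Policy drop:classify result with ip ident 24560 tcp flag 0x2, seq 3211098312, ack 0
*Jun  3 20:38:10.330: %IOSXE-6-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000004246175773108 %FW-6-DROP_PKT: Dropping tcp pkt from GigabitEthernet2.110 10.1.10.20:40000 => 10.1.20.10:22 due to Policy drop:classify result with ip ident 1021 tcp flag 0x2, seq 99887766, ack 0
"""

# Only TCP/UDP drops carry a src:port => dst:port pair in this format, so
# the pattern is restricted to those two protocols.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>tcp|udp) pkt from (?P<intf>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) => (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.*?)(?: with ip ident.*)?$"
)


def parse_drops(log_text):
    """Return one dict per %FW-6-DROP_PKT line; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return events


def summarize(events, scan_threshold=3):
    """Per source address: drop count, distinct destination ports, and a
    possible_scan flag once that many distinct ports were hit.
    scan_threshold is an arbitrary cut-off assumed for this example."""
    per_src = defaultdict(lambda: {"drops": 0, "dports": set(), "reasons": set()})
    for ev in events:
        s = per_src[ev["src"]]
        s["drops"] += 1
        s["dports"].add(ev["dport"])
        s["reasons"].add(ev["reason"])
    return {
        src: {"drops": s["drops"], "dports": sorted(s["dports"]),
              "reasons": sorted(s["reasons"]),
              "possible_scan": len(s["dports"]) >= scan_threshold}
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(parse_drops(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample, 10.1.10.10 is flagged (four distinct ports in five seconds) while 10.1.10.20's single SSH attempt is not. Point the parser at the router's syslog export rather than the console; the log line is the same, and the "Policy drop:classify result" reason is what you get from both the explicit CM_TELNET drop and the class-default drop, so the summary is where you tell a misconfigured app apart from a probe.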

From S02 we can't reach S01's HTTP server, because we never created a zone-pair for that direction; inter-zone traffic with no zone-pair is dropped by default.

cisco@S02:~$ curl
curl: (7) Failed to connect to port 80: Connection timed out

We can also see various firewall statistics on the router.

R10#show policy-map type inspect zone-pair ZP_R01_TO_R02 
  Zone-pair: ZP_R01_TO_R02 
  Service-policy inspect : PM_R01_TO_R02

Class-map: CM_HTTP (match-all)  
  Match: protocol http
    Packet inspection statistics [process switch:fast switch]
    http packets: [0:177]

    Session creations since subsystem startup or last reset 7
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [0:0:0]
    Last session created 00:42:18
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 0

Class-map: CM_ICMP (match-all)  
  Match: protocol icmp
    Packet inspection statistics [process switch:fast switch]
    icmp packets: [0:14]

    Session creations since subsystem startup or last reset 2
    Current session counts (estab/half-open/terminating) [0:0:0]
    Maxever session counts (estab/half-open/terminating) [1:0:0]
    Last session created 00:41:55
    Last statistic reset never
    Last session creation rate 0
    Last half-open session total 0

Class-map: CM_TELNET (match-all)  
  Match: access-group name ACL_TELNET
    2 packets, 156 bytes

Class-map: class-default (match-any)  
  Match: any 
    17 packets, 1446 bytes
level 1
2 points1 year ago

The drunken ramblings of a snazzy consultant are always a fun read, so don't take it personally when I say it's an ASA.

level 2
Meow 馃悎馃悎Meow 馃惐馃惐 Meow Meow馃嵑馃悎馃惐Meow A+!Original Poster1 point1 year ago

Meh I blame the drink

level 1

Interesting. Haven't seen this used in the wild so far.

Have you seen or used this in a production environment?

Why would one choose to use this feature if an ASA was available?

Drop some knowledge on me, please mr. packet man.

level 2
Meow 馃悎馃悎Meow 馃惐馃惐 Meow Meow馃嵑馃悎馃惐Meow A+!Original Poster2 points1 year ago

Yup, ZFW is part of IWAN now; it is also fairly popular for DMVPN setups.

You would use it if you don't have an ASA or if you want to secure the DMVPN layer. Though now that Firepower is supported on routers, it will probably overtake the feature.

level 1

Does this work on older routers like 1841s/2811s, and is this secure enough for publicly-facing services?

level 2
Meow 馃悎馃悎Meow 馃惐馃惐 Meow Meow馃嵑馃悎馃惐Meow A+!Original Poster1 point11 months ago

Yup, ZBF has been around for a while; as far as ACLs go, it is far superior to regular ACLs.

level 3

Would an 1841 or maybe an ASA 5505 be good for publicly-facing services run out of my home? (I'd port forward from the ISP router to the 1841 to the VMs running the services.) These services would have very little usage but need to stay online 24/7, and I have a limited budget, but security is important in this case because I feel that some people may specifically attempt to hack these. (It's not paranoia.)
