[HELP] Multi-Interface Firewall Config Help

acherman wrote:

Hi everyone, this is a problem I have been working at off and on for a long time. Before I waste anyone's time posting my config, I'll ask if what I want to do is even possible.
I have a 2811 router running IOS 12.4(22)T. I have Fa0/1 connected to the Internet, and Fa0/0 with VLAN sub-interfaces on it (2 for now). I want one of the VLANs (say Fa0/0.1) to be our private network. I want the other (say Fa0/0.2) to be a public network used for a WiSP service. Currently we use m0n0wall in a similar config but it's nearing the end of its practicality and we want to upgrade.
Anyway, my problem is with traffic flow.
- I want all traffic originating from the Private side to be permitted everywhere (to all other interfaces), and returning traffic to be permitted back (Internet access and management access to the WiSP side).
- I want traffic originating on the WiSP side to be permitted to the Internet (return traffic permitted of course), and traffic not permitted to the Private side.
- I want only specified Internet-originating traffic permitted in to certain hosts.
I have tried just using ACLs, I tried with CBAC (got confused) and just tried using Zone Based Firewall. I can get the Private-to-Internet and WiSP-to-Internet stuff working fine. But each time I try to restrict traffic between the Private network and the WiSP network I either get full traffic flow both ways, or no traffic flow either way. I just want WiSP customers to reach the Internet only, and the private network to reach the Internet and manage the WiSP side.
Is this even possible? Any help is appreciated. I am not good with Cisco configs - slowly getting better. I just played around with ZBF in SDM today and hit the same wall - as soon as I create a zone-pair to block originating traffic in the WiSP zone to the private zone I lose connectivity the other way.
Help? Thanks in advance for anyone willing to help. I am at the point in trying this long enough that I want to pay someone else to do the config to my specs. haha :-|
nosx (join: 2004-12-27, kudos: 5) wrote:

That should be completely possible, the correct technology is the zone based firewall approach. I have used a PIX or ASA in the past to accomplish this, never tried ZBF in IOS before. I'll lab this up Thursday when I have time and reply with any config / suggestions / discoveries.
Bink (join: 2006-05-14, Denver, CO, kudos: 4), reply to acherman:

I have not yet configured CBAC on VLAN interfaces, but can't see why this would be an issue; it should just work with the right configuration. At the same token though, I do something similar at home with VLAN interfaces, but, kind of like you and m0n0wall, I have an OpenBSD box handling this task with nary an issue (and I'm EXTREMELY pleased).
acherman, in reply:

That's great news!! Thanks for the info. I did try ZBF today, but like I said, as soon as I added a policy to block traffic generated from the WiSP side to the Private side I lost connection both ways. Got me discouraged and I asked for help. haha
I love m0n0wall - so easy to configure, and have been running it for a few hundred users for a few years now. But there are a few "quirks" that I think the 2811 can solve for us - just have to duplicate my current install first.
Any info you need to make helping me easier, just let me know. The true install is a little more grand than my diagram, but only in scale (more VLANs on the WiSP side, etc). I can post a true picture if it helps.
Thanks again to both of you for having a look.
nosx (join: 2004-12-27, kudos: 5, 1 edit), reply to acherman:

Alrighty, sorry for the delay, my week has been hectic (but I managed to do my taxes, yay!)
As promised, I have the configuration labbed up right now for a 3 legged zone based firewall, with a subinterface for INSIDE, DMZ-WIFI, and OUTSIDE. The configuration provided will permit outbound traffic in the following directions:
- Inside -> DMZ
- Inside -> Outside
- DMZ -> Outside
All other traffic flows should get dropped by the zone based firewall.
I'm assuming you have a basic configuration with subinterfaces configured, in this case I used .1 .2 and .3. Here we create the zones and join the given interfaces to them:
zone security ZONE_INSIDE
zone security ZONE_DMZ_WIFI
zone security ZONE_OUTSIDE
!
int fa0/0.1
 zone-member security ZONE_INSIDE
int fa0/0.2
 zone-member security ZONE_DMZ_WIFI
int fa0/0.3
 zone-member security ZONE_OUTSIDE
Next I created a generic class-map. You might want multiple class maps with specific inspection entries to only permit or drop certain types of traffic.
class-map type inspect match-any OUTBOUND_TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
Then we create a policy-map for inspecting INSIDE to OUTSIDE traffic and create a zone pairing between the inside and outside with that policy map.
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect OUTBOUND_TRAFFIC
  inspect
!
zone-pair security INSIDE_TO_OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
At this point inside traffic should be able to reach the outside but not the DMZ. To permit traffic from the inside to the DMZ we need to create another policy map and zone pair.
policy-map type inspect INSIDE_TO_DMZ
 class type inspect OUTBOUND_TRAFFIC
  inspect
!
zone-pair security INSIDE_TO_DMZ source ZONE_INSIDE destination ZONE_DMZ_WIFI
 service-policy type inspect INSIDE_TO_DMZ
Now the inside should be able to initiate a connection to anywhere, however the DMZ is still isolated from initiating any connections. We need to create one final policy map and zone pairing to let the DMZ go to the internet via the outside interface:
policy-map type inspect DMZ_TO_OUTSIDE
 class type inspect OUTBOUND_TRAFFIC
  inspect
!
zone-pair security DMZ_TO_OUTSIDE source ZONE_DMZ_WIFI destination ZONE_OUTSIDE
 service-policy type inspect DMZ_TO_OUTSIDE
And that does it. We can validate with some show commands:
R6#show zone security
zone self
  Description: System defined zone

zone ZONE_INSIDE
  Member Interfaces:
    FastEthernet0/0.1

zone ZONE_DMZ_WIFI
  Member Interfaces:
    FastEthernet0/0.2

zone ZONE_OUTSIDE
  Member Interfaces:
    FastEthernet0/0.3

R6#show zone-pair security
Zone-pair name INSIDE_TO_OUTSIDE
    Source-Zone ZONE_INSIDE  Destination-Zone ZONE_OUTSIDE
    service-policy INSIDE_TO_OUTSIDE
Zone-pair name INSIDE_TO_DMZ
    Source-Zone ZONE_INSIDE  Destination-Zone ZONE_DMZ_WIFI
    service-policy INSIDE_TO_DMZ
Zone-pair name DMZ_TO_OUTSIDE
    Source-Zone ZONE_DMZ_WIFI  Destination-Zone ZONE_OUTSIDE
    service-policy DMZ_TO_OUTSIDE
I telnet'd from my inside router through the zone based firewall router to the outside router to demonstrate the session tracking of the zbf.
R6#show policy-map type inspect zone-pair sessions
 Zone-pair: INSIDE_TO_OUTSIDE
  Service-policy inspect : INSIDE_TO_OUTSIDE
    Class-map: OUTBOUND_TRAFFIC (match-any)
      Match: protocol tcp
        2 packets, 48 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        3 packets, 240 bytes
        30 second rate 0 bps
      Inspect
        Established Sessions
         Session 66B2A7AC (1.1.1.1:17512)=>(3.3.3.3:23) tcp SIS_OPEN
          Created 00:08:02, Last heard 00:04:30
          Bytes sent (initiator:responder) [44:81]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

 Zone-pair: INSIDE_TO_DMZ
  Service-policy inspect : INSIDE_TO_DMZ
    Class-map: OUTBOUND_TRAFFIC (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes

 Zone-pair: DMZ_TO_OUTSIDE
  Service-policy inspect : DMZ_TO_OUTSIDE
    Class-map: OUTBOUND_TRAFFIC (match-any)
      Match: protocol tcp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol udp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Anyways I hope you can find some value in this info and adapt it to your environment. To permit inbound traffic the opposite direction, you will want to just create a very restrictive class-map, apply it in a policy-map and then finally stick the policy-map in a zone-pair from out to in or out to dmz, whatever is applicable. I'm not an expert in this stuff, so let me know if there are any glaring errors here guys.
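As an added illustration of the decision logic behind the configuration above (this is not nosx's lab config and not Cisco code), the following Python model parses the ZBF stanzas quoted in the post and replays the rules a zone-based firewall applies to a flow: no zone-pair in the source-to-destination direction means drop, a zone-pair whose policy-map inspects the class permits the flow and records a session so the reply direction is allowed without its own pair, intra-zone traffic is not policed, and anything unmatched falls to class-default and is dropped. The config text, the IP addresses and the `parse_zbf`/`ZoneFirewall` names are constructed for this example; sessions are keyed on IP pair and protocol only, match-all class-maps, ACL-based matches and the self zone are not modelled.

```python
"""Toy model of how a Cisco IOS Zone-Based Firewall decides a flow.

Added example (not Cisco code, not the poster's lab): it parses the ZBF
stanzas from the thread and replays the rules ZBF applies to a packet.
Simplifications: sessions are (zone, zone, src_ip, dst_ip, proto) only;
only 'match protocol' lines in match-any class-maps are understood.
"""
import re

# Constructed config: the three-zone setup from the post, with IOS indentation.
ZBF_CONFIG = """
zone security ZONE_INSIDE
zone security ZONE_DMZ_WIFI
zone security ZONE_OUTSIDE
int fa0/0.1
 zone-member security ZONE_INSIDE
int fa0/0.2
 zone-member security ZONE_DMZ_WIFI
int fa0/0.3
 zone-member security ZONE_OUTSIDE
class-map type inspect match-any OUTBOUND_TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect OUTBOUND_TRAFFIC
  inspect
policy-map type inspect INSIDE_TO_DMZ
 class type inspect OUTBOUND_TRAFFIC
  inspect
policy-map type inspect DMZ_TO_OUTSIDE
 class type inspect OUTBOUND_TRAFFIC
  inspect
zone-pair security INSIDE_TO_OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security INSIDE_TO_DMZ source ZONE_INSIDE destination ZONE_DMZ_WIFI
 service-policy type inspect INSIDE_TO_DMZ
zone-pair security DMZ_TO_OUTSIDE source ZONE_DMZ_WIFI destination ZONE_OUTSIDE
 service-policy type inspect DMZ_TO_OUTSIDE
"""


def parse_zbf(text):
    """Parse the ZBF-related lines of an IOS config into plain dicts."""
    cfg = {"iface_zone": {}, "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    iface = cmap = pmap = pclass = pair = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"int(?:erface)? (\S+)", line):
            iface = m[1]
        elif m := re.fullmatch(r"zone-member security (\S+)", line):
            cfg["iface_zone"][iface] = m[1]
        elif m := re.fullmatch(r"class-map type inspect match-any (\S+)", line):
            cmap = m[1]
            cfg["class_maps"][cmap] = []          # protocols this class matches
        elif m := re.fullmatch(r"match protocol (\S+)", line):
            cfg["class_maps"][cmap].append(m[1])
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
            pmap = m[1]
            cfg["policy_maps"][pmap] = []         # ordered (class, action) pairs
        elif m := re.fullmatch(r"class type inspect (\S+)", line):
            pclass = m[1]
        elif line in ("inspect", "pass", "drop"):
            cfg["policy_maps"][pmap].append((pclass, line))
        elif m := re.fullmatch(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair = (m[1], m[2])
        elif m := re.fullmatch(r"service-policy type inspect (\S+)", line):
            cfg["zone_pairs"][pair] = m[1]
    return cfg


class ZoneFirewall:
    def __init__(self, cfg):
        self.cfg = cfg
        self.sessions = set()   # (src_zone, dst_zone, src_ip, dst_ip, proto)

    def decide(self, in_if, out_if, proto, src_ip, dst_ip):
        """Return 'inspect', 'pass', 'return' (reply of an inspected session) or 'drop'."""
        zones = self.cfg["iface_zone"]
        if in_if not in zones or out_if not in zones:
            return "drop"       # zone member <-> non-member interface is dropped by ZBF
        sz, dz = zones[in_if], zones[out_if]
        if sz == dz:
            return "pass"       # traffic within one zone is not policed
        if (dz, sz, dst_ip, src_ip, proto) in self.sessions:
            return "return"     # stateful reply to a session opened the other way
        policy = self.cfg["zone_pairs"].get((sz, dz))
        if policy is None:
            return "drop"       # no zone-pair in this direction: default deny
        for cls, action in self.cfg["policy_maps"][policy]:
            if proto in self.cfg["class_maps"][cls]:
                if action == "inspect":
                    self.sessions.add((sz, dz, src_ip, dst_ip, proto))
                return action
        return "drop"           # class-default: drop


if __name__ == "__main__":
    fw = ZoneFirewall(parse_zbf(ZBF_CONFIG))
    print(fw.decide("fa0/0.1", "fa0/0.3", "tcp", "1.1.1.1", "3.3.3.3"))   # inspect
    print(fw.decide("fa0/0.3", "fa0/0.1", "tcp", "3.3.3.3", "1.1.1.1"))   # return
    print(fw.decide("fa0/0.2", "fa0/0.1", "icmp", "2.2.2.2", "1.1.1.1"))  # drop
```

The third call is the case the thread is about: with only the three zone-pairs above, a flow from the DMZ/WiSP sub-interface toward the inside one has no pair and no matching session, so it is dropped even though inside-initiated traffic (and its replies) flows freely the other way. Adding a zone-pair in the DMZ-to-inside direction is what would open it, which is why that direction should stay unpaired or carry a restrictive class-map.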
acherman, in reply:

No worries on the delay - I know how a week can get busy very quickly. Anyway, I'm just happy you're willing to help. I will work through this again in the morning and let you know how I make out. I may have some questions about adding ACLs to the class map for inbound stuff. For the most part I am fine passing all traffic types (not blocking anything), just restricting the hosts it goes to.
Thanks again. I REALLY appreciate your time and help.
acherman, reply to nosx:

Hey deepblackmag,
Just wanted to say once again thank you for your help. I was able to adapt your info into my setup and get things working quite well - at least in this test environment.
When adding the zone-pair between the Inside and WiSP zones it did allow pings to be generated from the WiSP zone to the Inside zone - didn't seem right to me, but I created an ACL to block host generated ICMP messages (echo), put it in its own class-map, then added that under the policy map for the outgoing traffic from the WiSP zone (to the Internet zone, but it works).
I am going to set up a few more devices and work with more ACLs embedded inside the policies to test with. I am having a problem with NAT Overload right now that will affect me in the future. Do you know much about that stuff as well?
Anyway, thanks again for your help. Your info added to all of my reading has cleared up a lot of questions I have been stumbling with for a long time (I could even that good of help from Cisco with our SmartNet contract haha).
Thanks very much!!!
Aaron
said by acherman: [quotes Aaron's reply above in full]

We use zbfw in all of our sites. It is really much easier to mess with than people think. Basically you just define your zones, then define the zone-pairs to which you apply a policy-map. You are basically saying I want to apply this set of rules to traffic between this set of two zones. Then you just make class-maps matching nbar, access-lists, or whatever and pass, inspect, or drop that traffic in your policy-map, and the class-default takes care of what's left.
Nice work on the example deepblackmag