[HELP] Multi-Interface Firewall Config Help in Cisco

[HELP] Multi-Interface Firewall Config Help in Cisco http://www.dslreports.com/forum/r21863092 en Wed, 10 Feb 2010 10:46:21 EDT Wed, 10 Feb 2010 10:46:21 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21889223 cooldude9919 :

said by acherman

:

Hey deepblackmag,

Just wanted to say once again thank you for your help. I was able to adapt your info into my setup and get things working quite well - at least in this test environment.

When adding the zone-pair between the Inside and WiSP zones it did allow pings to be generated from the WiSP zone to the Inside zone - didn't seem right to me, but I created and ACL to block host generated ICMP messges (echo), put it in it's own class-map, then added that under the policy map for the outgoing traffic from the WiSP zone (to the Internet zone, but it works).

I am going to set up a few more devices and work with more ACL's embedded inside the policies to test with. I am having a problem with NAT Overload right now that will affect me in the future. Do you know much about that stuff as well?

Anyway, thanks again for your help. Your infor added to all of my reading has cleared up a lot of questions I have been stumbling with for a long time (I could even that good of help from Cisco with our Smarnet contract haha).

Thanks very much!!!

Aaron

We use zbfw in all of our sites. It is really much easier to mess with then people think. Basically you just define your zones then define the zone-pairs to which you apply a policy-map too. You are basically saying i want to apply this set of rules to traffic between this set of two zones. Then you just make class-maps maching nbar,access-lists, or whatever and pass,inspect, or drop that traffic in your policy-map and the class-default takes care of whats left.

Nice work on the example deepblackmag]]> http://www.dslreports.com/forum/remark,21889223 Mon, 09 Feb 2009 16:14:38 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21889155 acherman : Hey deepblackmag,

Just wanted to say once again thank you for your help. I was able to adapt your info into my setup and get things working quite well - at least in this test environment.

When adding the zone-pair between the Inside and WiSP zones it did allow pings to be generated from the WiSP zone to the Inside zone - didn't seem right to me, but I created and ACL to block host generated ICMP messges (echo), put it in it's own class-map, then added that under the policy map for the outgoing traffic from the WiSP zone (to the Internet zone, but it works).

I am going to set up a few more devices and work with more ACL's embedded inside the policies to test with. I am having a problem with NAT Overload right now that will affect me in the future. Do you know much about that stuff as well?

Anyway, thanks again for your help. Your infor added to all of my reading has cleared up a lot of questions I have been stumbling with for a long time (I could even that good of help from Cisco with our Smarnet contract haha).

Thanks very much!!!

Aaron]]> http://www.dslreports.com/forum/remark,21889155 Mon, 09 Feb 2009 16:05:56 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21884926 acherman : No worries on the delay - I know how a week can get busy very quickly. Anyway, I'm just happy you're willing to help. I will work through this again in the morning and let you know how I make out. I may have some questions about adding ACL's to the class map for inbound stuff. For the most part I am fine passing all traffic types (not blocking anything), just restricting the hosts it goes to.

Thanks again. I REALLY appreciate your time and help.]]> http://www.dslreports.com/forum/remark,21884926 Sun, 08 Feb 2009 19:22:36 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21884797 deepblackmag : Alrighty sorry for the delay, my week has been hectic (but i managed to do my taxes, yay!)

As promised, i have the configuration labbed up right now for a 3 legged zone based firewall, with a subinterface for INSIDE, DMZ-WIFI, and OUTSIDE.
The configuration provided will permit outbound traffic in the following directions:
Inside->DMZ
Inside->Outside
DMZ->Outside
All other traffic flows should get dropped by the zone based firewall.

Im assuming you have a basic configuration with subinterfaces configured, in this case i used .1 .2 and .3
Here we created the zones and join the given interfaces to them:

Next i created a generic class-map. You might want multiple class maps with specific inspection entries to only permit or drop certain types of traffic.

Then we create a policy-map for inspecting INSIDE to OUTSIDE traffic and create a zone pairing between the inside and outside with that policy map.

At this point inside traffic should be able to reach the outside but not the DMZ. To permit traffic from the inside to the DMZ we need to create another policy map and zone pair.

Now the inside should be able to initiate a connection to anywhere, however the DMZ is still isolated from initiating any connections. We need to create one final policy map and zone pairing to let the DMZ goto the internet via the outside interface:

And that does it. We can validate with some show commands:

I telnet'd from my inside router through the zone based firewall router to the outside router to demonstrate the session tracking of the zbf.

R6#show policy-map type inspect zone-pair sessions Zone-pair: INSIDE_TO_OUTSIDE   Service-policy inspect : INSIDE_TO_OUTSIDE     Class-map: OUTBOUND_TRAFFIC (match-any)      Match: protocol tcp        2 packets, 48 bytes        30 second rate 0 bps      Match: protocol udp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol icmp        3 packets, 240 bytes        30 second rate 0 bps      Inspect        Established Sessions         Session 66B2A7AC (1.1.1.1:17512)=>(3.3.3.3:23) tcp SIS_OPEN          Created 00:08:02, Last heard 00:04:30          Bytes sent (initiator:responder) [44:81]     Class-map: class-default (match-any)      Match: any       Drop (default action)        0 packets, 0 bytes Zone-pair: INSIDE_TO_DMZ   Service-policy inspect : INSIDE_TO_DMZ     Class-map: OUTBOUND_TRAFFIC (match-any)      Match: protocol tcp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol udp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol icmp        1 packets, 80 bytes        30 second rate 0 bps      Inspect     Class-map: class-default (match-any)      Match: any       Drop (default action)        0 packets, 0 bytes Zone-pair: DMZ_TO_OUTSIDE   Service-policy inspect : DMZ_TO_OUTSIDE     Class-map: OUTBOUND_TRAFFIC (match-any)      Match: protocol tcp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol udp        0 packets, 0 bytes        30 second rate 0 bps      Match: protocol icmp        1 packets, 80 bytes        30 second rate 0 bps      Inspect     Class-map: class-default (match-any)      Match: any       Drop (default action)        0 packets, 0 bytes

Anyways I hope you can find some value in this info and adapt it to your environment. To permit inbound traffic the opposite direction, you will want to just create a very restrictive class-map, apply it in a policy-map and then finally stick the policy-map in a zonepair from out to in or out to dmz whatever is applicable. Im not an expert in this stuff, so let me know if there are any glaring errors here guys.
]]> http://www.dslreports.com/forum/remark,21884797 Sun, 08 Feb 2009 18:56:03 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21865141 acherman : That's great news!! Thanks for the info. I did try ZBF today, but like I said, as soon as I added a policy to block traffic generated from the WiSP side to the Private side I lost connection both ways. Got me discouraged and I asked for help. haha

I love m0n0wall - so easy to configure, and have been running it for a few hundred users for a few years now. But there are afew "quirks" that I think the 2811 can solve for us - just have to duplicate my current install first.

Any info you need to make helping me easier just ket me know. The true install is a little more grand than my diagram, but only in scale (more VLANs on the WiSP side, etc). I can post a true picture if it helps.

Thanks again to both of you for having a look.]]> http://www.dslreports.com/forum/remark,21865141 Wed, 04 Feb 2009 23:57:13 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21864692 Bink : I have not yet configured CBAC on VLAN interfaces, but can’t see why this would be an issue—it should just work with the right configuration. At the same token though, I do something similar at home with VLAN interfaces, but, kind of like you and m0n0wall, I have an OpenBSD box handling this task with nary an issue (and I’m EXTREMELY pleased).]]> http://www.dslreports.com/forum/remark,21864692 Wed, 04 Feb 2009 22:15:41 EDT Re: [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21864254 deepblackmag : That should be completely possible, the correct technology is the zone based firewall approach.
I have used a PIX or ASA in the past to accomplish this, never tried ZBF in IOS before.
Ill lab this up thursday when I have time and reply with any config / suggestions / discoverys.]]> http://www.dslreports.com/forum/remark,21864254 Wed, 04 Feb 2009 21:01:07 EDT [HELP] Multi-Interface Firewall Config Help http://www.dslreports.com/forum/remark,21863092 acherman : Hi everyone, this is a problem I have been working at off and on for a long time. Before I waste anyone's time posting my config I'll ask if what I want to do is even possible.

I have a 2811 router running IOS 12.4(22)T. I have Fa0/1 connected to the Internet, and Fa0/0 with VLAN sub-interfaces on it (2 for now). I want one of the VLAN's (say Fa0/0.1) to be our private network. I want the other (say Fa0/0.2) to be a public network used for a WiSP service. Currently we use m0n0wall in a similar config but it's nearing the end of it's practicality and we want to upgrade.

Anyway, my problem is with traffic flow.
-I want all traffic originating from the Private side to be permitted everywhere (to all other interfaces), and returning traffic to be permitted back (Internet access and management access to the WiSP side).
-I want traffic originating on the WiSP side to be permitted to the Internet (return traffic permitted of course), and traffic not permitted to the Private side.
-I want only specified Internet-originating traffic permitted in to certain hosts.

I have tried just using ACL's, I tried with CBAC (got confused) and just tried using Zone Based Firewall. I can get the Private-to-Internet and WiSP-to-Internet stuff working fine. But each time I try to restrict traffic between the Private network and the WiSP network I either get full traffic flow both ways, or no traffic flow either way. I just want WiSP customer to reach the Internet only, and the private network to reach the Internet and manage the WiSP side.

Is this even possible? Any help is appreciated. I am not good with Cisco configs - slowly getting better. I just played around with ZBF in SDM today and hit the same wall - as soon as I create a zone-pair to block originating traffic in the WiSP zone to the private zone I lose connectivity the other way.

Help? Thanks in advance for anyone willing to help. I am at the point in trying this long enough that I want to pay someone else to do the config to my specs. haha :-|

Firewall Zones.pdf

]]> http://www.dslreports.com/forum/remark,21863092 Wed, 04 Feb 2009 17:41:47 EDT