gleixnerd

Check of ZFW Firewall

Hi together,

I will post my running cisco config below.
I have an external modem on my Cisco router, which gets a fixed IP address from the provider. I implemented a ZFW firewall and now I have a few questions.

1. When I allowed ICMP from Internet to self and self to Internet, I cannot ping the router from outside at all. And I cannot ping from the router to 8.8.8.8, for example. If I disable NAT the router can ping 8.8.8.8. That is confusing for me, because that means that the router will send a ping to 8.8.8.8 and the response will then be translated by NAT? Or why does it not work with NAT?

2. I could not figure out how to check that the FW is working properly. There are a few show commands but they only show me how many packets are dropped or passed. I tried some log commands on the policy settings but can't access them. I am searching for a way to see exactly which packets are dropped, passed, inspected and so on.

3. In the section policy-map ... and class type inspect ... I can set the parameter drop, inspect or pass. As I understand it, the difference between inspect and pass is that pass will only pass the packets from one zone to the other, while inspect will allow the return traffic as well without a policy on the other zone pair. Is that correct? So if I inspect for example port 1701 and PC A sends a test packet with a dynamic source port 34500, for example, then the packet will be forwarded and the return traffic to port 34500 is then also allowed?

4. What is the difference on a class-map if I use it with an access-list or with the match protocol commands?

5. When I use the show ip nat translation command, I see many translations on random ports, is this normal? That would mean that NAT is translating incoming traffic first and then the firewall drops the traffic. Is that true?

6. Maybe you can give me an assessment of my configuration, that would be very helpful. Are there any other security settings I can do to secure my network?


version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 7
enable secret 9 XXX
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authorization network default local 
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip domain name XXX
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!

parameter-map type inspect global
 log dropped-packets
multilink bundle-name authenticated
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
 mode none
!
!
!
!
!
no cdp run
!
!
class-map type inspect match-any ALLOW_IN
 match access-group name ALLOWv4
class-map type inspect match-any ROUTER_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any INTERNET_ALLOW
 match access-group name ALLOWINTERNET
class-map type inspect match-any LOCAL_ALLOW
 match access-group name ALLOWLOCAL
!
policy-map type inspect ROUTER_INTERNET_POLICY
 description Traffic Router to Internet
 class type inspect ROUTER_PROTOCOLS
  inspect
 class class-default
  drop
policy-map type inspect INTERNET_ROUTER_POLICY
 description Traffic Internet to Router
 class type inspect ALLOW_IN
  pass
 class class-default
  drop log
policy-map type inspect LOCAL_INTERNET_POLICY
 description Traffic LOCAL to Internet
 class type inspect LOCAL_ALLOW
  pass
 class class-default
  drop
policy-map type inspect INTERNET_LOCAL_POLICY
 class type inspect INTERNET_ALLOW
  pass
 class class-default
  drop log
!
zone security LOCAL
zone security INTERNET
zone-pair security INTERNET_LOCAL source INTERNET destination LOCAL
 service-policy type inspect INTERNET_LOCAL_POLICY
zone-pair security INTERNET_ROUTER source INTERNET destination self
 service-policy type inspect INTERNET_ROUTER_POLICY
zone-pair security LOCAL_INTERNET source LOCAL destination INTERNET
 service-policy type inspect LOCAL_INTERNET_POLICY
zone-pair security ROUTER_INTERNET source self destination INTERNET
 service-policy type inspect ROUTER_INTERNET_POLICY
! 
! 
! 
interface GigabitEthernet0/0/0
 description Internet static IP
 no ip address
 zone-member security INTERNET
 speed 1000
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/0.7
 description VLAN 7 tag for DSL
 encapsulation dot1Q 7
 zone-member security INTERNET
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description local LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security LOCAL
 ip tcp adjust-mss 1452
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 zone-member security INTERNET
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXX@t-online.de password 7 XXX
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source static 192.168.1.2 XXX
!
!
ip access-list extended ALLOWINTERNET
 10 permit udp any any eq 1701
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
 50 permit ahp any any
ip access-list extended ALLOWLOCAL
 10 permit udp any any eq 1701
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
 50 permit ahp any any
 60 permit tcp any any
 70 permit udp any any
ip access-list extended ALLOWv4
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
ip access-list extended CLI_ACCESS
 10 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 20 deny   ip any any log-input
 3 remark Config Access Router ACL
!
dialer-list 1 protocol ip list 120
!
!
!
!
!
!
control-plane
!
banner exec ^CSie sind verbunden mit VTY $(line) auf dem Router $(hostname)^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class CLI_ACCESS in
 exec-timeout 120 0
 transport input ssh
!


Thank you very much and best regards
gleixnerd

Url: https://administrator.de/contentid/3586182481

Member: aqui
aqui Apr 19, 2024 updated at 08:39:22 (UTC)
1.)
That is normal behaviour.
You have mapped the ACL "ALLOWv4" to the policy-map "INTERNET_ROUTER_POLICY" which is responsible for the protocols which are allowed to pass the firewall from outside (FROM Internet TO the router).
Your ACL "ALLOWv4" only allows IPsec traffic from outside but is missing permit icmp any any echo to let ICMP echo requests pass as well.
Btw. if you get a fixed IP address you can make the "ALLOWv4" ACL a bit stricter and define your static IPv4 as the target IP like:
ip access-list extended ALLOWv4
20 permit udp any <wan_ip_address> eq isakmp
30 permit udp any <wan_ip_address> eq non500-isakmp
40 permit esp any <wan_ip_address>
50 permit icmp any <wan_ip_address> echo


2.)
Try sh policy-map type inspect zone-pair sessions which shows all inspected end stations by IP and protocol, and show policy-map type inspect zone-pair <zone_pair_name> for detailed protocol statistics.

3.)
That is correct!

4.)
Access lists define which IPs, ports etc. are allowed, and match protocol defines the protocols in general which are allowed and will be inspected more deeply. With match protocol you have to watch the sequence, because the deeper inspected protocols have to be placed before the shotgun commands match protocol tcp and match protocol udp at the end!
These commands will inspect ALL UDP and TCP protocols not explicitly defined above. So it is mandatory to put them at the end of the list.
If you want to inspect and pass only the dedicated TCP protocols defined above, you need to omit these shotgun commands in the match protocol sequence.
Protocol and ACL class maps can of course be combined here.

5.)
No, that's not true! The NAT overload function (in case you mean this?!) translates only IP addresses and not ports.
As a professional networking specialist you know and should keep in mind that source ports are always random in TCP and UDP sessions by design. Only destination ports are dedicated and dependent on the application.

6.)
Always check the ZFW section in the Cisco tutorial for a proper setup!
It is unfortunately in German, but a translator may help here; otherwise just ask.
If you need to do port forwarding with the ZFW firewall you'll find a dedicated English tutorial HERE.
Member: gleixnerd
gleixnerd Apr 19, 2024 at 09:29:32 (UTC)
1. I have tried that a few days ago, that's why you don't see ICMP allowed in the lists. But with one difference, I entered permit icmp any any on the Internet-to-router and router-to-Internet policy. I thought that should work as well, but it didn't. So you say it is normal behaviour that the echo reply will then be translated via NAT?

2. I thought I already tried that but I will try it again.

4. Got it. But what is the consequence of inspect? Will it see packets which are dangerous but are sent with a matched protocol?

5. I think you misunderstood my question. Yes, that is clear, that source ports are always random. But I have a static NAT running and when I take a look at show ip nat translations, I get entries which have a destination port that I have not allowed in the firewall. That's why I am asking if the NAT translation is happening before the firewall is inspecting the traffic. Because then I don't have to worry about those entries. But if they should be dropped before the NAT translation is happening, then something doesn't work with the FW, because why would those entries be there then?
You know what I mean?

6. I thought I tried everything in there but maybe I missed something. I thought there should be a possibility to see that for example the access-list ALLOWv4 dropped 100 packets and show me details about the packets like source and destination ip/port.

Thank you very much and best regards
gleixnerd
Member: aqui
aqui Apr 19, 2024, updated at Apr 20, 2024 at 11:33:07 (UTC)
1.)
So you say it is a normal behaviour that the echo reply will then be translated via nat?
No, of course not. Everything which is translated by NAT is explicitly defined in the ACL which is mapped to the overload command. I guess in your case it's ACL 120?! (Not shown in the config excerpt!)

ip nat inside source list 120 interface Dialer0 overload
!
access-list 120 permit ip 192.168.101.0 0.0.0.255 any
(only source IPs with 192.168.101.x are NATed!)
!
dialer-list 1 protocol ip list 120


Due to the fact that outside Internet IPs do not match the NAT ACL, they are never translated. Apart from that they come in on the ip nat outside interface, so the NAT ACL will never get a match anyway, because it applies ONLY to the inside interface! The echo reply will therefore be sent with the WAN IP address (self) as source.

5.)
Static NAT from an outbound or an inbound interface? So, a port forwarding (from outbound) or a static NAT from an inbound interface to a static IP on the outbound? Overload is PAT. That's unfortunately unclear. 🤔 (Port forwarding setup for a ZFW can be seen here)

6.)
Yes, that could be seen as well, but with the ACL counters. show access-lists shows you all blocked packets. If you need more detailed info on this, add the "log" parameter to the ACL statements. But be careful here. ACL logs are process switched (done in CPU) and hence logs should not be written from ACLs that block a wide range of packets, which can overwhelm the CPU.

Important:
You've made another severe configuration error in the above config!!
The interface GigabitEthernet0/0/0 together with its corresponding 0.7 subinterface is only the physical interface to where the Dialer Interface is mapped.
This interface carries NO IP address and is therefore only a physical L2 mapping with no IP traffic.
Firewalls are of course explicitly used on interfaces WITH IP addresses, because a firewall is based on IP.
So never ever set a ZFW zone on non IP Interfaces. This is obviously wrong and should be instantly removed!!
The dialer is here the interface which participates in IP forwarding and holds the (WAN) zone!
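As an added example (not config from the thread), here is an IOS excerpt that applies answers 1, 3 and 4 above together with the "Important" note. It assumes <wan_ip_address> stands for the router's static WAN address and that the router itself terminates IPsec (which is why ALLOWv4 passes ESP to self); the ACL and class names not already in the running config are chosen here.

```cisco
! Added example, not code from the thread: corrected ZFW excerpt.
! Assumptions: <wan_ip_address> = static WAN address; the router is the
! IPsec endpoint; IPSEC_OUT and ROUTER_IPSEC are names chosen here.
!
! Answer 1: ALLOWv4 had no ICMP line, so no ping from outside could match.
ip access-list extended ALLOWv4
 20 permit udp any host <wan_ip_address> eq isakmp
 30 permit udp any host <wan_ip_address> eq non500-isakmp
 40 permit esp any host <wan_ip_address>
 50 permit icmp any host <wan_ip_address> echo
!
! Answer 4: specific protocols first, the "shotgun" tcp/udp lines last,
! otherwise they swallow the protocols that should be inspected deeper.
class-map type inspect match-any ROUTER_PROTOCOLS
 match protocol icmp
 match protocol dns
 match protocol ssh
 match protocol tcp
 match protocol udp
!
! Answer 3: "pass" is one-way. ESP reaching the router via ALLOW_IN
! therefore needs a matching pass class on the self -> INTERNET pair, or
! the router's own ESP packets hit class-default and are dropped.
ip access-list extended IPSEC_OUT
 10 permit esp host <wan_ip_address> any
class-map type inspect match-any ROUTER_IPSEC
 match access-group name IPSEC_OUT
policy-map type inspect ROUTER_INTERNET_POLICY
 class type inspect ROUTER_PROTOCOLS
  inspect
 class type inspect ROUTER_IPSEC
  pass
 class class-default
  drop log
!
! "Important": the physical port and its VLAN 7 subinterface carry no IP
! address; Dialer1 is the IP interface, so it alone holds the zone.
interface GigabitEthernet0/0/0
 no zone-member security INTERNET
interface GigabitEthernet0/0/0.7
 no zone-member security INTERNET
interface Dialer1
 zone-member security INTERNET
!
! Verification from answer 2 (exec mode): inspected sessions, then the
! per-class packet counters of the zone pair.
! show policy-map type inspect zone-pair INTERNET_ROUTER sessions
! show policy-map type inspect zone-pair INTERNET_ROUTER
```

The dropped packets of class-default also show up in syslog because the running config already sets log dropped-packets in parameter-map type inspect global.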
Member: gleixnerd
gleixnerd Apr 22, 2024 at 12:01:55 (UTC)
1. Yes, but I don't use the overload command, I use static NAT that translates one internal IP to the public WAN IP.

ip nat inside source static 192.168.1.2 <WANIP>

And if that is active, a ping from the router itself to 8.8.8.8, for example, is not successful. If I disable the static NAT, it is successful. That's what I don't understand.


5. Here the same, as I wrote on 1. I use a static NAT like that:

ip nat inside source static 192.168.1.2 <WANIP>

and with that configuration, I get like 10-20 entries in the ip nat translations list. And among those entries are some with ports that I didn't allow on the ZFW.

6. Okay perfect thank you


Thank you for your note, I didn't know about that. I thought I had to put every interface which is on the Internet side into the Internet zone. But good to know. Fixed that already.
Member: aqui
aqui Apr 22, 2024 updated at 14:05:41 (UTC)
1.)
OK, in this case you can of course just ignore the overload command!
And if that is active, a ping from the router itself to 8.8.8.8 for example is not successfull.
Yes, that is to be expected, because you did not define a source address with the ping command!
If you do NOT do this, the router takes its local LAN IP as source, and this IP is NOT translated by your static NAT statement, because it only translates traffic from host 192.168.1.2 but not the local LAN IP.
If you issue a ping 8.8.8.8 source <wan_ip> or <wan_interface> it will work fine even with the NAT statement!
Always keep in mind what NAT is doing!! The Cisco does exactly what you tell it to do!!