Check of ZFW Firewall

Hi together,

I will post my running cisco config below.
I have an external modem on my cisco router, which gets an fixed IP-Adress from the provider. I implemented a ZFW firewall and now I have a few questions.

1. When I allowed ICMP from Internet to self and self to internet, I can not ping the router from outside overall. And I can not ping from the router to 8.8.8.8 for example. If I disable NAT the router can ping 8.8.8.8. That is confusing for me, cause that means, that the router will send a ping to 8.8.8.8 and the response will then be translated from nat? Or why does it not work with nat?

2. I could not figure out how to check that the fw is working properly. There are a few show commands but they only show me how many packets are dropped or passed. I tried some log commands on the policy settings but cant access them. I search for a way to exactly see which packets are dropped, passed, inspected and so on.

3. In the section policy-map ... and class type inspect... I can set the parameter drop, inspect or pass. As I understand, the difference between inspect and pass is, that pass will only pass the packets from one zone to the other, while inspect will allow the retraffic as well without a policy on the other zone pair. Is that correct? So if I inspect for example port 1701 and PC A send a test packet with a dynamic source port 34500 for example, then the packet will be forwarded and the retraffic to the port 34500 is then also allowed?

4. What is the difference on class-map if i use it with a access-list or with the match protocol commands?

5. When I use the show ip nat translation command, I see many translations on random ports, is this normal? That would mean that NAT is translating incoming traffic first and then the firewall drops the traffic. Is that true?

6. Maybe you can give me an assessment to my configuration, that would be very helpful. Are there any other security settings I can do to secure my network?

version 17.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
security authentication failure rate 3 log
security passwords min-length 7
enable secret 9 XXX
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default local
aaa authorization network default local 
!
!
!
!
!
!
aaa session-id common
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip domain name XXX
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!

parameter-map type inspect global
 log dropped-packets
multilink bundle-name authenticated
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
 mode none
!
!
!
!
!
no cdp run
!
!
class-map type inspect match-any ALLOW_IN
 match access-group name ALLOWv4
class-map type inspect match-any ROUTER_PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any INTERNET_ALLOW
 match access-group name ALLOWINTERNET
class-map type inspect match-any LOCAL_ALLOW
 match access-group name ALLOWLOCAL
!
policy-map type inspect ROUTER_INTERNET_POLICY
 description Traffic Router to Internet
 class type inspect ROUTER_PROTOCOLS
  inspect
 class class-default
  drop
policy-map type inspect INTERNET_ROUTER_POLICY
 description Traffic Internet to Router
 class type inspect ALLOW_IN
  pass
 class class-default
  drop log
policy-map type inspect LOCAL_INTERNET_POLICY
 description Traffic LOCAL to Internet
 class type inspect LOCAL_ALLOW
  pass
 class class-default
  drop
policy-map type inspect INTERNET_LOCAL_POLICY
 class type inspect INTERNET_ALLOW
  pass
 class class-default
  drop log
!
zone security LOCAL
zone security INTERNET
zone-pair security INTERNET_LOCAL source INTERNET destination LOCAL
 service-policy type inspect INTERNET_LOCAL_POLICY
zone-pair security INTERNET_ROUTER source INTERNET destination self
 service-policy type inspect INTERNET_ROUTER_POLICY
zone-pair security LOCAL_INTERNET source LOCAL destination INTERNET
 service-policy type inspect LOCAL_INTERNET_POLICY
zone-pair security ROUTER_INTERNET source self destination INTERNET
 service-policy type inspect ROUTER_INTERNET_POLICY
! 
! 
! 
interface GigabitEthernet0/0/0
 description Internet static IP
 no ip address
 zone-member security INTERNET
 speed 1000
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/0.7
 description VLAN 7 tag for DSL
 encapsulation dot1Q 7
 zone-member security INTERNET
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/1
 description local LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security LOCAL
 ip tcp adjust-mss 1452
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast reverse-path
 zone-member security INTERNET
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXX@t-online.de password 7 XXX
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source static 192.168.1.2 XXX
!
!
ip access-list extended ALLOWINTERNET
 10 permit udp any any eq 1701
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
 50 permit ahp any any
ip access-list extended ALLOWLOCAL
 10 permit udp any any eq 1701
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
 50 permit ahp any any
 60 permit tcp any any
 70 permit udp any any
ip access-list extended ALLOWv4
 20 permit udp any any eq isakmp
 30 permit udp any any eq non500-isakmp
 40 permit esp any any
ip access-list extended CLI_ACCESS
 10 permit tcp 192.168.1.0 0.0.0.255 any eq 22
 20 deny   ip any any log-input
 3 remark Config Access Router ACL
!
dialer-list 1 protocol ip list 120
!
!
!
!
!
!
control-plane
!
banner exec ^CSie sind verbunden mit VTY $(line) auf dem Router $(hostname)^C
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class CLI_ACCESS in
 exec-timeout 120 0
 transport input ssh
!

Thank you very much and best regards
gleixnerd

Bitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben

Content-ID: 3586182481

Url: https://administrator.de/contentid/3586182481

Ausgedruckt am: 23.11.2024 um 17:11 Uhr

6 Kommentare

Neuester Kommentar

1.)
That is normal behaviour.
You have mapped the ACL "ALLOWv4" to the policy-map "INTERNET_ROUTER_POLICY" which is responsable for the protocols which are allowed to pass the firewall from outside. (FROM internet TO the router)
Your acl "ALLOWv4" only allows IPsec traffic from outside but missed having permit icmp any any echo configured to let ICMP echo requests pass as well.
Btw. if you get a fix IP addresse you can make the "ALLOWv4" ACL a bit more stricter and define your static IPv4 as the target IP like:
ip access-list extended ALLOWv4
20 permit udp any <wan_ip_address> eq isakmp
30 permit udp any <wan_ip_address> eq non500-isakmp
40 permit esp any <wan_ip_address>
50 permit icmp any <wan_ip_address> echo

2.)
Try sh policy-map type inspect zone-pair sessions which shows all inspected endstations by ip and protocol and show policy-map type inspect zone-pair <zone_pair_name> for detailed protocol statistics.

3.)
That is correct!

4.)
Access lists define which IPs, ports etc. are allowed and match protocol defines the protocols in general which are allowed and will be deeper inspected. With match protocol you have to watch the sequence, cause deeper inspected protocols have to be placed before the shotgun commands match protocol tcp and match protocol udp at the end!
These commands will inspect ALL not explicitly defined above UDP and TCP protocols. So it is mandatory to put them at the end of the list.
If you like to inspect and pass only dedicated TCP protocols defined above you need to omit these shotgun commands in the match protocol sequence.
Protocol and ACL class maps can of course be combined here.

5.)
No, thats not true! The NAT overload function (in case you mean this?!) translates only IP addresses and not ports.
As a professional networking specialist you know and should keep in mind that source ports are always random in TCP and UDP session by design. Only destination Ports are dedicated and dependent on the application.

6.)
Always check the ZFW section in the Cisco tutorial for a proper setup!
Unfortunately in German but a translator my help here otherwise just ask.
If you need to do port forwarding with the ZFW firewall you'll find a dedicated English tutorial HERE.

1. I have tried that a few day ago, thats why you dont see icmp allowed in the lists. But with one difference, I entered permit icmp any any on internet to router and router to internet policy. I thought that should work as well, but it didnt. So you say it is a normal behaviour that the echo reply will then be translated via nat?

2. I thought I already tried that but I will try it again.

4. Got it. But what is the consequence of inspect? Will it see packets which are dangerous but are sent with a matched protocol?

5. I think you missunderstood my question. Yes that is clear, that source ports are always random. But I have a static NAT running and when I take a look at show ip nat translatios, I get entries which have a destination port, that I have not allowed in the firewall. Thats why I am asking if the nat translation is happening before the firewall is inspecting the traffic. Because then I dont have to worry about those entries. But if they should be dropped before the nat translation is happening, then something doesnt work with the FW, cause why would those entries be there then?
You know what I mean?

6. I thought I tried everything in there but maybe I missed something. I thought there should be a possibility to see that for example the access-list ALLOWv4 dropped 100 packets and show me details about the packets like source and destination ip/port.

Thank you very much and best regards
gleixnerd

1.)

So you say it is a normal behaviour that the echo reply will then be translated via nat?

No, of course not. Everything which is translated by NAT is explicitly defined in the ACL which is mapped to the overload command. I guess in your case its all 120?! (Not shown in config excerpt!)

ip nat inside source list 120 interface Dialer0 overload
!
access-list 120 permit ip 192.168.101.0 0.0.0.255 any (only source IPs with 192.168.101.x are NATed!)
!
dialer-list 1 protocol ip list 120

Due to the fact that outside Internet IPs are not matching the NAT ACL they were never tranlated. Other than that they come in on the ip nat outside interface, so the NAT acl will never get a match anyway, cause its related ONLY on the inside interface! The echo reply will therefore send with the WAN IP address (self) as source.

5.)
Static NAT from an outbound or an inbound interface? So, a port forwarding (from outbound) or a static NAT from an inbound interface to a static IP on the outbound? Overload is PAT. Thats unfortunately unclear? 🤔 (Port forwarding setup for a ZFW can be seen here)

6.)
Yes, that could be seen as well but with the ACL counters. show access-lists shows you all blocked packets. If you need more detailed info on this add the "log" parameter to the acl statements. But be carefull here. ACL logs are process switched (done in CPU) and hence logs should not be written from acls who block a wide range of packets which can overwhelm the CPU.

Important:
You've made another severe configuration error in the above config!!

The interface GigabitEthernet0/0/0 together with its corresponding 0.7 subinterface is only the physical interface to where the Dialer Interface is mapped.
This interface carries NO IP address and is therefore only a physical L2 mapping with no IP traffic.
Firewalls are of course explicitly used on Interfaces WITH IP addresses, cause a firewall is based on IP.
So never ever set a ZFW zone on non IP Interfaces. This is obviously wrong and should be instantly removed!!
The dialer is here the interface which participates in IP forwarding and holds the (WAN) zone!

1. Yes but I dont use the overload command, I use static NAT that translates one internal IP to the public WAN IP.

ip nat inside source static 192.168.1.2 <WANIP>

And if that is active, a ping from the router itself to 8.8.8.8 for example is not successfull. If I disable the static NAT, it is successful. Thats what I dont understand.

5. Here the same, as I wrote on 1. I use a static NAT like that:

ip nat inside source static 192.168.1.2 <WANIP>

and with that configuration, I get like 10-20 entries in the ip nat translations list. And under those entries are some whith ports that I didnt allow on the ZFW.

6. Okay perfect thank you

Thank you for your note, didnt know about that. I thought I have to put every interface which is on the internet side ot the internet zone. But good to know. Fixed that already.

1.)
OK, in this case you can of course just ignore the overload command!

And if that is active, a ping from the router itself to 8.8.8.8 for example is not successfull.

Yes, that is expectable cause, you did not define a source address with the ping command!

If you do NOT do this, the router takes his local LAN IP as source and this IP is due to your static NAT statement NOT translated cause it only translates traffic from host 192.168.1.2 but not the local LAN IP.
If you issue a ping 8.8.8.8 source <wan_ip>or<wan_interface> it will work fine even with the NAT statement!

Always keep in mind what NAT is doing!! The Cisco does exactly what you tell him to do!!