Transparent Firewall (IOS) and CBAC - dhcp-passthrough
Today I'd like to implement an L2 (transparent) firewall on a Cisco router using CBAC. A few months ago I did a similar lab, but today I'd like to add a new requirement:
- allowing DHCP packets across the L2 firewall.
                   fa1/0/11                               fa1/0/13
/----\                /-----------------------\                /----\
| R2 |---------------|          SW            |---------------| R3 |
\----/                \----------/\-----------/                \----/
gig0/0           fa1/0/9 -/  /----\  \- fa1/0/10                fa0/0
10.0.0.1                    | R1 |                         dhcp client
dhcp server          gig0/0 \----/ gig0/1
                 VLAN 10       L2 FW        VLAN 20
      --------------------------->|<----------------------------
To begin, in order to test connectivity and CBAC, R3's interface fa0/0 will have a static IP of 10.0.0.11/24:
hostname r1
!
bridge irb
!
interface GigabitEthernet0/0
no ip address
ip access-group 101 in
bridge-group 1
!
interface GigabitEthernet0/1
no ip address
ip inspect L2-FW in
bridge-group 1
!
ip inspect name L2-FW icmp alert on audit-trail on
ip inspect name L2-FW tcp alert on audit-trail on
ip inspect name L2-FW telnet alert on audit-trail on
!
access-list 101 deny ip any any
!
hostname r2
!
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!
ip dhcp pool POOL
network 10.0.0.0 255.255.255.0
!
!
interface GigabitEthernet0/0
description link to MP-SW Fas 1/0/11
ip address 10.0.0.1 255.255.255.0
!
hostname r3
!
interface FastEthernet0/0
ip address 10.0.0.11 255.255.255.0
duplex auto
speed auto
!
hostname MP-SW
!
vlan 10
name R2-R1
!
vlan 20
name R1-R3
!
!
interface FastEthernet1/0/9
description to R1-2911 gi0/0
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/0/10
description to R1-2911 gi0/1
switchport access vlan 20
switchport mode access
!
interface FastEthernet1/0/11
description to R2-2911 gi0/0
switchport access vlan 10
switchport mode access
!
interface FastEthernet1/0/13
description to R3-2811 fa0/0
switchport access vlan 20
switchport mode access
!
Let’s test the above configuration (R3 -> R2):
a) ping
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#
r1#sh ip inspect sessions
Established Sessions
Session 30AC590C (10.0.0.11:8)=>(10.0.0.1:0) icmp SIS_OPEN
r1#
*Oct 4 09:59:06.448: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.0.0.11:8) -- responder (10.0.0.1:0)
r1#
*Oct 4 09:59:16.816: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (10.0.0.11:8) sent 360 bytes -- responder (10.0.0.1:0) sent 360 bytes
b) telnet
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
***********************************************************************
* Warning Notice: *
* PLEASE after you finish load DEFAULT_config.txt *
***********************************************************************
User Access Verification
Password:
***********************************************************************
* Warning Notice: *
* PLEASE after you finish load DEFAULT_config.txt *
***********************************************************************
r2>
r1#
*Oct 4 10:00:11.812: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (10.0.0.11:20805) -- responder (10.0.0.1:23)
r1#
r1#sh ip inspect sessions
Established Sessions
Session 30AC590C (10.0.0.11:20805)=>(10.0.0.1:23) telnet SIS_OPEN
r1#
*Oct 4 10:00:46.948: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (10.0.0.11:20805) sent 43 bytes -- responder (10.0.0.1:23) sent 682 bytes
r1#
c) www
r3#telnet 10.0.0.1 80
Trying 10.0.0.1, 80 ... Open
r1#
*Oct 4 10:02:19.272: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.11:35734) -- responder (10.0.0.1:80)
r1#sh ip inspect sessions
Established Sessions
Session 30AC590C (10.0.0.11:35734)=>(10.0.0.1:80) tcp SIS_OPEN
r1#
*Oct 4 10:02:58.024: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.11:35734) sent 5 bytes -- responder (10.0.0.1:80) sent 122 bytes
r1#
d) connectivity R2->R3
r2#ping 10.0.0.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#
r2#
r2#telnet 10.0.0.11
Trying 10.0.0.11 ...
r1#sh access-lists
Extended IP access list 101
10 deny ip any any (12 matches)
r1#
OK, as we can see, a connection can only be established from R3 to R2. Now let's configure a DHCP server on R2 and make R3 a DHCP client. We will have to add a new inspection to pass the DHCP request/offer packets across the bridge.
r3#sh run int fa0/0
Building configuration...
Current configuration : 94 bytes
!
interface FastEthernet0/0
ip address 10.0.0.11 255.255.255.0
duplex auto
speed auto
end
Now I remove the static IP and enable DHCP:
r3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r3(config)#int fa0/0
r3(config-if)#no ip address
r3(config-if)#ip add
r3(config-if)#ip address dhcp
r3(config-if)#end
r3#
On the DHCP server I can monitor the pool:
r2#sh ip dhcp pool
Pool POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
10.0.0.12            10.0.0.1         - 10.0.0.254        0
r2#
As we can see, no IP address has been assigned yet.
We have to add a new inspection; in the output below we can see the L2-transparent mode commands:
r1(config)#ip inspect ?
  L2-transparent   Transparent Mode commands
  WAAS             Firewall and Cisco WAE interoperability configuration
  alert-off        Disable alert
  audit-trail      Enable the logging of session information (addresses and bytes)
  dns-timeout      Specify timeout for DNS
  hashtable-size   Specify size of hashtable
  log              Inspect packet logging
  max-incomplete   Specify maximum number of incomplete connections before clamping
  name             Specify an inspection rule
  one-minute       Specify one-minute-sample watermarks for clamping
  redundancy       Redundancy settings for firewall sessions
  tcp              Config timeout values for tcp connections
  udp              Config timeout values for udp flows
  <cr>
and there is one option here, exactly the one we need:
r1(config)#ip inspect L2-transparent ?
dhcp-passthrough Allow DHCP passthrough
r1(config)#ip inspect L2-transparent dhcp-passthrough
r1(config)#end
r1#
Let's enable debugging:
r1#debug ip inspect ?
L2-transparent Transparent firewall
detailed Inspection Detailed Debug Records
events Inspection events
function-trace Inspection function trace
ha Debug IOS firewall High Availability
mib Debug IOS firewall MIB
object-creation Inspection Object Creations
object-deletion Inspection Object Deletions
policy policy firewall
protocol protocol-specific-debug
timers Inspection Timer related events
r1#debug ip inspect L2-transparent dhcp-passthrough
INSPECT L2 firewall DHCP debugging is on
r1#debug ip inspect L2-transparent packets
INSPECT L2 firewall debugging is on
r1#
After a few seconds:
r1#
*Oct 4 10:38:12.720: L2FW:insp_l2_flood: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct 4 10:38:12.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct 4 10:38:12.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct 4 10:38:12.720: L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Oct 4 10:38:12.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1 path=0 linktype=38
*Oct 4 10:38:12.720: L2FW:udp ports src 68 dst 67
*Oct 4 10:38:12.720: L2FW:src 0.0.0.0 dst 255.255.255.255
*Oct 4 10:38:12.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct 4 10:38:12.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct 4 10:38:12.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct 4 10:38:12.720: L2FW: Packet is passed by Inspection
*Oct 4 10:38:14.720: L2FW:insp_l2_flood: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct 4 10:38:14.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct 4 10:38:14.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct 4 10:38:14.720: L2FW*:Src 10.0.0.1 dst 255.255.255.255 protocol udp
*Oct 4 10:38:14.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0 path=0 linktype=38
*Oct 4 10:38:14.720: L2FW:udp ports src 67 dst 68
*Oct 4 10:38:14.720: L2FW:src 10.0.0.1 dst 255.255.255.255
*Oct 4 10:38:14.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct 4 10:38:14.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct 4 10:38:14.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct 4 10:38:14.720: L2FW: Packet is passed by Inspection
*Oct 4 10:38:14.720: L2FW:insp_l2_flood: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct 4 10:38:14.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct 4 10:38:14.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct 4 10:38:14.720: L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Oct 4 10:38:14.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1 path=0 linktype=38
*Oct 4 10:38:14.720: L2FW:udp ports src 68 dst 67
*Oct 4 10:38:14.720: L2FW:src 0.0.0.0 dst 255.255.255.255
*Oct 4 10:38:14.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct 4 10:38:14.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct 4 10:38:14.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct 4 10:38:14.720: L2FW: Packet is passed by Inspection
*Oct 4 10:38:14.724: L2FW:insp_l2_flood: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct 4 10:38:14.724: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct 4 10:38:14.724: L2FW:insp_l2_inspection: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct 4 10:38:14.724: L2FW*:Src 10.0.0.1 dst 255.255.255.255 protocol udp
*Oct 4 10:38:14.724: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0 path=0 linktype=38
*Oct 4 10:38:14.724: L2FW:udp ports src 67 dst 68
*Oct 4 10:38:14.724: L2FW:src 10.0.0.1 dst 255.255.255.255
*Oct 4 10:38:14.724: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct 4 10:38:14.724: L2FW:Output ACL is not configured or ACL is bypassed
*Oct 4 10:38:14.724: L2FW*:Packet is broadcast or multicast.PASS
*Oct 4 10:38:14.724: L2FW: Packet is passed by Inspection
On the DHCP server (R2) we see:
r2#
*Oct 4 09:59:57.548: DHCPD: client's VPN is .
*Oct 4 09:59:57.548: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 on interface GigabitEthernet0/0.
*Oct 4 09:59:57.548: DHCPD: Allocate an address without class information (10.0.0.0)
*Oct 4 09:59:57.548: DHCPD: Saving workspace (ID=0xDE000005)
*Oct 4 09:59:59.548: DHCPD: Reprocessing saved workspace (ID=0xDE000005)
*Oct 4 09:59:59.548: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 on interface GigabitEthernet0/0.
*Oct 4 09:59:59.548: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 (10.0.0.14).
*Oct 4 09:59:59.548: DHCPD: broadcasting BOOTREPLY to client 04c5.a43f.d6d0.
*Oct 4 09:59:59.548: DHCPD: client's VPN is .
*Oct 4 09:59:59.548: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30.
*Oct 4 09:59:59.548: DHCPD: No default domain to append - abort update
*Oct 4 09:59:59.548: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 (10.0.0.14).
*Oct 4 09:59:59.548: DHCPD: broadcasting BOOTREPLY to client 04c5.a43f.d6d0.
r2#
r2#
Let’s check the pool:
r2#sh ip dhcp pool
Pool POOL :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 1
Pending event : none
1 subnet is currently in the pool :
Current index        IP address range                    Leased addresses
10.0.0.15            10.0.0.1         - 10.0.0.254        1
and the binding table:
r2#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.0.14           0063.6973.636f.2d30.    Oct 05 2014 09:59 AM    Automatic
                    3463.352e.6134.3366.
                    2e64.3664.302d.4661.
                    302f.30
r2#
On R3 we see the notification:
r3#
*Oct 4 10:25:09.744: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.0.0.14, mask 255.255.255.0, hostname r3
When you implement an L2 transparent firewall between a DHCP server and its DHCP clients, you have to enable DHCP pass-through (ip inspect L2-transparent dhcp-passthrough). Without it, the DHCP packets will be blocked and the clients will never receive an address.
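To make the behaviour seen in the tests and the debug output above explicit, here is a small Python model of R1's policy that I wrote for this post (it is not Cisco's implementation, only a simplification of what this lab observed): ACL 101 denies everything arriving on gi0/0, the inspection on gi0/1 opens a return path per session, and the dhcp-passthrough flag lets UDP 67/68 bypass the ACL in both directions with no session state. Interface names, packet fields and the test labels are my own.

```python
from dataclasses import dataclass

INSPECTED = {"icmp", "tcp"}   # the L2-FW rule on gi0/1: icmp, tcp, telnet (tcp/23)
@dataclass(frozen=True)
class Pkt:
    iface: str    # ingress interface on R1: "gi0/0" (VLAN 10, R2) or "gi0/1" (VLAN 20, R3)
    src: str
    dst: str
    proto: str    # "icmp", "tcp" or "udp"
    sport: int = 0
    dport: int = 0

def session_key(src, dst, proto, sport, dport):
    # ICMP sessions are matched on addresses only; TCP/UDP also on ports.
    return (src, dst, proto) + ((sport, dport) if proto != "icmp" else ())

class L2Firewall:
    # Simplified model of R1: ACL 101 inbound on gi0/0, inspection inbound on gi0/1, optional dhcp-passthrough.
    def __init__(self, dhcp_passthrough: bool):
        self.dhcp_passthrough = dhcp_passthrough
        self.sessions = set()   # dynamic entries created by inspection

    def forward(self, p: Pkt) -> str:
        # Pass-through admits UDP 67/68 in both directions, bypassing ACL 101 with
        # no session state ("Pass-through flag allows the packet" in the debug).
        if self.dhcp_passthrough and p.proto == "udp" and {p.sport, p.dport} == {67, 68}:
            return "PASS (dhcp-passthrough)"
        if p.iface == "gi0/1":
            # No ACL on gi0/1: everything from R3 is bridged; inspected protocols open a return path.
            if p.proto in INSPECTED:
                self.sessions.add(session_key(p.src, p.dst, p.proto, p.sport, p.dport))
            return "PASS"
        # Inbound on gi0/0 (from R2): only a reply to an open session passes ACL 101.
        if session_key(p.dst, p.src, p.proto, p.dport, p.sport) in self.sessions:
            return "PASS (return traffic)"
        return "DROP (access-list 101)"

def lab_results(dhcp_passthrough: bool) -> dict:
    # Replay the post's tests in order and return each packet's verdict.
    fw = L2Firewall(dhcp_passthrough)
    r2, r3, bcast = "10.0.0.1", "10.0.0.11", "255.255.255.255"
    return {
        "R2->R3 echo (no session)": fw.forward(Pkt("gi0/0", r2, r3, "icmp", 8, 0)),
        "R3->R2 echo":              fw.forward(Pkt("gi0/1", r3, r2, "icmp", 8, 0)),
        "R2->R3 echo-reply":        fw.forward(Pkt("gi0/0", r2, r3, "icmp", 0, 0)),
        "R3->R2 telnet SYN":        fw.forward(Pkt("gi0/1", r3, r2, "tcp", 20805, 23)),
        "R2->R3 telnet SYN/ACK":    fw.forward(Pkt("gi0/0", r2, r3, "tcp", 23, 20805)),
        "DHCPDISCOVER (R3)":        fw.forward(Pkt("gi0/1", "0.0.0.0", bcast, "udp", 68, 67)),
        "DHCPOFFER (R2)":           fw.forward(Pkt("gi0/0", r2, bcast, "udp", 67, 68)),
    }
```

Running lab_results(False) shows that the DHCPDISCOVER from R3 still crosses the bridge; it is the DHCPOFFER arriving on gi0/0 that ACL 101 drops, which is why the pool showed no leases until the flag was set.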