Transparent Firewall (IOS) and ZBPF.
I would like to continue working with transparent firewalls and today we try to implement the Zone Base Policy Firewall:
OUTSIDE L2 firewall INSIDE
[10.0.0.1] [10.0.0.3]
/----\ /----\ /----\
| R1 |------| R2 |-------| R3 |
\----/ / \----/ \ \----/
gig0/0.10 gig0/1.20
icmp, telnet
<---------
R2 - firewall is not enabled:
bridge irb
!
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
no sh
!
interface GigabitEthernet0/0.10
encapsu dot 10
no ip address
bridge-group 1
!
interface GigabitEthernet0/1
no sh
!
interface GigabitEthernet0/1.20
encapsu dot 20
no ip address
bridge-group 1
!
no ip routing
!
R2 is configured as the L2 device and it doesn’t do any traffic control:
r1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#telnet 10.0.0.3
Trying 10.0.0.3 ... Open
Password required, but none set
[Connection to 10.0.0.3 closed by foreign host]
r1#
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
***********************************************************************
* Warning Notice: *
* PLEASE after you finish load DEFAULT_config.txt *
***********************************************************************
Password required, but none set
[Connection to 10.0.0.1 closed by foreign host]
r3#
Now we implement the ZBPF with icmp and telnet inspection. Traffic should be allowed only from R3 to R1, but R1 can’t initiate any traffic.
class-map type inspect match-all ZBFW-CLASS
match protocol icmp
match protocol telnet
!
!
policy-map type inspect ZBFW-POLICY
class type inspect ZBFW-CLASS
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect ZBFW-POLICY
!
interface GigabitEthernet0/0.10
zone-member security OUTSIDE
!
interface GigabitEthernet0/0.20
zone-member security INSIDE
!
r2#sh policy-map type inspect zone-pair sessions
policy exists on zp INSIDE-OUTSIDE
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : ZBFW-POLICY
Class-map: ZBFW-CLASS (match-all)
Match: protocol icmp
Match: protocol telnet
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
r2#
Let’s try send traffic:
a) inside->outside:
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#
Let’s check what is doing the inspection engine:
r2#debug ip inspect L2-transparent packets
INSPECT L2 firewall debugging is on
r2#
*Apr 15 22:19:21.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:21.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:21.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:21.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:21.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:21.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:23.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:23.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:23.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:23.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:25.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:25.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:25.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:25.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:27.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:27.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:27.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:27.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:29.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:29.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:29.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:29.793: L2FW: Packet dropped by inspection
It looks like the CBAC is active instead of ZBPF, why ?
r2#debug policy-firewall L2-transparent
Policy-Firewall L2 transparent debugging is on
r2#sh policy-map type inspect zone-pair sessions
policy exists on zp INSIDE-OUTSIDE
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : ZBFW-POLICY
Class-map: ZBFW-CLASS (match-all)
Match: protocol icmp
Match: protocol telnet
Inspect
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
r2#conf t
r2#debug policy-firewall detail ?
<cr>
r2#debug policy-firewall detail
Policy-Firewall detailed debugging is on
r2#
*Apr 15 22:36:23.883: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:23.883: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:25.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:25.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:27.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:27.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:29.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:29.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:31.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:31.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
It looks like a bug, I found one similar issue but only for 12.4 IOS, this one is:
r2#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)
Let’s try tomorrow with different IOS version.
..day later…
I reload R2 with the new software: “Version 15.2(1)” and I see exactly the same error messages:
r2_newIOS#debug policy-firewall detail
Policy-Firewall detailed debugging is on
r2_newIOS#
Apr 16 08:26:03.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:03.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:05.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:05.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:07.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:07.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:09.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:09.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:11.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:11.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
r2_newIOS#
r2_newIOS#
Apr 16 08:29:18.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20
Apr 16 08:29:18.911: L2FW*:Src 10.0.0.1 dst 10.0.0.3 protocol icmp
Apr 16 08:29:18.911: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0.10 path=1 linktype=38
Apr 16 08:29:18.911: L2FW:Input ACL not configured or the ACL is bypassed
Apr 16 08:29:18.911: L2FW:Output ACL is not configured or ACL is bypassed
Apr 16 08:29:18.911: L2FW*:IP inspect firewall is not cfged on input or output interface.PASS
Apr 16 08:29:18.911: L2FW*:CCE FW l2 fast returning INSP_L2_DROP
Apr 16 08:29:20.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20
During this investigation I discovered one my mistake:
interface GigabitEthernet0/0.20
zone-member security INSIDE
Instead of Gig0/1.20 I added non-existing sub-interface to the INSIDE zone:
r2#sh run int gig0/0.20
Building configuration...
Current configuration : 87 bytes
!
interface GigabitEthernet0/0.20
zone-member security INSIDE
no ip route-cache
end
r2#sh run int gig0/1.20
Building configuration...
Current configuration : 98 bytes
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 1
end
r2#
As we see the sub-interface was added but the Vlan and the bridge group are not specified.
Let’s fix the interface settings:
r2#sh run int gig0/1.20
Building configuration...
Current configuration : 127 bytes
!
interface GigabitEthernet0/1.20
encapsulation dot1Q 20
zone-member security INSIDE
no ip route-cache
bridge-group 1
end
r2#
and do some tests:
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#
r3#telnet 10.0.0.1
Trying 10.0.0.1 ...
% Connection timed out; remote host not responding
r3#
on R2 we can see:
*Apr 16 08:34:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:25987 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)
*Apr 16 08:35:13.047: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.3:28705 10.0.0.1:23 on zone-pair INSIDE-OUTSIDE class class-default due to DROP action found in policy-map with ip ident 0
*Apr 16 08:35:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:28705 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)
Why the ping and telnet are processed by the class-default?
r2#sh run | s class-map
class-map type inspect match-all ZBFW-CLASS
match protocol icmp
match protocol telnet
r2#
ok, as we see the class has wrong parameter: ‘match-all’ - the packet can’t be ‘icmp’ and ‘tcp/23’ at the same time. The correct one should be:
!
class-map type inspect match-any ZBFW-CLASS1
match protocol icmp
match protocol telnet
!
policy-map type inspect ZBFW-POLICY
class type inspect ZBFW-CLASS1
inspect
class class-default
drop log
!
Time for the final test:
r3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
***********************************************************************
* Warning Notice: *
* PLEASE after you finish load DEFAULT_config.txt *
***********************************************************************
Password required, but none set
[Connection to 10.0.0.1 closed by foreign host]
r3#
and now everything works as expected:
r2#sh policy-map type inspect zone-pair sessions
policy exists on zp INSIDE-OUTSIDE
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : ZBFW-POLICY
Class-map: ZBFW-CLASS1 (match-any)
Match: protocol icmp
1 packets, 80 bytes
30 second rate 0 bps
Match: protocol telnet
2 packets, 48 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 298FB200 (10.0.0.3:55798)=>(10.0.0.1:23) telnet:tcp SIS_OPEN
Created 00:00:00, Last heard 00:00:00
Bytes sent (initiator:responder) [27:348]
Class-map: class-default (match-any)
Match: any
Drop
13 packets, 592 bytes
r2#
traffic from the outside to the inside is silently dropped:
r1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#
as there is no policy map and zone pair with direction OUTSIDE-INSIDE. Be careful when you configure class maps, the default parameter is ‘match-all’.
4
Kudos
4
Kudos