ZBFP and self zone policy.

Let’s continue our tests with the ZBPF. Now I’m going to implement L3 firewall (no transparent) and block EIGRP and OSPF packets sent and received on the outside interface (gig0/0).

                    OUTSIDE     L3 firewall      INSIDE
                  [10.0.0.1]                   [10.0.0.3] 
                    /----\        /----\         /----\ 
                      R1  |------|  R2  |-------|  R3  |
                    \----/      / \----/ \       \----/ 
                            gig0/0     gig0/1  

                               <-X->| <-->
                               eigrp, ospf

R1:

!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 !
!
router eigrp 1
 network 0.0.0.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

R2:

interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 20.0.0.2 255.255.255.
!
router eigrp 1
 network 0.0.0.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

R3:

!
interface FastEthernet0/0
 ip address 20.0.0.3 255.255.255.0
 !
!
router eigrp 1
 network 0.0.0.0
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!

Let’s try if each router sees his neighbors:

r1#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.0.0.2                Gi0/0             14 00:03:38    1   200  0  16
r1#sh ip ospf neighbor   

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.0.0.2          1   FULL/DR         00:00:34    10.0.0.2        GigabitEthernet0/0
r1#

r2#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.0.0.1                Gi0/0             13 00:04:07    1   200  0  45
1   20.0.0.3                Gi0/1             14 00:35:38    1   200  0  47
r2#sh ip ospf neighbor   

Neighbor ID     Pri   State           Dead Time   Address         Interface
33.33.33.33       1   FULL/DR         00:00:35    20.0.0.3        GigabitEthernet0/1
10.0.0.1          1   FULL/BDR        00:00:30    10.0.0.1        GigabitEthernet0/0
r2#

r3#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   20.0.0.2                Fa0/0             11 00:36:02    1   300  0  17
r3#sh ip ospf neighbor   

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.0.0.2          1   FULL/BDR        00:00:38    20.0.0.2        FastEthernet0/0
r3#

Now I create class map to match OSPF and EIGRP packets, policy map with action ‘drop & log’:

access-list 101 permit ospf any any
access-list 101 permit eigrp any any
!
class-map type inspect match-any ZBF-L2-SELF-CLASS1
 match access-group 101
!
!
policy-map type inspect ZBF-L2-SELF-POLICY
 class type inspect ZBF-L2-SELF-CLASS1
  drop log
 class class-default
  drop log
!

and then security zones and zone-pairs:

zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect ZBF-L2-SELF-POLICY
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect ZBF-L2-SELF-POLICY
! 

The last step is to add interfaces to correct security zones:

!
interface GigabitEthernet0/0
zone-member security OUTSIDE
!
interface GigabitEthernet0/1
zone-member security INSIDE    
! 

Let’s test the applied policy:

r1#
*Apr 16 18:54:14.809: EIGRP-IPv4(1): Neighbor 20.0.0.2 not on common subnet for GigabitEthernet0/0
*Apr 16 18:54:15.749: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.2 (GigabitEthernet0/0) is down: holding time expired
*Apr 16 18:54:28.509: EIGRP-IPv4(1): Neighbor 20.0.0.3 not on common subnet for GigabitEthernet0/0
*Apr 16 18:54:33.265: %OSPF-5-ADJCHG: Process 1, Nbr 20.0.0.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
r1#
r1#sh ip ospf neighbor 

r1#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
r1#

r2(config-if)#e
*Apr 16 18:21:10.879: %FW-6-DROP_PKT: Dropping Unknown-l4 session 10.0.0.2:0 224.0.0.5:0 on zone-pair SELF-OUT class ZBF-L2-SELF-CLASS1 due to  DROP action found in policy-map with ip ident 0 nd
r2#
r2#
*Apr 16 18:21:12.843: %SYS-5-CONFIG_I: Configured from console by console
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.0.0.2:68 => 224.0.0.5:67 (target:class)-(SELF-OUT:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 2 packets were dropped from 0.0.0.0:68 => 255.255.255.255:67 (target:class)-(OUT-SELF:class-default)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.0.0.1:68 => 224.0.0.5:67 (target:class)-(OUT-SELF:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.0.0.1:68 => 224.0.0.10:67 (target:class)-(OUT-SELF:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 10.0.0.2:68 => 224.0.0.10:67 (target:class)-(SELF-OUT:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 20.0.0.3:0 => 224.0.0.10:0 (target:class)-(OUT-SELF:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 20.0.0.2:0 => 224.0.0.10:0 (target:class)-(OUT-SELF:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:15.575: %FW-6-LOG_SUMMARY: 1 packet were dropped from 20.0.0.3:0 => 224.0.0.5:0 (target:class)-(OUT-SELF:ZBF-L2-SELF-CLASS1)
*Apr 16 18:21:18.119: EIGRP-IPv4(1): Neighbor 10.0.0.1 not on common subnet for GigabitEthernet0/1
*Apr 16 18:21:23.315: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.1 (GigabitEthernet0/0) is down: holding time expired

r2#sh ip eigrp neighbors 
EIGRP-IPv4 Neighbors for AS(1)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   20.0.0.3                Gi0/1             13 00:57:37    1   200  0  51
r2#sh ip ospf neighbor   

Neighbor ID     Pri   State           Dead Time   Address         Interface
33.33.33.33       1   FULL/DR         00:00:32    20.0.0.3        GigabitEthernet0/1
r2#

r3#sh ip eigrp neighbors 
IP-EIGRP neighbors for process 1
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   20.0.0.2                Fa0/0             12 00:58:01    1   200  0  23
r3#sh ip ospf neighbor   

Neighbor ID     Pri   State           Dead Time   Address         Interface
20.0.0.2          1   FULL/BDR        00:00:30    20.0.0.2        FastEthernet0/0
r3#

So, now on R2 we can’t see any adjacency between R2 and R1. You have to remember to implement ‘self’ policy in both directions: outside->self, self->outside.
You should remember following rules for self-zone:

• By default the traffic is allowed (bidirectional to and from any neighbor)
• You can either ‘drop’ or ‘pass’ the traffic, ‘inspect’ action is not valid for self-zone
• Each direction on the interface is treated separately and if you apply policy for example: OUTSIDE->SELF, the traffic from SELF to OUTSIDE is allowed without any restriction until you add the first policy
• Be careful with routing protocols and if you plan to have the policy ‘in’ and ‘out’ on self-zone, you have to permit the routing protocol explicitly
• When you work with the self-zone policy you can find that on the GNS3 some protocols are allowed despite correct configuration. I found there is a difference in processing these packet on the GNS3 and on real devices.

Useful command which allows you to see more details about dropped packets:

Device(config)# parameter-map type inspect-global
Device(config-profile)# log dropped-packets enable*

• non available on all versions of IOS