Zone Base Firewall Policy - self zone

In my last post I tested some features of ZBFP: how traffic is processed by the firewall when some interfaces are not part of the ZBFP configuration. Today I'd like to test the 'self' zone because it works a bit differently. I'm going to work on the configuration from my last post.

[Image: zbfp1.jpg]

As you remember, I created a policy for traffic from R2 to R3. I also tested the connection from R2 to R4 and it didn't work (R4 is not a member of any zone), but traffic from R5 to R4 is allowed (neither of them is a member of any zone).

With the 'self' zone it works a bit differently. Let's do one test:

R2->R1:

R2#ping 2.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/95/128 ms
R2#

R5->R1:

R5#ping 5.5.5.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/122/132 ms
R5#

As you can see, both flows are permitted even though the self zone exists and I don't have any policy for any zone pair with it.

I added the following configuration:

class-map type inspect match-any CM-TCP
 match protocol tcp

policy-map type inspect PM-TCP
 class type inspect CM-TCP
  inspect

zone-pair security INS->SELF source INSIDE destination self
 service-policy type inspect PM-TCP

This means I should be able to telnet from R2 to R1 but not ping:

R2#telnet 2.2.2.1
Trying 2.2.2.1 ... Open


Password required, but none set

[Connection to 2.2.2.1 closed by foreign host]
R2#

On R1 I can see:

Zone-pair: INS->SELF

  Service-policy inspect : PM-TCP

    Class-map: CM-TCP (match-any)
      Match: protocol tcp
        2 packets, 48 bytes
        30 second rate 0 bps
      Inspect
        Established Sessions
         Session 6672BF70 (2.2.2.2:44315)=>(2.2.2.1:23) tcp SIS_OPEN
          Created 00:00:00, Last heard 00:00:00
          Bytes sent (initiator:responder) [24:49]

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5 packets, 400 bytes
R1#

Let’s test a ping now:

R2#ping 2.2.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#

On R1 we can now see 10 packets dropped by class-default (5 more than before, the 5 echo requests):

 Zone-pair: INS->SELF

  Service-policy inspect : PM-TCP

    Class-map: CM-TCP (match-any)
      Match: protocol tcp
        2 packets, 48 bytes
        30 second rate 0 bps
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        10 packets, 800 bytes
R1#

Let’s do the same tests but from R1 to R2:

R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#telnet 2.2.2.2
Trying 2.2.2.2 ...
% Connection timed out; remote host not responding

R1#

As you can see, both failed, which means that despite the lack of a SELF->INS policy the returning packets are matched by the INS->SELF policy. The policy action is 'inspect', so ZBFP checks whether such a session exists. In my case it didn't, so the packets were dropped. Once I change the action from 'inspect' to 'pass', one of them should work:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#policy-map type inspect PM-TCP
R1(config-pmap)# class type inspect CM-TCP
R1(config-pmap-c)#no inspect
R1(config-pmap-c)#pass
R1(config-pmap-c)#end
R1#
R1#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#telnet 2.2.2.2
Trying 2.2.2.2 ... Open


Password required, but none set

[Connection to 2.2.2.2 closed by foreign host]
R1#

So ping doesn't work as there is no policy in place for ICMP. Telnet works fine as it is allowed by the INS->SELF policy and the action 'pass' doesn't check the session table.

From R1 I can still ping and telnet to the other routers:

R1#telnet 5.5.5.4
Trying 5.5.5.4 ... Open


Password required, but none set

[Connection to 5.5.5.4 closed by foreign host]
R1#
R1#ping 5.5.5.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/68/96 ms
R1#ping 4.4.4.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/107/128 ms
R1#telnet 4.4.4.3
Trying 4.4.4.3 ... Open


Password required, but none set

[Connection to 4.4.4.3 closed by foreign host]
R1#
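The behaviour observed in the tests above, captured as an added Python model of the zone-pair evaluation (this is not code from the post or from Cisco IOS; the ZbfpModel, Packet, exchange and lab names are assumptions of mine). It encodes only the rules the tests show: the self zone is permitted when no zone pair exists, 'inspect' opens a session and drops a reply it has no session for, 'pass' never consults the session table, and class-default drops.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_zone: Optional[str]   # None = ingress interface is in no zone
    dst_zone: Optional[str]   # None = egress interface is in no zone
    reply: bool = False       # True for a SYN-ACK / echo-reply travelling back

@dataclass
class ZbfpModel:
    # (source zone, destination zone) -> (protocols matched by the class, action)
    pairs: dict = field(default_factory=dict)
    sessions: set = field(default_factory=set)   # (src, dst, proto) opened by 'inspect'

    def evaluate(self, pkt: Packet) -> str:
        # return traffic of a session opened by 'inspect' is let back through
        if pkt.reply and (pkt.dst, pkt.src, pkt.proto) in self.sessions:
            return "permit"
        pair = (pkt.src_zone, pkt.dst_zone)
        if pair in self.pairs:
            protos, action = self.pairs[pair]
            if pkt.proto not in protos:
                return "drop"                   # class-default: drop
            if action == "pass":
                return "permit"                 # no session table lookup at all
            if pkt.reply:
                return "drop"                   # inspect: reply without a session
            self.sessions.add((pkt.src, pkt.dst, pkt.proto))
            return "permit"                     # inspect: new session opened
        if "self" in pair:
            return "permit"                     # self zone with no zone pair: allowed
        if pair == (None, None):
            return "permit"                     # neither interface is in a zone (R5->R4)
        return "drop"                           # zone member <-> non-member / unpaired zone

def exchange(fw: ZbfpModel, a: str, b: str, proto: str, za, zb) -> bool:
    """True if a's request reaches b AND b's reply gets back to a."""
    if fw.evaluate(Packet(a, b, proto, za, zb)) != "permit":
        return False
    return fw.evaluate(Packet(b, a, proto, zb, za, reply=True)) == "permit"

def lab(action: Optional[str]) -> ZbfpModel:
    """R1 with the optional INS->SELF zone pair whose class CM-TCP matches only tcp."""
    fw = ZbfpModel()
    if action:
        fw.pairs[("INSIDE", "self")] = ({"tcp"}, action)
    return fw
```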

Let's summarize what we learned so far (including the previous post):

Self-zone:

Standard zone:
