Wednesday, September 21, 2011

Transparent Cisco IOS Firewall (Filtering with IOS Part 7)

I have R1, R2, R3, and R4. I want to use Transparent Cisco IOS Firewall to help create a security policy that I can apply to R2.


R2's Fa0/1 is connected to R1 and is considered the INSIDE network. R2's Fa0/0 is connected to R3 and is considered the OUTSIDE network. R2's Se0/1/0 will connect to R4's S0/1. R1 and R3's FastEthernet interfaces are part of the 10.1.13.0/24 network, which requires R2 to bridge between the two interfaces.

I want to allow R1 to access R3's http service, but not be allowed to telnet to R3. I want R3 to be allowed to telnet to R1, but not be allowed to access R1's http service. I want both R1 and R3 to be able to access R4.

Since R1 and R3 are both on the same subnet, my first step is to configure bridging on R2. I will apply the bridge group to the two FastEthernet interfaces, enable a BVI interface, and assign it an IP address on the 10.1.13.0/24 network.

R2(config)#bridge 1 protocol ieee
R2(config)#interface fa0/0
R2(config-if)#bridge-group 1
R2(config-if)#interface fa0/0
R2(config-if)#bridge-group 1
R2(config-if)#bridge irb
R2(config)#bridge 1 route ip
R2(config)#interface bvi1
R2(config-if)#ip address 10.1.13.2 255.255.255.0
R2(config-if)#no shut

I'll verify the bridge is operational:


R2#show ip interface brief | inc BVI
BVI1                       10.1.13.2       YES manual up                    up      
R2#show bridge


Total of 300 station blocks, 298 free
Codes: P - permanent, S - self


Bridge Group 1:


    Address       Action   Interface       Age   RX count   TX count
000d.2846.5f60   forward   FastEthernet0/0   0      33392       2831
000c.31ef.3de0   forward   FastEthernet0/1   0      33801       3226
R2#


The fa0/0 and fa0/1 interfaces are already enabled on R2 with no ip addresses assigned, and there have been no rules configured to filter any traffic. At this point, I should be able to ping between R1 and R3.

R1#ping 10.1.13.3


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R1#

Next I'll write the ip inspect rules for the OUTSIDE and INSIDE interfaces.

R2(config)#ip inspect name INSIDE http
R2(config)#ip inspect name INSIDE icmp
R2(config)#ip inspect name OUTSIDE telnet
R2(config)#ip inspect name OUTSIDE icmp

I will also need to write ACLs for the INSIDE and OUTSIDE interfaces to allow access for the INSIDE to R3 on TCP 80 as well as sending echo and echo replies. I also want to allow access for the OUTSIDE to telnet to R1 as well as sending echo and echo replies.

R2(config)#ip access-list extended INSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.3 eq www
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.3 echo-reply
R2(config-ext-nacl)# deny   ip any host 10.1.13.3
R2(config-ext-nacl)# permit ip any any
R2(config-ext-nacl)#ip access-list extended OUTSIDE_LIST
R2(config-ext-nacl)# permit tcp any host 10.1.13.1 eq telnet
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo
R2(config-ext-nacl)# permit icmp any host 10.1.13.1 echo-reply
R2(config-ext-nacl)# deny   ip any host 10.1.13.1
R2(config-ext-nacl)# permit ip any any

Now I'll apply the ip inspect rules and ACLs to the correct interfaces in the correct directions.

R2(config)#interface fa0/0
R2(config-if)#ip access-group OUTSIDE_LIST in
R2(config-if)#ip inspect INSIDE out
R2(config-if)#interface fa0/1
R2(config-if)#ip access-group OUTSIDE_LIST in
R2(config-if)#ip inspect OUTSIDE out

This completes the configuration.

R1 should still be able to ping R3.

R1#ping 10.1.13.3  


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

I should be able to ping R4 from both R1 and R3:

R1#ping 10.1.24.4


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.24.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

But, R1 should not be able to telnet to R2 due to the ACL applied to R2's fa0/1.
R1:

R1#telnet 10.1.13.3
Trying 10.1.13.3 ...
% Connection timed out; remote host not responding

Since telnet is allowed for R3 to R1, I'll apply debug ip inspect l2-transparent packets on R2 and see some of the result

R3#telnet 10.1.13.1
Trying 10.1.13.1 ... Open


User Access Verification


Password: 
The resulting Debug on R2:

As expected the ACL allows the sending traffic. The debug should show the result of the return traffic.

R2#debug ip inspect l2-transparent packets
INSPECT L2 firewall debugging is on
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection: pak 659EA0BC, input-interface FastEthernet0/0, output-interface FastEthernet0/1
*Sep 22 04:03:55.229: L2FW*:Src 10.1.13.3 dst 10.1.13.1 protocol tcp
*Sep 22 04:03:55.229: TBAP: Check AuthProxy is configured on idb=FastEthernet0/0 path=1 linktype=38
*Sep 22 04:03:55.229: L2FW:Input ACL check SUCCESS
*Sep 22 04:03:55.229: L2FW:Output ACL is not configured or ACL is bypassed
*Sep 22 04:03:55.229: L2FW:L2 header length(initiator->responder) is 14
*Sep 22 04:03:55.229: L2FW:info_start is NULL for init->rsp
*Sep 22 04:03:55.229: L2FW*:insp_l2_fast_inspection returning INSP_L2_OK
*Sep 22 04:03:55.229: L2FW*:CCE FW l2 fast returning INSP_L2_OK
*Sep 22 04:03:55.229: TBAP: Check if AP return traffic (fast path) foroutput idb=FastEthernet0/1 IP->prot=6
*Sep 22 04:03:55.233: L2FW*:insp_l2_fast_inspection: pak 65BDC430, input-interface FastEthernet0/1, output-interface FastEthernet0/0

With the telnet session open, I will verify that a session is open and being inspected.

R2#show ip inspect sessions detail 
Established Sessions
 Session 662947E0 (10.1.13.3:33012)=>(10.1.13.1:23) telnet SIS_OPEN
  Created 00:00:32, Last heard 00:00:29
  Bytes sent (initiator:responder) [37:74]
  In  SID 10.1.13.1[23:23]=>10.1.13.3[33012:33012] on ACL OUTSIDE_LIST  (11 matches)







Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
Part 7
Part 8
Part 9
Part 10

No comments:

Post a Comment