CCIE Security Lab: Zone-based firewalls (and BGP)

So far the VPN topology has come along pretty well, there have been a few things that need to be put into OneNote but it’s all good learning. Now it’s time to implement zone-based firewalls (ZBFW).

Zone-Based Firewalls are totally new to me, which is why I have been reading this excellent book:

It’s short and easy to read. Definitely worth picking up. Anyway, this is the part of the topology we are looking at:

Zone-based firewalls

There is a bit of an overlap with the ASAs, in so much that we have access-lists, but we need use “zones” instead of assigning the ACLs to an interface, we assign the interfaces to these zones, and apply an inspection policy, which in turn calls the ACL. This is the very simplified version, check out Ivan’s book (above) for a much better write up.

Zone-based Firewalls

IOS routers come with one default zone, called “self”:
ZBF(config)#int gi0/0                   
ZBF(config-if)#
ZBF(config-if)#zone-member ?
  security  Security zone 

ZBF(config-if)#
ZBF(config-if)#zone-member security ?
  self  System defined Zone

ZBF(config-if)#exit

This zone is for traffic to and from the router; management, routing protocols, that kind of stuff. We will get to those later, for the moment, we will create our own.

Creating zones with Zone-Based Firewalls:

We need two zones, keeping in the language of the ASA, we’ll call these “Inside” and “Outside”:

ZBF(config)#zone security Inside
ZBF(config-sec-zone)#exit
ZBF(config)#
ZBF(config)#zone security Outside
ZBF(config-sec-zone)#exit
ZBF(config)#

Next, we need to assign our interfaces to zones:

ZBF(config)#int gi 0/0
ZBF(config-if)#
ZBF(config-if)#zone-member security ?
  self  System defined Zone
  Inside
  Outside

ZBF(config-if)#zone-member security Inside
ZBF(config-if)#exit
ZBF(config)#
ZBF(config)#int gi 0/1
ZBF(config-if)#zone-member security Outside
ZBF(config-if)#
ZBF(config-if)#exit
ZBF(config)#

The next stage is to start creating the inspect rules. So, what traffic do we need to permit? I am going to be very strict here, no using “permit ip any any”, instead everything will be source, destination, protocol and port specific (and in the correct direction), apart from the ping. So, let’s define the traffic:

  • Permit OSPF between ZBF and EzVPN-Server
  • Permit OSPF between ZBF and GDOI-Server
  • Permit BGP between EzVPN-Server and GDOI-Server
  • Permit EasyVPN between GDOI-G1 and EzVPN-Server
  • Permit FlexVPN between Flex-CA and GDOI-Server
  • Permit ping

I’ll be a little more relaxed when it comes to the ping, but the rest will be more explicit. Some of these rules won’t come till later, but we can certainly take care of the routing protocols, and ICMP.

First of all, let’s see, now that we have our zones and assigned interfaces the effect it has on our basic connectivity, and really I am looking to see if we can form an OSPF adjacency between the two routers, we have not set up any inspection to the “self”, so will it or won’t it?

EzVPN-Server#sh run | s router o
router ospf 1
 router-id 6.6.6.6
 area 1 authentication message-digest
 network 6.6.6.6 0.0.0.0 area 1
 network 10.1.9.0 0.0.0.255 area 1
EzVPN-Server#conf t
EzVPN-Server(config)#router ospf 1
EzVPN-Server(config-router)#network 10.1.10.0 0.0.0.255 area 1
*Jul  5: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
EzVPN-Server(config-router)#int gi 0/0
EzVPN-Server(config-if)#ip ospf authen message-digest 
EzVPN-Server(config-if)#ip ospf message-digest-key 1 md5 cisco
EzVPN-Server(config-if)#

ZBF(config)#router ospf 1
ZBF(config-router)#router-id 10.1.10.1
ZBF(config-router)#network 10.1.10.0 0.0.0.255 area 1
ZBF(config-router)#area 1 authentication message-digest 
ZBF(config-router)#int gi0/0
ZBF(config-if)#ip ospf authen mess
ZBF(config-if)#ip ospf mess 1 md5 cisco
ZBF(config-if)#
*Jul  5: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
ZBF(config-if)#

OK, so that’s fine, OSPF adjacencies form. What about between ZBF and the GDOI-Server?:

ZBF(config-if)#int gi0/1
ZBF(config-if)#ip ospf authen mess     
ZBF(config-if)#ip ospf mess 1 md5 cisco
ZBF(config-if)#router ospf 1
ZBF(config-router)#network 10.1.11.0 0.0.0.255 area 1
ZBF(config-router)#

GDOI-Server#conf t
GDOI-Server(config)#router ospf 1
GDOI-Server(config-router)#router-id 7.7.7.7
GDOI-Server(config-router)#area 1 authen message
GDOI-Server(config-router)#network 7.7.7.7 0.0.0.0 area 1
GDOI-Server(config-router)#network 10.1.11.0 0.0.0.255 area 1
GDOI-Server(config-router)#exit
GDOI-Server(config)#
GDOI-Server(config)#int gi 0/1
GDOI-Server(config-if)#ip ospf authen message
GDOI-Server(config-if)#ip ospf mess 1 md5 cisco
GDOI-Server(config-if)#
*Jul  5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.10.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Doneea 1
GDOI-Server(config-router)#

Again, no problem. Can Ez-VPN-Server see 7.7.7.7 and reach it?

EzVPN-Server(config-if)#do sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.9.2, 01:11:34, GigabitEthernet0/3
      4.0.0.0/32 is subnetted, 1 subnets
O IA     4.4.4.4 [110/14] via 10.1.9.2, 00:07:16, GigabitEthernet0/3
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/3] via 10.1.9.2, 3d16h, GigabitEthernet0/3
      7.0.0.0/32 is subnetted, 1 subnets
O        7.7.7.7 [110/3] via 10.1.10.1, 00:01:09, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O        10.1.7.0/24 [110/2] via 10.1.9.2, 3d20h, GigabitEthernet0/3
O        10.1.8.0/24 [110/2] via 10.1.9.2, 3d20h, GigabitEthernet0/3
O        10.1.11.0/24 [110/2] via 10.1.10.1, 00:02:50, GigabitEthernet0/0
O        10.1.16.0/24 [110/3] via 10.1.9.2, 16:14:03, GigabitEthernet0/3
O        10.1.26.0/24 [110/3] via 10.1.9.2, 14:09:15, GigabitEthernet0/3
      80.0.0.0/32 is subnetted, 1 subnets
O IA     80.2.10.1 [110/15] via 10.1.9.2, 00:11:22, GigabitEthernet0/3
EzVPN-Server(config-if)#do ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
EzVPN-Server(config-if)#

Control plane good, data plane not so much. This is kind of what we want to see. The zones are doing their thing. The OSPF control plane traffic is showing us the routes, but the Zone-based Firewall is blocking the data plane, which should also mean that any attempt to form a BGP peering between the GDOI-Server and the EzVPN-Server will fail:

EzVPN-Server(config)#router bgp 101
EzVPN-Server(config-router)#bgp router-id 6.6.6.6
EzVPN-Server(config-router)#neighbor 7.7.7.7 remote-as 101
EzVPN-Server(config-router)#neighbor 7.7.7.7 ebgp-multihop 3
EzVPN-Server(config-router)#

GDOI-Server(config)#router bgp 101
GDOI-Server(config-router)#bgp router-id 7.7.7.7
GDOI-Server(config-router)#neigh 6.6.6.6 remote-as 101  
GDOI-Server(config-router)#neigh 6.6.6.6 ebgp-multihop 3
GDOI-Server(config-router)#

Despite waiting some time, a BGP peering did not form. Let’s give it a helping hand. First by creating a couple of ACLs (101 will be our Outside->Inside, 102 will be Inside->Outside), then setting up the class-maps, and policy maps:

ZBF(config)#access-list 101 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
ZBF(config)#access-list 102 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp  
ZBF(config)#!
ZBF(config)#! - Creating class-maps
ZBF(config)#!
ZBF(config)#class-map type inspect match-all Outside->In
ZBF(config-cmap)#match access-group 101
ZBF(config-cmap)#
ZBF(config-cmap)#exit
ZBF(config)#
ZBF(config)#class-map type inspect match-all In->Outside
ZBF(config-cmap)#match access-group 102
ZBF(config-cmap)#
ZBF(config-cmap)#exit
ZBF(config)#!
ZBF(config)#! - Create policy-maps 
ZBF(config)#!
ZBF(config)#policy-map type inspect Incoming-traffic
ZBF(config-pmap)#class type inspect Outside->In
ZBF(config-pmap-c)#inspect
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#class class-default
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#exit
ZBF(config)#
ZBF(config)#policy-map type inspect Outgoing-traffic
ZBF(config-pmap)#class type inspect In->Outside
ZBF(config-pmap-c)#inspect
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#class class-default
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#exit
ZBF(config)#

These then need to be assigned to a zone-pair, which specifies the source and destination zones we set up earlier:

ZBF(config)#zone-pair security Out-In source Outside destination Inside 
ZBF(config-sec-zone-pair)#service-policy type inspect Incoming-traffic
ZBF(config-sec-zone-pair)#
ZBF(config-sec-zone-pair)#exit
ZBF(config)#
ZBF(config)#zone-pair security In-Out source Inside destination Outside
ZBF(config-sec-zone-pair)#service-policy type inspect Outgoing-traffic
ZBF(config-sec-zone-pair)#exit
ZBF(config)#

No BGP peering, though, let’s enable some debugging:

EzVPN-Server#debug ip bgp 
BGP debugging is on for address family: IPv4 Unicast 
EzVPN-Server#        
*Jul  5: BGP: ses global 7.7.7.7 (0xCAE44A8:0) act Reset (Active open failed).
*Jul  5: BGP: 7.7.7.7 active went from Active to Idle
*Jul  5: BGP: nbr global 7.7.7.7 Active open failed - open timer running
*Jul  5: BGP: nbr global 7.7.7.7 Active open failed - open timer running
*Jul  5: BGP: 7.7.7.7 active went from Idle to Active
*Jul  5: BGP: 7.7.7.7 open active, local address 10.1.10.6

We are trying to peer to the loopback address, but from the wrong address, let’s fix BGP:

EzVPN-Server(config)#router bgp 101
EzVPN-Server(config-router)#neigh 7.7.7.7 update-source lo0
EzVPN-Server(config-router)#

GDOI-Server(config)#router bgp 101
GDOI-Server(config-router)#neigh 6.6.6.6 update lo0
GDOI-Server(config-router)#
GDOI-Server(config-router)#
*Jul  5: %BGP-5-NBR_RESET: Neighbor 6.6.6.6 active reset (BGP Notification sent)
*Jul  5: %BGP-5-ADJCHANGE: neighbor 6.6.6.6 Up 
GDOI-Server(config-router)#
GDOI-Server(config-router)#

Straight away we can see a BGP peering form. We only get hits on ACL 102 though:

ZBF#sh access-lists 
Extended IP access list 101
    10 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
Extended IP access list 102
    10 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp (1 match)
ZBF#

No matter at the moment, let’s open up ICMP so that we have something to test with. At the moment, we have no way of testing whether hosts are reachable or not:

GDOI-Server(config-router)#do ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GDOI-Server(config-router)#

ZBF(config)#
ZBF(config)#access-list 101 permit icmp any any
ZBF(config)#
ZBF(config)#access-list 102 permit icmp any any
ZBF(config)#

GDOI-Server(config-router)#do ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/9 ms
GDOI-Server(config-router)#

EzVPN-Server(config-router)#do ping 7.7.7.7 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms
EzVPN-Server(config-router)#

ZBF(config)#do sh access-lists
Extended IP access list 101
    10 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
    20 permit icmp any any (2 matches)
Extended IP access list 102
    10 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp (1 match)
    20 permit icmp any any (1 match)
ZBF(config)#

We can now see ACL hits from both sides. OK, nothing too hard here, but also not much else to add until we set up the rest of the network, then we can add rules for the other VPNs.

So, I’ll just add a bit of security to BGP, and then a few notes to summarize Zone-Based Firewalls.

EzVPN-Server(config-router)#neigh 7.7.7.7 password cisco

GDOI-Server(config-router)#neigh 6.6.6.6 password cisco
ZBFW: Quick reference
!
! Create zones:
!
zone security <Zone-Name>
!
! Assign zone: 
!
int gi0/0
  zone-member security <Zone-Name>
!
! Create service-policy:
!
access-list 101 permit ip any any
class-map type inspect match-all <CM-Name>
  match access-group 101
policy-map type inspect <PM-Name>
  class type inspect <CM-Name>
    inspect
    exit
  class class-default
    exit
  exit
!
! Assign source and destination to service policy:
!
zone-pair security <pair-name> source <source zone> destination <destination zone>
  security-policy type inspect <PM-Name>

So, what’s left? Well, we have (in order of easiness):

  • GET VPN
  • EasyVPN
  • FlexVPN

There is not much standing in the way of the GET VPN. The Zone-Based Firewalls part is in the way of the EasyVPN, and we have the Zone-based firewall, a transparent firewall and a routed firewall pair in the path for the FlexVPN. So, we’ll tackle GET VPN next.