Wednesday, April 16, 2014

Transparent Firewall (IOS) and ZBPF.

I would like to continue working with transparent firewalls and today we try to implement the Zone Base Policy Firewall:

         OUTSIDE     L2 firewall      INSIDE
        [10.0.0.1]                   [10.0.0.3] 
          /----\        /----\         /----\ 
         |  R1  |------|  R2  |-------|  R3  |
          \----/      / \----/ \       \----/ 
                gig0/0.10   gig0/1.20  
                      icmp, telnet

                      <---------      

R2 - firewall is not enabled:
 
bridge irb
!
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 no sh
!
interface GigabitEthernet0/0.10
 encapsu dot 10
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/1
 no sh
!
interface GigabitEthernet0/1.20
 encapsu dot 20
 no ip address
 bridge-group 1
!
no ip routing
!

R2 is configured as the L2 device and it doesn’t do any traffic control:
 
r1#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#telnet 10.0.0.3
Trying 10.0.0.3 ... Open


Password required, but none set

[Connection to 10.0.0.3 closed by foreign host]
r1#

r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************


Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
r3#


Now we implement the ZBPF with icmp and telnet inspection. Traffic should be allowed only from R3 to R1, but R1 can’t initiate any traffic.
 
 
class-map type inspect match-all ZBFW-CLASS
 match protocol icmp
 match protocol telnet
!
!
policy-map type inspect ZBFW-POLICY
 class type inspect ZBFW-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect ZBFW-POLICY
!
interface GigabitEthernet0/0.10
 zone-member security OUTSIDE
!
interface GigabitEthernet0/0.20
 zone-member security INSIDE
!

r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS (match-all)
      Match: protocol icmp
      Match: protocol telnet

   Inspect

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes
r2#

Let’s try send traffic:

a) inside->outside:
 
r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#


Let’s check what is doing the inspection engine:
 
 
r2#debug ip inspect L2-transparent packets 
INSPECT L2 firewall debugging is on
r2#
*Apr 15 22:19:21.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:21.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:21.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:21.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:21.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:21.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:21.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:21.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:23.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:23.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:23.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:23.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:23.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:23.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:23.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:25.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:25.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:25.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:25.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:25.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:25.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:25.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:27.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:27.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:27.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:27.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:27.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:27.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:27.793: L2FW: Packet dropped by inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_flood: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Apr 15 22:19:29.793: L2FW:insp_l2_inspection: input is GigabitEthernet0/1.20 output is GigabitEthernet0/0.10
*Apr 15 22:19:29.793: L2FW*:Src 10.0.0.3 dst 10.0.0.1 protocol icmp
*Apr 15 22:19:29.793: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1.20 path=0 linktype=38
*Apr 15 22:19:29.793: L2FW:Input ACL not configured or the ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Output ACL is not configured or ACL is bypassed
*Apr 15 22:19:29.793: L2FW:Inspection is not configured on input or output interface.
*Apr 15 22:19:29.793: L2FW:fw_inspection_wrapper returned TRUE.Drop the packet
*Apr 15 22:19:29.793: L2FW: Packet dropped by inspection


It looks like the CBAC is active instead of ZBPF, why ?
 
 
r2#debug policy-firewall L2-transparent 
Policy-Firewall L2 transparent debugging is on
r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS (match-all)
      Match: protocol icmp
      Match: protocol telnet

   Inspect

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes
r2#conf t

r2#debug policy-firewall detail ?
  <cr>

r2#debug policy-firewall detail 
Policy-Firewall detailed debugging is on
r2#
*Apr 15 22:36:23.883: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:23.883: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:25.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:25.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:27.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:27.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:29.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:29.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak
*Apr 15 22:36:31.879: FIREWALL: ret_val 0 is not PASS_PAK
*Apr 15 22:36:31.879: FIREWALL: ret_val NO_ACTION, but not valid router traffic .Dropping pak


It looks like a bug, I found one similar issue but only for 12.4 IOS, this one is:
 
 
r2#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)

Let’s try tomorrow with different IOS version.


..day later…


 
I reload R2 with the new software: “Version 15.2(1)” and I see exactly the same error messages:

r2_newIOS#debug policy-firewall detail 
Policy-Firewall detailed debugging is on
r2_newIOS#
Apr 16 08:26:03.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:03.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:05.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:05.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:07.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:07.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:09.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:09.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
Apr 16 08:26:11.107: FIREWALL*: ret_val 0 is not PASS_PAK
Apr 16 08:26:11.107: FIREWALL*: ret_val NO_ACTION, but not valid router traffic .Dropping pak
r2_newIOS#

r2_newIOS#
Apr 16 08:29:18.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20
Apr 16 08:29:18.911: L2FW*:Src 10.0.0.1 dst 10.0.0.3 protocol icmp
Apr 16 08:29:18.911: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0.10 path=1 linktype=38
Apr 16 08:29:18.911: L2FW:Input ACL not configured or the ACL is bypassed
Apr 16 08:29:18.911: L2FW:Output ACL is not configured or ACL is bypassed
Apr 16 08:29:18.911: L2FW*:IP inspect firewall is not cfged on  input or output interface.PASS
Apr 16 08:29:18.911: L2FW*:CCE FW l2 fast returning INSP_L2_DROP
Apr 16 08:29:20.911: L2FW*:insp_l2_fast_inspection: pak 308BE9E8, input-interface GigabitEthernet0/0.10, output-interface GigabitEthernet0/1.20

During this investigation I discovered one my mistake:
 
interface GigabitEthernet0/0.20
 zone-member security INSIDE

Instead of Gig0/1.20 I added non-existing sub-interface to the INSIDE zone:
 
r2#sh run int gig0/0.20
Building configuration...

Current configuration : 87 bytes
!
interface GigabitEthernet0/0.20
 zone-member security INSIDE
 no ip route-cache
end

r2#sh run int gig0/1.20
Building configuration...

Current configuration : 98 bytes
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 1
end

r2#

As we see the sub-interface was added but the Vlan and the bridge group are not specified.
Let’s fix the interface settings:
 
r2#sh run int gig0/1.20
Building configuration...

Current configuration : 127 bytes
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 zone-member security INSIDE
 no ip route-cache
 bridge-group 1
end

r2#

and do some tests:
 
r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r3#

r3#telnet 10.0.0.1
Trying 10.0.0.1 ... 
% Connection timed out; remote host not responding

r3#

on the R2 we can see:
 
*Apr 16 08:34:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:25987 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)
*Apr 16 08:35:13.047: %FW-6-DROP_PKT: Dropping tcp session 10.0.0.3:28705 10.0.0.1:23 on zone-pair INSIDE-OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0 
*Apr 16 08:35:41.575: %FW-6-LOG_SUMMARY: 4 packets were dropped from 10.0.0.3:28705 => 10.0.0.1:23 (target:class)-(INSIDE-OUTSIDE:class-default)

Why the ping and telnet are processed by the class-default?
 
r2#sh run | s class-map
class-map type inspect match-all ZBFW-CLASS
 match protocol icmp
 match protocol telnet
r2#

ok, as we see the class has wrong parameter: ‘match-all’ - the packet can’t be ‘icmp’ and ‘tcp/23’ at the same time. The correct one should be:
 
!
class-map type inspect match-any ZBFW-CLASS1
 match protocol icmp
 match protocol telnet
!
policy-map type inspect ZBFW-POLICY
 class type inspect ZBFW-CLASS1
  inspect 
 class class-default
  drop log
!

Time for the final test:
 
r3#ping 10.0.0.1  

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r3#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
C
 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************


Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
r3#

and now everything works as expected:
 
r2#sh policy-map type inspect zone-pair sessions 

policy exists on zp INSIDE-OUTSIDE
 Zone-pair: INSIDE-OUTSIDE

  Service-policy inspect : ZBFW-POLICY

    Class-map: ZBFW-CLASS1 (match-any)
      Match: protocol icmp
        1 packets, 80 bytes
        30 second rate 0 bps
      Match: protocol telnet
        2 packets, 48 bytes
        30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 298FB200 (10.0.0.3:55798)=>(10.0.0.1:23) telnet:tcp SIS_OPEN
          Created 00:00:00, Last heard 00:00:00
          Bytes sent (initiator:responder) [27:348]


    Class-map: class-default (match-any)
      Match: any 
      Drop
        13 packets, 592 bytes
r2#

traffic from the outside to the inside is silently dropped:
 
r1#ping 10.0.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

as there is no policy map and zone pair with direction OUTSIDE-INSIDE. Be careful when you configure class maps, the default parameter is ‘match-all’.


No comments:

Post a Comment