
Transparent Firewall (IOS) and CBAC - dhcp-passthrough

Today I’d like to implement an L2 (transparent) firewall on a Cisco router using CBAC. A few months ago I did a similar lab, but today I’d like to add a new requirement:
  • allowing DHCP packets to cross the L2 firewall.



              fa1/0/11                     fa1/0/13
  /----\          \ -----------------------  /          /----\
 |  R2  |----------|          SW            |----------|  R3  |
  \----/ \          -----------------------           / \----/
         gig0/0       /\    /----\   / \            fa0/0
 10.0.0.1        fa1/0/9 - |  R1  |-   fa1/0/10       dhcp client
 dhcp server              / \----/  \                     
                      gig0/0  |     gig0/1
                              |                               
             VLAN 10        L2 FW               VLAN 20
   --------------------------->|<----------------------------



At the beginning, to test connectivity and CBAC, the interface fa0/0 on R3 will have a static IP of 10.0.0.11/24. Note that R1 has no IP address at all on the bridged interfaces: inspection is applied inbound on gi0/1 (the R3 side) and access-list 101 blocks everything inbound on gi0/0 (the R2 side), so only sessions initiated by R3 can get through.
 
hostname r1
!
bridge irb
! assumed, not in the original excerpt: the bridge group itself has to be
! defined with 'bridge 1 protocol ieee' before bridge-group 1 is used below
bridge 1 protocol ieee
!
interface GigabitEthernet0/0
 no ip address
 ip access-group 101 in
 bridge-group 1
!
interface GigabitEthernet0/1
 no ip address
 ip inspect L2-FW in
 bridge-group 1
!
ip inspect name L2-FW icmp alert on audit-trail on
ip inspect name L2-FW tcp alert on audit-trail on
ip inspect name L2-FW telnet alert on audit-trail on
!
access-list 101 deny   ip any any
!
!
 
 
hostname r2
!      
ip dhcp excluded-address 10.0.0.1 10.0.0.10
!         
ip dhcp pool POOL
   network 10.0.0.0 255.255.255.0
!         
!
interface GigabitEthernet0/0
 description link to MP-SW Fas 1/0/11
 ip address 10.0.0.1 255.255.255.0
!         
 
 
hostname r3
!
interface FastEthernet0/0
 ip address 10.0.0.11 255.255.255.0
 duplex auto
 speed auto
!
 
 
hostname MP-SW
!
vlan 10
 name R2-R1
!
vlan 20
 name R1-R3
!
!
interface FastEthernet1/0/9
 description to R1-2911 gi0/0
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/10
 description to R1-2911 gi0/1
 switchport access vlan 20
 switchport mode access
!         
interface FastEthernet1/0/11
 description to R2-2911 gi0/0
 switchport access vlan 10
 switchport mode access
!         
interface FastEthernet1/0/13
 description to R3-2811 fa0/0
 switchport access vlan 20
 switchport mode access
!

Let’s test the above configuration (R3 -> R2):

a) ping

r3#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#

r1#sh ip inspect sessions 
Established Sessions
 Session 30AC590C (10.0.0.11:8)=>(10.0.0.1:0) icmp SIS_OPEN
r1#
*Oct  4 09:59:06.448: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.0.0.11:8) -- responder (10.0.0.1:0)
r1#
*Oct  4 09:59:16.816: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (10.0.0.11:8) sent 360 bytes -- responder (10.0.0.1:0) sent 360 bytes

b) telnet

r3#telnet 10.0.0.1 
Trying 10.0.0.1 ... Open

 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************


User Access Verification

Password: 
 ***********************************************************************
 *  Warning Notice:                                                    *
 *    PLEASE after you finish load DEFAULT_config.txt                  *
 ***********************************************************************

r2>

r1#
*Oct  4 10:00:11.812: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (10.0.0.11:20805) -- responder (10.0.0.1:23)
r1#
r1#sh ip inspect sessions 
Established Sessions
 Session 30AC590C (10.0.0.11:20805)=>(10.0.0.1:23) telnet SIS_OPEN
r1#
*Oct  4 10:00:46.948: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (10.0.0.11:20805) sent 43 bytes -- responder (10.0.0.1:23) sent 682 bytes
r1#

c) www
 
r3#telnet 10.0.0.1 80
Trying 10.0.0.1, 80 ... Open

r1#
*Oct  4 10:02:19.272: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.11:35734) -- responder (10.0.0.1:80)
r1#sh ip inspect sessions 
Established Sessions
 Session 30AC590C (10.0.0.11:35734)=>(10.0.0.1:80) tcp SIS_OPEN
r1#
*Oct  4 10:02:58.024: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.11:35734) sent 5 bytes -- responder (10.0.0.1:80) sent 122 bytes
r1#

d) connectivity R2->R3
 
r2#ping 10.0.0.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r2#      
r2#
r2#telnet 10.0.0.11
Trying 10.0.0.11 ... 

r1#sh access-lists 
Extended IP access list 101
    10 deny ip any any (12 matches)
r1#
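The audit-trail messages above are the only record r1 keeps of who opened what, so it is worth being able to read them mechanically. The following Python is an added example, not code from the original post: it pairs the %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL lines into session records with byte counts, then applies the check that matters for a transparent firewall. Both sides share 10.0.0.0/24, so "which subnet initiated" tells you nothing; instead the policy is "nothing behind gi0/0 may initiate", expressed as a set of protected hosts. The sample log is constructed from the lab output, plus one made-up Start line with initiator 10.0.0.1 so the check has something to flag; the `protected_hosts` set is an assumption for this lab.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the %FW-6 audit-trail lines r1 logged in the lab above, plus
# one made-up Start line (initiator 10.0.0.1) that never appeared on the page, so
# that the direction check below has something to flag.
SAMPLE_LOG = """\
*Oct  4 09:59:06.448: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (10.0.0.11:8) -- responder (10.0.0.1:0)
*Oct  4 09:59:16.816: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (10.0.0.11:8) sent 360 bytes -- responder (10.0.0.1:0) sent 360 bytes
*Oct  4 10:00:11.812: %FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (10.0.0.11:20805) -- responder (10.0.0.1:23)
*Oct  4 10:00:46.948: %FW-6-SESS_AUDIT_TRAIL: Stop telnet session: initiator (10.0.0.11:20805) sent 43 bytes -- responder (10.0.0.1:23) sent 682 bytes
*Oct  4 10:02:19.272: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.11:35734) -- responder (10.0.0.1:80)
*Oct  4 10:02:58.024: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (10.0.0.11:35734) sent 5 bytes -- responder (10.0.0.1:80) sent 122 bytes
*Oct  4 10:05:00.000: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.1:40000) -- responder (10.0.0.11:22)
"""

# IOS timestamp as shown with 'service timestamps debug datetime msec'
_TS = r"\*(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3})"
# "(addr:port)" for the initiator (n="i") and responder (n="r")
_PEER = r"\((?P<{n}a>[\d.]+):(?P<{n}p>\d+)\)"
START_RE = re.compile(
    _TS + r": %FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\S+) session: "
    r"initiator " + _PEER.format(n="i") + r" -- responder " + _PEER.format(n="r") + r"$"
)
STOP_RE = re.compile(
    _TS + r": %FW-6-SESS_AUDIT_TRAIL: Stop (?P<proto>\S+) session: "
    r"initiator " + _PEER.format(n="i") + r" sent (?P<ib>\d+) bytes -- "
    r"responder " + _PEER.format(n="r") + r" sent (?P<rb>\d+) bytes$"
)

Key = Tuple[str, str, int, str, int]  # proto, initiator ip, port, responder ip, port


@dataclass
class Session:
    proto: str
    initiator: Tuple[str, int]
    responder: Tuple[str, int]
    start: str
    stop: Optional[str] = None
    initiator_bytes: int = 0
    responder_bytes: int = 0

    @property
    def closed(self) -> bool:
        return self.stop is not None


def parse_audit_trail(text: str) -> List[Session]:
    """Pair Start/Stop audit-trail lines into Session records, in order of first sight.
    A Stop without a matching Start (log rotated, or 'audit-trail on' set mid-session)
    still produces a record, recognisable by its empty start timestamp."""
    sessions: Dict[Key, Session] = {}
    for line in text.splitlines():
        m = START_RE.match(line.strip())
        if m:
            s = Session(m["proto"], (m["ia"], int(m["ip"])), (m["ra"], int(m["rp"])), m["ts"])
            sessions[(s.proto, *s.initiator, *s.responder)] = s
            continue
        m = STOP_RE.match(line.strip())
        if m:
            key: Key = (m["proto"], m["ia"], int(m["ip"]), m["ra"], int(m["rp"]))
            s = sessions.get(key)
            if s is None:
                s = Session(m["proto"], (m["ia"], int(m["ip"])), (m["ra"], int(m["rp"])), "")
                sessions[key] = s
            s.stop, s.initiator_bytes, s.responder_bytes = m["ts"], int(m["ib"]), int(m["rb"])
    return list(sessions.values())


def sessions_from_protected_side(sessions: List[Session], protected_hosts: Set[str]) -> List[Session]:
    """Direction check for a transparent firewall: both sides live in 10.0.0.0/24, so
    a subnet test cannot tell R2's side from R3's. Flag every session whose initiator
    is a host that sits behind gi0/0, where no 'ip inspect' is applied and
    access-list 101 is supposed to stop it. protected_hosts is an assumed list."""
    return [s for s in sessions if s.initiator[0] in protected_hosts]


if __name__ == "__main__":
    for s in parse_audit_trail(SAMPLE_LOG):
        print(s)
    print("unexpected:", sessions_from_protected_side(parse_audit_trail(SAMPLE_LOG), {"10.0.0.1"}))
```

On the real lab output the flagged list is empty, which is exactly the evidence test d) above gives by hand; a non-empty list means either the ACL on gi0/0 was changed or inspection was applied on the wrong interface.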

OK, as we can see, connections can only be established from R3 to R2 (the inspected direction); anything initiated from R2 is counted against access-list 101. R2 is already configured as a DHCP server (pool POOL above), so now let’s make R3 a DHCP client. We also have to tell the L2 firewall to pass the DHCP request/offer packets: the L2-FW rule only inspects icmp, tcp and telnet, and the DHCPOFFER comes back from R2’s side, where access-list 101 denies everything.
 
r3#sh run int fa0/0
Building configuration...

Current configuration : 94 bytes
!
interface FastEthernet0/0
 ip address 10.0.0.11 255.255.255.0
 duplex auto
 speed auto
end

Now I remove the static IP and enable DHCP:
 
r3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r3(config)#int fa0/0
r3(config-if)#no ip address 
r3(config-if)#ip add
r3(config-if)#ip address dhcp 
r3(config-if)#end
r3# 

On the DHCP server I can monitor the pool:
 
r2#sh ip dhcp pool 

Pool POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 254
 Leased addresses               : 0
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.0.0.12            10.0.0.1         - 10.0.0.254        0
r2#

As we can see, no IP address has been assigned yet.

We have to add a new inspection setting. The output below lists the ip inspect options, including the L2-transparent mode commands:
 
r1(config)#ip inspect ?
  L2-transparent  Transparent Mode commands
  WAAS            Firewall and Cisco WAE interoperability configuration
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and
                  bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  log             Inspect packet logging
  max-incomplete  Specify maximum number of incomplete connections before
                  clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  redundancy      Redundancy settings for firewall sessions
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
  <cr>

and it has exactly the one option we need:
 
r1(config)#ip inspect L2-transparent ?
  dhcp-passthrough  Allow DHCP passthrough

r1(config)#ip inspect L2-transparent dhcp-passthrough 
r1(config)#end
r1#

Let’s enable debug:
 
r1#debug ip inspect ?
  L2-transparent   Transparent firewall
  detailed         Inspection Detailed Debug Records
  events           Inspection events
  function-trace   Inspection function trace
  ha               Debug IOS firewall High Availability
  mib              Debug IOS firewall MIB
  object-creation  Inspection Object Creations
  object-deletion  Inspection Object Deletions
  policy           policy firewall
  protocol         protocol-specific-debug
  timers           Inspection Timer related events

r1#debug ip inspect L2-transparent dhcp-passthrough 
INSPECT L2 firewall DHCP debugging is on
r1#debug ip inspect L2-transparent packets 
INSPECT L2 firewall debugging is on
r1#

After a few seconds the debug shows the whole exchange crossing the bridge in both directions: DISCOVER (gi0/1 to gi0/0, udp 68 to 67, from 0.0.0.0), OFFER (gi0/0 to gi0/1, udp 67 to 68, from 10.0.0.1), REQUEST and ACK. Note the line ‘Output ACL is not configured or ACL is bypassed’ on the packets entering gi0/0: the pass-through flag lets them through even though access-list 101 is applied there.
 
r1#
*Oct  4 10:38:12.720: L2FW:insp_l2_flood: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:12.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct  4 10:38:12.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:12.720: L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Oct  4 10:38:12.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1 path=0 linktype=38
*Oct  4 10:38:12.720: L2FW:udp ports src 68 dst 67
*Oct  4 10:38:12.720: L2FW:src 0.0.0.0 dst 255.255.255.255
*Oct  4 10:38:12.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:12.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct  4 10:38:12.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct  4 10:38:12.720: L2FW: Packet is passed by Inspection
*Oct  4 10:38:14.720: L2FW:insp_l2_flood: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct  4 10:38:14.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct  4 10:38:14.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct  4 10:38:14.720: L2FW*:Src 10.0.0.1 dst 255.255.255.255 protocol udp
*Oct  4 10:38:14.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0 path=0 linktype=38
*Oct  4 10:38:14.720: L2FW:udp ports src 67 dst 68
*Oct  4 10:38:14.720: L2FW:src 10.0.0.1 dst 255.255.255.255
*Oct  4 10:38:14.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:14.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct  4 10:38:14.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct  4 10:38:14.720: L2FW: Packet is passed by Inspection
*Oct  4 10:38:14.720: L2FW:insp_l2_flood: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:14.720: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct  4 10:38:14.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:14.720: L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Oct  4 10:38:14.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1 path=0 linktype=38
*Oct  4 10:38:14.720: L2FW:udp ports src 68 dst 67
*Oct  4 10:38:14.720: L2FW:src 0.0.0.0 dst 255.255.255.255
*Oct  4 10:38:14.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:14.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct  4 10:38:14.720: L2FW*:Packet is broadcast or multicast.PASS
*Oct  4 10:38:14.720: L2FW: Packet is passed by Inspection
*Oct  4 10:38:14.724: L2FW:insp_l2_flood: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct  4 10:38:14.724: L2FW: FLOOD number of i/fs in bridge-group is exactly 2. Calling Inspection
*Oct  4 10:38:14.724: L2FW:insp_l2_inspection: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct  4 10:38:14.724: L2FW*:Src 10.0.0.1 dst 255.255.255.255 protocol udp
*Oct  4 10:38:14.724: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/0 path=0 linktype=38
*Oct  4 10:38:14.724: L2FW:udp ports src 67 dst 68
*Oct  4 10:38:14.724: L2FW:src 10.0.0.1 dst 255.255.255.255
*Oct  4 10:38:14.724: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:14.724: L2FW:Output ACL is not configured or ACL is bypassed
*Oct  4 10:38:14.724: L2FW*:Packet is broadcast or multicast.PASS
*Oct  4 10:38:14.724: L2FW: Packet is passed by Inspection

On the DHCP server (R2) we see the same exchange. The two-second gap between the first DISCOVER and the OFFER (‘Saving workspace’ / ‘Reprocessing saved workspace’) is the server’s conflict check: it pings the candidate address before offering it.
 
r2#
*Oct  4 09:59:57.548: DHCPD: client's VPN is .
*Oct  4 09:59:57.548: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 on interface GigabitEthernet0/0.
*Oct  4 09:59:57.548: DHCPD: Allocate an address without class information (10.0.0.0)
*Oct  4 09:59:57.548: DHCPD: Saving workspace (ID=0xDE000005)
*Oct  4 09:59:59.548: DHCPD: Reprocessing saved workspace (ID=0xDE000005)
*Oct  4 09:59:59.548: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 on interface GigabitEthernet0/0.
*Oct  4 09:59:59.548: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 (10.0.0.14).
*Oct  4 09:59:59.548: DHCPD: broadcasting BOOTREPLY to client 04c5.a43f.d6d0.
*Oct  4 09:59:59.548: DHCPD: client's VPN is .
*Oct  4 09:59:59.548: DHCPD: DHCPREQUEST received from client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30.
*Oct  4 09:59:59.548: DHCPD: No default domain to append - abort update
*Oct  4 09:59:59.548: DHCPD: Sending DHCPACK to client 0063.6973.636f.2d30.3463.352e.6134.3366.2e64.3664.302d.4661.302f.30 (10.0.0.14).
*Oct  4 09:59:59.548: DHCPD: broadcasting BOOTREPLY to client 04c5.a43f.d6d0.
r2#
r2#

Let’s check the pool:
 
r2#sh ip dhcp pool             

Pool POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses
 10.0.0.15            10.0.0.1         - 10.0.0.254        1

and binding table:
 
r2#sh ip dhcp binding          
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.0.0.14           0063.6973.636f.2d30.    Oct 05 2014 09:59 AM    Automatic
                    3463.352e.6134.3366.
                    2e64.3664.302d.4661.
                    302f.30
r2#

On R3 we see the notification:
 
r3#
*Oct  4 10:25:09.744: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.0.0.14, mask 255.255.255.0, hostname r3

When an L2 firewall sits between a DHCP server and its clients you have to enable ‘ip inspect L2-transparent dhcp-passthrough’ (there is no ‘dhcp’ protocol in the inspection rule); without it the DHCP packets are blocked. One caveat the debug output makes clear: the pass-through flag lets DHCP (udp 67/68 broadcasts) through in both directions and with the interface ACL bypassed, so access-list 101 on gi0/0 no longer has any say over DHCP. The transparent firewall therefore does nothing against a rogue DHCP server on the client (VLAN 20) side. If that is a concern, enforce it somewhere else, for example with DHCP snooping on the switch, trusting only the port that leads back to the real server.
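Because dhcp-passthrough is a blanket exception, the useful check is not on the firewall but on what it lets through. The following Python is an added example, not code from the original post: it parses the ‘debug ip inspect L2-transparent’ output shown above into one record per packet, classifies each DHCP packet by its UDP ports, and reports any server-to-client DHCP (udp source 67) that entered the bridge on an interface other than the one the legitimate server is behind. The sample is constructed from the DISCOVER and OFFER packets above (flood, TBAP and ACL lines mostly trimmed), plus one made-up packet from 10.0.0.99 on gi0/1 that never appeared on the page, standing in for a rogue server on VLAN 20; `server_if` is an assumption for this lab.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the 'debug ip inspect L2-transparent' output above:
# the DISCOVER (gi0/1 -> gi0/0) and OFFER (gi0/0 -> gi0/1) packets, with the flood/
# TBAP/ACL lines mostly trimmed, followed by one made-up packet that never appeared
# on the page: a server reply (udp 67 -> 68) from 10.0.0.99 entering on the client
# side, gi0/1, which is what a rogue DHCP server on VLAN 20 would look like.
SAMPLE_DEBUG = """\
*Oct  4 10:38:12.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:12.720: L2FW*:Src 0.0.0.0 dst 255.255.255.255 protocol udp
*Oct  4 10:38:12.720: TBAP: Check AuthProxy is configured on idb=GigabitEthernet0/1 path=0 linktype=38
*Oct  4 10:38:12.720: L2FW:udp ports src 68 dst 67
*Oct  4 10:38:12.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:12.720: L2FW:Output ACL is not configured or ACL is bypassed
*Oct  4 10:38:12.720: L2FW: Packet is passed by Inspection
*Oct  4 10:38:14.720: L2FW:insp_l2_inspection: input is GigabitEthernet0/0 output is GigabitEthernet0/1
*Oct  4 10:38:14.720: L2FW*:Src 10.0.0.1 dst 255.255.255.255 protocol udp
*Oct  4 10:38:14.720: L2FW:udp ports src 67 dst 68
*Oct  4 10:38:14.720: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:14.720: L2FW: Packet is passed by Inspection
*Oct  4 10:38:20.000: L2FW:insp_l2_inspection: input is GigabitEthernet0/1 output is GigabitEthernet0/0
*Oct  4 10:38:20.000: L2FW*:Src 10.0.0.99 dst 255.255.255.255 protocol udp
*Oct  4 10:38:20.000: L2FW:udp ports src 67 dst 68
*Oct  4 10:38:20.000: L2FW:DHCP packet seen. Pass-through flag allows the packet
*Oct  4 10:38:20.000: L2FW: Packet is passed by Inspection
"""

TS_RE = re.compile(r"^\*(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
PKT_RE = re.compile(r"L2FW:insp_l2_inspection: input is (?P<inp>\S+) output is (?P<out>\S+)")
IP_RE = re.compile(r"L2FW\*:Src (?P<src>[\d.]+) dst (?P<dst>[\d.]+) protocol (?P<proto>\w+)")
PORT_RE = re.compile(r"L2FW:udp ports src (?P<sport>\d+) dst (?P<dport>\d+)")
DHCP_RE = re.compile(r"L2FW:DHCP packet seen\. Pass-through flag allows the packet")
PASS_RE = re.compile(r"L2FW: Packet is passed by Inspection")

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


@dataclass
class L2Packet:
    ts: str
    in_if: str
    out_if: str
    src: str = ""
    dst: str = ""
    proto: str = ""
    sport: Optional[int] = None
    dport: Optional[int] = None
    dhcp_passthrough: bool = False
    passed: bool = False

    @property
    def direction(self) -> str:
        """DHCP role from the UDP ports: a client sends 68 -> 67, a server 67 -> 68."""
        if self.sport == DHCP_CLIENT_PORT and self.dport == DHCP_SERVER_PORT:
            return "client->server"
        if self.sport == DHCP_SERVER_PORT and self.dport == DHCP_CLIENT_PORT:
            return "server->client"
        return "other"


def parse_l2fw_debug(text: str) -> List[L2Packet]:
    """One L2Packet per 'insp_l2_inspection' line; the lines that follow fill in its
    fields. Lines the parser does not know (flood, TBAP, ACL, broadcast) are skipped."""
    packets: List[L2Packet] = []
    cur: Optional[L2Packet] = None
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        p = PKT_RE.match(msg)
        if p:
            cur = L2Packet(ts, p["inp"], p["out"])
            packets.append(cur)
            continue
        if cur is None:
            continue
        p = IP_RE.match(msg)
        if p:
            cur.src, cur.dst, cur.proto = p["src"], p["dst"], p["proto"]
            continue
        p = PORT_RE.match(msg)
        if p:
            cur.sport, cur.dport = int(p["sport"]), int(p["dport"])
            continue
        if DHCP_RE.match(msg):
            cur.dhcp_passthrough = True
        elif PASS_RE.match(msg):
            cur.passed = True
    return packets


def rogue_dhcp_servers(packets: List[L2Packet], server_if: str) -> List[L2Packet]:
    """dhcp-passthrough forwards DHCP in both directions with the interface ACL
    bypassed, so the firewall itself will not stop a rogue server. This finds
    server->client DHCP that entered on any interface other than the one the real
    server (R2) is behind; server_if is an assumption for this lab (gi0/0)."""
    return [p for p in packets
            if p.dhcp_passthrough and p.proto == "udp"
            and p.direction == "server->client" and p.in_if != server_if]


if __name__ == "__main__":
    for p in rogue_dhcp_servers(parse_l2fw_debug(SAMPLE_DEBUG), "GigabitEthernet0/0"):
        print("rogue DHCP server candidate:", p.src, "on", p.in_if, "at", p.ts)
```

Running it against the real lab output yields nothing, since the only server-side packets came in on gi0/0; the constructed 10.0.0.99 packet is the kind of thing the firewall passes silently and only the switch (DHCP snooping) or this sort of log check would catch.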
