Cisco 877 Zone Based Firewall

From Bit Binary Wiki


Introduction

Warning: This document is in the process of being completed and is not finished.

Full configuration overview of a Cisco 877 with IOS Version 12.4(15)T17

Base Configuration

Enable SSH

hostname ROUTER
ip domain-name EXAMPLE.LOCAL
crypto key generate rsa general-keys modulus 1024

Set DNS

ip name-server 192.231.203.132
ip name-server 192.231.203.3

Configure Router Access

aaa new-model
aaa session-id common
aaa authentication login local_auth local
enable secret PASSWORD
no enable password
username admin privilege 15 secret PASSWORD
security passwords min-length 6
security authentication failure rate 10 log
login block-for 30 attempts 3 within 30
ip ssh time-out 60
ip ssh authentication-retries 3
line con 0
 login authentication local_auth
 privilege level 15
 exec-timeout 20 0
 transport output all
line aux 0
 login authentication local_auth
 privilege level 15
 exec-timeout 10 0
 transport output all
line vty 0 4
 login authentication local_auth
 transport input ssh
 transport output all
 privilege level 15
 exec-timeout 10 0
Note: We generally trust connections originating from the router and may need to test from it, so transport output all is used.

Securing access to the router

Optional: the same restriction can also be enforced with the zone-based firewall (see The Self Zone section later in this guide).

ip access-list standard MGMT_V4
 permit 202.129.80.80
 permit 103.20.49.138
 permit 10.39.41.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT_V4 in

Note: By default the self zone is a permissive zone; securing it is covered in The Self Zone section.

Set Time Zone and NTP

clock timezone AEDT 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
clock set 19:59:00 Aug 19 2013
sntp server 192.168.1.10
sntp server 203.0.178.191
sntp source-interface Vlan1

Configure/Secure Services

no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
service password-encryption
service sequence-numbers
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no cdp run
no ip bootp server
no ip http server
no ip http secure-server
no ip finger
no ip source-route
no ip gratuitous-arps

Create Login Banner

banner login "
*****************************************************
* UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED! *
*****************************************************
* Unauthorised access may be subject to prosecution *
*    under the Crimes Act or State legislation.     *
*****************************************************

"

Configure Logging

logging facility local2
logging trap debugging
logging console critical
logging buffered

Secure Interfaces

interface dialer0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
interface Vlan1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
access-list 199 remark UNICAST RPF
access-list 199 permit udp any any eq bootpc
interface dialer0
 ip verify unicast source reachable-via rx allow-default 199

Configure DSL Interface

interface ATM0
 no shutdown
interface ATM0.1 point-to-point
 pvc 8/35
  dialer pool-member 1
  protocol ppp dialer
interface dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password PASSWORD
 ! OR USE PAP COMMANDS

Set Default Route

ip route 0.0.0.0 0.0.0.0 Dialer0

Configure VLAN1

interface Vlan1
 ip address 10.39.41.254 255.255.255.0
 ip route-cache cef

Adjust MSS

Adjusting the TCP Maximum Segment Size (MSS) keeps TCP segments small enough to avoid fragmentation across the DSL link.

Add a link to MSS settings for VPNs.

interface Vlan1
 ip tcp adjust-mss 1412

Enable Cisco Express Forwarding

ip cef
Note: Ensure that CEF is not disabled on any interface.

Configure NAT

interface Vlan1
 ip nat inside
interface Dialer0
 ip nat outside
ip access-list extended NAT_CONTROL
 ! remark DONT TRANSLATE VPN TRAFFIC
 ! deny ip 192.168.1.0 0.0.0.255
 remark TRANSLATE LAN TRAFFIC TO DIALER0 
 permit ip 10.39.41.0 0.0.0.255 any
route-map INTERNET_NAT permit 1
 match ip address NAT_CONTROL
ip nat inside source route-map INTERNET_NAT interface Dialer0 overload

DHCP Server

Local DHCP Server for LAN

ip dhcp excluded-address 10.39.41.1 10.39.41.99
ip dhcp excluded-address 10.39.41.151 10.39.41.254
ip dhcp pool ht
   import all
   network 10.39.41.0 255.255.255.0
   domain-name ht.local
   default-router 10.39.41.254
   dns-server 192.231.203.132
   dns-server 192.231.203.3
   lease infinite

Authoritative DNS Server for LAN

ip dns server

Refer to Set DNS and ensure the forwarders are working.

ip dhcp pool ht
   no dns-server 192.231.203.132
   no dns-server 192.231.203.3
   dns-server 10.39.41.254
ip dns primary ht.local soa htgw01.ht.local hostmaster@example.com 21600 900 172800 86400

Add some hosts.

ip host myriad.ht.local 10.39.41.1
ip host htgw01.ht.local 10.39.41.254
Warning: Unless you restrict access to the self zone, DNS will be open to OUTSIDE hosts. Self zone access is covered later in the guide.

Zone Based Firewall

Enable logging of dropped packets.

ip inspect log drop-pkt
ip access-list extended ACL_GRE
 permit gre any any

Class Maps

Warning: Ensure you understand the difference between match-all and match-any
class-map type inspect match-all CLASS_ICMP
 match protocol icmp
class-map type inspect match-all CLASS_TCP
 match protocol tcp
class-map type inspect match-all CLASS_UDP
 match protocol udp
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
class-map type inspect match-all CLASS_PPTP
 match protocol pptp

Policy Maps

Note: The order of inspection is important, higher level protocols should be inspected before lower levels.
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_PPTP
  inspect
 class type inspect CLASS_GRE
  pass
 class type inspect CLASS_TCP
  inspect
 class type inspect CLASS_UDP
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_GRE
  pass
 class class-default
  drop log
Tip: To re-order the classes in a policy-map you have to remove the policy-map and re-create it with the correct ordering. Be sure to re-apply the policy to the zone pair afterwards.
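As an added example (not part of the original page), the re-ordering procedure applied to POLICY_INSIDE_TO_OUTSIDE: a hypothetical CLASS_DNS is inserted ahead of CLASS_UDP so DNS gets application-level inspection, and the policy is detached from and re-applied to the zone pair around the rebuild.

```cisco
! Added example: CLASS_DNS is hypothetical, the rest matches the policy above
class-map type inspect match-all CLASS_DNS
 match protocol dns
! 1. Detach the policy from the zone pair. A zone pair with no service-policy
!    drops all INSIDE to OUTSIDE traffic, so do this in a maintenance window.
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 no service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
! 2. Remove the old policy-map and re-create it in the required order
no policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_PPTP
  inspect
 class type inspect CLASS_GRE
  pass
 class type inspect CLASS_DNS
  inspect
 class type inspect CLASS_TCP
  inspect
 class type inspect CLASS_UDP
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
! 3. Re-apply the policy to the zone pair (the step that is easy to forget)
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
end
! 4. Verify the class order and that the zone pair has a policy again
show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE
```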

Security Zones

zone security INSIDE
zone security OUTSIDE

Zone Pairs

Configure Inside to Outside traffic

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_OUTSIDE_TO_INSIDE

Apply Zones to Interfaces

interface vlan 1
 zone-member security INSIDE
interface dialer 0
 zone-member security OUTSIDE

Example Custom Entries

An example of allowing a port from OUTSIDE to an INSIDE server.

ip access-list extended ACL_SUBSONIC
 permit tcp any any eq 4043
class-map type inspect match-all CLASS_SUBSONIC
 match access-group name ACL_SUBSONIC
policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_SUBSONIC
  inspect
ip nat inside source static tcp 10.39.41.1 4043 interface Dialer0 4043

The Self Zone

By default the self zone is a permissive zone so it should be secured. However securing it also means ensuring that services that need to communicate with the self zone are able to, such as routing protocols, VPN protocols etc.

ip access-list extended ACL_REMOTE_MANAGEMENT_V4
 permit tcp host 202.129.80.80 any eq 22
 permit tcp host 103.20.49.138 any eq 22
 deny   tcp any any

Not sure whether this works to log traffic, as testing was inconclusive.

Tip: The last deny has the effect of enabling logging if class-default is set to log
class-map type inspect match-any CLASS_REMOTE_MANAGEMENT
 match access-group name ACL_REMOTE_MANAGEMENT_V4
 !match access-group name ACL_REMOTE_MANAGEMENT_V6
Warning: ICMP is mandatory for IPv6, so ensure the self zone allows it if you are using IPv6.
policy-map type inspect POLICY_OUTSIDE_TO_SELF
 class type inspect CLASS_REMOTE_MANAGEMENT
  pass
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect POLICY_OUTSIDE_TO_SELF
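The page only restricts OUTSIDE to self; as an added example (not from the original page) the same treatment for the LAN side, assuming LAN hosts need DNS, SSH, ICMP and DHCP to reach the router. The class-map, ACL and policy names are my own. Replies from self back to INSIDE are allowed because no self-to-INSIDE zone pair is defined.

```cisco
! Added example: restrict INSIDE to self to the services the LAN actually uses.
! DHCP discovers are sent from port bootpc to port bootps, so match them with an ACL.
ip access-list extended ACL_LAN_TO_SELF_DHCP
 permit udp any eq bootpc any eq bootps
! Stateful inspection for the services the router provides to the LAN
class-map type inspect match-any CLASS_LAN_TO_SELF_INSPECT
 match protocol dns
 match protocol ssh
 match protocol icmp
class-map type inspect match-all CLASS_LAN_TO_SELF_DHCP
 match access-group name ACL_LAN_TO_SELF_DHCP
policy-map type inspect POLICY_INSIDE_TO_SELF
 class type inspect CLASS_LAN_TO_SELF_INSPECT
  inspect
 class type inspect CLASS_LAN_TO_SELF_DHCP
  pass
 class class-default
  drop log
! Once this zone pair exists, anything not matched above is dropped and logged
zone-pair security INSIDE_TO_SELF source INSIDE destination self
 service-policy type inspect POLICY_INSIDE_TO_SELF
```

Check the effect with show policy-map type inspect zone-pair INSIDE_TO_SELF and watch the log for drops before locking down further.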