Cisco 877 Zone Based Firewall

From Bit Binary Wiki
Revision as of 15:22, 30 June 2015 by Jelloir (Talk | contribs)

Warning: This document is in the process of being completed and is not finished

Full configuration overview of a Cisco 877 with IOS Version 12.4(15)T17

Base Configuration

Enable SSH

hostname ROUTER
ip domain-name EXAMPLE.LOCAL
crypto key generate rsa general-keys modulus 1024


ip name-server
ip name-server

Configure Router Access

aaa new-model
aaa session-id common
aaa authentication login local_auth local
enable secret PASSWORD
no enable password
username admin privilege 15 secret PASSWORD
security passwords min-length 6
security authentication failure rate 10 log
login block-for 30 attempts 3 within 30
ip ssh time-out 60
ip ssh authentication-retries 3
line con 0
 login authentication local_auth
 privilege level 15
 exec-timeout 20 0
 transport output all
line aux 0
 login authentication local_auth
 privilege level 15
 exec-timeout 10 0
 transport output all
line vty 0 4
 login authentication local_auth
 transport input ssh
 transport output all
 privilege level 15
 exec-timeout 10 0
Note: Generally we trust connections originating from the router, and may need to run tests from it, so transport output all is used on all lines.

Securing access to the router

Optional, as the same restriction can be applied with the zone-based firewall; see The Self Zone section below.

ip access-list standard MGMT_V4
 deny   any log
line vty 0 4
 access-class MGMT_V4 in

Note: The self zone, which covers traffic to and from the router itself, is permissive by default; securing it is covered in The Self Zone section below.

Set Time Zone and NTP

clock timezone AEDT 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
clock set 19:59:00 Aug 19 2013
sntp server
sntp server
sntp source-interface Vlan1

Configure/Secure Services

no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
service password-encryption
service sequence-numbers
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no cdp run
no ip bootp server
no ip http server
no ip http secure-server
no ip finger
no ip source-route
no ip gratuitous-arps

Create Login Banner

banner login "
* Unauthorised access may be subject to prosecution *
*    under the Crimes Act or State legislation.     *
"

Configure Logging

logging facility local2
logging trap debugging
logging console critical
logging buffered

Secure Interfaces

interface dialer0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no cdp enable
interface Vlan1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
access-list 199 remark UNICAST RPF
access-list 199 permit udp any any eq bootpc
interface dialer0
 ip verify unicast source reachable-via rx allow-default 199

Configure DSL Interface

interface ATM0
 no shutdown
interface ATM0.1 point-to-point
 pvc 8/35
  dialer pool-member 1
  protocol ppp dialer
interface dialer0
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password PASSWORD

Set Default Route

ip route Dialer0

Configure VLAN1

interface Vlan1
 ip address
 ip route-cache cef

Adjust MSS

The TCP Maximum Segment Size (MSS) is clamped on the router so that TCP sessions crossing the PPP link do not exceed the path MTU.

TODO: add a link about MSS for VPNs.

ip tcp adjust-mss 1412

Enable Cisco Express Forwarding

ip cef
Note: Ensure that cef is not disabled per interface.

Configure NAT

interface Vlan1
 ip nat inside
interface Dialer0
 ip nat outside
ip access-list extended NAT_CONTROL
 ! deny ip
 permit ip any
route-map INTERNET_NAT permit 1
 match ip address NAT_CONTROL
ip nat inside source route-map INTERNET_NAT interface Dialer0 overload

DHCP Server

Local DHCP Server for LAN

ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool ht
   import all
   domain-name ht.local
   lease infinite

Authoritative DNS Server for LAN

ip dns server

Refer to Set DNS and ensure forwarders are working.

ip dhcp pool ht
   no dns-server
   no dns-server
ip dns primary ht.local soa 21600 900 172800 86400

Add some hosts.

ip host
ip host
Warning: Unless you restrict access to the self zone, DNS will be open to OUTSIDE hosts; self-zone access is covered later in the guide.

Zone Based Firewall

Enable logging of dropped packets.

ip inspect log drop-pkt
ip access-list extended ACL_GRE
 permit gre any any

Class Maps

Warning: Ensure you understand the difference between match-all and match-any: a match-all class matches only traffic that satisfies every match statement, whereas a match-any class matches traffic that satisfies any one of them.
class-map type inspect match-all CLASS_ICMP
 match protocol icmp
class-map type inspect match-all CLASS_TCP
 match protocol tcp
class-map type inspect match-all CLASS_UDP
 match protocol udp
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE
class-map type inspect match-all CLASS_PPTP
 match protocol pptp

Policy Maps

Note: The order of inspection is important: higher-level protocols (such as PPTP) must be listed before the lower-level classes (such as TCP) that would otherwise match them first. Each class needs an action; GRE cannot be stateful-inspected, so it is passed in both directions.
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_PPTP
  inspect
 class type inspect CLASS_GRE
  pass
 class type inspect CLASS_TCP
  inspect
 class type inspect CLASS_UDP
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_GRE
  pass
 class class-default
  drop log
Tip: Classes cannot be re-ordered in place. To change the order you have to remove the policy-map and re-create it with the classes in the correct order, and you must then re-attach the policy to its zone pair with service-policy.
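A worked example of that re-ordering, added here and not part of the original page: it assumes POLICY_INSIDE_TO_OUTSIDE was entered with CLASS_TCP ahead of CLASS_PPTP, so the PPTP class never matches anything. The policy is detached from its zone pair, deleted, re-created in the intended order, re-attached, and then verified with show commands.

```cisco
! Step 1: detach the policy from the zone pair so the policy-map can be removed.
! While it is detached the zone pair has no policy, so INSIDE -> OUTSIDE
! traffic is dropped until step 4 is complete.
configure terminal
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 no service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
exit
! Step 2: delete the mis-ordered policy-map (a class added later always
! lands at the end, so the order cannot be fixed in place)
no policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
! Step 3: re-create it with the most specific classes first
policy-map type inspect POLICY_INSIDE_TO_OUTSIDE
 class type inspect CLASS_PPTP
  inspect
 class type inspect CLASS_GRE
  pass
 class type inspect CLASS_TCP
  inspect
 class type inspect CLASS_UDP
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
exit
! Step 4: re-attach the policy to the zone pair (the step that is easy to forget)
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
end
! Step 5: verify the class order and that the policy is attached;
! the sessions view confirms new flows are being inspected again
show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE
show zone-pair security
show policy-map type inspect zone-pair INSIDE_TO_OUTSIDE sessions
```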

Security Zones

zone security INSIDE
zone security OUTSIDE

Zone Pairs

Configure Inside to Outside traffic

zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_INSIDE_TO_OUTSIDE
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_OUTSIDE_TO_INSIDE

Apply Zones to Interfaces

interface vlan 1
 zone-member security INSIDE
interface dialer 0
 zone-member security OUTSIDE

Example Custom Entries

An example of allowing a port from OUTSIDE to an INSIDE server.

ip access-list extended ACL_SUBSONIC
 permit tcp any any eq 4043
class-map type inspect match-all CLASS_SUBSONIC
 match access-group name ACL_SUBSONIC
policy-map type inspect POLICY_OUTSIDE_TO_INSIDE
 class type inspect CLASS_SUBSONIC
  inspect
ip nat inside source static tcp 4043 interface Dialer0 4043

The Self Zone

By default the self zone is a permissive zone, so it should be secured. However, securing it also means ensuring that services that need to communicate with the self zone, such as routing protocols and VPN protocols, are still able to.

ip access-list extended ACL_REMOTE_MANAGEMENT_V4
 permit tcp host any eq 22
 permit tcp host any eq 22

Not sure whether this works to log traffic, as testing was inconclusive.

 deny   tcp any any
Tip: The last deny has the effect of enabling logging if class-default is set to log
class-map type inspect match-any CLASS_REMOTE_MANAGEMENT
 match access-group name ACL_REMOTE_MANAGEMENT_V4
 !match access-group name ACL_REMOTE_MANAGEMENT_V6
Warning: ICMP is mandatory for IPv6, so ensure the self zone allows it if you're using IPv6.
policy-map type inspect POLICY_OUTSIDE_TO_SELF
 class type inspect CLASS_REMOTE_MANAGEMENT
  inspect
 class type inspect CLASS_ICMP
  inspect
 class class-default
  drop log
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect POLICY_OUTSIDE_TO_SELF