Cisconinja’s Blog

Reflexive ACLs, Classic IOS Firewall (CBAC), and Zone-Based Policy Firewall

Posted by Andy on December 21, 2008

This post shows a simple configuration using reflexive ACLs, the Cisco IOS ‘classic’ firewall (CBAC), and the newer zone-based policy firewall to accomplish the same thing. Although each of these technologies has significant differences, the example is only designed to show a basic configuration of each for comparison. The topology and initial configurations are shown below:

(image: fw-topology4, the lab topology)

hostname FW
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet1/1
 ip address 10.1.1.1 255.255.255.0
 duplex full
 speed 100


hostname Inside
!
no ip domain lookup
ip host Outside 10.1.1.2
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
line vty 0 4
 privilege level 15
 no login


hostname Outside
!
no ip domain lookup
ip host Inside 192.168.1.2
!
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 duplex full
 speed 100
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
line vty 0 4
 privilege level 15
 no login

For this example, we want to be able to initiate telnet connections from Inside to Outside, and allow Outside to respond only if the connection was initiated from Inside. All other traffic should be denied. We will create a configuration that meets these requirements using each of the three technologies mentioned above, starting each one from the base configs shown above.


Reflexive ACL Configuration

FW:
ip access-list extended InsideACL
 permit tcp 192.168.1.0 0.0.0.255 gt 1024 10.1.1.0 0.0.0.255 eq telnet reflect TelnetResponse
 deny ip any any log
!
ip access-list extended OutsideACL
 evaluate TelnetResponse
 deny ip any any log
!
interface FastEthernet1/0
 ip access-group InsideACL in
!
interface FastEthernet1/1
 ip access-group OutsideACL in


The above configuration creates an ACL named InsideACL which allows telnet traffic from Inside to Outside. Any traffic permitted by that entry causes a temporary entry to be created in the reflexive ACL named TelnetResponse, with the source and destination addresses and port numbers reversed. All other traffic from Inside is denied and logged. An ACL named OutsideACL is also created, which first evaluates the reflexive ACL; anything not permitted by the reflexive ACL is denied and logged. Let’s test it out. Outside attempting to telnet to Inside is denied and generates a log message on FW:
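To make the mechanism concrete, here is a small Python model of the two ACLs above. It is an added illustration, not IOS code and not from the original post: it implements the InsideACL permit entry with its reflect action, the temporary TelnetResponse entries with addresses and ports reversed, the evaluate step in OutsideACL, and removal of the entry when the TCP session is torn down. The Packet class, the ReflexiveFirewall class and the run_scenario function are constructed for this example; the addresses and port numbers are those of the lab topology.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    teardown: bool = False  # TCP FIN/RST seen: IOS removes the reflexive entry


INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")   # 192.168.1.0 0.0.0.255
OUTSIDE_NET = ipaddress.ip_network("10.1.1.0/24")     # 10.1.1.0 0.0.0.255
TELNET = 23


class ReflexiveFirewall:
    """Models InsideACL (inbound on F1/0) and OutsideACL (inbound on F1/1)."""

    def __init__(self):
        # TelnetResponse: temporary entries keyed by (proto, src, sport, dst, dport),
        # stored already reversed, i.e. in the Outside -> Inside direction.
        self.telnet_response = set()
        self.log = []   # stands in for the "deny ip any any log" syslog messages

    def inside_acl(self, pkt):
        """permit tcp 192.168.1.0/24 gt 1024 10.1.1.0/24 eq telnet reflect TelnetResponse
        deny ip any any log"""
        if (pkt.proto == "tcp"
                and ipaddress.ip_address(pkt.src) in INSIDE_NET
                and pkt.sport > 1024
                and ipaddress.ip_address(pkt.dst) in OUTSIDE_NET
                and pkt.dport == TELNET):
            mirror = ("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if pkt.teardown:
                self.telnet_response.discard(mirror)
            else:
                self.telnet_response.add(mirror)
            return True
        self.log.append(f"InsideACL denied {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False

    def outside_acl(self, pkt):
        """evaluate TelnetResponse
        deny ip any any log"""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.telnet_response:
            if pkt.teardown:
                self.telnet_response.discard(key)
            return True
        self.log.append(f"OutsideACL denied {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False


def run_scenario():
    """Replays the tests from the post plus a few edge cases; returns the verdicts."""
    fw = ReflexiveFirewall()
    results = {}
    # Outside -> Inside telnet with no Inside-initiated session: denied and logged
    results["outside_initiated"] = fw.outside_acl(Packet("tcp", "10.1.1.2", 40000, "192.168.1.2", TELNET))
    # Inside -> Outside telnet: permitted, and the mirrored entry is created
    results["inside_initiated"] = fw.inside_acl(Packet("tcp", "192.168.1.2", 11001, "10.1.1.2", TELNET))
    results["mirror_entry"] = ("tcp", "10.1.1.2", TELNET, "192.168.1.2", 11001) in fw.telnet_response
    # Outside's reply on the mirrored 5-tuple: permitted by the evaluate entry
    results["reply"] = fw.outside_acl(Packet("tcp", "10.1.1.2", TELNET, "192.168.1.2", 11001))
    # Same Outside host, but an Inside port that was never opened: denied
    results["wrong_port"] = fw.outside_acl(Packet("tcp", "10.1.1.2", TELNET, "192.168.1.2", 11002))
    # Inside using a privileged source port fails the "gt 1024" match: denied
    results["low_sport"] = fw.inside_acl(Packet("tcp", "192.168.1.2", 1023, "10.1.1.2", TELNET))
    # Teardown (FIN/RST) removes the temporary entry, so a later reply is denied
    fw.outside_acl(Packet("tcp", "10.1.1.2", TELNET, "192.168.1.2", 11001, teardown=True))
    results["after_teardown"] = fw.outside_acl(Packet("tcp", "10.1.1.2", TELNET, "192.168.1.2", 11001))
    results["log_entries"] = len(fw.log)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

One thing the model leaves out: IOS also ages reflexive entries out after an idle timeout (set globally with ip reflexive-list timeout, or per entry with the timeout keyword on the reflect statement), so the return traffic of a long-idle session can be dropped even though no FIN or RST was ever seen.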

(image: outsidetelnettest)

(image: outsidedeniedatfw2)

Inside attempting to telnet to Outside is successful:

(image: reflexiveacl-insidetelnet)

We can also view the reflexive ACL entry that was created on FW when we telnetted from Inside to Outside:

(image: reflexiveacl1)


Classic IOS Firewall / CBAC

FW:
ip access-list extended InsideACL
 permit tcp 192.168.1.0 0.0.0.255 gt 1024 10.1.1.0 0.0.0.255 eq telnet
 deny ip any any log
!
ip access-list extended OutsideACL
 deny ip any any log
!
ip inspect name AllowTelnet telnet
!
interface FastEthernet1/0
 ip access-group InsideACL in
 ip inspect AllowTelnet in
!
interface FastEthernet1/1
 ip access-group OutsideACL in

The above configuration creates an ACL named InsideACL which allows telnet traffic from Inside to Outside and denies everything else. Next, it creates an ACL named OutsideACL which denies everything coming from Outside. It also creates an inspection rule named AllowTelnet which inspects telnet traffic from Inside to Outside and allows the response traffic from Outside, which OutsideACL would otherwise have denied. Let’s test out the CBAC configuration. Outside attempting to telnet to Inside is denied again and generates a log message on FW:

(image: outsidetelnettest2)

(image: outsidedeniedatfw3)

Inside attempting to telnet to Outside is successful:

(image: reflexiveacl-insidetelnet1)

We can view information about the telnet connection in the session table on FW:

(image: cbac-sessiontable)


Zone-Based Policy Firewall

FW:
zone security Inside
!
zone security Outside
!
interface FastEthernet1/0
 zone-member security Inside
!
interface FastEthernet1/1
 zone-member security Outside
!
class-map type inspect match-all TelnetClass
 match protocol telnet
!
policy-map type inspect AllowTelnet
 class type inspect TelnetClass
  inspect
!
zone-pair security Inside-Outside source Inside destination Outside
 service-policy type inspect AllowTelnet

The above configuration creates the security zones Inside and Outside and places F1/0 into Inside and F1/1 into Outside. Next, it creates the class-map TelnetClass, which matches telnet traffic, and the policy-map AllowTelnet, which specifies that telnet traffic should be inspected in order to allow return traffic. With the zone-based firewall, all traffic between different zones is denied by default, so no ACLs are necessary. The last step is to create a zone pair named Inside-Outside with Inside as the source and Outside as the destination and apply our policy-map to it. Let’s test the zone-based firewall configuration. Outside attempting to telnet to Inside is denied, just like in the previous two examples:
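The Python model below is an added illustration (not IOS code, and not from the original post) of how the zone-based configuration above reaches its verdicts: interfaces map to zones, the egress interface is found from the connected routes so the destination zone is known, traffic between two zones that have no zone-pair is dropped, traffic matching TelnetClass on the Inside-Outside pair is inspected and recorded in a session table, and the return traffic is permitted only because it matches that session. The ZoneFirewall class, the run_scenario function and the string verdicts are constructed for this example; the session-table idea is the same one the CBAC ip inspect rule relies on in the previous section.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str   # interface the packet arrived on


# interface -> zone, from the "zone-member security" statements
ZONE_OF = {"FastEthernet1/0": "Inside", "FastEthernet1/1": "Outside"}
# connected routes of FW, used to find the egress interface (and so the destination zone)
ROUTES = {ipaddress.ip_network("192.168.1.0/24"): "FastEthernet1/0",
          ipaddress.ip_network("10.1.1.0/24"): "FastEthernet1/1"}
# zone-pair -> policy-map, expressed as {matched protocol: action}; anything else hits class-default
ZONE_PAIRS = {("Inside", "Outside"): {"telnet": "inspect"}}


def egress_interface(dst):
    """Longest-match lookup is unnecessary here: the two connected routes do not overlap."""
    addr = ipaddress.ip_address(dst)
    for net, intf in ROUTES.items():
        if addr in net:
            return intf
    return None


def classify(pkt):
    """'match protocol telnet' in class-map TelnetClass: TCP to port 23."""
    if pkt.proto == "tcp" and pkt.dport == 23:
        return "telnet"
    return None


class ZoneFirewall:
    def __init__(self):
        self.sessions = set()   # inspected connections, keyed by their forward 5-tuple

    def forward(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an already-inspected session, in either direction, match the session table
        if key in self.sessions or reverse in self.sessions:
            return "permit (session)"
        egress = egress_interface(pkt.dst)
        if egress is None:
            return "drop (no route)"
        src_zone, dst_zone = ZONE_OF[pkt.ingress], ZONE_OF[egress]
        # Traffic between interfaces of the same zone is allowed by default
        if src_zone == dst_zone:
            return "permit (intra-zone)"
        # No zone-pair for this direction means the default inter-zone deny applies
        policy = ZONE_PAIRS.get((src_zone, dst_zone))
        if policy is None:
            return "drop (no zone-pair)"
        action = policy.get(classify(pkt), "drop")
        if action == "inspect":
            self.sessions.add(key)
            return "permit (inspect)"
        if action == "pass":
            return "permit (pass)"
        return "drop (class-default)"


def run_scenario():
    """Replays the post's two tests plus an Inside-initiated SSH attempt; returns the verdicts."""
    fw = ZoneFirewall()
    results = {}
    # Outside -> Inside telnet: no Outside-Inside zone-pair exists, so it is dropped
    results["outside_initiated"] = fw.forward(Packet("tcp", "10.1.1.2", 40000, "192.168.1.2", 23, "FastEthernet1/1"))
    # Inside -> Outside telnet: matches TelnetClass on the Inside-Outside pair and is inspected
    results["inside_initiated"] = fw.forward(Packet("tcp", "192.168.1.2", 11001, "10.1.1.2", 23, "FastEthernet1/0"))
    # Outside's reply: permitted only because it matches the inspected session
    results["reply"] = fw.forward(Packet("tcp", "10.1.1.2", 23, "192.168.1.2", 11001, "FastEthernet1/1"))
    # Inside -> Outside SSH: the zone-pair exists but nothing matches, so class-default drops it
    results["inside_ssh"] = fw.forward(Packet("tcp", "192.168.1.2", 11002, "10.1.1.2", 22, "FastEthernet1/0"))
    results["sessions"] = len(fw.sessions)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The inside_ssh case is the practical difference from the ACL-based versions: with the zone-based firewall, nothing is permitted that the policy-map does not explicitly inspect or pass, so there is no "deny ip any any" to forget.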

(image: outsidetelnettest3)

Inside attempting to telnet to Outside is successful:

(image: reflexiveacl-insidetelnet2)

Just as with CBAC, we can view information about the telnet session:

(image: zbfw-sessiontable1)

Posted in ACL, Security