So far the VPN topology has come along pretty well. There have been a few things that need to be put into OneNote, but it's all good learning. Now it's time to implement a zone-based firewall (ZBFW), which is totally new to me. I have been reading this book:
It's short and easy to read. Definitely worth picking up. Anyway, this is the part of the topology we are looking at:
There is a bit of overlap with the ASAs, in so much as we still have access-lists, but instead of assigning the ACLs to an interface we assign the interfaces to "zones", then apply an inspection policy to a pair of zones, and that policy in turn calls the ACL. This is the very simplified version; check out Ivan's book (above) for a much better write-up.
IOS routers come with one default zone, called "self":
ZBF(config)#int gi0/0
ZBF(config-if)#zone-member ?
  security  Security zone
ZBF(config-if)#zone-member security ?
  self  System defined Zone
ZBF(config-if)#exit

This zone is for traffic to and from the router itself: management, routing protocols, that kind of stuff. We will get to those later; for the moment, we will create our own.
Creating ZBFW zones:
We need two zones. Keeping in the language of the ASA, we'll call these "Inside" and "Outside":

ZBF(config)#zone security Inside
ZBF(config-sec-zone)#exit
ZBF(config)#zone security Outside
ZBF(config-sec-zone)#exit
ZBF(config)#

Next, we need to assign our interfaces to zones:
ZBF(config)#int gi 0/0
ZBF(config-if)#zone-member security ?
  self     System defined Zone
  Inside
  Outside
ZBF(config-if)#zone-member security Inside
ZBF(config-if)#exit
ZBF(config)#int gi 0/1
ZBF(config-if)#zone-member security Outside
ZBF(config-if)#exit
ZBF(config)#

The next stage is to start creating the inspect rules. So, what traffic do we need to permit? I am going to be very strict here: no "permit ip any any"; instead everything will be source, destination, protocol and port specific (and in the correct direction), apart from the ping. So, let's define the traffic:
- Permit OSPF between ZBF and EzVPN-Server
- Permit OSPF between ZBF and GDOI-Server
- Permit BGP between EzVPN-Server and GDOI-Server
- Permit EasyVPN between GDOI-G1 and EzVPN-Server
- Permit FlexVPN between Flex-CA and GDOI-Server
- Permit ping
First of all, now that we have our zones and have assigned the interfaces, let's see the effect this has on our basic connectivity. Really I am looking to see whether we can form an OSPF adjacency between the two routers. We have not set up any inspection policy to or from the "self" zone, so will it or won't it?
EzVPN-Server#sh run | s router o
router ospf 1
 router-id 6.6.6.6
 area 1 authentication message-digest
 network 6.6.6.6 0.0.0.0 area 1
 network 10.1.9.0 0.0.0.255 area 1
EzVPN-Server#conf t
EzVPN-Server(config)#router ospf 1
EzVPN-Server(config-router)#network 10.1.10.0 0.0.0.255 area 1
*Jul 5: %OSPF-4-NOVALIDKEY: No valid authentication send key is available on interface GigabitEthernet0/0
EzVPN-Server(config-router)#int gi 0/0
EzVPN-Server(config-if)#ip ospf authen message-digest
EzVPN-Server(config-if)#ip ospf message-digest-key 1 md5 cisco
EzVPN-Server(config-if)#

ZBF(config)#router ospf 1
ZBF(config-router)#router-id 10.1.10.1
ZBF(config-router)#network 10.1.10.0 0.0.0.255 area 1
ZBF(config-router)#area 1 authentication message-digest
ZBF(config-router)#int gi0/0
ZBF(config-if)#ip ospf authen mess
ZBF(config-if)#ip ospf mess 1 md5 cisco
ZBF(config-if)#
*Jul 5: %OSPF-5-ADJCHG: Process 1, Nbr 6.6.6.6 on GigabitEthernet0/0 from LOADING to FULL, Loading Done
ZBF(config-if)#

OK, so that's fine, the OSPF adjacency forms. That is the expected default behaviour: traffic to and from the self zone is permitted until a zone-pair involving self is configured, so the router's own OSPF packets are untouched for now. What about between ZBF and the GDOI-Server?
ZBF(config-if)#int gi0/1
ZBF(config-if)#ip ospf authen mess
ZBF(config-if)#ip ospf mess 1 md5 cisco
ZBF(config-if)#router ospf 1
ZBF(config-router)#network 10.1.11.0 0.0.0.255 area 1
ZBF(config-router)#

GDOI-Server#conf t
GDOI-Server(config)#router ospf 1
GDOI-Server(config-router)#router-id 7.7.7.7
GDOI-Server(config-router)#area 1 authen message
GDOI-Server(config-router)#network 7.7.7.7 0.0.0.0 area 1
GDOI-Server(config-router)#network 10.1.11.0 0.0.0.255 area 1
GDOI-Server(config-router)#exit
GDOI-Server(config)#int gi 0/1
GDOI-Server(config-if)#ip ospf authen message
GDOI-Server(config-if)#ip ospf mess 1 md5 cisco
GDOI-Server(config-if)#
*Jul 5: %OSPF-5-ADJCHG: Process 1, Nbr 10.1.10.1 on GigabitEthernet0/1 from LOADING to FULL, Loading Done
GDOI-Server(config-if)#

Again, no problem. Can EzVPN-Server see 7.7.7.7 and reach it?
EzVPN-Server(config-if)#do sh ip route ospf | b Gate
Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 10.1.9.2, 01:11:34, GigabitEthernet0/3
      4.0.0.0/32 is subnetted, 1 subnets
O IA     4.4.4.4 [110/14] via 10.1.9.2, 00:07:16, GigabitEthernet0/3
      5.0.0.0/32 is subnetted, 1 subnets
O        5.5.5.5 [110/3] via 10.1.9.2, 3d16h, GigabitEthernet0/3
      7.0.0.0/32 is subnetted, 1 subnets
O        7.7.7.7 [110/3] via 10.1.10.1, 00:01:09, GigabitEthernet0/0
      10.0.0.0/8 is variably subnetted, 9 subnets, 2 masks
O        10.1.7.0/24 [110/2] via 10.1.9.2, 3d20h, GigabitEthernet0/3
O        10.1.8.0/24 [110/2] via 10.1.9.2, 3d20h, GigabitEthernet0/3
O        10.1.11.0/24 [110/2] via 10.1.10.1, 00:02:50, GigabitEthernet0/0
O        10.1.16.0/24 [110/3] via 10.1.9.2, 16:14:03, GigabitEthernet0/3
O        10.1.26.0/24 [110/3] via 10.1.9.2, 14:09:15, GigabitEthernet0/3
      80.0.0.0/32 is subnetted, 1 subnets
O IA     80.2.10.1 [110/15] via 10.1.9.2, 00:11:22, GigabitEthernet0/3
EzVPN-Server(config-if)#do ping 7.7.7.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
EzVPN-Server(config-if)#

Control plane good, data plane not so much. This is what we want to see: the zones are doing their thing. The router's own OSPF traffic (self zone) is still permitted, so the routes are learnt, but there is no zone-pair between Inside and Outside yet, and traffic between two zones with no zone-pair is dropped. That should also mean that any attempt to form a BGP peering between the GDOI-Server and the EzVPN-Server will fail:
EzVPN-Server(config)#router bgp 101
EzVPN-Server(config-router)#bgp router-id 6.6.6.6
EzVPN-Server(config-router)#neighbor 7.7.7.7 remote-as 101
EzVPN-Server(config-router)#neighbor 7.7.7.7 ebgp-multihop 3
EzVPN-Server(config-router)#

GDOI-Server(config)#router bgp 101
GDOI-Server(config-router)#bgp router-id 7.7.7.7
GDOI-Server(config-router)#neigh 6.6.6.6 remote-as 101
GDOI-Server(config-router)#neigh 6.6.6.6 ebgp-multihop 3
GDOI-Server(config-router)#

Despite waiting some time, a BGP peering did not form. (Both routers are in AS 101, so this is iBGP and the ebgp-multihop lines have no effect either way; they are not what is holding things up.) Let's give it a helping hand, first by creating a couple of ACLs (101 will be our Outside->Inside, 102 will be Inside->Outside), then setting up the class-maps and policy-maps:
ZBF(config)#access-list 101 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
ZBF(config)#access-list 102 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp
ZBF(config)#!
ZBF(config)#! - Creating class-maps
ZBF(config)#!
ZBF(config)#class-map type inspect match-all Outside->In
ZBF(config-cmap)#match access-group 101
ZBF(config-cmap)#exit
ZBF(config)#class-map type inspect match-all In->Outside
ZBF(config-cmap)#match access-group 102
ZBF(config-cmap)#exit
ZBF(config)#!
ZBF(config)#! - Create policy-maps
ZBF(config)#!
ZBF(config)#policy-map type inspect Incoming-traffic
ZBF(config-pmap)#class type inspect Outside->In
ZBF(config-pmap-c)#inspect
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#class class-default
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#exit
ZBF(config)#policy-map type inspect Outgoing-traffic
ZBF(config-pmap)#class type inspect In->Outside
ZBF(config-pmap-c)#inspect
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#class class-default
ZBF(config-pmap-c)#exit
ZBF(config-pmap)#exit
ZBF(config)#

The class-default in each policy-map is left at its default action, which for an inspect policy-map is drop, so anything the ACL does not match is still denied. These policy-maps then need to be assigned to a zone-pair, which specifies the source and destination zones we set up earlier:
ZBF(config)#zone-pair security Out-In source Outside destination Inside
ZBF(config-sec-zone-pair)#service-policy type inspect Incoming-traffic
ZBF(config-sec-zone-pair)#exit
ZBF(config)#zone-pair security In-Out source Inside destination Outside
ZBF(config-sec-zone-pair)#service-policy type inspect Outgoing-traffic
ZBF(config-sec-zone-pair)#exit
ZBF(config)#

Still no BGP peering though, so let's enable some debugging:
EzVPN-Server#debug ip bgp
BGP debugging is on for address family: IPv4 Unicast
EzVPN-Server#
*Jul 5: BGP: ses global 7.7.7.7 (0xCAE44A8:0) act Reset (Active open failed).
*Jul 5: BGP: 7.7.7.7 active went from Active to Idle
*Jul 5: BGP: nbr global 7.7.7.7 Active open failed - open timer running
*Jul 5: BGP: nbr global 7.7.7.7 Active open failed - open timer running
*Jul 5: BGP: 7.7.7.7 active went from Idle to Active
*Jul 5: BGP: 7.7.7.7 open active, local address 10.1.10.6

We are trying to peer with the loopback address, but from the wrong source: the TCP session is sourced from the gi0/0 address 10.1.10.6 rather than from 6.6.6.6, so it never matches ACL 102 and the ZBFW drops it (and even if it got through, GDOI-Server only knows a neighbour at 6.6.6.6). Let's fix BGP:
EzVPN-Server(config)#router bgp 101
EzVPN-Server(config-router)#neigh 7.7.7.7 update-source lo0
EzVPN-Server(config-router)#

GDOI-Server(config)#router bgp 101
GDOI-Server(config-router)#neigh 6.6.6.6 update lo0
GDOI-Server(config-router)#
*Jul 5: %BGP-5-NBR_RESET: Neighbor 6.6.6.6 active reset (BGP Notification sent)
*Jul 5: %BGP-5-ADJCHANGE: neighbor 6.6.6.6 Up
GDOI-Server(config-router)#

Straight away we can see a BGP peering form. We only get hits on ACL 102 though:
ZBF#sh access-lists
Extended IP access list 101
    10 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
Extended IP access list 102
    10 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp (1 match)
ZBF#

That is the stateful inspection at work rather than a problem: EzVPN-Server opened the TCP session, so the SYN towards 7.7.7.7 port 179 matched ACL 102 and "inspect" created a session entry. The return packets from 7.7.7.7 are matched against that session, not against ACL 101, which would only count a hit if GDOI-Server had been the one to initiate. Next, let's open up ICMP so that we have something to test with. At the moment we have no way of checking whether hosts are reachable or not:
GDOI-Server(config-router)#do ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
GDOI-Server(config-router)#

ZBF(config)#access-list 101 permit icmp any any
ZBF(config)#access-list 102 permit icmp any any
ZBF(config)#

GDOI-Server(config-router)#do ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/9 ms
GDOI-Server(config-router)#

EzVPN-Server(config-router)#do ping 7.7.7.7 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
Packet sent with a source address of 6.6.6.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/7 ms
EzVPN-Server(config-router)#

ZBF(config)#do sh access-lists
Extended IP access list 101
    10 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
    20 permit icmp any any (2 matches)
Extended IP access list 102
    10 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp (1 match)
    20 permit icmp any any (1 match)
ZBF(config)#

We can now see ACL hits from both sides. ("permit icmp any any" is the one deliberate exception to the strict rules; once the lab is stable it can be narrowed to echo between the specific hosts.) OK, nothing too hard here, but also not much else to add until we set up the rest of the network; then we can add rules for the other VPNs.
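Here is the whole two-zone build collected into one configuration, as an added example rather than the post's own config. The zone, class-map, policy-map and zone-pair names are the ones used above; the interface descriptions, the ICMP rules narrowed to echo between the two loopbacks, the "drop log" on class-default and the verification commands at the end are my additions and assumptions, not from the post.

```cisco
! Added example (not the original post's running-config): the two-zone
! ZBFW built above in one place, with the rules tightened.
! Assumptions not taken from the post: interface descriptions, ICMP
! limited to echo between the loopbacks, "drop log" on class-default.
!
! --- Zones ------------------------------------------------------------
zone security Inside
zone security Outside
!
interface GigabitEthernet0/0
 description To EzVPN-Server (10.1.10.0/24)
 zone-member security Inside
!
interface GigabitEthernet0/1
 description To GDOI-Server (10.1.11.0/24)
 zone-member security Outside
!
! --- Traffic definitions ---------------------------------------------
! BGP peers on their loopbacks. "eq bgp" is the DESTINATION port: the
! initiator's source port is ephemeral, so each direction only needs to
! permit the opening SYN towards port 179 of the peer. Inspection tracks
! the session and lets the return packets through, which is why the ACL
! for the other direction shows no hits for that session.
access-list 101 remark Outside->Inside: GDOI-Server initiating to EzVPN-Server
access-list 101 permit tcp host 7.7.7.7 host 6.6.6.6 eq bgp
access-list 101 remark ICMP echo only, between the two loopbacks (not "any any")
access-list 101 permit icmp host 7.7.7.7 host 6.6.6.6 echo
!
access-list 102 remark Inside->Outside: EzVPN-Server initiating to GDOI-Server
access-list 102 permit tcp host 6.6.6.6 host 7.7.7.7 eq bgp
access-list 102 permit icmp host 6.6.6.6 host 7.7.7.7 echo
!
! --- Class-maps -------------------------------------------------------
class-map type inspect match-all Outside->In
 match access-group 101
class-map type inspect match-all In->Outside
 match access-group 102
!
! --- Policy-maps -------------------------------------------------------
! class-default in an inspect policy-map drops silently by default;
! "drop log" keeps the drop but records it in syslog, so a rule that is
! missing or pointing the wrong way shows up instead of just timing out.
policy-map type inspect Incoming-traffic
 class type inspect Outside->In
  inspect
 class class-default
  drop log
!
policy-map type inspect Outgoing-traffic
 class type inspect In->Outside
  inspect
 class class-default
  drop log
!
! --- Zone-pairs --------------------------------------------------------
! Without a zone-pair, traffic between Inside and Outside is dropped;
! traffic to/from the router's own "self" zone stays permitted until a
! zone-pair involving self is configured (not done here).
zone-pair security Out-In source Outside destination Inside
 service-policy type inspect Incoming-traffic
zone-pair security In-Out source Inside destination Outside
 service-policy type inspect Outgoing-traffic
!
! --- Verification (exec mode) -----------------------------------------
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair sessions
! show access-lists
```

The session table from "show policy-map type inspect zone-pair sessions" is the thing to look at when an ACL counter stays at zero: a BGP or ICMP session listed under one zone-pair explains why the ACL on the other zone-pair never increments.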
So, I'll just add a bit of security to BGP, and then a few notes to summarize ZBFW.
EzVPN-Server(config-router)#neigh 7.7.7.7 password cisco
GDOI-Server(config-router)#neigh 6.6.6.6 password cisco

This turns on TCP MD5 authentication (RFC 2385) for the BGP session; the password has to match on both sides, and "cisco" is obviously a lab value only.
ZBFW: Quick reference

!
! Create zones:
!
zone security <Zone-Name>
!
! Assign zone:
!
int gi0/0
 zone-member security <Zone-Name>
!
! Create service-policy (the ACL here is a placeholder; make it as specific as the traffic allows):
!
access-list 101 permit ip any any
class-map type inspect match-all <CM-Name>
 match access-group 101
policy-map type inspect <PM-Name>
 class type inspect <CM-Name>
  inspect
  exit
 class class-default
  exit
 exit
!
! Assign source and destination zones to the service policy:
!
zone-pair security <pair-name> source <source zone> destination <destination zone>
 service-policy type inspect <PM-Name>

So, what's left? Well, we have (in order of easiness):
- GET VPN
- EasyVPN
- FlexVPN