Backgroound Image

Cisco ISR Project – Router access rules (9 of ?)

Now that most connectivity has been configured the next step will be creating access rules to restrict access as needed, as well as grant access where needed.  This is going to primarily apply to the branch routers, but the HQ routers can (and should) be configured similarly.

Before we get into what that means let’s cover how this is going to work.

Much to my chagrin, gone are the days of the “permit any any established” rules.  Those have been replaced with packet inspection to perform the stateful firewall feature.  What this means is that inbound packets are inspected to see if they match an existing outbound flow.  If the traffic is part of an established flow then it is allowed.  If not, then it’s dropped.

This gets a bit more complicated with the addition of the Zone-based Firewall (ZBF) in the ISR.  Instead of applying rules to the interface they are applied to the zone pairs.

Here’s the high level flow.

  1. Class maps are created (and specify ACLs as needed)
  2. Policy maps are created (and specify class maps as needed)
  3. Security zones are created
  4. Zone pairs are created, with source and destination specified, then the policy map is applied
  5. Interfaces are assigned to security zones
  6. ACLs are created for traffic definitions

Maybe a diagram will help.  This diagram shows the commands needed to allow traffic to flow from the inside IP range of 10.0.0.0/8 from the inside interface Gi0/0/0 to any IP on the outside interface Gi0/0/1.  Lines in red are the commands.

Access Control

For the ISR deployment there are a number of rules that we need to allow for the creation of VPN tunnels on the external interfaces.  Now, let’s get to what the basic config will look like.

This is all CLI commands, so you will need to be at a config prompt.  The first command is simply logging packets that are dropped by the policies.

parameter-map type inspect global

 log dropped-packets

The next step will be class maps.  There are five maps, inside to outisde, and then both pass and inspect traffic between the outside and the router.

class-map type inspect match-any Inside-Outside-Class

    match protocol ftp

    match protocol icmp

    match protocol udp

    match protocol tcp

class-map type inspect match-any Inspect-ACL-Out-Class

    match access-group name ACL-RTR-Out

class-map type inspect match-any PASS-ACL-In-Class

    match access-group name ESP-In

    match access-group name GRE-In

class-map type inspect match-any PASS-ACL-Out-Class

    match access-group name ESP-Out

class-map type inspect match-any Inspect-ACL-In-Class

    match access-group name ACL-RTR-In

Next comes the policy maps.  These are the policies that specify the classes that were just created.

Policy-map type inspect Inside-Outside-Policy

    class type inspect Inside-Outside-Class

    inspect

    class class-default

    drop

Policy-map type inspect ACL-In-Policy

    class type inspect Inspect-ACL-In-Class

    inspect

    class type inspect PASS-ACL-In-Class

    pass

    class class-default

    drop

Policy-map type inspect ACL-Out-Policy

    class type inspect Inspect-ACL-Out-Class

    inspect

    class type inspect PASS-ACL-Out-Class

    pass

    class class-default

    drop

By looking at the policies it’s easy to see that we will be passing inbound ESP and GRE traffic (the ACLs will follow), as well as outbound ESP traffic.  Everything else that is allowed through the ACLs will be inspected.

The next step will be to create the security zones for the ZBF.

zone security Internet

zone security MPLS

zone security default

For now we are just creating a zone for each connection type.  More zones will be added later as the config is built out.

Now that the zones are created we create zone pairs, which link a source and destination zone and apply one of the policies that were created to the traffic between those zones.  One thing to be aware of is the router itself uses the “Self” zone.  That means that traffic to the router will use the “Self” zone, so we can use that in the zone pairs.

zone-pair security Router-Internet source self destination Internet

    service-Policy type inspect ACL-Out-Policy

zone-pair security Router-MPLS source self destination MPLS

    service-Policy type inspect ACL-Out-Policy

zone-pair security Inside-Internet source default destination Internet

    service-Policy type inspect Inside-Outside-Policy

zone-pair security Inside-MPLS source default destination MPLS

    service-Policy type inspect Inside-Outside-Policy

zone-pair security Internet-Router source Internet destination self

    service-Policy type inspect ACL-In-Policy

zone-pair security MPLS-Router source MPLS destination self

    service-Policy type inspect ACL-In-Policy

The next step is to associate the interfaces with the corresponding security zones.  Since there are only two actual zones (Internet and MPLS) this is pretty straightforward.  All the other interfaces are using the default zone for now.  Replace the interface in red with the correct interface for your deployment.

int gi0/0/1

    zone-member security Internet

int gi0/0/2

    zone-member security MPLS

Now the only thing left to do would be to create the ACLs.  The ACLs here are based off a Cisco IWAN document.  There are a number of areas where they can be tweaked.  The obvious change would be disabling ICMP if that is a requirement for your environment.  Another change would be to put in specific addresses instead of “any” for the VPN related rules.  I would strongly recommend making at least the inbound rules more restrictive.

ip access-list extended ACL-RTR-In

    permit udp any any eq non500-isakmp

    permit udp any any eq isakmp

    permit icmp any any echo

    permit icmp any any echo-reply

    permit icmp any any ttl-exceeded

    permit icmp any any port-unreachable

    permit udp any any gt 1023 ttl eq 1

ip access-list extended ACL-RTR-Out

    permit udp any any eq non500-isakmp

    permit udp any any eq isakmp

    permit icmp any any

    permit tcp any any eq 8080

    permit udp any any eq domain

ip access-list extended ESP-In

    permit esp any any

ip access-list extended ESP-Out

    permit esp any any

ip access-list extended GRE-In

    permit gre any any

Now that these rules are in place the routers should still establish the VPN tunnels, and traffic from the outside world should be restricted.

Leave a Reply

Your email address will not be published. Required fields are marked *