Cisco Zone Based Firewall and UDP based Traceroute

I’ve been using the Cisco Zone Based Firewall features in IOS for a little while now, mostly at home and in a lab environment. One of the things that was kind of frustrating was the lack of outbound traceroute support from the trusted network to the untrusted network. I only use Linux and Mac OS X at work and at home, so I never tried it out with a Microsoft based computer. I also haven’t really been able to spend a lot of time to really debug the issue. Recently, I did some digging through the documentation on Cisco’s website and it hit me; it was such a simple answer. Linux/UNIX based operating systems use a UDP method for sending traceroute packets, while Windows based operating systems use an ICMP based method. As UDP is a connectionless protocol and there isn’t any method for keeping a state table for UDP packets in the firewall, you have to allow ICMP host-unreachable and time-exceeded packets IN to the untrusted interface, destined for the trusted network. Here is a sample configuration.

As you can see, there is an extended IP access-list called udp-icmp that permits the time-exceeded and host-unreachable ICMP types. A class-map called UDP_ICMP was then created to match that access-list, and a policy-map called Traceroute was created to allow that class-map. From there, the policy-map was applied to a zone-member and applied to the untrusted interface.
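The following is an added reconstruction of that configuration, written for this page rather than taken from the post (the post's own config did not survive). It keeps the names the post gives (access-list udp-icmp, class-map UDP_ICMP, policy-map Traceroute); the zone names TRUSTED and UNTRUSTED, the interface names, the 192.168.1.0/24 trusted subnet and the outbound inspection policy are assumptions. It also goes one step beyond the post by permitting port-unreachable, which is the ICMP error the final destination host returns when a UDP traceroute probe reaches a closed port.

```cisco
! Added example, not the blog author's config. Lets the ICMP error replies
! generated by a UDP traceroute back in from the UNTRUSTED zone to the
! TRUSTED zone. Zone names, interfaces and 192.168.1.0/24 are assumed.

! Only the ICMP error types traceroute depends on, and only when they are
! headed for the trusted subnet, so this never becomes "any ICMP in".
!  - time-exceeded: sent by each hop as the probe's TTL expires
!  - host-unreachable: the type the post permits
!  - port-unreachable: sent by the final host for a UDP probe (added here)
ip access-list extended udp-icmp
 permit icmp any 192.168.1.0 0.0.0.255 time-exceeded
 permit icmp any 192.168.1.0 0.0.0.255 host-unreachable
 permit icmp any 192.168.1.0 0.0.0.255 port-unreachable

! Class-map that matches the access-list above
class-map type inspect match-all UDP_ICMP
 match access-group name udp-icmp

! "pass" forwards the matching packets statelessly in this one direction;
! everything else arriving from the untrusted side is dropped and logged.
policy-map type inspect Traceroute
 class type inspect UDP_ICMP
  pass
 class class-default
  drop log

zone security TRUSTED
zone security UNTRUSTED

! Inbound direction: untrusted -> trusted, carrying only the traceroute replies
zone-pair security UNTRUSTED-TO-TRUSTED source UNTRUSTED destination TRUSTED
 service-policy type inspect Traceroute

! Outbound policy assumed to already exist: it inspects the UDP probes (and
! normal TCP/ICMP) leaving the trusted zone. Shown only for completeness.
class-map type inspect match-any OUTBOUND
 match protocol udp
 match protocol tcp
 match protocol icmp
policy-map type inspect Outbound
 class type inspect OUTBOUND
  inspect
 class class-default
  drop
zone-pair security TRUSTED-TO-UNTRUSTED source TRUSTED destination UNTRUSTED
 service-policy type inspect Outbound

! Assumed interface assignment
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security TRUSTED
interface GigabitEthernet0/1
 description Internet
 zone-member security UNTRUSTED
```

Because `pass` does not create a session, the access-list is the only thing limiting what comes in on this zone-pair; keep its destination scoped to the trusted subnet and its ICMP types to the three error messages traceroute needs. To confirm the policy is doing its job, run a UDP traceroute from a trusted host and check the hit counters with `show ip access-lists udp-icmp` and the per-class statistics with `show policy-map type inspect zone-pair UNTRUSTED-TO-TRUSTED`.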

April 11, 2013

Posted In: Cisco Firewalls, Cisco Zone Based Firewall, IOS, IOS Security

Cisco Auto Secure

I recently found a new command to help with securing Cisco routers. The command is “auto secure”, which is executed from privileged EXEC (enable) mode. When executed, it asks a few questions and then applies several commands based on security best practices for Cisco routers. Below is an example from a router in my test lab.

October 10, 2011

Posted In: IOS, IOS Security, Security