I’ve been using the Cisco Zone Based Firewall features in IOS for a little while now, mostly at home and in a lab environment. One thing that was kind of frustrating was the lack of outbound traceroute support from the trusted network to the untrusted network. I only use Linux and Mac OS X at work and at home, so I never tried it with a Microsoft based computer, and I haven’t really been able to spend much time debugging the issue. Recently I did some digging through the documentation on Cisco’s website and it hit me; the answer was simple. Linux/UNIX based operating systems use a UDP method for sending traceroute packets, while Windows based operating systems use an ICMP based method. As UDP is a connectionless protocol and the firewall has no way to keep a state table for those UDP probes, the ICMP errors that come back are not recognised as return traffic, so you have to allow ICMP host-unreachable and time-exceeded packets IN on the untrusted interface, destined for the trusted network. Here is a sample configuration.

jtdub-rtr#sh run | s ^ip access-list extended udp-icmp|^class-map|^policy-map|^zone|^interface Vlan[1,2]|^interface FastEthernet0
class-map type inspect match-any UDP_ICMP
  match access-group name udp-icmp
class-map type inspect match-any All_Protocols
  match protocol icmp
  match protocol tcp
  match protocol udp
policy-map type inspect Traceroute
  class type inspect UDP_ICMP
   pass
  class class-default
   drop
policy-map type inspect All_Protocols
   class type inspect All_Protocols
    inspect 
  class class-default
   drop
policy-map type inspect UnTrusted
  class class-default
   drop
zone security Trusted
zone security Internet
zone-pair security Trusted source Trusted destination Internet
  service-policy type inspect All_Protocols
zone-pair security Internet source Internet destination Trusted
  service-policy type inspect Traceroute
interface FastEthernet0
  ip address dhcp
  ip verify unicast source reachable-via rx allow-default 101
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nbar protocol-discovery
  ip nat outside
  ip virtual-reassembly
  zone-member security Internet
  duplex auto
  speed auto
  no cdp enable
interface Vlan1
  ip address 172.16.1.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  zone-member security Trusted
interface Vlan2
  ip address 172.16.2.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly
  zone-member security Trusted
ip access-list extended udp-icmp
  permit icmp any any time-exceeded
  permit icmp any any host-unreachable

As you can see, an extended IP access-list called udp-icmp permits the time-exceeded and host-unreachable ICMP types; a class-map called UDP_ICMP matches that access-list; a policy-map called Traceroute passes that class-map; and that policy-map is applied as the service-policy on the Internet-to-Trusted zone-pair, while the untrusted interface is made a member of the Internet zone.
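The check below is an added example and is not code from the original post. It parses the ZBFW lines of a `show run` as plain text (class-maps, policy-maps, zone-pairs and the ACL), works out which ICMP message types a given zone-pair admits, and compares that set with the replies a UDP-probe traceroute needs. Besides time-exceeded from each intermediate hop, a Linux/UNIX traceroute expects the final host to answer its UDP probe with ICMP port-unreachable (type 3, code 3), so the example also reports that keyword when the ACL lacks it; the sample configuration string is constructed from the post, and the function names and the TRACEROUTE_REPLIES list are the example's own.

```python
"""Added example: check which ICMP message types an IOS Zone-Based Firewall
admits from one zone into another, and whether that set covers the replies a
UDP-probe (Linux/UNIX) traceroute depends on.  Parses `show run` text only."""
import re

# Constructed sample: the ZBFW lines from the post's configuration.
SAMPLE_CONFIG = """\
class-map type inspect match-any UDP_ICMP
  match access-group name udp-icmp
class-map type inspect match-any All_Protocols
  match protocol icmp
  match protocol tcp
  match protocol udp
policy-map type inspect Traceroute
  class type inspect UDP_ICMP
   pass
  class class-default
   drop
policy-map type inspect All_Protocols
   class type inspect All_Protocols
    inspect
  class class-default
   drop
zone security Trusted
zone security Internet
zone-pair security Trusted source Trusted destination Internet
  service-policy type inspect All_Protocols
zone-pair security Internet source Internet destination Trusted
  service-policy type inspect Traceroute
ip access-list extended udp-icmp
  permit icmp any any time-exceeded
  permit icmp any any host-unreachable
"""

# ICMP replies a UDP traceroute relies on: every intermediate hop answers with
# time-exceeded, and the final host answers with port-unreachable (ICMP type 3,
# code 3) because nothing listens on the probed UDP port.
TRACEROUTE_REPLIES = ("time-exceeded", "port-unreachable")


def parse_sections(config):
    """Group config text into (header, [stripped child lines]) pairs; a line
    with no leading whitespace starts a new section."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            sections.append((raw.strip(), []))
    return sections


def build_model(config):
    """Extract ACL ICMP keywords, class-maps, policy-maps and zone-pairs."""
    acls, class_maps, policy_maps, zone_pairs = {}, {}, {}, {}
    for header, body in parse_sections(config):
        if m := re.match(r"ip access-list extended (\S+)$", header):
            # keep only ICMP entries that name a message type, e.g. time-exceeded
            acls[m.group(1)] = {l.split()[-1] for l in body
                                if re.match(r"permit icmp \S+ \S+ \S+$", l)}
        elif m := re.match(r"class-map type inspect match-(?:any|all) (\S+)$", header):
            class_maps[m.group(1)] = {
                "acls": [l.split()[-1] for l in body
                         if l.startswith("match access-group name ")],
                "protocols": [l.split()[-1] for l in body
                              if l.startswith("match protocol ")],
            }
        elif m := re.match(r"policy-map type inspect (\S+)$", header):
            classes, current = [], None
            for l in body:  # indentation was stripped, so track the current class
                if cm := re.match(r"class (?:type inspect )?(\S+)$", l):
                    current = cm.group(1)
                elif l in ("pass", "inspect", "drop") and current:
                    classes.append((current, l))
            policy_maps[m.group(1)] = classes
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", header):
            for l in body:
                if pm := re.match(r"service-policy type inspect (\S+)$", l):
                    zone_pairs[(m.group(1), m.group(2))] = pm.group(1)
    return acls, class_maps, policy_maps, zone_pairs


def icmp_admitted(config, source_zone, dest_zone):
    """Map ICMP type keyword -> action (pass/inspect) for source_zone -> dest_zone.
    Returns {"*": action} when a class matches the whole ICMP protocol, and {}
    when no zone-pair exists (ZBFW drops traffic between zones by default)."""
    acls, class_maps, policy_maps, zone_pairs = build_model(config)
    admitted = {}
    for class_name, action in policy_maps.get(zone_pairs.get((source_zone, dest_zone)), []):
        if action == "drop":
            continue
        cmap = class_maps.get(class_name, {"acls": [], "protocols": []})
        if "icmp" in cmap["protocols"]:
            admitted["*"] = action
        for acl in cmap["acls"]:
            for keyword in acls.get(acl, ()):
                admitted.setdefault(keyword, action)  # first matching class wins
    return admitted


def traceroute_reply_gaps(config, source_zone, dest_zone):
    """Traceroute reply types that the policy does NOT admit on this zone-pair."""
    admitted = icmp_admitted(config, source_zone, dest_zone)
    if "*" in admitted:
        return []
    return [k for k in TRACEROUTE_REPLIES if k not in admitted]


if __name__ == "__main__":
    for pair in (("Internet", "Trusted"), ("Trusted", "Internet")):
        print(pair, icmp_admitted(SAMPLE_CONFIG, *pair),
              "missing:", traceroute_reply_gaps(SAMPLE_CONFIG, *pair))
```

Run against the post's configuration, the Internet-to-Trusted zone-pair passes time-exceeded and host-unreachable and is reported as missing port-unreachable, while Trusted-to-Internet is covered wholesale by the `match protocol icmp` class under `inspect`. A zone-pair that does not exist returns no admitted types, which matches ZBFW's default of dropping traffic between zones.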


I recently found a new command to help with securing Cisco routers. The command is “auto secure”, which is executed from privileged EXEC mode. When executed, it asks a few questions and then applies a set of commands based on security best practices for Cisco routers. Below is an example from a router in my test lab.

2610-4#sh run
Building configuration...
Current configuration : 750 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2610-4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
half-duplex
!
interface Serial1/0
ip address 10.1.0.1 255.255.255.0
encapsulation ppp
clock rate 128000
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
ip address 10.0.1.2 255.255.255.0
!
router ospf 1
router-id 10.0.1.2
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 area 2
!
ip http server
ip classless
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
2610-4#auto
2610-4#auto se
2610-4#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
#
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
#
Enable secret is either not configured or
is the same as the enable password
Enter the new enable secret:
Confirm the enable secret :
Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: james
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
banner #
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
#
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
username james password 7 082B4D5900405D40
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
!
end

Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
2610-4#
2610-4#sh run
Building configuration...
Current configuration : 2122 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2610-4
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
no ip bootp server
!
username james password 7 082B4D5900405D40
!
!
!
!
interface Ethernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
half-duplex
!
interface Serial1/0
ip address 10.1.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
clock rate 128000
!
interface Serial1/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Serial1/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Serial1/3
ip address 10.0.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
router ospf 1
router-id 10.0.1.2
log-adjacency-changes
network 10.0.1.0 0.0.0.255 area 0
network 10.1.0.0 0.0.0.255 area 2
!
no ip http server
ip classless
!
!
logging trap debugging
logging facility local2
no cdp run
banner motd ^C
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
!
!
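The audit script below is an added example, not code from the original post or from Cisco. It checks a `show run` for the global and per-interface commands that the auto secure session above generated, and flags two things the generated configuration still leaves in place: type 7 passwords (a reversible encoding, not a hash) and a VTY line that accepts telnet. Items such as `no service finger`, `no service tcp-small-servers` and `no ip directed-broadcast` are the platform default on this IOS train and are therefore not displayed by `show run` (which is why they are absent from the post's second output even though auto secure listed them), so the checker does not look for them. The two sample configurations are constructed excerpts of the before and after output in the post; the function names and the two command lists are the example's own.

```python
"""Added example: audit an IOS running-config for the hardening that
`auto secure` applies, and flag the weaknesses it leaves behind."""
import re

# Global commands auto secure generated in the post.  Defaults that `show run`
# does not display (no service finger, small-servers, directed-broadcast,
# mask-reply) are deliberately left out of this list.
REQUIRED_GLOBAL = [
    "no service pad",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "service sequence-numbers",
    "security passwords min-length 6",
    "security authentication failure rate 10 log",
    "aaa new-model",
    "no ip source-route",
    "no ip gratuitous-arps",
    "no ip bootp server",
    "no ip http server",
    "no cdp run",
]
# Per-interface commands auto secure applies to every interface.
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]

# Constructed samples: excerpts of the post's router before and after auto secure.
BEFORE_CONFIG = """\
version 12.3
no service password-encryption
hostname 2610-4
no aaa new-model
ip cef
interface Ethernet0/0
 no ip address
 shutdown
interface Serial1/0
 ip address 10.1.0.1 255.255.255.0
 encapsulation ppp
ip http server
line vty 0 4
"""

AFTER_CONFIG = """\
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
service sequence-numbers
hostname 2610-4
security authentication failure rate 10 log
security passwords min-length 6
enable secret 5 $1$U3Md$NLdPY5lpIOUf8Ht9L5omi/
enable password 7 00141215170A5955
aaa new-model
aaa authentication login local_auth local
no ip source-route
no ip gratuitous-arps
ip cef
no ip bootp server
username james password 7 082B4D5900405D40
interface Ethernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
interface Serial1/0
 ip address 10.1.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
no ip http server
no cdp run
line vty 0 4
 login authentication local_auth
 transport input telnet
"""


def audit(config):
    """Return missing global commands, per-interface gaps and residual findings."""
    missing_global = set(REQUIRED_GLOBAL)
    interfaces, findings, section = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                      # top-level command
            section = line
            missing_global.discard(line)
            if line.startswith("interface "):
                interfaces[line.split()[1]] = set(REQUIRED_INTERFACE)
            # type 7 is a reversible encoding, not a hash; the secret is recoverable
            if re.match(r"(enable password|username \S+ password) 7 \S+$", line):
                findings.append("type 7 reversible password: " + line.rsplit(" ", 1)[0])
        elif section and section.startswith("interface "):   # child of an interface
            interfaces[section.split()[1]].discard(line)
        elif section and section.startswith("line vty") and line == "transport input telnet":
            findings.append(f"{section}: transport input telnet (cleartext management)")
    if not any(l.strip().startswith("enable secret") for l in config.splitlines()):
        findings.append("no enable secret configured")
    return {
        "missing_global": [c for c in REQUIRED_GLOBAL if c in missing_global],
        "interfaces": {n: sorted(gaps) for n, gaps in interfaces.items() if gaps},
        "warnings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit(cfg))
```

On the before excerpt every global and per-interface item is reported missing and the only finding is the absent enable secret; on the after excerpt nothing is missing, but the two type 7 passwords and the telnet VTY are still reported, which is the part of this router's hardening that auto secure does not do for you.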