
An alternative to ASA
Suppose your customer has a budget constraint and wants security, but does not want to pay for an ASA until more budget is planned for the next work year. You can suggest using the router as a firewall as a temporary solution until the customer is ready to purchase an ASA. A zone-based firewall inspects layer 3, 4 and 7 packets and determines whether traffic should pass (without inspection), be dropped, or be inspected (stateful packet inspection: unsolicited traffic that did not originate from the inside is dropped, otherwise the traffic is allowed through).
This zone-based behaviour is the default on all ASA and PIX products. In ASDM you specify which interface is trusted and which is untrusted, and the interfaces are then defined as inside and outside based on your choice. Once the interfaces are defined, the ASA configures default values: the inside interface gets security level 100 and the outside interface security level 0, where 100 is fully trusted and 0 is not trusted at all. The default behaviour is that traffic from inside to outside is allowed and inspected, return traffic for connections solicited from inside to outside is allowed back from outside to inside, and unsolicited traffic that did not originate from the inside interface is dropped unless you specify an ACL or a policy that allows certain traffic from outside to inside.
Stateful packet inspection
Modern firewalls, hardware or software, use stateful packet inspection. The traffic action (drop or pass) is based on the packet type (L3, L4 and L7). For TCP this is easy for a firewall to determine, since there is a connection window; after a certain period of idle time the firewall closes the "door" on the outside interface. UDP is harder: it is a connectionless, send-and-forget protocol, so the firewall has no way to know whether a returning UDP packet is solicited or unsolicited, and for UDP there is therefore a timer during which the "door" stays open. ICMP is worst: it is neither TCP nor UDP, and it is hard to tell whether an ICMP packet is malicious or just normal testing. The ASA has a special statement just for ICMP echo tests; by default ICMP is dropped.
Configuration example
Step 1: Classify packet types (aka interesting traffic)
class-map type inspect match-any cmap-1
 description Allow telnet and icmp traffic from inside to outside
 match protocol icmp
 match protocol telnet
 match protocol ssh
Class maps are also used in MQC to classify interesting traffic for QoS, but this type of class map (type inspect) is exclusively for the zone-based firewall: it classifies the traffic types you want the firewall to inspect.
Step 2: Configure a policy map based on the configured class map. A policy map is an action list applied to the traffic classified by the class map.
policy-map type inspect pmap-1
 description action for telnet, ssh and icmp traffic as classified in cmap-1
 class type inspect cmap-1
  inspect
  police rate 8000 burst 1500
 class class-default
  drop
Step 3: Create zones
zone security inside
 description Inside zone
zone security outside
 description Outside zone
Step 4: Assign zones to interfaces
interface FastEthernet0/0
 description Inside zone
 ip address 172.16.10.1 255.255.255.252
 zone-member security inside
 duplex auto
 speed auto
end
interface FastEthernet0/1
 description Outside zone
 ip address 192.168.10.1 255.255.255.252
 zone-member security outside
 duplex auto
 speed auto
end
Step 5: Create zone pairs. A zone pair is unidirectional: it defines the action for traffic from one zone to another, and we apply the policy map to the zone pair to make the router work as a firewall.
zone-pair security in-to-out source inside destination outside
 description Inside to outside policy is applied in this zone pair
 service-policy type inspect pmap-1
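As an added example (not part of the original post), the following Python resolves what the configuration from steps 1 to 5 does to a given flow. It parses the class-map, policy-map and zone-pair lines and shows the point of step 5: without a zone pair in the outside-to-inside direction, traffic in that direction is dropped. The config string is the post's own, with description and zone lines left out; the assumption that a class with no explicit action drops is marked in the code.

```python
import re

# The post's own steps 1-5 as one string (description and zone lines omitted).
ZBF_CONFIG = """
class-map type inspect match-any cmap-1
 match protocol icmp
 match protocol telnet
 match protocol ssh
policy-map type inspect pmap-1
 class type inspect cmap-1
  inspect
  police rate 8000 burst 1500
 class class-default
  drop
zone-pair security in-to-out source inside destination outside
 service-policy type inspect pmap-1
"""

def parse_zbf(text):
    # class_maps: name -> protocols; policy_maps: name -> {class: action}; zone_pairs: (src, dst) -> policy-map
    class_maps, policy_maps, zone_pairs = {}, {}, {}
    cmap = pmap = cls = pair = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"class-map type inspect match-any (\S+)", line):
            cmap, pmap, class_maps[m[1]] = m[1], None, []
        elif (m := re.match(r"match protocol (\S+)", line)) and cmap:
            class_maps[cmap].append(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            pmap, cmap, policy_maps[m[1]] = m[1], None, {}
        elif (m := re.match(r"class (?:type inspect )?(\S+)", line)) and pmap:
            cls = m[1]
            policy_maps[pmap][cls] = "drop"  # assumption: a class with no action drops
        elif line in ("inspect", "drop", "pass") and pmap:
            policy_maps[pmap][cls] = line
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair, pmap = (m[1], m[2]), None
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            zone_pairs[pair] = m[1]
    return class_maps, policy_maps, zone_pairs

def resolve(cfg, src_zone, dst_zone, protocol):
    class_maps, policy_maps, zone_pairs = cfg
    pmap = zone_pairs.get((src_zone, dst_zone))
    if pmap is None:
        return "drop"  # zone pairs are unidirectional: no pair, no policy, traffic dropped
    for cls, action in policy_maps[pmap].items():
        if cls == "class-default" or protocol in class_maps.get(cls, []):
            return action  # first matching class wins; class-default catches the rest
    return "drop"
```

Calling resolve(parse_zbf(ZBF_CONFIG), "inside", "outside", "telnet") gives "inspect", while the same call with the zones swapped gives "drop".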
Verification using ICMP echo
1841-2#ping 192.168.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
1841-2#
2651-1#ping 172.16.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ICMP from 2651-1 to 1841-2 is dropped because it is unsolicited.
Testing the rate limiter
1841-2#ping 192.168.10.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.!!!!!!.
Success rate is 85 percent (342/399), round-trip min/avg/max = 1/1/4 ms
1841-2#
Show statistics for dropped and passed traffic
1841-1#sh policy-map type inspect zone-pair
 policy exists on zp in-to-out
  Zone-pair: in-to-out
  Service-policy inspect : pmap-1
    Class-map: cmap-1 (match-any)
      Match: protocol icmp
        2 packets, 160 bytes
        30 second rate 0 bps
      Match: protocol telnet
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
          icmp packets: [0:751]
        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [0:1:0]
        Last session created 00:08:07
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0
      Police
        rate 8000 bps,1500 limit
        conformed 751 packets, 85614 bytes; actions: transmit
        exceeded 57 packets, 6498 bytes; actions: drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
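As an added example (not part of the original post), this Python reads the counters from the show output above so the policer and drop statistics can be checked without eyeballing them. The embedded text is the post's output trimmed to the lines the parser uses; the function names are this example's own.

```python
import re

# Constructed from the post's "show policy-map type inspect zone-pair" output,
# trimmed to the counter lines the parser reads.
SHOW_OUTPUT = """\
Zone-pair: in-to-out
 Service-policy inspect : pmap-1
  Class-map: cmap-1 (match-any)
   Match: protocol icmp
    2 packets, 160 bytes
   Match: protocol telnet
    0 packets, 0 bytes
   Match: protocol ssh
    0 packets, 0 bytes
   Police
    conformed 751 packets, 85614 bytes; actions: transmit
    exceeded 57 packets, 6498 bytes; actions: drop
  Class-map: class-default (match-any)
   Match: any
   Drop
    0 packets, 0 bytes
"""

def parse_zone_pair_stats(text):
    """Return {class-map: {"match": {proto: pkts}, "police": {...}, "drop": pkts}}."""
    stats, cur, pending = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Class-map: (\S+)", line):
            cur = stats.setdefault(m[1], {"match": {}, "police": {}, "drop": 0})
        elif m := re.match(r"Match: (?:protocol )?(\S+)", line):
            pending = ("match", m[1])   # next "N packets" line belongs to this match
        elif line == "Drop":
            pending = ("drop", None)    # next "N packets" line is the drop counter
        elif (m := re.match(r"(\d+) packets,", line)) and pending:
            kind, key = pending
            if kind == "match":
                cur["match"][key] = int(m[1])
            else:
                cur["drop"] = int(m[1])
            pending = None
        elif m := re.match(r"(conformed|exceeded) (\d+) packets", line):
            cur["police"][m[1]] = int(m[2])  # policer counters for the current class
    return stats

def police_drop_ratio(stats, cmap):
    """Share of packets the policer dropped for a class (0.0 when it saw none)."""
    p = stats[cmap]["police"]
    total = p.get("conformed", 0) + p.get("exceeded", 0)
    return p.get("exceeded", 0) / total if total else 0.0
```

For cmap-1 the policer dropped 57 of 808 packets, about 7 percent, which is where the dots in the 1000-packet ping come from.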
Telnet test
2651-1#telnet 172.16.10.2
Trying 172.16.10.2 ...
% Connection timed out; remote host not responding
1841-2#telnet 192.168.10.2
Trying 192.168.10.2 ... Open
User Access Verification
Username: cisco
Password:
2651-1#
Secure shell test
1841-2#ssh -l cisco 192.168.10.2
Password:
2651-1#
2651-1#ssh -l cisco 172.16.10.2
2651-1#