VRF Aware Cisco IOS Firewall

Transcription

1 VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF (Virtual Routing and Forwarding) interfaces when the firewall is configured on a service provider (SP) or large enterprise edge router. SPs can provide managed services to small and medium business markets. The VRF Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as Multi-VRF CE). Feature History for VRF Aware Cisco IOS Firewall Release 12.3(14)T Modification This feature was introduced. Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Contents Prerequisites for VRF Aware Cisco IOS Firewall, page 2 Restrictions for VRF Aware Cisco IOS Firewall, page 2 Information About VRF Aware Cisco IOS Firewall, page 2 How to Configure VRF Aware Cisco IOS Firewall, page 11 Configuration Examples for VRF Aware Cisco IOS Firewall, page 15 Additional References, page 24 Command Reference, page 26 Glossary, page 85 Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA USA Copyright 2005 Cisco Systems, Inc. All rights reserved.

2 Prerequisites for VRF Aware Cisco IOS Firewall Prerequisites for VRF Aware Cisco IOS Firewall Understand Cisco IOS firewalls. Configure VRFs. Verify that the VRFs are operational. Restrictions for VRF Aware Cisco IOS Firewall VRF Aware Cisco IOS Firewall is not supported on Multiprotocol Label Switching (MPLS) interfaces. If two VPN networks have overlapping addresses, VRF-aware network address translation (NAT) is required for them to support VRF-aware Firewalls. When crypto tunnels belonging to multiple VPNs terminate on a single interface, you cannot apply per-vrf firewall policies. Information About VRF Aware Cisco IOS Firewall To configure VRF Aware Cisco IOS Firewall, you need to understand the following concepts: Cisco IOS Firewall, page 2 VRF, page 3 VRF-lite, page 4 Per-VRF URL Filtering, page 5 Alerts and Audit Trails, page 5 MPLS VPN, page 5 VRF-aware NAT, page 5 VRF-aware IPSec, page 6 VRF Aware Cisco IOS Firewall Deployment, page 7 Cisco IOS Firewall The Cisco IOS Firewall provides robust, integrated firewall and intrusion detection functionality for every perimeter of the network. Available for a wide range of Cisco IOS software-based routers, the Cisco IOS Firewall offers sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices. The Cisco IOS Firewall enhances existing Cisco IOS security capabilities such as authentication, encryption, and failover, with state-of-the-art security features such as stateful, application-based filtering (context-based access control), defense against network attacks, per-user authentication and authorization, and real-time alerts. The Cisco IOS Firewall is configurable via Cisco ConfigMaker software, an easy-to-use Microsoft Windows 95, Windows 98, NT 4.0 based software tool. 2

3 Information About VRF Aware Cisco IOS Firewall The Cisco IOS Firewall provides great value in addition to these benefits: Flexibility Provides multiprotocol routing, perimeter security, intrusion detection, VPN functionality, and dynamic per-user authentication and authorization. Scalable deployment Scales to meet any network's bandwidth and performance requirements. Investment protection Leverages existing multiprotocol router investment. VPN support Provides a complete VPN solution based on Cisco IOS IPSec and other CISCO IOS software-based technologies, including L2TP tunneling and quality of service (QoS). The VRF Aware Cisco IOS Firewall is different from the non-vrf Aware Firewall because it does the following: Allows users to configure a per-vrf Firewall. The firewall inspects IP packets that are sent and received within a VRF. Allows SPs to deploy the firewall on the provider edge (PE) router. Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address. Supports per-vrf (not global) firewall command parameters and Denial-of-Service (DoS) parameters so that the VRF-aware Firewall can run as multiple instances (with VRF instances) allocated to various Virtual Private Network (VPN) customers. Performs per-vrf URL filtering. Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit-trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so forth. The vrf name is tagged to syslog messages being logged to the syslog server. Both VFR Aware and non-vfr Aware Firewalls now allow you to limit the number of firewall sessions. Otherwise, it would be difficult for VRFs to share router resources because one VRF may consume a maximum amount of resources, leaving few resources for other VRFs. That would cause the denial of service to other VRFs. To limit the number of sessions, enter the ip inspect name command. VRF VPN Routing and Forwarding (VRF) is an IOS route table instance for connecting a set of sites to a VPN service. A VRF contains a template of a VPN Routing/Forwarding table in a PE router. The overlapping addresses, usually resulting from the use of private IP addresses in customer networks, are one of the major obstacles to successful deployment of peer-to-peer VPN implementation. The MPLS VPN technology provides a solution to this dilemma. Each VPN has its own routing and forwarding table in the router, so any customer or site that belongs to a VPN is provided access only to the set of routes contained within that table. Any PE router in the MPLS VPN network therefore contains a number of per-vpn routing tables and a global routing table that is used to reach other routers in the service provider network. Effectively, a number of virtual routers are created in a single physical router. 3

4 Information About VRF Aware Cisco IOS Firewall VRF-lite VRF-lite is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. VRF-lite uses input interfaces to distinguish routes for different VPNs and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be physical, such as Ethernet ports, or logical, such as VLAN switched virtual interfaces (SVIs). However, a Layer 3 interface cannot belong to more than one VRF at a time. Note VRF-lite interfaces must be Layer 3 interfaces. VRF-lite includes these devices: Customer edge (CE) devices provide customer access to the service provider network over a data link to one or more provider edge (PE) routers. The CE device advertises the site s local routes to the PE router and learns the remote VPN routes from it. A Catalyst 4500 switch can be a CE. Provider edge (PE) routers exchange routing information with CE devices by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2. Provider routers (or core routers) are any routers in the service provider network that do not attach to CE devices. The PE is only required to maintain VPN routes for those VPNs to which it is directly attached, eliminating the need for the PE to maintain all of the service provider VPN routes. Each PE router maintains a VRF for each of its directly connected sites. Multiple interfaces on a PE router can be associated with a single VRF if all of these sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, a PE router exchanges VPN routing information with other PE routers by using internal BGP (IBPG). With VRF-lite, multiple customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer, and switches or routes packets for each customer based on its own routing table. VRF-lite extends limited PE functionality to a CE device, giving it the ability to maintain separate VRF tables to extend the privacy and security of a VPN to the branch office. In a VRF-to-VRF situation, if firewall policies are applied on both inbound and outbound interfaces as shown in Figure 1, the firewall on the inbound interface takes precedence over the firewall on the outbound interface. If the incoming packets do not match against the firewall rules (that is, the inspection protocols) configured on the inbound interface, the firewall rule on the outbound interface is applied to the packet. Figure 1 Firewall in a VRF-to-VRF Scenario VPN1 FW (in) PE FW (out) VPN

5 Information About VRF Aware Cisco IOS Firewall Per-VRF URL Filtering The VRF Aware firewall supports per-vrf URL filtering. Each VPN can have its own URL filter server. The URL filter server typically is placed in the Shared Service segment of the corresponding VPN. (Each VPN has a VLAN segment in the Shared Service network.) It can also be placed at the customer s site. Alerts and Audit Trails CBAC generates real-time alerts and audit trails based on events tracked by the firewall. Enhanced audit trail features use SYSLOG to track all network transactions; recording time stamps, the source host, the destination host, ports used, and the total number of transmitted bytes, for advanced, session-based reporting. Real-time alerts send SYSLOG error messages to central management consoles upon detecting suspicious activity. Using CBAC inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. For example, if you want to generate audit trail information for HTTP traffic, you can specify that in the CBAC rule covering HTTP inspection. MPLS VPN When used with MPLS, the VPN feature allows several sites to interconnect transparently through a service provider s network. One service provider network can support several IP VPNs. Each VPN appears to its users as a private network, separate from all other networks. Within a VPN, each site can send IP packets to any other site in the same VPN. Each VPN is associated with one or more VPN VRF instances. A VRF consists of an IP routing table, a derived Cisco express forwarding (CEF) table, and a set of interfaces that use the forwarding table. The router maintains a separate routing and CEF table for each VRF. This prevents information from being sent outside the VPN and allows the same subnet to be used in several VPNs without causing duplicate IP address problems. The router using Multiprotocol BGP (MP-BGP) distributes the VPN routing information using the MP-BGP extended communities. VRF-aware NAT Network Address Translation (NAT) allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local (or private) network. Although NAT systems can provide broad levels of security advantages, their main objective is to economize on address space. NAT allows organizations to resolve the problem of IP address depletion when they have existing networks and need to access the Internet. Sites that do not yet possess NIC-registered IP addresses must acquire them. Cisco IOS NAT eliminates concern and bureaucratic delay by dynamically mapping thousands of hidden internal addresses to a range of easy-to-get addresses. In general, a NAT system makes it more difficult for an attacker to determine the following: Number of systems running on a network Type of machines and operating systems they are running Network topology and arrangement 5

6 Information About VRF Aware Cisco IOS Firewall NAT integration with MPLS VPNs allows multiple MPLS VPNs to be configured on a single device to work together. NAT can differentiate which MPLS VPN it receives IP traffic from even if the MPLS VPNS are all using the same IP addressing scheme. This enables multiple MPLS VPN customers to share services while ensuring that each MPLS VPN is completely separate from the other. MPLS service providers would like to provide value-added services such as Internet connectivity, domain name servers (DNS), and VoIP service to their customers. This requires that their customers IP addresses be different when reaching the services. Because MPLS VPN allows customers to use overlapped IP addresses in their networks, NAT must be implemented to make the services possible. There are two approaches to implementing NAT in the MPLS VPN network. NAT can be implemented on the CE router, which is already supported by NAT, or it can be implemented on a PE router. The NAT Integration with MPLS VPNs feature enables the implementation of NAT on a PE router in an MPLS cloud. VRF-aware IPSec The VRF-aware IPSec feature maps an IP Security (IPSec) tunnel to an MPLS VPN. Using the VRF-aware IPSec feature, you can map IPSec tunnels to VRF instances using a single public-facing address. Each IPSec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to a VRF domain called the Front Door VRF (FVRF). The inner, protected IP packet belongs to a domain called the Inside VRF (IVRF). In other words, the local endpoint of the IPSec tunnel belongs to the FVRF, whereas the source and destination addresses of the inside packet belong to the IVRF. One or more IPSec tunnels can terminate on a single interface. The FVRF of all these tunnels is the same and is set to the VRF that is configured on that interface. The IVRF of these tunnels can be different and depends on the VRF that is defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile that is attached to a crypto map entry. Figure 2 illustrates a scenario showing IPSec to MPLS and Layer 2 VPNs. 6

7 Information About VRF Aware Cisco IOS Firewall Figure 2 IPSec-to-MPLS and Layer 2 VPNs Branch office SOHO Cisco IOS router Access VPN solution center SP MPLS Network Corporate intranet VPN A Customer A Local or direct-dial ISP Internet SP MPLS Network PE VPN B Customer B Cable/DSL ISDN ISP 7200 IPSec aggregator + PE PE PE VPN C Customer C IP Remote users/ telecommuters Cisco Unity client or software is tunnel sourced IPSec session Device terminates IPSec tunnel and map sessions into 802.1Q or Frame Relay or ATM PVCs MPLS VPN or Layer 2 VPN IP VRF Aware Cisco IOS Firewall Deployment A firewall can be deployed at many points within the network to protect VPN sites from Shared Service (or the Internet) and vice versa. The following firewall deployments are described: Distributed Network Inclusion of VRF Aware Cisco IOS Firewall, page 7 Hub-and-Spoke Network Inclusion of VRF Aware Cisco IOS Firewall, page 9 Distributed Network Inclusion of VRF Aware Cisco IOS Firewall A VRF Aware Cisco IOS Firewall in a distributed network has the following advantages: The firewall is distributed across the MPLS core, so the firewall processing load is distributed to all ingress PE routers. VPN Firewall features can be deployed in the inbound direction. Shared Service is protected from the VPN site at the ingress PE router; therefore, malicious packets from VPN sites are filtered at the ingress PE router before they enter the MPLS core. 7

8 Information About VRF Aware Cisco IOS Firewall However, the following disadvantages exist: There is no centralized firewall deployment, which complicates the deployment and management of the firewall. Shared Service firewall features cannot be deployed in the inbound direction. The MPLS core is open to the Shared Service. Therefore, malicious packets from Shared Service are filtered only at the ingress PE router after traveling through all core routers. Figure 3 illustrates a typical situation in which an SP offers firewall services to VPN customers VPN1 and VPN2, thereby protecting VPN sites from the external network (for example, Shared Services and the Internet) and vice versa. Figure 3 Distributed Network VPN1 site A VPN2 site A CE CE CE VPN1 site B PE1 PE2 MPLS cloud PE3 Shared service VPN1 VPN2 Internet In this example, VPN1 has two sites, Site A and Site B, that span across the MPLS core. Site A is connected to PE1, and Site B is connected to PE2. VPN2 has only one site that is connected to PE2. Each VPN (VPN1 and VPN2) has the following: A VLAN segment in the Shared Service that is connected to the corresponding VLAN subinterface on PE3. Internet access through the PE3 router that is connected to the Internet 8

9 Information About VRF Aware Cisco IOS Firewall A distributed network requires the following firewall policies: VPN Firewall (VPN1-FW and VPN2-FW) Inspects VPN-generated traffic that is destined to Shared Service or the Internet and blocks all non-firewall traffic that is coming from outside (Shared Service or the Internet), thereby protecting the VPN sites from outside traffic. This firewall typically is deployed on the VRF interface of the ingress PE router that is connected to the VPN site being protected. It is deployed in the inbound direction because the VRF interface is inbound to the VPN site being protected. Shared Service Firewall (SS-FW) Inspects Shared Service-originated traffic that is destined to VPN sites and blocks all non-firewall traffic that is coming from outside (the VPN site), thereby protecting the Shared Service network from VPN sites. This firewall typically is deployed on the VRF interface of the ingress PE router that is connected to the VPN site from where the Shared Service is being protected. It is deployed in the outbound direction because the VRF interface is outbound to the Shared Service that is being protected. Generic-VPN Firewall (GEN-VPN-FW) Inspects VPN-generated traffic that is destined to the Internet and blocks all non-firewall traffic that is coming from the Internet, thereby protecting all VPNs from the Internet. This firewall typically is deployed on the Internet-facing interface of the PE router that is connected to the Internet. It is deployed in the outbound direction because the Internet-facing interface is outbound to VPNs being protected. Internet Firewall (INET-FW) Inspects Internet-generated traffic that is destined to Shared Service and blocks all non-firewall traffic that is coming from VPNs or Shared Service, thereby protecting the Internet from VPNs. This firewall typically is deployed on the Internet-facing interface of the PE router that is connected to the Internet. It is deployed in the inbound direction because the Internet-facing interface is inbound to the Internet being protected. Hub-and-Spoke Network Inclusion of VRF Aware Cisco IOS Firewall Figure 4 illustrates a hub-and-spoke network where the firewalls for all VPN sites are applied on the egress PE router PE3 that is connected to the Shared Service. 9

10 Information About VRF Aware Cisco IOS Firewall Figure 4 Hub-and-Spoke Network VPN1 site A VPN2 site A CE CE CE VPN1 site B PE1 PE2 MPLS cloud PE3 Shared service VPN1 VPN2 Internet Typically each VPN has a VLAN and/or VRF subinterface connected to the Shared Service. When a packet arrives from an MPLS interface, the inner tag represents the VPN-ID. MPLS routes the packet to the corresponding subinterface that is connected to Shared Service. A Hub-and-Spoke network requires the following firewall policies: VPN Firewall (VPN1-FW and VPN2-FW) Inspects VPN-generated traffic that is destined to Shared Service and blocks all non-firewall traffic that is coming from Shared Service, thereby protecting the VPN sites from Shared Service traffic. This firewall typically is deployed on the VLAN subinterface of the egress PE router that is connected to the Shared Service network. It is deployed in the outbound direction because the VLAN interface is outbound to the VPN site being protected. Shared Service Firewall (SS-FW) Inspects Shared Service originated traffic that is destined to the VPN/Internet and blocks all non-firewall traffics that is coming from outside, thereby protecting the Shared Service network from VPN/Internet traffic. This firewall typically is deployed on the VLAN interface of the egress PE router that is connected to the Shared Service being protected. It is deployed in the inbound direction because the VLAN interface is inbound to the Shared Service being protected. 10

11 How to Configure VRF Aware Cisco IOS Firewall Generic-VPN firewall (GEN-VPN-FW) Inspects VPN-generated traffic that is destined to the Internet and blocks all non-firewall traffic that is coming from the Internet, thereby protecting all VPNs from the Internet. This firewall typically is deployed on the Internet-facing interface of the PE router that is connected to the Internet. It is deployed in the outbound direction because the Internet-facing interface is outbound to the VPNs being protected. Internet firewall (INET-FW) Inspects Internet-generated traffic that is destined to Shared Service and blocks all non-firewall traffic that is coming from VPNs or Shared Service, thereby protecting the Internet from VPNs. This firewall typically is deployed on the Internet-facing interface of the PE router that is connected to the Internet. It is deployed in the inbound direction because the Internet-facing interface is inbound to the Internet being protected. How to Configure VRF Aware Cisco IOS Firewall This section contains the following procedures: Configuring and Checking ACLs to Ensure that Only Inspected Traffic Can Pass Through the Firewall and that Non-Firewall Traffic is Blocked, page 11 (required) Creating and Naming Firewall Rules and Applying the Rules to the Interface, page 12 (required) Identifying and Setting Firewall Attributes, page 13 (optional) Configuring and Checking ACLs to Ensure that Only Inspected Traffic Can Pass Through the Firewall and that Non-Firewall Traffic is Blocked SUMMARY STEPS To configure ACLs and verify that only inspected traffic can pass through the firewall, perform the following steps. 1. enable 2. configure terminal 3. ip access-list extended access-list-name 4. interface interface-type 5. ip access-group {access-list-number access-list-name} {in out} 6. exit 11

12 How to Configure VRF Aware Cisco IOS Firewall DETAILED STEPS Step 1 Step 2 Command or Action enable Example: Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Step 4 Example: Router# configure terminal ip access-list extended access-list-name Example: Router(config)# ip access-list extended vpn-ac1 interface interface-type Example: Router(config)# interface ethernet0/1.10 Step 5 ip access-group {access-list-number access-list-name} {in out} Step 6 Example: Router(config-if)# ip access-group vpn-acl in exit Example: Router(config-if)# exit Defines an extended IP ACL to block non-firewall traffic in both inbound and outbound directions. Enters interface configuration mode and specifies an interface that is associated with a VRF. Controls access to an interface. Applies the previously defined IP access list to a VRF interface whose non-firewall traffic is blocked. Exits interface configuration mode. Returns to global configuration mode. Creating and Naming Firewall Rules and Applying the Rules to the Interface SUMMARY STEPS To create and name firewall rules and apply the rules to the interface, perform the following steps. 1. enable 2. configure terminal 3. ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on off}] [audit-trail {on off}] [timeout seconds] 4. interface interface-id 5. ip inspect rule-name {in out} 6. exit 12

13 How to Configure VRF Aware Cisco IOS Firewall DETAILED STEPS Step 1 Step 2 Command or Action enable Example: Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Example: Router# configure terminal ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on off}] [audit-trail {on off}] [timeout seconds] Defines a set of inspection rules. Step 4 Step 5 Step 6 Example: Router(config)# ip inspect name vpn_fw ftp interface interface-id Example: Router(config)# interface ethernet0/1.10 ip inspect rule-name {in out} Example: Router(config-if)# ip inspect vpn_fw in exit Example: Router(config-if)# exit Enters interface configuration mode and specifies an interface that is associated with a VRF. Applies the previously defined inspection role to a VRF interface whose traffic needs to be inspected. Exits interface configuration mode and returns to global configuration mode. Identifying and Setting Firewall Attributes To identify and set firewall attributes, perform the following steps. SUMMARY STEPS 1. enable 2. configure terminal 3. ip inspect tcp max-incomplete host number block-time minutes [vrf vrf-name] 4. exit 13

14 How to Configure VRF Aware Cisco IOS Firewall DETAILED STEPS Step 1 Step 2 Command or Action enable Example: Router> enable configure terminal Purpose Enables privileged EXEC mode. Enter your password if prompted. Enters global configuration mode. Step 3 Example: Router# configure terminal ip inspect tcp max-incomplete host number block-time minutes [vrf vrf-name] Specifies threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. Step 4 Example: Router(config)# ip inspect tcp max-incomplete host 256 vrf bank-vrf exit Exits global configuration mode. Example: Router(config)# exit 14

15 Configuration Examples for VRF Aware Cisco IOS Firewall Verifying the VRF Aware Cisco IOS Firewall Configuration and Functioning SUMMARY STEPS DETAILED STEPS Verify the configuration and functioning of the firewall by entering the commands shown below. For detailed descriptions of these commands and other verification commands, see the Command Reference section on page show ip inspect {name inspection-name config interfaces session [detail] statistics all}[vrf vrf-name] 2. show ip urlfilter {config cache statistics} [vrf vrf-name] Step 1 Step 2 show ip inspect {name inspection-name config interfaces session [detail] statistics all}[vrf vrf-name] Use this command to view the firewall configurations, sessions, statistics, and so forth, pertaining to a specified VRF. For example, to view the firewall sessions pertaining to the VRF bank, enter the following command: Router# show ip inspect interfaces vrf bank show ip urlfilter {config cache statistics} [vrf vrf-name] Use this command to view the configurations, cache entries, statistics, and so forth, pertaining to a specified VRF. For example, to view the URL filtering statistics pertaining to the VRF bank, enter the following command: Router# show ip urlfilter statistics vrf bank Configuration Examples for VRF Aware Cisco IOS Firewall In the example illustrated in Figure 5, a service provider offers firewall service to VPN customers Bank and Shop. The Bank VPN has the following two sites in an MPLS network: Site connected to PE1, whose network address is /24 Site connected to PE2, whose network address is /24 The Bank VPN also has a VLAN network segment in Shared Service that is connected to PE3. The Shop VPN has only one site, which is connected to PE4. The network address /24 is the same network address to which the Bank VPN site is connected. 15

16 Configuration Examples for VRF Aware Cisco IOS Firewall Figure 5 VPN with Two Sites Across MPLS Network Bank ( ) Shop ( ) CE CE E1/1.10 E3/1.10 E3/1.20 CE Bank ( ) PE1 PE2 S3/0 S4/0 Shared service MPLS core S2/0 PE3 S3/0 E1/1.10 E1/1.20 Bank Shop Internet Each VPN needs the following two firewalls: VPN firewall to protect the VPN site from Shared Services Shared Service (SS) firewall to protect SS from the VPN site In addition, the following two firewalls are required: Internet firewall to protect VPNs from the Internet Generic VPN firewall to protect the Internet from VPNs In this example, the security policies for Bank and Shop VPNs are as follows: Bank VPN Firewall bank_vpn_fw (Inspects FTP, HTTP, and ESMTP protocols) Bank SS Firewall bank_ss_fw (Inspects ESMTP protocol) Shop VPN Firewall shop_vpn_fw (Inspects HTTP and RTSP protocols) Shop SS Firewall shop_ss_fw (Inspects H323 protocol) The security policies for the Internet firewall and generic VPN firewall are as follows: Internet firewall inet_fw (Inspects HTTP and ESMTP protocols) Generic VPN firewall gen_vpn_fw (Inspects FTP, HTTP, ESMTP, and RTSP protocols) 16

17 Configuration Examples for VRF Aware Cisco IOS Firewall DISTRIBUTED NETWORK PE1: VRF instance for the Bank VPN ip vrf bank rd 100:10 route-target export 100:10 route-target import 100:10 VPN Firewall for Bank VPN protects Bank VPN from Shared Service ip inspect name bank_vpn_fw ftp ip inspect name bank_vpn_fw http ip inspect name bank_vpn_fw esmtp Shared Service firewall for Bank VPN protects Shared Service from Bank VPN ip inspect name bank_ss_fw esmtp VRF interface for the Bank VPN interface ethernet0/1.10 description of VPN site Bank to PE1 encapsulation dot1q 10 ip vrf forwarding bank ip address ip access-group bank_ss_acl in ip access-group bank_vpn_acl out ip inspect bank_vpn_fw in ip inspect bank_ss_fw out MPLS interface interface Serial3/0 ip unnumbered Loopback0 tag-switching ip serial restart-delay 0 ACL that protects the VPN site Bank from Shared Service ip access-list extended bank_vpn_acl permit ip permit tcp any any eq smtp deny ip any any log ACL that protects Shared Service from VPN site Bank ip access-list extended bank_ss_acl permit ip permit tcp any any eq ftp permit tcp any any eq http permit tcp any any eq smtp deny ip any any log PE2: VRF instance for the Bank VPN ip vrf bank rd 100:10 route-target export 100:10 route-target import 100:10 VRF instance for the Shop VPN ip vrf shop rd 200:20 route-target export 200:20 route-target import 200:20 17

18 Configuration Examples for VRF Aware Cisco IOS Firewall VPN firewall for Bank BPN protects Bank VPN from Shared Service ip inspect name bank_vpn_fw ftp ip inspect name bank_vpn_fw http ip inspect name bank_vpn_fw esmtp Shared Service firewall for Bank VPN protects Shared Service from Bank VPN ip inspect name bank_ss_fw esmtp VPN firewall for Shop VPN protects Shop VPN from Shared Service ip inspect name shop_vpn_fw http ip inspect name shop_vpn_fw rtsp Shared Service firewall for Shop VPN protects Shared Service from Shop VPN ip inspect name shop_ss_fw h323 VRF interface for the Bank VPN interface Ethernet3/1.10 description of VPN site Bank to PE2 encapsulation dot1q 10 ip vrf forwarding bank ip address ip access-group bank_ss_acl in ip access-group bank_vpn_acl out ip inspect bank_vpn_fw in ip inspect bank_ss_fw out interface Ethernet3/1.20 description of VPN site Shop to PE2 encapsulation dot1q 20 ip vrf forwarding shop ip address ip access-group shop_ss_acl in ip access-group shop_vpn_acl out ip inspect shop_vpn_fw in ip inspect shop_ss_fw out interface Serial4/0 ip unnumbered Loopback0 tag-switching ip serial restart-delay 0 ACL that protects the VPN site Bank from Shared Service ip access-list extended bank_vpn_acl permit ip permit tcp any any eq smtp deny ip any any log ACL that protects Shared Service from VPN site Bank ip access-list extended bank_ss_acl permit ip permit tcp any any eq ftp permit tcp any any eq http permit tcp any any eq smtp deny ip any any log 18

19 Configuration Examples for VRF Aware Cisco IOS Firewall ACL that protects VPN site Shop from Shared Service ip access-list extended shop_vpn_acl permit tcp any any eq h323 deny ip any any log ip access-list extended shop_ss_acl permit tcp any any eq http permit tcp any any eq rtsp deny ip any any log PE3: VRF instance for the Bank VPN ip vrf bank rd 100:10 route-target export 100:10 route-target import 100:10 VRF instance for the Shop VPN ip vrf shop rd 200:20 route-target export 200:20 route-target import 200:20 Generic VPN firewall to protect Shop and Bank VPNs from internet ip inspect name gen_vpn_fw esmtp ip inspect name gen_vpn_fw ftp ip inspect name gen_vpn_fw http ip inspect name gen_vpn_fw rtsp Internet firewall to prevent malicious traffic from being passed to internet from Bank and Shop VPNs ip inspect name inet_fw esmtp ip inspect name inet_fw http VRF interface for the Bank VPN interface Ethernet1/1.10 Description of Shared Service to PE3 encapsulation dot1q 10 ip vrf forwarding bank ip address VRF interface for the Shop VPN interface Ethernet1/1.20 Description of Shared Service to PE3 encapsulation dot1q 20 ip vrf forwarding shop ip address interface Serial2/0 ip unnumbered Loopback0 tag-switching ip serial restart-delay 0 VRF interface for the Bank VPN interface Serial3/0 Description of Internet-facing interface ip address ip access-group inet_acl out ip access-group gen_vpn_acl in ip inspect gen_vpn_fw out 19

20 Configuration Examples for VRF Aware Cisco IOS Firewall ip inspect inet_fw in ACL that protects the Bank and Shop VPNs from internet ip access-list extended gen_vpn_acl permit tcp any any eq smtp permit tcp any any eq www deny ip any any log ACL that protects internet from Bank and Shop VPNs ip access-list extended inet_acl permit tcp any any eq ftp permit tcp any any eq http permit tcp any any eq smtp permit tcp any any eq rtsp deny ip any any log HUB-AND-SPOKE NETWORK PE3: VRF instance for the VPN Bank ip vrf bank rd 100:10 route-target export 100:10 route-target import 100:10 VRF instance for the VPN Shop ip vrf shop rd 200:20 route-target export 200:20 route-target import 200:20 VPN firewall for Bank BPN protects Bank VPN from Shared Service ip inspect name bank_vpn_fw ftp ip inspect name bank_vpn_fw http ip inspect name bank_vpn_fw esmtp Shared Service firewall for Bank VPN protects Shared Service from Bank VPN ip inspect name bank_ss_fw esmtp VPN firewall for Shop VPN protects Shop VPN from Shared Service ip inspect name shop_vpn_fw http ip inspect name shop_vpn_fw rtsp Shared Service firewall for Shop VPN protects Shared Service from Shop VPN ip inspect name shop_ss_fw h323 Generic VPN firewall protects Shop and Bank VPNs from internet ip inspect name gen_vpn_fw esmtp ip inspect name gen_vpn_fw ftp ip inspect name gen_vpn_fw http ip inspect name gen_vpn_fw rtsp Internet firewall prevents malicious traffic from being passed to internet from Bank and Shop VPNs ip inspect name inet_fw esmtp ip inspect name inet_fw http VRF interface for the Bank VPN interface Ethernet1/1.10 description of Shared Service to PE3 encapsulation dot1q 10 20

21 Configuration Examples for VRF Aware Cisco IOS Firewall ip vrf forwarding bank ip address ip access-group bank_ss_acl out ip access-group bank_vpn_acl in ip inspect bank_vpn_fw out ip inspect bank_ss_fw in VRF interface for the Shop VPN interface Ethernet1/1.20 description of Shared Service to PE3 encapsulation dot1q 20 ip vrf forwarding shop ip address ip access-group shop_ss_acl out ip access-group shop_vpn_acl in ip inspect shop_vpn_fw out ip inspect shop_ss_fw in interface Serial2/0 ip unnumbered Loopback0 tag-switching ip serial restart-delay 0 VRF interface for the Bank VPN interface Serial3/0 description of Internet-facing interface ip address ip access-group inet_acl out ip access-group gen_vpn_acl in ip inspect gen_vpn_fw out ip inspect inet_fw in ACL that protects the VPN site Bank from Shared Service ip access-list extended bank_vpn_acl permit tcp any any eq smtp deny ip any any log ACL that protects Shared Service from VPN site Bank ip access-list extended bank_ss_acl permit tcp any any eq ftp permit tcp any any eq http permit tcp any any eq smtp deny ip any any log ACL that protects VPN site Shop from Shared Service ip access-list extended shop_vpn_acl permit tcp any any eq h323 deny ip any any log ip access-list extended shop_ss_acl permit tcp any any eq http permit tcp any any eq rtsp deny ip any any log ACL that protects the Bank and Shop VPNs from internet ip access-list extended gen_vpn_acl permit tcp any any eq smtp permit tcp any any eq www deny ip any any log ACL that protects internet from Bank and Shop VPNs ip access-list extended inet_acl 21

22 Configuration Examples for VRF Aware Cisco IOS Firewall permit tcp any any eq ftp permit tcp any any eq http permit tcp any any eq smtp permit tcp any any eq rtsp deny ip any any log In the example illustrated in Figure 6, the Cisco IOS Firewall is configured on PE1 on the VRF interface E3/1. The host on NET1 wants to reach the server on NET2. Figure 6 Sample VRF Aware Cisco IOS Firewall Network Net1 S0/0 S0/0 S0/0 S0/0 MPLS core S0/0 S0/0 S0/0 S0/0 Net The configuration steps are followed by a sample configuration and log messages. 1. Configure VRF on PE routers. 2. Ensure that your network supports MPLS traffic engineering. 3. Confirm that the VRF interface can reach NET1 and NET2. 4. Configure the VRF Aware Cisco IOS Firewall. a. Configure and apply ACLs. b. Create Firewall rules and apply them to the VRF interface. 5. Check for VRF firewall sessions. VRF Configuration on PE1 configure VRF for host1 ip cef ip vrf vrf1 rd 100:1 route-target export 100:1 route-target import 100:1 exit end apply VRF to the interface facing CE interface ethernet3/1 ip vrf forwarding vrf1 ip address make the interface facing the MPLS network an MPLS interface interface serial2/0 mpls ip ip address configure BGP protocol for MPLS network router bgp 100 no synchronization bgp log-neighbor-changes neighbor remote-as 100 neighbor update-source serial2/0 no auto-summary address-family vpnv4 neighbor activate neighbor send-community both exit-address-family 22

23 Configuration Examples for VRF Aware Cisco IOS Firewall address-family ipv4 vrf vrf1 redistribute connected redistribute static no auto-summary no synchronization exit-address-family configure VRF static route to reach CE network ip route vrf vrf VRF Configuration on PE2 configure VRF for host2 ip cef ip vrf vrf1 rd 100:1 route-target export 100:1 route-target import 100:1 apply VRF on CE-facing interface interface fastethernet0/0 ip vrf forwarding vrf1 ip address make MPLS network-facing interface an MPLS interface interface serial1/0 mpls ip ip address configure BGP protocol for MPLS network router bgp 100 no synchronization bgp log-neighbor-changes neighbor remote-as 100 neighbor update-source serial1/0 no auto-summary address-family vpnv4 neighbor activate neighbor send-community both exit-address-family address-family ipv4 vrf vrf1 redistribute connected redistribute static no auto-summary no synchronization exit-address-family configure VRF static route to reach CE network ip route vrf vrf Configuration on CE1 interface e0/1 ip address interface e0/0 ip address ip route

24 Additional References Configuration on CE2 interface e0/1 ip address interface e0/0 ip address ip route Configure Firewall on PE1 and Apply on the VRF Interface configure ACL so that NET2 cannot access NET1 ip access-list extended 105 permit tcp any any fragment permit udp any any fragment deny tcp any any deny udp any any permit ip any any apply ACL to VRF interface on PE1 interface ethernet3/1 ip access-group 105 out configure firewall rule ip inspect name test tcp apply firewall rule on VRF interface interface ethernet3/1 ip inspect test in Check for VRF Firewall Sessions When Host on NET1 Tries to Telnet to Server on NET2 show ip inspect session vrf vrf1 Established Sessions Session 659CE534 ( :38772)=>( :23) tcp SIS_OPEN checking for ACLs show ip inspect session detail vrf vrf1 include ACL 105 Out SID [23:23]=> [38772:38772] on ACL 105 (34 matches) Additional References The following sections provide references related to VRF Aware Cisco IOS Firewall. Related Documents Related Topic Document Title VRF-lite Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2 MPLS VPN Configuring a Basic MPLS VPN, Document ID VRF Aware IPSec VRF-Aware IPSec feature module, Release 12.2(15)T Cisco IOS Security Configuration Guide, Release 12.3 Cisco IOS Security Command Reference, Release 12.3T 24

25 Additional References Related Topic Document Title VRF management Cisco 12000/10720 Router Manager User s Guide, Release 3.2 NAT NAT and Stateful Inspection of Cisco IOS Firewall, White Paper Configuring Network Address Translation: Getting Started Document ID Standards Standards No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. Title MIBs MIBs No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: RFCs RFCs No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. Title 25

26 Command Reference Technical Assistance Description Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. Link Command Reference This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 command reference publications. clear ip urlfilter cache ip inspect alert-off ip inspect audit trail ip inspect dns-timeout ip inspect max-incomplete high ip inspect max-incomplete low ip inspect name ip inspect one-minute high ip inspect one-minute low ip inspect tcp finwait-time ip inspect tcp idle-time ip inspect tcp max-incomplete host ip inspect tcp synwait-time ip inspect udp idle-time ip urlfilter alert ip urlfilter allowmode ip urlfilter audit-trail ip urlfilter cache ip urlfilter exclusive-domain ip urlfilter exclusive-domain ip urlfilter max-request ip urlfilter max-resp-pak ip urlfilter server vendor ip urlfilter urlf-server-log show ip inspect 26

27 Command Reference show ip urlfilter cache show ip urlfilter config show ip urlfilter statistics 27

28 clear ip urlfilter cache clear ip urlfilter cache To clear the cache table, use the clear ip urlfilter cache command in user EXEC mode. clear ip urlfilter cache {ip-address all} [vrf vrf-name] Syntax Description ip-address all vrf vrf-name Clears the cache table of a specified server IP address. Clears the cache table completely. (Optional) Clears the cache table only for the specified Virtual Routing and Forwarding (VRF) interface. Command Modes User EXEC Command History Release 12.2(11)YU 12.2(15)T 12.3(14)T Modification This command was introduced. This command was integrated into Cisco IOS Release 12.2(15)T. The vrf vrf-name keyword/argument pair was added. Usage Guidelines The cache table consists of the most recently requested IP addresses and the respective authorization status for each IP address. Examples The following example shows how to clear the cache table of IP address : clear ip urlfilter cache The following example shows how to clear the cache table of all IP addresses: clear ip urlfilter cache all The following example shows how to clear the cache table of all IP addresses in the vrf named bank. clear ip urlfilter cache all vrf bank Related Commands Command ip urlfilter cache show ip urlfilter cache Description Configures cache parameters. Displays the destination IP addresses that are cached into the cache table. 28

29 ip inspect alert-off ip inspect alert-off To disable Context-based Access Control (CBAC) alert messages, which are displayed on the console, use the ip inspect alert-off command in global configuration mode. To enable CBAC alert messages, use the no form of this command. ip inspect alert-off [vrf vrf-name] no ip inspect alert-off [vrf vrf-name] SyntaxDescription vrf vrf-name (Optional) Disables CBAC alert messages only for the specified Virtual Routing and Forwarding (VRF) interface. Defaults Alert messages are displayed. Command Modes Global configuration Command History Release 12.0(5)T 12.3(14)T Modification This command was introduced. The vrf vrf-name keyword/argument pair was added. Examples The following example turns on CBAC alert messages: ip inspect alert-off 29

30 ip inspect audit trail ip inspect audit trail To turn on Context-based Access Control (CBAC) audit trail messages, which will be displayed on the console after each CBAC session closes, use the ip inspect audit trail command in global configuration mode. To turn off CBAC audit trail messages, use the no form of this command. ip inspect audit trail [vrf vrf-name] no ip inspect audit trail [vrf vrf-name] SyntaxDescription vrf vrf-name (Optional) Turns on CBAC audit trail messages only for the specified Virtual Routing and Forwarding (VRF) interface. Defaults Audit trail messages are not displayed. Command Modes Global configuration Command History Release Modification 11.2 P This command was introduced. 12.3(14)T The vrf vrf-name keyword/argument pair was added. Usage Guidelines Use this command to turn on CBAC audit trail messages. Examples The following example turns on CBAC audit trail messages: ip inspect audit trail Afterward, audit trail messages such as the following are displayed. These messages are examples of audit trail messages. To determine which protocol was inspected, refer to the responder s port number. The port number follows the responder s IP address. %FW-6-SESS_AUDIT_TRAIL: tcp session initiator ( :33192) sent 22 bytes -- responder ( :25) sent 208 bytes %FW-6-SESS_AUDIT_TRAIL: ftp session initiator :33194) sent 336 bytes -- responder ( :21) sent 325 bytes The following example disables CBAC alert messages for VRF interface vrf1: ip inspect audit-trail vrf vrf1 Following are examples of audit trail messages: 00:10:15: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop udp session: initiator ( :40801) sent 54 bytes -- responder ( :7) sent 54 bytes 00:10:47: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop ftp-data session: initiator ( :20) sent bytes -- responder ( :38766) sent 0 bytes 00:10:47: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop ftp session: initiator 30

31 ip inspect audit trail ( :38765) sent 80 bytes -- responder ( :21) sent 265 bytes 00:10:57: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop rcmd session: initiator ( :531) sent 31 bytes -- responder ( :514) sent 12 bytes 00:10:57: %FW-6-SESS_AUDIT_TRAIL: VRF-vrf1:Stop rcmd-data session: initiator ( :594) sent 0 bytes -- responder ( :530) sent 0 bytes 31

32 ip inspect dns-timeout ip inspect dns-timeout To specify the Domain Name System (DNS) idle timeout (the length of time during which a DNS name lookup session will still be managed while there is no activity), use the ip inspect dns-timeout command in global configuration mode. To reset the timeout to the default of 5 seconds, use the no form of this command. ip inspect dns-timeout seconds [vrf vrf-name] no ip inspect dns-timeout seconds [vrf vrf-name] SyntaxDescription seconds vrf vrf-name Specifies the length of time in seconds, for which a DNS name lookup session will still be managed while there is no activity. The default is 5 seconds. (Optional) Specifies the DNS idle timeout only for the specified Virtual Routing and Forwarding (VRF) interface. Defaults 5 seconds Command Modes Global configuration Command History Release Modification 11.2 P This command was introduced. 12.3(14)T The vrf vrf-name keyword/argument pair was added. Usage Guidelines When the software detects a valid User Datagram Protocol (UDP) packet for a new DNS name lookup session, if Context-based Access Control (CBAC) inspection is configured for UDP, the software establishes state information for the new DNS session. If the software detects no packets for the DNS session for a time period defined by the DNS idle timeout, the software will not continue to manage state information for the session. The DNS idle timeout applies to all DNS name lookup sessions inspected by CBAC. The DNS idle timeout value overrides the global UDP timeout. The DNS idle timeout value also enters aggressive mode and overrides any timeouts specified for specific interfaces when you define a set of inspection rules with the ip inspect name command. Examples The following example sets the DNS idle timeout to 30 seconds: ip inspect dns-timeout 30 The following example sets the DNS idle timeout back to the default (5 seconds): no ip inspect dns-timeout 32

33 ip inspect max-incomplete high ip inspect max-incomplete high To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command. ip inspect max-incomplete high number [vrf vrf-name] no ip inspect max-incomplete high Syntax Description number vrf vrf-name Specifies the number of existing half-open sessions that will cause the software to start deleting half-open sessions. The default is 500 half-open sessions. (Optional) Defines the number of existing half-open sessions only for the specified Virtual Routing and Forwarding (VRF) interface. Defaults 500 half-open sessions Command Modes Global configuration Command History Release Modification 11.2 P This command was introduced. 12.3(14)T The vrf vrf-name keyword/argument pair was added. Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, half-open means that the session has not reached the established state. For User Datagram Protocol, half-open means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. 33

34 ip inspect max-incomplete high Examples The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800: ip inspect max-incomplete high 900 ip inspect max-incomplete low 800 The following example shows an ALERT_ON message generated for the ip inspect max-incomplete high command: ip inspect max-incomplete high 20 vrf vrf1 show log / include ALERT_ON 00:59:00:%FW-4-ALERT_ON: VRF-vrf1:getting aggressive, count (21/20) current 1-min rate: 21 Related Commands Command Description ip inspect max-incomplete low Defines the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. ip inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. ip inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. ip inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. 34

35 ip inspect max-incomplete low ip inspect max-incomplete low To define the number of existing half-open sessions that will cause the software to stop deleting half-open sessions, use the ip inspect max-incomplete low command in global configuration mode. To reset the threshold to the default of 400 half-open sessions, use the no form of this command. ip inspect max-incomplete low number [vrf vrf-name] no ip inspect max-incomplete low Syntax Description number vrf vrf-name Specifies the number of existing half-open sessions that will cause the software to stop deleting half-open sessions. The default is 400 half-open sessions. (Optional) Defines the number of existing half-open sessions only for the specified Virtual Routing and Forwarding (VRF) interface. Defaults 400 half-open sessions Command Modes Global configuration Command History Release Modification 11.2 P This command was introduced. 12.3(14)T The vrf vrf-name keyword/argument pair was added. Usage Guidelines An unusually high number of half-open sessions (either absolute or measured as the arrival rate) could indicate that a denial-of-service attack is occurring. For TCP, half-open means that the session has not reached the established state. For User Datagram Protocol (UDP), half-open means that the firewall has detected traffic from one direction only. Context-based Access Control (CBAC) measures both the total number of existing half-open sessions and the rate of session establishment attempts. Both TCP and UDP half-open sessions are counted in the total number and rate measurements. Measurements are made once a minute. When the number of existing half-open sessions rises above a threshold (the max-incomplete high number), the software will delete half-open sessions as required to accommodate new connection requests. The software will continue to delete half-open requests as necessary, until the number of existing half-open sessions drops below another threshold (the max-incomplete low number). The global value specified for this threshold applies to all TCP and UDP connections inspected by CBAC. 35

36 ip inspect max-incomplete low Examples The following example causes the software to start deleting half-open sessions when the number of existing half-open sessions rises above 900, and to stop deleting half-open sessions when the number drops below 800: ip inspect max-incomplete high 900 ip inspect max-incomplete low 800 The following example shows an ALERT_OFF message generated for the ip inspect max-incomplete low command: ip inspect max-incomplete low 10 vrf vrf1 show log / include ALERT_OFF 00:59:31: %FW-4-ALERT_OFF: VRF-vrf1:calming down, count (9/10) current 1-min rate: 100 Related Commands Command Description ip inspect max-incomplete high Defines the number of existing half-open sessions that will cause the software to start deleting half-open sessions. ip inspect one-minute high Defines the rate of new unestablished sessions that will cause the software to start deleting half-open sessions. ip inspect one-minute low Defines the rate of new unestablished TCP sessions that will cause the software to stop deleting half-open sessions. ip inspect tcp max-incomplete host Specifies the threshold and blocking time values for TCP host-specific denial-of-service detection and prevention. 36

37 ip inspect name ip inspect name To define a set of inspection rules, use the ip inspect name command in global configuration mode. To remove the inspection rule for a protocol or to remove the entire set of inspection rules, use the no form of this command. ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on off}] [audit-trail {on off}] [timeout seconds] no ip inspect name inspection-name [parameter max-sessions number] protocol [alert {on off}] [audit-trail {on off}] [timeout seconds] HTTP Inspection Syntax ip inspect name inspection-name http [urlfilter] [java-list access-list] [alert {on off}] [audit-trail {on off}] [timeout seconds] no ip inspect name inspection-name protocol SMTP and ESMTP Inspection Syntax ip inspect name inspection-name {smtp esmtp} [alert {on off}] [audit-trail {on off}] [max-data number] [timeout seconds] remote-procedure call (RPC) Inspection Syntax ip inspect name inspection-name [parameter max-sessions number] rpc program-number number [wait-time minutes] [alert {on off}] [audit-trail {on off}] [timeout seconds] no ip inspect name inspection-name protocol POP3/IMAP Inspection Syntax ip inspect name inspection-name imap [alert {on off}] [audit-trail {on off}] [reset] [secure-login] [timeout number] ip inspect name inspection-name pop3 [alert {on off}] [audit-trail {on off}] [reset] [secure-login] [timeout number] Fragment Inspection Syntax ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds] no ip inspect name inspection-name [parameter max-sessions number] fragment [max number timeout seconds] Application Firewall Provisioning Syntax ip inspect name inspection-name [parameter max-sessions number] appfw policy-name no ip inspect name inspection-name [parameter max-sessions number] appfw policy-name 37

38 ip inspect name User-Defined Application Syntax ip inspect name inspection-name user-10 [alert {on off}] [audit-trail {on off}] [timeout seconds} no ip inspect name inspection-name user-10 [alert {on off}] [audit-trail {on off}] [timeout seconds} Session Limiting Syntax no ip inspect name inspection-name [parameter max-sessions number] Syntax Description inspection-name Names the set of inspection rules. If you want to add a protocol to an existing set of rules, use the same inspection-name as the existing set of rules. parameter max-sessions number Note The inspection-name cannot exceed 16 characters; otherwise, the name will be truncated to the 16-character limit. (Optional) Limits the number of established firewall sessions that a firewall rule creates. The default is that there is no limit to the number of firewall sessions. protocol A protocol keyword listed in Table 1 or Table 2. alert {on off} (Optional) For each inspected protocol, the generation of alert messages can be set be on or off. If no option is selected, alerts are generated on the basis of the setting of the ip inspect alert-off command. audit-trail {on off} (Optional) For each inspected protocol, audit trail can be set on or off. If no option is selected, an audit trail message are generated on the basis of the setting of the ip inspect audit-trail command. timeout seconds (Optional) To override the global TCP or User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMP) idle timeouts for the specified protocol, specify the number of seconds for a different idle timeout. This timeout overrides the global TCP, UDP, or ICMP timeouts but will not override the global Domain Name System (DNS) timeout. http Specifies the HTTP protocol for Java applet blocking. urlfilter (Optional) Associates URL filtering with HTTP inspection. java-list access-list (Optional) Specifies the numbered standard access list to use to determine friendly sites. This keyword is available only for the HTTP protocol, for Java applet blocking. Java blocking only works with numbered standard access lists. smtp esmtp Specifies the protocol being used to inspect the traffic. max-data number (Optional) Specifies the maximum number of bytes (data) that can be transferred in a single Simple Mail Transport Protocol (SMTP) session. After the maximum value is exceeded, the firewall logs an alert message and closes the session. Default value: 20 MB rpc program-number number Specifies the program number to permit. This keyword is available only for the remote-procedure call protocol. 38

39 ip inspect name wait-time minutes reset secure-login imap pop3 fragment max number timeout seconds (fragmentation) appfw policy-name appname port tcp udp from begin_port_num to end_port_num port_num1... list acl_list_num description description_string (Optional) Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait-time is zero minutes. This keyword is available only for the remote-procedure call (RPC) protocol. (Optional) Resets the TCP connection if the client enters a non-protocol command before authentication is complete. (Optional) Causes a user at a non-secure location to use encryption for authentication. Specifies that the Internet Message Access Protocol (IMAP) is being used. Specifies that the Post Office Protocol, Version 3 (POP3) is being used. Specifies fragment inspection for the named rule. (Optional) Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. The acceptable range is 50 through The default is 256 state entries. Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted. (Optional) Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. The default timeout value is 1 second. If this number is set to a value greater that 1 second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds: when the number of free states is fewer than 32, the timeout is divided by 2. When the number of free states is fewer than 16, the timeout is set to 1 second. Specifies application firewall provisioning. Application firewall policy name. Note This name must match the name specified via the appfw policy-name command. Specifies a user- or a system-defined application; for example, user-payroll-sap and user-sametime. Application names can contain hyphens and underscores; however, a user-defined application must have the prefix user- in its title. Specifies the port range for an application. Specifies the protocol being used to inspect the traffic. Specifies the starting and ending port numbers or a range of ports from 1 to 5. You must use the from and to keywords together. (Optional) Specifies an access control list number. Only standard ACLs are supported. (Optional) Specifies a description of up to 40 characters. 39

40 ip inspect name user-10 router-traffic Represents a user-defined application in the port-to-application mapping (PAM) table of the ip port-map command. (Optional) Enables inspection of traffic destined to or originated from a router. Applicable only for H.323, TCP, and UDP protocols. For the command format, see the Note after Table 1. Defaults No inspection rules are defined until you define them using this command. no ip inspect-name protocol removes the inspection rule for the specified protocol. no ip inspect name removes the entire set of inspection rules. Command Modes Global configuration Command History Release Modification 11.2 P This command was introduced. 12.0(5)T Introduced configurable alert and audit trail, IP fragmentation checking, and NetShow protocol support. 12.2(11)YU Support was added for ICMP and SIP protocols and the urlfilter keyword was added to the HTTP inspection syntax. 12.2(15)T Support was added for ICMP, SIP protocols, and the urlfilter keyword was integrated into Cisco IOS Release 12.2(15)T. 12.3(1) Skinny protocol support was added. 12.3(7)T Extended Simple Mail Transfer Protocol (ESMTP) protocol support was added. 12.3(14)T The appfw keyword and the policy-name argument were added to support application firewall provisioning. The parameter max-sessions, secure-login, reset, and router-traffic keywords were added. Support for a larger list of protocols including user-defined applications was added. Usage Guidelines To define a set of inspection rules, enter this command for each protocol that you want the Cisco IOS firewall to inspect, using the same inspection-name. Give each set of inspection rules a unique inspection-name, which should not exceed the 16-character limit. Define either one or two sets of rules per interface you can define one set to examine both inbound and outbound traffic, or you can define two sets: one for outbound traffic and one for inbound traffic. To define a single set of inspection rules, configure inspection for all the desired application-layer protocols, and for ICMP, TCP, and UDP, or as desired. This combination of TCP, UDP, and application-layer protocols join together to form a single set of inspection rules with a unique name. (There are no application-layer protocols associated with ICMP.) To remove the inspection rule for a protocol, use the no form of this command with the specified inspection name and protocol; to remove the entire set of inspection rules, use the no form of this command only; that is, do not list any inspection names or protocols. 40

41 ip inspect name In general, when inspection is configured for a protocol, return traffic entering the internal network will be permitted only if the packets are part of a valid, existing session for which state information is being maintained. Table 1 Protocol Keywords Transport-Layer and Network-Layer Protocols Protocol Keyword ICMP icmp TCP tcp UDP udp Note The TCP, UDP, and H.323 protocols support the router-traffic keyword, which enables inspection of traffic destined to or originated from a router. The command format is as follows: ip inspect name inspection-name {TCP UDP H323} [alert {on off}] [audit-trail {on off}][router-traffic][timeout seconds] TCP and UDP Inspection You can configure TCP and UDP inspection to permit TCP and UDP packets to enter the internal network through the firewall, even if the application-layer protocol is not configured to be inspected. However, TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number from the previous exiting packet. Any application-layer protocol that is inspected will take precedence over the TCP or UDP packet inspection. For example, if inspection is configured for FTP, all control channel information will be recorded in the state table, and all FTP traffic will be permitted back through the firewall if the control channel information is valid for the state of the FTP session. The fact that TCP inspection is configured is irrelevant. With TCP and UDP inspection, packets entering the network must exactly match an existing session: the entering packets must have the same source or destination addresses and source or destination port numbers as the exiting packet (but reversed). Otherwise, the entering packets will be blocked at the interface. Granular protocol inspection allows you to specify TCP or UDP ports by using the PAM table. This eliminates having to inspect all applications running under TCP or UDP and the need for multiple access control lists (ACLs) to filter the traffic. Using the PAM table, you simply pick an existing application or define a new one for inspection thereby simplifying ACL configuration. ICMP Inspection An ICMP inspection session is on the basis of the source address of the inside host that originates the ICMP packet. Dynamic access control lists (ACLs) are created for return ICMP packets of the allowed types (echo-reply, time-exceeded, destination unreachable, and timestamp reply) for each session. There are no port numbers associated with an ICMP session, and the permitted IP address of the return packet is wild-carded in the ACL. The wildcard address is because the IP address of the return packet cannot be known in advance for time-exceeded and destination-unreachable replies. These replies can come from intermediate devices rather than the intended destination. 41

42 ip inspect name Application-Layer Protocol Inspection In general, if you configure inspection for an application-layer protocol, packets for that protocol should be permitted to exit the firewall (by configuring the correct access control list), and packets for that protocol will only be allowed back in through the firewall if they belong to a valid existing session. Each protocol packet is inspected to maintain information about the session state. Java, H.323, RPC, SIP, and SMTP inspection have additional information, described in the next five sections. Table 2 lists the supported application-layer protocols. Table 2 Protocol Keywords Application-Layer Protocols Protocol Keyword Application Firewall appfw CU-SeeMe cuseeme ESMTP smtp FTP ftp IMAP imap Java http H.323 h323 Microsoft NetShow netshow POP3 pop3 RealAudio realaudio RPC rpc SIP sip Simple Mail Transfer Protocol smtp (SMTP) Skinny Client Control Protocol skinny (SCCP) StreamWorks streamworks Structured Query sqlnet Language*Net (SQL*Net) TFTP tftp UNIX R commands (rlogin, rcmd rexec, rsh) VDOLive vdolive WORD user-defined application name; use prefix -user Note All applications that appear under the show ip port-map command are supported. Java Inspection Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as friendly. If an applet is from a friendly site, the firewall allows the applet through. If the applet is not from a friendly site, the applet will be blocked. Alternately, you could permit applets from all sites except sites specifically designated as hostile. 42

43 ip inspect name Note Before you configure Java inspection, you must configure a numbered standard access list that defines friendly and hostile external sites. You configure this numbered standard access list to permit traffic from friendly sites, and to deny traffic from hostile sites. If you do not configure a numbered standard access list, but use a placeholder access list in the ip inspect name inspection-name http command, all Java applets will be blocked. Note Java blocking forces a strict order on TCP packets. To properly verify that Java applets are not in the response, a firewall will drop any TCP packet that is out of order. Because the network not the firewall determines how packets are routed, the firewall cannot control the order of the packets; the firewall can only drop and retransmit all TCP packets that are not in order. Caution Context-Based Access Control (CBAC) does not detect or block encapsulated Java applets. Therefore, Java applets that are wrapped or encapsulated, such as applets in.zip or.jar format, are not blocked at the firewall. CBAC also does not detect or block applets loaded via FTP, gopher, or HTTP on a nonstandard port. H.323 Inspection If you want CBAC inspection to work with NetMeeting 2.0 traffic (an H.323 application-layer protocol), you must also configure inspection for TCP, as described in the chapter Configuring Context-Based Access Control in the Cisco IOS Security Configuration Guide. This requirement exists because NetMeeting 2.0 uses an additional TCP channel not defined in the H.323 specification. RPC Inspection RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number will be blocked. For example, if you created an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall. SIP Inspection You can configure SIP inspection to permit media sessions associated with SIP-signaled calls to traverse the firewall. Because SIP is frequently used to signal both incoming and outgoing calls, it is often necessary to configure SIP inspection in both directions on a firewall (both from the protected internal network and from the external network). Because inspection of traffic from the external network is not done with most protocols, it may be necessary to create an additional inspection rule to cause only SIP inspection to be performed on traffic coming from the external network. SMTP Inspection SMTP inspection causes SMTP commands to be inspected for illegal commands. Packets with illegal commands are modified to a xxxx pattern and forwarded to the server. This process causes the server to send a negative reply, forcing the client to issue a valid command. An illegal SMTP command is any command except the following: DATA HELO HELP 43