As with every Cisco IOS feature, a number of show and debug commands are available to network administrators to monitor and troubleshoot the zone-based firewall configuration.
If you would like to see a summary of your zone configuration, the show zone security command is the one you're looking for (Listing 3-19).
Policy Firewalls in Cisco IOS
LISTING 3-19 Show Zone Security Command Displays Zones and Associated Interfaces

fw#show zone security
zone self
  Description: System defined zone
zone Inside
  Description: Inside network
  Member Interfaces:
    FastEthernet0/0
zone Outside
  Description: Outside network
  Member Interfaces:
    Serial0/0/0.100
If you would like to see more details about the configured traffic classes and interzone policies, the obvious commands are show class-map type inspect, show policy-map type inspect, and show zone-pair security. They display the specified class map, policy map, or zone pair so that you don't have to browse through the router configuration. More useful is the show policy-map type inspect zone-pair name command, which displays the traffic and usage statistics for a zone pair, as shown in Listing 3-20.
LISTING 3-20 Output of a show policy-map type inspect zone-pair Command

fw#show policy-map type inspect zone-pair InsideToOutside
 Zone-pair: InsideToOutside
  Service-policy inspect : InsideToOutside

    Class-map: InternetTraffic (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        3 packets, 84 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [133:2363]
        icmp packets: [0:8]
        ftp packets: [46:0]

        Session creations since subsystem startup or last reset 7
        Current session counts (estab/half-open/terminating) [2:0:0]
        Maxever session counts (estab/half-open/terminating) [2:1:1]
        Last session created 00:00:13
        Last statistic reset never
        Last session creation rate 1
        Last half-open session total 0

    … printout repeated for other classes of traffic …
WARNING The per-protocol traffic counters displayed by the show policy-map type inspect zone-pair command can be misleading. For example, the counters for the FTP protocol list only the actual content packets (excluding the TCP setup packets) exchanged in the FTP control session and do not include the data transferred in the FTP data sessions. Compare the 84 bytes attributed to the ftp class in Listing 3-20 with the 1,917,424 bytes reported for the single ftp-data session in Listing 3-21: the class counters tell you which classes are being hit, not how much traffic the firewall is actually passing.
The show policy-map type inspect zone-pair name sessions command gives an even more detailed printout that also includes all open sessions (see Listing 3-21). The name parameter is optional; without it, the router displays the sessions of all zone pairs it tracks. Note the direction of the ftp-data session in the listing: it is initiated by the outside server (172.16.0.1, source port 20) toward the inside client, which is how active-mode FTP works. No configured policy permits an outside-initiated connection into the Inside zone; the firewall created that session dynamically because it inspected the FTP control session and saw the client announce its data port. That is precisely why FTP needs application-layer inspection rather than plain TCP inspection.
LISTING 3-21 Sessions Established Between a Pair of Zones

fw#show policy-map type inspect zone-pair sessions
 Zone-pair: InsideToOutside
  Service-policy inspect : InsideToOutside

    Class-map: InternetTraffic (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        3 packets, 84 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Established Sessions
          Session 478AF96C (172.16.0.1:20)=>(10.0.0.2:1053) ftp-data SIS_OPEN
            Created 00:04:30, Last heard 00:00:00
            Bytes sent (initiator:responder) [1917424:0]
          Session 478AFC24 (10.0.0.2:1051)=>(172.16.0.1:21) ftp SIS_OPEN
            Created 00:06:04, Last heard 00:04:29
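The session printout is easy to read by eye on a lab router but awkward to audit on a busy one, and the warning about the class counters only becomes obvious when the two numbers are put side by side. The following Python script is an added example, not the book's code: it parses show policy-map type inspect zone-pair sessions output into per-zone-pair records, lists the sessions that were not initiated from the inside prefix, and reports how many bytes the open sessions carry that the class-map counters never counted. The sample text is constructed from Listing 3-21 (the Bytes sent line of the ftp control session is made up, because the page cuts off there), and the 10.0.0.0/24 inside prefix is an assumption.

```python
"""Audit 'show policy-map type inspect zone-pair sessions' output.

Added example, not the book's code. SAMPLE is constructed from Listing 3-21;
INSIDE_NET is an assumed inside prefix (10.0.0.2 is the client in the listing).
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE = """\
 Zone-pair: InsideToOutside
  Service-policy inspect : InsideToOutside

    Class-map: InternetTraffic (match-any)
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ftp
        3 packets, 84 bytes
        30 second rate 0 bps
      Match: protocol icmp
        1 packets, 40 bytes
        30 second rate 0 bps
      Match: protocol https
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
        Established Sessions
          Session 478AF96C (172.16.0.1:20)=>(10.0.0.2:1053) ftp-data SIS_OPEN
            Created 00:04:30, Last heard 00:00:00
            Bytes sent (initiator:responder) [1917424:0]
          Session 478AFC24 (10.0.0.2:1051)=>(172.16.0.1:21) ftp SIS_OPEN
            Created 00:06:04, Last heard 00:04:29
            Bytes sent (initiator:responder) [96:412]
"""
# The last "Bytes sent" line above is constructed; the page cuts off before it.

INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption


@dataclass
class Session:
    sid: str
    initiator: str  # "ip:port"
    responder: str
    proto: str
    state: str
    bytes_init: int = 0
    bytes_resp: int = 0


@dataclass
class ZonePairStats:
    name: str
    class_bytes: dict = field(default_factory=dict)  # protocol -> bytes counted by the class-map
    sessions: list = field(default_factory=list)


ZONE_PAIR_RE = re.compile(r"^\s*Zone-pair:\s+(\S+)")
MATCH_RE = re.compile(r"^\s*Match:\s+protocol\s+(\S+)")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+(\d+)\s+bytes")
SESSION_RE = re.compile(
    r"^\s*Session\s+([0-9A-F]+)\s+\(([^)]+)\)=>\(([^)]+)\)\s+(\S+)\s+(\S+)")
BYTES_RE = re.compile(r"^\s*Bytes sent \(initiator:responder\)\s+\[(\d+):(\d+)\]")


def parse_sessions(text):
    """Return a list of ZonePairStats, one per 'Zone-pair:' block in the output."""
    pairs, cur, pending_proto = [], None, None
    for line in text.splitlines():
        m = ZONE_PAIR_RE.match(line)
        if m:
            cur = ZonePairStats(m.group(1))
            pairs.append(cur)
            continue
        if cur is None:
            continue
        m = MATCH_RE.match(line)
        if m:  # the byte count follows on the next line
            pending_proto = m.group(1)
            continue
        m = COUNT_RE.match(line)
        if m and pending_proto:
            cur.class_bytes[pending_proto] = cur.class_bytes.get(pending_proto, 0) + int(m.group(2))
            pending_proto = None
            continue
        m = SESSION_RE.match(line)
        if m:
            cur.sessions.append(Session(*m.groups()))
            continue
        m = BYTES_RE.match(line)
        if m and cur.sessions:  # belongs to the session listed just above
            cur.sessions[-1].bytes_init = int(m.group(1))
            cur.sessions[-1].bytes_resp = int(m.group(2))
    return pairs


def _host(endpoint):
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])


def outside_initiated(pair, inside_net=INSIDE_NET):
    """Sessions in an inside->outside zone pair whose initiator is not an inside host.
    The firewall opened them on behalf of an inspected control channel (active-mode
    FTP data, where the server connects back from port 20); anything else here deserves a look."""
    return [s for s in pair.sessions if _host(s.initiator) not in inside_net]


def bytes_unaccounted(pair):
    """Bytes carried by the open sessions minus the bytes the class-map counters
    attribute to the matched protocols. A large positive number is the discrepancy
    the warning describes: the counters are not a usage meter."""
    session_total = sum(s.bytes_init + s.bytes_resp for s in pair.sessions)
    return session_total - sum(pair.class_bytes.values())


if __name__ == "__main__":
    for pair in parse_sessions(SAMPLE):
        print(pair.name, "class counters:", pair.class_bytes)
        for s in outside_initiated(pair):
            print("  outside-initiated:", s.sid, s.initiator, "->", s.responder, s.proto)
        print("  bytes in sessions not reflected in class counters:", bytes_unaccounted(pair))
```

On the constructed sample the only outside-initiated session is the ftp-data connection from 172.16.0.1:20, and the 1.9 MB it carried never appears in the ftp class counter. Feed the script the real command output captured from a router and any outside-initiated session that is not an ftp-data (or similar inspected secondary) channel is worth investigating.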
A few debugging commands also support the zone-based policy firewall feature:
■ The debug zone security command is focused on zone security events (for example, interface assignments).
■ The debug ip inspect policy command gives you an in-depth view of individual packet classification. Listing 3-22 shows the printout associated with a single TCP SYN packet trying to open a Finger session to the router.
LISTING 3-22 Output of the debug ip inspect policy Command

00:36:29: CBAC-C3PL : Policy lookup for pak 0x4716467C [insp_c3pl_policy_lookup]
00:36:29: CBAC-C3PL : input i/f is FastEthernet0/0, output i/f is NULL [insp_c3pl_validate_zoning]
00:36:29: CBAC-C3PL : Zone-pair and policy found [insp_c3pl_validate_zoning]
00:36:29: CBAC-C3PL : Packet L7 protocol is 59 L4 prot is 1 [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : zeroing out prot_flag [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Checking if the packet(0x4716467C) matches with class RouterManagement [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : zeroing out prot_flag [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Checking if the packet(0x4716467C) matches with class class-default [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Packet(0x4716467C) matched with class class-default [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Classification returned protocol-id 0x0 classid 0 [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : DROP action found in policy-map [insp_c3pl_process_actions_of_class]
00:36:29: CBAC-C3PL : Action processing returned code 1. [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : classify processing returned 1 [insp_c3pl_policy_lookup]
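Only the first few lines of such a trace carry the packet handle; the interface, match and action lines that follow have to be attributed to the packet by position. The following Python script is an added example, not the book's code: it groups debug ip inspect policy output into one record per packet and pulls out the packets that were punted to the router itself (output i/f NULL, that is, the self zone) and fell through to a DROP action. The first trace in the sample is constructed from Listing 3-22; the second packet (0x47164A10, matched by RouterManagement) is constructed here, and its "INSPECT action found" wording is an assumption, not output copied from a router.

```python
"""Group 'debug ip inspect policy' output into one record per packet.

Added example, not the book's code. The 0x4716467C trace follows Listing 3-22;
the 0x47164A10 trace and its "INSPECT action found" line are constructed.
"""
import re

SAMPLE = """\
00:36:29: CBAC-C3PL : Policy lookup for pak 0x4716467C [insp_c3pl_policy_lookup]
00:36:29: CBAC-C3PL : input i/f is FastEthernet0/0, output i/f is NULL [insp_c3pl_validate_zoning]
00:36:29: CBAC-C3PL : Zone-pair and policy found [insp_c3pl_validate_zoning]
00:36:29: CBAC-C3PL : Packet L7 protocol is 59 L4 prot is 1 [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : zeroing out prot_flag [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Checking if the packet(0x4716467C) matches with class RouterManagement [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : zeroing out prot_flag [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Checking if the packet(0x4716467C) matches with class class-default [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Packet(0x4716467C) matched with class class-default [insp_c3pl_packet_classify_class_based_common]
00:36:29: CBAC-C3PL : Classification returned protocol-id 0x0 classid 0 [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : DROP action found in policy-map [insp_c3pl_process_actions_of_class]
00:36:29: CBAC-C3PL : Action processing returned code 1. [insp_c3pl_classify_packet]
00:36:29: CBAC-C3PL : classify processing returned 1 [insp_c3pl_policy_lookup]
00:36:31: CBAC-C3PL : Policy lookup for pak 0x47164A10 [insp_c3pl_policy_lookup]
00:36:31: CBAC-C3PL : input i/f is FastEthernet0/0, output i/f is NULL [insp_c3pl_validate_zoning]
00:36:31: CBAC-C3PL : Zone-pair and policy found [insp_c3pl_validate_zoning]
00:36:31: CBAC-C3PL : Checking if the packet(0x47164A10) matches with class RouterManagement [insp_c3pl_packet_classify_class_based_common]
00:36:31: CBAC-C3PL : Packet(0x47164A10) matched with class RouterManagement [insp_c3pl_packet_classify_class_based_common]
00:36:31: CBAC-C3PL : INSPECT action found in policy-map [insp_c3pl_process_actions_of_class]
"""
# Everything from 00:36:31 on is constructed; the action wording is assumed.

LOOKUP_RE = re.compile(r"Policy lookup for pak (0x[0-9A-Fa-f]+)")
IFACE_RE = re.compile(r"input i/f is (\S+), output i/f is (\S+)")
CHECK_RE = re.compile(r"Checking if the packet\((0x[0-9A-Fa-f]+)\) matches with class (\S+)")
MATCHED_RE = re.compile(r"Packet\((0x[0-9A-Fa-f]+)\) matched with class (\S+)")
ACTION_RE = re.compile(r"(\w+) action found in policy-map")


def parse_trace(text):
    """Return {packet handle: record}. A 'Policy lookup' line opens a new record;
    later lines that carry no handle (interfaces, action) belong to the newest one."""
    records, cur = {}, None
    for line in text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            cur = {"time": line.split()[0].rstrip(":"), "in_if": None, "out_if": None,
                   "zone_pair_found": False, "checked": [], "matched": None, "action": None}
            records[m.group(1)] = cur
            continue
        if cur is None:  # lines before the first lookup cannot be attributed
            continue
        m = IFACE_RE.search(line)
        if m:
            cur["in_if"], cur["out_if"] = m.groups()
            continue
        if "Zone-pair and policy found" in line:
            cur["zone_pair_found"] = True
            continue
        m = CHECK_RE.search(line)
        if m:  # classes are tried in policy-map order; keep that order
            cur["checked"].append(m.group(2))
            continue
        m = MATCHED_RE.search(line)
        if m:
            cur["matched"] = m.group(2)
            continue
        m = ACTION_RE.search(line)
        if m:
            cur["action"] = m.group(1).upper()
    return records


def dropped_at_router(records):
    """Handles of packets destined to the router itself (output i/f NULL, the self
    zone) that ended in a DROP action. With a policy like the one in the listing these
    are the connection attempts the RouterManagement class did not admit."""
    return sorted(pak for pak, r in records.items()
                  if r["out_if"] == "NULL" and r["action"] == "DROP")


if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    for pak, r in recs.items():
        print(pak, r["time"], r["in_if"], "->", r["out_if"],
              "tried", r["checked"], "matched", r["matched"], "action", r["action"])
    print("dropped at router:", dropped_at_router(recs))
```

Pipe a captured debug log through parse_trace and the output reads as one line per packet instead of a dozen, which is what you want when you are trying to work out which class a denied management connection fell into.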
Furthermore, because the zone-based policy firewall feature is closely linked to the Context-Based Access Control (CBAC) code, many debug ip inspect commands work as expected. For example, you might debug DNS and FTP inspection, resulting in the following printout when a user opens an FTP session from the inside to the outside zone (Listing 3-23). Note that the FTP command debug prints the user name in cleartext while the router masks the argument of the PASS command; keep that in mind if the debug output is sent to a syslog server.
WARNING Use debug ip inspect policy only on a lightly loaded router in a controlled environment (preferably with no logging to the router console); otherwise, you might easily overload its CPU.
LISTING 3-23 Debugging FTP and DNS Sessions

fw#debug ip inspect dns
INSPECT DNS Inspection debugging is on
fw#debug ip inspect ftp-cmd
INSPECT FTP commands and responses debugging is on
fw#
00:43:01: CBAC FUNC: insp_dns_sis_ext_create
00:43:01: CBAC FUNC: insp_handle_dns_control_stream
00:43:01: CBAC FUNC: insp_handle_dns_control_stream
00:43:01: CBAC FTP sis 478AFEDC FTP-Server: 220 sp IOS-FTP server (version 1.00) ready.~~
00:43:06: CBAC FUNC: insp_dns_handle_inactivity
00:43:16: CBAC FTP sis 478AFEDC FTP-Client: USER myUser~~
00:43:16: CBAC FTP sis 478AFEDC FTP-Server: 331 Password required for 'myUser'.~~
00:43:18: CBAC FTP sis 478AFEDC FTP-Client: PASS xxxxxx
00:43:18: CBAC FTP sis 478AFEDC FTP-Server: 230 Logged in.~~
00:43:18: CBAC sis 478AFEDC User authenticated
Summary
In this chapter, you've seen that there is an almost one-to-one mapping between your zone-based firewall design and Cisco IOS configuration commands:
■ Traffic specifications described in your design are configured with class-map type inspect commands that can match individual transport layer or application layer protocols with the match protocol command, or IP addresses (or port numbers) with the match access-group command. More complex logical conditions are also possible with the right combination of match-all or match-any keywords, sometimes combined with hierarchical class-maps.
■ Interzone policies are expressed as policy-map type inspect commands in Cisco IOS and are assigned to specific pairs of zones with the zone-pair security command. The two configuration layers allow you to use the same policy on multiple pairs of zones, thus further simplifying the configuration.
■ Interfaces are assigned to security zones with the zone-member security command. All traffic entering or exiting these interfaces (apart from traffic to and from the router itself) is subject to security screening, additionally improving the security of the zone-based firewall in Cisco IOS.
■ Traffic to and from the router is not monitored (doing so by default would probably quickly kill routing protocols and network management in most implementations). To protect the router itself, you specify the interactions of the predefined zone self with other security zones.
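Because the mapping from design to configuration is this regular, it can be generated and checked mechanically. The following Python script is an added example, not the book's code: it takes a small design table (zones with their interfaces, traffic classes, interzone policies, zone pairs), checks it for the mistakes that silently produce an open or a dead firewall (an interface in two zones, a zone pair pointing at an undefined zone or policy, a class-default that passes everything), and renders the IOS commands summarized above in an order that is safe to paste into a live router. The zone, interface, class and policy names follow the chapter's running example; the DESIGN structure and the helper names are this example's own, and the design deliberately covers only Inside and Outside: a policy toward the predefined self zone is written the same way with self as the source or destination zone, and the checker accepts that name without requiring a zone security definition for it.

```python
"""Render and sanity-check a zone-based firewall design as IOS configuration.

Added example, not the book's code. Names follow the chapter's Inside/Outside
example; the DESIGN layout and helper names are this example's own.
"""

DESIGN = {
    # zone name -> description and member interfaces
    "zones": {
        "Inside": {"description": "Inside network", "interfaces": ["FastEthernet0/0"]},
        "Outside": {"description": "Outside network", "interfaces": ["Serial0/0/0.100"]},
    },
    # traffic specifications -> class-map type inspect (protocols and/or a named ACL)
    "classes": {
        "InternetTraffic": {"mode": "match-any", "protocols": ["http", "https", "ftp", "icmp"]},
    },
    # interzone policies -> policy-map type inspect; class-default is left to its
    # implicit drop unless an explicit action is given
    "policies": {
        "InsideToOutside": {"InternetTraffic": "inspect"},
    },
    # (zone-pair name, source zone, destination zone, policy)
    "zone_pairs": [
        ("InsideToOutside", "Inside", "Outside", "InsideToOutside"),
    ],
}

PREDEFINED_ZONES = {"self"}  # exists without a 'zone security' command
ACTIONS = {"inspect", "pass", "drop"}


def validate(design):
    """Return a list of problems; an empty list means the design is consistent."""
    problems, member_of = [], {}
    for zone, z in design["zones"].items():
        for intf in z["interfaces"]:
            if intf in member_of:
                problems.append(f"{intf} is a member of both {member_of[intf]} and {zone}")
            member_of[intf] = zone
    for name, c in design["classes"].items():
        if not c.get("protocols") and not c.get("acl"):
            problems.append(f"class {name} matches nothing")
    for pname, classes in design["policies"].items():
        for cname, action in classes.items():
            if cname != "class-default" and cname not in design["classes"]:
                problems.append(f"policy {pname} references undefined class {cname}")
            if action not in ACTIONS:
                problems.append(f"policy {pname}: unknown action {action} for {cname}")
            if cname == "class-default" and action == "pass":
                problems.append(f"policy {pname}: class-default pass lets all unmatched traffic through")
    known = set(design["zones"]) | PREDEFINED_ZONES
    for zp, src, dst, policy in design["zone_pairs"]:
        for z in (src, dst):
            if z not in known:
                problems.append(f"zone-pair {zp} references undefined zone {z}")
        if src == dst:
            problems.append(f"zone-pair {zp} has the same zone on both ends")
        if policy not in design["policies"]:
            problems.append(f"zone-pair {zp} references undefined policy {policy}")
    return problems


def render(design):
    """Return the IOS configuration lines for a validated design.

    Order matters on a live router: class-maps before the policy-map that uses them,
    zones and the policy before the zone-pair, and interface membership last, because
    an interface placed in a zone before its zone-pair exists starts dropping
    inter-zone traffic immediately."""
    out = []
    for name, c in design["classes"].items():
        out.append(f"class-map type inspect {c['mode']} {name}")
        for proto in c.get("protocols", []):
            out.append(f" match protocol {proto}")
        if c.get("acl"):
            out.append(f" match access-group name {c['acl']}")
    for pname, classes in design["policies"].items():
        out.append(f"policy-map type inspect {pname}")
        for cname, action in classes.items():
            header = "class-default" if cname == "class-default" else f"type inspect {cname}"
            out.append(f" class {header}")
            out.append(f"  {action}")
    for zone, z in design["zones"].items():
        out.append(f"zone security {zone}")
        out.append(f" description {z['description']}")
    for zp, src, dst, policy in design["zone_pairs"]:
        out.append(f"zone-pair security {zp} source {src} destination {dst}")
        out.append(f" service-policy type inspect {policy}")
    for zone, z in design["zones"].items():
        for intf in z["interfaces"]:
            out.append(f"interface {intf}")
            out.append(f" zone-member security {zone}")
    return out


if __name__ == "__main__":
    issues = validate(DESIGN)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render(DESIGN)))
```

Run it and the output is the class-map, policy-map, zone, zone-pair and interface commands for the Inside/Outside example; extend DESIGN with an acl entry on a class to get a match access-group line, or with a pair whose destination is self to protect the router.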