Transparent Cisco IOS Firewall
Problem
You want to use a router as a Layer 2 Firewall.
Solution
To enable a transparent Firewall, start by enabling Integrated Routing and Bridging (IRB) between to interfaces:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#bridge 1 protocol ieee Router1(config)#interface FastEthernet0/0 Router1(config-if)#bridge-group 1 Router1(config-if)#interface FastEthernet0/1 Router1(config-if)#bridge-group 1 Router1(config-if)#exit Router1(config)#bridge irb Router1(config)#bridge 1 route ip Router1(config)#interface BVI1 Router1(config-if)#ip address 172.25.1.101 255.255.255.0 Router1(config-if)#no shutdown Router1(config-if)#end Router1#
Next, you have to configure the Firewall inspection rules and ACLs:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip inspect name OREILLY tcp Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip inspect OREILLY in Router1(config-if)#exit Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23 Router1(config)#access-list 111 permit ip any any Router1(config)#access-list 112 deny ip any any Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip access-group 111 in Router1(config-if)#interface FastEthernet0/1 Router1(config-if)#ip access-group 112 in Router1(config-if)#end Router1#
Discussion
Beginning with IOS Version 12.3(7)T, Cisco introduced the concept of an IOS-based Layer 2 or transparent Firewall. The name of this feature can be somewhat misleading because even though the Firewall sits at a Layer 2 level, it supports the filtering of IP packets (including IP, TCP, UDP, and ICMP protocols). The transparent Firewall is a Layer 2 bridge acting as a Firewall, with the capability of filtering IP-based packets using Context-Based Access Control (CBAC).
A typical layer 3 Firewall filters packets as they transverse from one IP subnet to another. We've seen an excellent example of this in out CBAC Recipe 27.2. A Layer 2 Firewall has the distinct advantage of being able to insert a transparent Firewall into a pre-existing subnet without having to readdress or reconfigure the attached devices. In effect, you can insert a Firewall between neighbors on the same wire.
We have implemented Layer 2 firewalls in several different types of situations. The biggest reason for using a Layer 2 firewall is its complete invisibility at Layer 3. A Layer 2 firewall has no IP addresses, so it can't be detected by devices, even if they are on the same physical segment.
Another common reason for using Layer 2 firewalls is to provide security even when the protocols in use don't really lend themselves to security. Suppose, for example, that you have an application that relies heavily on broadcasts from the server to the clients, but you need to protect this server against possible attack from the client devices. In this case, a Layer 3 firewall will break the application, so your only real option is a Layer 2 firewall configureation like the one shown in this recipe.
The first step in configuring a transparent Firewall is to configure transparent bridging on two of the interfaces. What's more, you need to configure Integrated Routing and Bridging (IRB) and create an associated BVI interface. The result of this is to bridge two physical interfaces together. For more information on IRB, please see Chapter 15.
Once transparent bridging is enabled, you must enable CBAC and configure the required ACLs on the router. In our example, we only enabled CBAC to inspect generic TCP sessions, but you can configure the router to inspect any CBAC supported protocol. For more information on CBAC, please see Recipe 27.2.
After CBAC is configured, you need to create and apply your ACLs to prevent unwanted traffic from passing through the Firewall. In our example, we configured access-list 112 to deny all IP packets. Keep in mind that CBAC will dynamically create session-specific ACL entries in access-list 112, as required.
To view the configuration of the transparent Firewall, use the following show command:
Router1#show ip inspect all Session audit trail is disabled Session alert is enabled one-minute (sampling period) thresholds are [400:500] connections max-incomplete sessions thresholds are [400:500] max-incomplete tcp connections per host is 50. Block-time 0 minute. tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec tcp idle-time is 3600 sec -- udp idle-time is 30 sec dns-timeout is 5 sec Inspection Rule Configuration Inspection name OREILLY tcp alert is on audit-trail is off timeout 3600 Interface Configuration Interface FastEthernet0/0 Inbound inspection rule is OREILLY tcp alert is on audit-trail is off timeout 3600 Outgoing inspection rule is not set Inbound access list is 111 Outgoing access list is not set Established Sessions Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN Router1#
This command shows the CBAC global configuration as well as the interface-specific configuration as well. Notice that interface FastEthernet0/0 has inspection rule OREILLY configured and inbound access-list 111.
Once the transparent Firewall is configured, we initiated an FTP session from a host on one side of the Firewall to a server on another side. If we view the detailed session information we will see that CBAC dynamically created an ACL entry in access list 112 to permit returning session traffic:
Router1#show ip inspect session detail Established Sessions Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN Created 00:02:17, Last heard 00:02:14 Bytes sent (initiator:responder) [35:150] In SID 172.25.1.102[21:21]=>172.25.1.1[2618:2618] on ACL 112 (5 matches) Router1#
The command output also keeps track of all actively inspected sessions and their current status.
As we've seen, Cisco's transparent Firewall feature is a combination of CBAC and IRB working together to provide a Layer 2 Firewall.
See Also
Recipe 27.2; Chapter 15