Transparent Cisco IOS Firewall
Problem
You want to use a router as a Layer 2 Firewall.
Solution
To enable a transparent Firewall, start by enabling Integrated Routing and Bridging (IRB) between two interfaces:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#bridge 1 protocol ieee
Router1(config)#interface FastEthernet0/0
Router1(config-if)#bridge-group 1
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#bridge-group 1
Router1(config-if)#exit
Router1(config)#bridge irb
Router1(config)#bridge 1 route ip
Router1(config)#interface BVI1
Router1(config-if)#ip address 172.25.1.101 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#end
Router1#
Next, you have to configure the Firewall inspection rules and ACLs:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name OREILLY tcp
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip inspect OREILLY in
Router1(config-if)#exit
Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23
Router1(config)#access-list 111 permit ip any any
Router1(config)#access-list 112 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 111 in
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip access-group 112 in
Router1(config-if)#end
Router1#
Discussion
Beginning with IOS Version 12.3(7)T, Cisco introduced the concept of an IOS-based Layer 2 or transparent Firewall. The name of this feature can be somewhat misleading because even though the Firewall sits at Layer 2, it filters IP traffic (TCP, UDP, and ICMP) rather than Ethernet frames. The transparent Firewall is a Layer 2 bridge acting as a Firewall, with the capability of filtering IP packets using Context-Based Access Control (CBAC).
A typical Layer 3 Firewall filters packets as they traverse from one IP subnet to another. We've seen an excellent example of this in our CBAC Recipe 27.2. A Layer 2 Firewall has the distinct advantage of being able to be inserted into a pre-existing subnet without having to readdress or reconfigure the attached devices. In effect, you can insert a Firewall between neighbors on the same wire.
We have implemented Layer 2 firewalls in several different types of situations. The biggest reason for using a Layer 2 firewall is its near invisibility at Layer 3. The bridged interfaces themselves carry no IP addresses and the firewall is not a routing hop, so devices on either side of it, even on the same physical segment, see each other as directly attached neighbors. Note that the IP address on BVI1 in this recipe exists only so that you can manage the router; if you leave the BVI unaddressed, the firewall has no Layer 3 presence at all.
Another common reason for using Layer 2 firewalls is to provide security even when the protocols in use don't really lend themselves to security. Suppose, for example, that you have an application that relies heavily on broadcasts from the server to the clients, but you need to protect this server against possible attack from the client devices. In this case, a Layer 3 firewall will break the application because broadcasts do not cross a routed boundary, so your only real option is a Layer 2 firewall configuration like the one shown in this recipe.
The first step in configuring a transparent Firewall is to configure transparent bridging on two of the interfaces. In addition, you need to configure Integrated Routing and Bridging (IRB) and create an associated BVI interface. The result of this is to bridge the two physical interfaces together. For more information on IRB, please see Chapter 15.
Once transparent bridging is enabled, you must enable CBAC and configure the required ACLs on the router. In our example, we only enabled CBAC to inspect generic TCP sessions, but you can configure the router to inspect any CBAC-supported protocol. Keep in mind that generic TCP inspection only tracks connections initiated from the inspected side: UDP and ICMP replies, and server-initiated connections such as the data channel of an active-mode FTP transfer, will not be tracked and will be dropped by the ACL on the far interface. If you need those, add the udp, icmp, or ftp keywords to the inspection rule. For more information on CBAC, please see Recipe 27.2.
After CBAC is configured, you need to create and apply your ACLs to prevent unwanted traffic from passing through the Firewall. In our example, we configured access-list 112 to deny all IP packets entering FastEthernet0/1, so nothing on that side can initiate a connection through the Firewall. Keep in mind that CBAC will dynamically create session-specific entries in access-list 112 for the return traffic of sessions it inspected on FastEthernet0/0, as required.
To view the configuration of the transparent Firewall, use the following show command:
Router1#show ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name OREILLY
tcp alert is on audit-trail is off timeout 3600
Interface Configuration
Interface FastEthernet0/0
Inbound inspection rule is OREILLY
tcp alert is on audit-trail is off timeout 3600
Outgoing inspection rule is not set
Inbound access list is 111
Outgoing access list is not set
Established Sessions
Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN
Router1#
This command shows the CBAC global configuration as well as the interface-specific configuration. Notice that interface FastEthernet0/0 has inspection rule OREILLY and inbound access-list 111 applied.
Once the transparent Firewall was configured, we initiated a passive-mode FTP session from a host on one side of the Firewall to a server on the other side. If we view the detailed session information, we can see that CBAC dynamically created an ACL entry in access-list 112 to permit the returning session traffic:
Router1#show ip inspect session detail
Established Sessions
Session 63FA3224 (172.25.1.1:2618)=>(172.25.1.102:21) tcp SIS_OPEN
Created 00:02:17, Last heard 00:02:14
Bytes sent (initiator:responder) [35:150]
In SID 172.25.1.102[21:21]=>172.25.1.1[2618:2618] on ACL 112 (5 matches)
Router1#
The command output also keeps track of all actively inspected sessions and their current status.
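To make the interaction between the static ACLs and CBAC's dynamic session entries concrete, here is a small Python model of the recipe's firewall. It is an added example and not IOS code or anything from the original recipe: interface names, the packet tuples, and the decision strings are assumptions chosen for the illustration, ACL entries are simplified to protocol, destination, and destination port, and TCP state tracking and timeouts are omitted. It replays the 172.25.1.1:2618 to 172.25.1.102:21 session from the show output above, then shows what happens to a telnet attempt, to a server-initiated connection, and to a UDP exchange that the tcp-only inspection rule never tracks.

```python
"""Toy model of the recipe's transparent firewall (added example, not IOS code).

Static inbound ACLs sit on each bridged interface; CBAC inspection on Fa0/0
records sessions and lets their return traffic through the deny-all ACL 112
on Fa0/1. Packets and interface names are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (assumed names Fa0/0, Fa0/1)
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


# Static ACL entries as (action, proto, dst, dport); None is a wildcard.
ACL_111 = [("deny", "tcp", "172.25.1.102", 23), ("permit", None, None, None)]
ACL_112 = [("deny", None, None, None)]

ACL_IN = {"Fa0/0": ACL_111, "Fa0/1": ACL_112}      # ip access-group ... in
INSPECT_IN = {"Fa0/0": {"tcp"}}                    # ip inspect OREILLY in (tcp only)
RETURN_IFACE = {"Fa0/0": "Fa0/1", "Fa0/1": "Fa0/0"}  # the other bridged port


class TransparentFirewall:
    def __init__(self, acl_in, inspect_in):
        self.acl_in = acl_in
        self.inspect_in = inspect_in
        # (proto, src, sport, dst, dport) -> interface on which replies arrive
        self.sessions = {}

    @staticmethod
    def acl_allows(acl, pkt):
        """First matching entry wins; every IOS ACL ends in an implicit deny."""
        for action, proto, dst, dport in acl:
            if proto not in (None, pkt.proto):
                continue
            if dst not in (None, pkt.dst):
                continue
            if dport not in (None, pkt.dport):
                continue
            return action == "permit"
        return False

    def forward(self, pkt):
        # 1. Return traffic of an inspected session bypasses the static ACL.
        reply_key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.sessions.get(reply_key) == pkt.iface:
            return "permit (CBAC session)"
        # 2. Otherwise the inbound ACL on the arrival interface decides.
        if not self.acl_allows(self.acl_in[pkt.iface], pkt):
            return "deny (ACL)"
        # 3. If this protocol is inspected here, open a hole for the reply
        #    on the far interface, exactly what the dynamic ACL 112 entry does.
        if pkt.proto in self.inspect_in.get(pkt.iface, set()):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.sessions[key] = RETURN_IFACE[pkt.iface]
        return "permit (ACL)"


def demo():
    """Replay the recipe's FTP session plus a few packets it does not cover."""
    fw = TransparentFirewall(ACL_IN, INSPECT_IN)
    client, server = "172.25.1.1", "172.25.1.102"
    r = {}
    # Client opens the FTP control channel, as seen in the show output.
    r["ftp_syn"] = fw.forward(Packet("Fa0/0", "tcp", client, 2618, server, 21))
    # Server's SYN/ACK enters Fa0/1: ACL 112 denies all, the session entry permits.
    r["ftp_reply"] = fw.forward(Packet("Fa0/1", "tcp", server, 21, client, 2618))
    # Server-initiated connection (e.g. active-mode FTP data) is not a tracked reply.
    r["server_initiated"] = fw.forward(Packet("Fa0/1", "tcp", server, 20, client, 2619))
    # Telnet to the protected host is blocked by the static entry in ACL 111.
    r["telnet"] = fw.forward(Packet("Fa0/0", "tcp", client, 3000, server, 23))
    # UDP passes ACL 111 but is never inspected, so its reply dies on ACL 112.
    r["dns_query"] = fw.forward(Packet("Fa0/0", "udp", client, 40000, server, 53))
    r["dns_reply"] = fw.forward(Packet("Fa0/1", "udp", server, 53, client, 40000))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17} {verdict}")
```

The model deliberately checks the session table before the static ACL, which is the behaviour that lets `access-list 112 deny ip any any` coexist with working return traffic. The two dropped packets at the end are the practical consequence of inspecting only generic tcp: add udp, icmp, or ftp to the inspection rule on the real router if you need those flows to work.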
As we've seen, Cisco's transparent Firewall feature is a combination of CBAC and IRB working together to provide a Layer 2 Firewall.