Cisco Zone firewall config question: capture any traffic, send to host

Started by Dieselboy, January 01, 2016, 03:45:42 AM


Dieselboy

With budget internet firewalls / routers like Netgear and similar, they have this concept of "DMZ Host". What you do here is put in the IP address of anything you want to be publicly accessible, such as a video conference system. The firewall then, when receiving traffic on its single internet WAN IP, if the traffic does not match any inbound rules and would normally be dropped, instead sends it to the DMZ host. The result is that you don't need to put in many complex rules; you can just allow any and all to the inbound DMZ host. The downside is that since the DMZ host is not really within a DMZ but normally on the internal network, it's a bit of a risk, but for many this gets the job done.

I have a Cisco 877, and I have a PS4 console. The online gaming servers with PS4 are rubbish. For example, unlike Microsoft, your PlayStation apparently doesn't use PlayStation's game servers. So, any game you would like to play online needs to have a bunch of ports open on the firewall. I spent the best part of half a day working out a config for one game, only to find that their documentation must be incorrect since my firewall is still dropping traffic. If I disconnect the WAN internet line and plug it directly into the PS4 then all works very well.

I'm wondering if I could modify the last rule in the zone firewall I have. Instead of drop-all, can I do a match any any and run it through a policy map to change the next hop IP or something along those lines? I've looked through the CLI and it doesn't seem like it.

Has anyone done anything like this before?

wintermute000

To my knowledge you can't set next hop with ZBFW, that's a NAT function.

This was literally 5 years ago, but yes, also an 877 with IOS 12.4T.
I have since given up and gone back to a consumer grade router, ticked the UPnP box and pretended that security wasn't a concern. Haven't been bothered to touch it since :)
I also recall I ran into issues with packet fragmentation reassembly until I either increased the buffer or just said sod it and turned it off, can't remember.
Basically lots of niggly issues with stuff that assumes dumb home routers with happy UPnP and no inspection.

Though IIRC, when I NATed all the PS3 ports (this was 5 years ago) and the 'NAT test' in the OS said OK, I didn't recall any real issues with online gaming - but I didn't do a lot of it either. I never specifically set up anything for a specific game, just the laundry list.

Dieselboy

ZBFW only really works with IOS 15. I ran into those same problems with IOS 12.4. You can sort out the packet fragmentation reassembly issues and OOO (out-of-order packet buffer). There are a few more config options under this same area that I've not needed to play with.

Sometimes, ZBFW is a bit of a let down but I guess Cisco would rather flog ASA's.

My internet test in the PS4 comes back as fine, but it also does a speed test and this reports 0.5mb up and 6mb down. If I connect my internet line directly to the PS4 the speed test shows true at 5mb up and 25mb down. My mate in England also has the slow speed result problem, but I only realised this week that it's fine when it's directly on the internet, so have not asked him to check.

Problems are disconnections from the game, being unable to connect to a game. All of this goes away when I plug the PS4 into the internet directly. I've had the PS4 for a year and 4 months. Of course the firewall is set up 100% correctly, so as I had ADSL before, I just put the issues down to poor servers. I only played the one game really.
Since Microsoft has their own servers, they only have a few IP ranges and a few ranges of ports. The config is tiny, and the online experience is nothing compared to the issues here. Oh well :)

I have Telstra's modem in the cupboard - gonna set that up quick... But first, I need to get the super user login details so I can turn off the Telstra wifi.

deanwebb

Yes, Cisco would rather flog ASAs. Ironic that the Microsoft gaming servers only have a wee tiny port range when their Active Directory explicitly calls for over half of all the ports from 0-65535 to be open.

Having that permit all at the end means that all the packets are being inspected with all the other rules before being allowed out. That will slow things down and increase the ping, for sure. Direct connection for the PS4 means that there's no filtering, so look at it go! It's just also exposed to everything that the Dark Side can throw at it... consumer routers are built to handle that stuff. Cisco 877s are geared more towards business stuff, where folks want to limit traffic inbound to tight parameters. After that, it's a 5505/5506 ASA in Cisco's view.

Reminds me of 1997, when Windows NT 4.0 came out. Thing was bulletproof for business apps, so gamers wanted it as a more stable OS for their boxes. Problem was that NT wouldn't allow direct writes to the video card. That's part of why it was so stable. NT 4.0 SP2 was a dream to work with... then SP3 came out for the gamers. It allowed direct writes to video and that meant that all the crappy GUIs on server software crashed and crashed HARD. There were also inherent instabilities in the way the video code got opened up, so it took a ton of patches and SP4 to get things stable-ish again, but it was never the same for NT. To this day, I wish that MSFT kept three versions of Windows, one for business, one for general home use, and one for gamers.

Cisco, to its credit, keeps its tiers separate.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SofaKing

How about setting up VRF and have the PS4 on a guest VRF by itself.  Since this would be on its own VRF it would not need to be a part of the ZBFW.  I've done this on a 871 and a 891.  Have not tried it with an 877.


Networking -  You can talk about us but you can't talk without us!

SimonV

Are you filtering connections outbound as well, or just allowing any trusted sessions? In any case, you should be able to log whatever is being dropped and work from there. Can't imagine any services being "hosted" on your PS4, where other players would directly connect to your console. Although I have never ever owned any console beyond Sega Saturn :mrgreen:

DanC

With regards to speed, check your CPU - I found that when running ZBFW on my 877 it used to top out at 99% cpu usage running 25Mbps download on a torrent.

Does it do the same if you use CBAC?


wintermute000

I found similar issues with ZBFW and CBAC, though I suspect its main culprit was good old NAT (torrent connections etc.) on the dinky old 877.


Dieselboy

Quote from: deanwebb on January 01, 2016, 09:40:52 AM
To this day, I wish that MSFT kept three versions of Windows, one for business, one for general home use, and one for gamers.

Cisco, to its credit, keeps its tiers separate.

I like how you worded that, and I agree with you on the M$ front.
So to put it simply, are my expectations from technology unrealistic? And if yes, then why? Speaking about the Windows NT front, I agree with you because Microsoft should not have made those changes knowing it would make the OS unstable. They should have tackled that problem some other way. The same goes for the Cisco things, but they still make these changes. I still have a TAC case open where Cisco have implemented some DTLS check on the IOS SSL VPN front, so I'm stuck with a buggy IOS with a memory leak because it's the best one out there, and I cannot upgrade to any newer versions as the DTLS check does not support AnyConnect VPN phones.

Quote from: SofaKing on January 02, 2016, 12:10:47 PM
How about setting up VRF and have the PS4 on a guest VRF by itself.  Since this would be on its own VRF it would not need to be a part of the ZBFW.  I've done this on a 871 and a 891.  Have not tried it with an 877.

The 800 series are all very similar. I have 256MB RAM in my 877 so I'm running the later 15.x code. I could set up a VRF but not sure how to implement it. I have a single WAN IP which is DHCP from the ISP. The problem is I need to be able to accept and forward any incoming packets which do not have a rule configured, towards the PS4. It would be way simpler with a second IP address from the ISP. I could then put the PS4 in the WAN VLAN, and have it talk to the ISP's network directly.

Quote from: SimonV on January 02, 2016, 06:36:33 PM
Are you filtering connections outbound as well, or just allowing any trusted sessions? In any case, you should be able to log whatever is being dropped and work from there. Can't imagine any services being "hosted" on your PS4, where other players would directly connect to your console. Although I have never ever owned any console beyond Sega Saturn :mrgreen:

I wouldn't exclude the possibility of users' PS4s talking directly to each other without going via a server somewhere. Since Cisco fixed the bug where SELF to X zones on the ZBFW had broken inspection, I am now inspecting traffic so that things like DNS from the 877 work without being configured to pass. I'm not filtering outbound, I just inspect tcp / udp. class-default is set to pass for outbound.
Even with all this configured I get very near to 25MB download and 5MB upload when using the wired connection. With this same config on a 100MB ethernet-presented internet line, but instead using a C881, we were still getting around 90mb download through the ZBFW. (Long story as to why the 881 was all that we had, last minute changes while I was there in Switzerland setting it up.)

Quote from: DanC on January 03, 2016, 04:22:28 PM
With regards to speed, check your CPU - I found that when running ZBFW on my 877 it used to top out at 99% cpu usage running 25Mbps download on a torrent.

Does it do the same if you use CBAC?

CPU on the 877 seemed OK during use at approx. 60% on average. Looking at the historical data though, there was 99% on occasions but not sustained. With the 15.x IOS I'm using, it was difficult to find one that actually functioned as a firewall. I still get the odd crash and reboot though; according to the files in the flash it's been happening once a month. But I must be asleep or out when this happens as I've never had a drop while using it. And I stream Foxtel TV through the PS4 as well. I would guess that your high CPU issues were a bug in the IOS. I had to keep going back to 12.4 for a while before there was a nice one of the 15.xMx.
Not used CBAC in ages so haven't tested.

The speed tests I mentioned which were coming back as slow: this is a known issue with PlayStation. But I'm now thinking that this is not an issue, it's actually something being blocked to the PS network. Since swapping my 877 for the Technicolor ISP router, I got poor speed when the PS4 was not in the "DMZ", but when it was open I get 23.7mb down and 4.8 up or something like that - very close. The only real problem with speed was through wifi. I configured it as a BVI as I was doing something fancy there, plus there's a number of 802.11b/g networks around me which interfere.

Quote from: wintermute000 on January 03, 2016, 05:26:38 PM
I found similar issues with ZBFW and CBAC, though I suspect it main culprit was good old NAT (torrent connections etc.) on the dinky old 877

I've never had the number of connections causing me problems. Maybe because I have upgraded the RAM? In uTorrent I set the max number of connections to 2000 with no download limits, and I also had QoS set up on outbound traffic so that VoIP was always 1st, PS4 next, then general web traffic, and then class default was last, which included torrents.

NAT was an initial problem for me though with the PS4. Because of the high number of ports and ranges that needed to be opened, I used a NAT pool which referenced the same class-map which I used in the firewall to allow the inbound ports, to try and minimise complexity. I'm not ruling out this being the problem or part of it either, though.

The Telstra Technicolor modem / router isn't actually that bad though. My only issues were:
1. Telstra broadcasting their own wifi SSIDs and using my bandwidth
2. Telstra getting access to the modem without my consent or knowledge at any time they like

I've fixed point 1 by unsubscribing from that service. This is good, because British Telecom do the same thing in England and you cannot turn it off as far as I'm aware.

Can't fix number 2 as I don't know how they access it. Even if I did, the only way would be to put the 877 in front of it and do some kind of ACL filtering or something.

Aside from the above, it's doing well replacing the 877. I now have 802.11n wifi which gives me better wifi speeds. I was getting 1.6mbps download on a torrent yesterday, which is a bit faster than before. I'm expecting a few retransmissions due to the interference. The PS4 works fine now. Technicolor has in-built SIP ALG so my home phones work fine too, although I did have to move DHCP onto my 3560 switch so that I could set DHCP option 150, as you can't do that on the Technicolor router. The Technicolor probably has more RAM and a faster CPU than the 877 anyway. The Technicolor is called "TG797n". I think the TG stands for Telstra Gateway. I've not been able to find any way to hack it or obtain any generic 797n firmware so I can get full access to the administration pages of the unit. Shame.


I might try and look for an ASA5505; since the ASA-X versions are out I might be able to get one a bit cheap. The 8.3+ code allows you to do a 1-1 NAT but put other rules above it so that they take priority. I've not tried this specifically, but I should be able to do a 1-1 NAT for the PS4 to the WAN interface, but allow the general internet access PAT to work too, using the same WAN IP.
When we were running out of WAN IPs in the office, I managed to share 1 WAN IP address with a bunch of different internal services. One of those rules was a 1-1 NAT as I had to do this for our SIP CUBE so that the SIP inspection would work. Seems that configuring PAT for SIP does not let the SIP inspection work on the ASA5515-X, FYI.

DanC

You can definitely do static NAT and dynamic PAT on the same interface and IP on the ASA no probs...

I'd imagine you can do it on the 877 too, haven't tried it personally though. I guess this would be the answer you're looking for? Static NAT from the PS4 to the outside interface, then permit IP any any as the last ACE?

Still a bit of a pikey way to do things though... There must be a better way!
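For the "DMZ host" behaviour asked about in the opening post and the static-NAT-plus-permit approach DanC suggests, here is an added IOS ZBFW/NAT config sketch; it is not anyone's config from this thread. Addresses, interface names and the 443 example host are constructed, and it assumes the router accepts the interface-based static entry alongside the overload entry (the thread itself leaves that unverified on the 877).

```cisco
! Constructed example: Vlan1 = LAN 192.168.1.0/24, Dialer0 = WAN (DHCP),
! 192.168.1.50 = PS4, 192.168.1.60 = hypothetical host needing only tcp/443.
zone security INSIDE
zone security OUTSIDE
interface Vlan1
 ip nat inside
 zone-member security INSIDE
interface Dialer0
 ip nat outside
 zone-member security OUTSIDE
!
! Per-port static entries are matched before the catch-all entry below,
! so they keep their own destination even though both use the WAN address.
ip nat inside source static tcp 192.168.1.60 443 interface Dialer0 443
! Catch-all ("DMZ host"): any other unsolicited traffic to the WAN IP goes to the PS4.
ip nat inside source static 192.168.1.50 interface Dialer0
! Ordinary PAT for everyone else on the LAN.
ip access-list standard NAT-SRC
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-SRC interface Dialer0 overload
!
! Outside->inside: NAT runs before the firewall on ingress, so the ACL matches
! the private addresses, not the WAN IP. Everything else is dropped and logged,
! which is the "log whatever is being dropped" step SimonV recommends.
ip access-list extended ACL-IN-ALLOWED
 permit tcp any host 192.168.1.60 eq 443
 permit ip any host 192.168.1.50
class-map type inspect match-all CM-IN-ALLOWED
 match access-group name ACL-IN-ALLOWED
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-IN-ALLOWED
  inspect
 class class-default
  drop log
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
!
! Inside->outside: stateful inspection so return traffic is allowed.
class-map type inspect match-any CM-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
```

The catch-all static entry can also swallow sessions aimed at the router's own WAN address (remote management, VPN termination), so add per-port entries for anything the router itself must answer before relying on it.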

Dieselboy

I've not tried that NAT lately on my 877, and don't believe I've tried anywhere else with code 15.x. But I think I tried to do something similar years ago and the IOS complains about duplicate nat rules. I cannot be sure though. Looks like I'll have to do a test.

On the Technicolor modem front, it looks like someone on Reddit has attempted hacking it. He managed to get a console session into it but he got stuck. Before getting stuck he did say he accidentally found that if he breaks the boot sequence 3 times, then it boots firmware from a different partition. He didn't check which firmware it is though, so fingers crossed it's the default, fully featured Technicolor firmware. The current Telstra firmware has hard-coded SIP telephony stuff and you cannot even back up and restore your config. Telstra stick this modem on the end of their Ethernet-presented fibre-to-the-home internet line. You do away with your POTS but you plug your home phone into the modem. I assume that they're using SIP to replace POTS.

If I can get full access to the features of this little Technicolor modem thingy I would be keen to point it to my SIP ITSP and see how well it does instead of my 2901 running CUCME :)
:barf:
What am I saying.