Table Of Contents
Configuring Routing Rules
Learn More About Routing
Configuring Static Routes
Adding or Editing a Static Route
Deleting a Static Route
Configuring RIP
RIP Version 2 Important Notes
Adding or Editing a RIP Rule
Deleting a RIP Rule
Configuring Proxy ARP Settings
Disabling Proxy ARP
Configuring Routing Rules
Routing refers to the delivery of network packets to their destinations over a network. To communicate with a gateway, every network object must have either a defined routing rule that permits the network object to reach the gateway, or use either the default route or Address Resolution Protocol (ARP) to find the MAC address of the gateway on the network segment. In addition, the gateway must have a rule defined that permits it to reach the network on which the network object resides or to select the next gateway object in the path.
The firewall devices managed by Firewall MC accomplish routing by using one or more of the following:
• Implicit routes. Implicit routes are static routes based on the networks attached directly to the firewall device. You cannot change or delete these routes, and they are never included in the device-specific command set that you generate and deploy to a firewall device. However, they are discussed here to provide the full picture of the routing rules active on a firewall device.
• Static routes. Static routes are manual routes defined by an administrator of a firewall device. Static routes are useful when you need to route to network objects that are not along the default route, when you want to define a preferred route, or when you want to define an alternate route to use if the default route goes down.
• Dynamic routes. Dynamic routes are routes discovered from neighbor gateways via specialized protocols, such as the Routing Information Protocol (RIP). To enable dynamic routes, ensure that the gateways in your network also support the same dynamic routing protocol. Otherwise, the routing information will not be propagated automatically. Because dynamic routing rules are updated via router-to-router communications, the dynamic routes can be vulnerable to attack because of the inherent security weakness in some dynamic routing protocols. RIP version 2, which is supported by the firewall devices, provides encrypted communications to lessen the weaknesses of dynamic routing. However, only those devices that support RIP version 2 can participate in authenticated, encrypted sessions.
• Proxy Address Resolution Protocol (ARP). ARP can serve in place of actual routing rules on a per-interface basis. When proxy ARP is enabled for an interface, a firewall device answers ARP requests intended for another host. By assuming the identity of the destination host, the firewall accepts responsibility for routing packets to the actual host. If proxy ARP is enabled, hosts on a subnet can reach remote subnets without configuring routing or a default gateway. In addition, the firewall devices can operate using only the implicit routes, which are initialized automatically when an IP address is assigned to an interface in the firewall.
As the administrator of firewall devices, you must determine which method to use to obtain routing information on your network.
Topics to be discussed are:
• Learn More About Routing
• Configuring Static Routes
• Configuring RIP
• Configuring Proxy ARP Settings
Learn More About Routing
To define rules properly, you must understand how routing works. The following is a high-level discussion about routing network packets and how a gateway selects which routing rule to apply for a specific communication.
Note
For this discussion, a network object is a host or consumer of network services. This host has layer 3 (OSI model) intelligence, and it is an endpoint that acts as the initiator or recipient of a network communication.
Before any network packet can traverse the network from NetObject A to NetObject B, for example, routes must exist for NetObject B on every gateway along the path from NetObject A to NetObject B. Each gateway moves the network packet one step farther down the path, using routing rules to determine the next gateway. The address of the next gateway is the hop IP address. For a network session to occur between NetObject A and NetObject B, the inverse routes must exist on every gateway along the path from NetObject B to NetObject A. The two paths do not have to be symmetric.
Just because a computer exists on your internal networks does not mean that gateways have a routing rule defined for it. If a computer cannot communicate with a gateway, most likely no routing rule is defined to reach that computer (or the computer does not have a routing rule to reach the gateway). Even when the computer resides on your trusted networks, a gateway drops all network packets destined for that computer if a route is not defined directly to that computer or the network on which that computer resides.
Defining routing rules is similar to charting a course of travel. When you look at a map, you can plan an optimal route to a specific destination. When a gateway determines what route to use, it selects the most specific routing rule (based on the highest netmask).
To understand how netmasks are used, consider a gateway that is attached to the 10.0.0.0 network.
Example: Consider two routing rules:
1. address: 10.1.2.0 netmask: 255.255.255.0 gateway: 10.0.0.4
2. address: 10.1.0.0 netmask: 255.255.0.0 gateway: 10.0.0.5
Rule 1 applies for network packets that are destined for the more exclusive 10.1.2.* subnetwork, whereas Rule 2 applies to those network packets destined to the 10.1.*.* subnetwork, but not to the 10.1.2.* subnetwork. For example, Rule 2 would apply to network packets destined for 10.1.3.13, and Rule 1 would apply to network packets destined for 10.1.2.13.
In this example, the most specific netmask value determines which rule to use. This value is selected from the list of available rules that are applicable to the destination address of a network packet.
Because the netmask value in Rule 1 is 255.255.255.0, we know that the first three octets in the address must match when determining whether to apply this routing rule. In Rule 2, we know that only the first two octets must match when determining whether to apply it. Because Rule 1 has three significant octets, it has the highest netmask value. When the gateway receives a network packet destined for a host on the 10.1.2 network, Rule 1 is always applied instead of Rule 2. Rule 1 applies because it is a valid rule for routing the network packet (as is Rule 2) and Rule 1 has a larger netmask value than Rule 2.
Currently, gateways support the concept of classless networks, or Classless Inter-Domain Routing (CIDR). For more information, see RFC 1517, 1518, and 1519 at http://www.rfc-editor.org/rfc-index2.html.
Each gateway maintains two sets of routing rules: dynamic and static. The dynamic routing rules are updated by router-to-router communications if such protocols are enabled.
Related Topics
• Configuring Static Routes
• Configuring RIP
• Configuring Proxy ARP Settings
Configuring Static Routes
A static route is a routing rule that is configured explicitly and entered into the routing table of the firewall device. The Static Route feature allows you to define static routes for a specified interface. To enter a default route, set the destination IP address and mask to 0.0.0.0.
Note
Routes are displayed in the "best-match" order. Routes with larger mask bit counts appear first. This follows the running order on the firewall device.
Adding or Editing a Static Route
Unless one of the following criteria is met, you should define a static route to ensure that the firewall device correctly forwards the network packets it receives.
• Proxy ARP is enabled for the interface to discover the routes. By default, proxy ARP is enabled. See Configuring Proxy ARP Settings.
• Dynamic routing (RIP) is enabled for the interface to discover the routes.
• A more general static route, such as the default route, is already defined.
You can also use a static route to override any dynamic routes that are discovered for this host. Specify a static route with a lower metric than the discovered dynamic routes. To create a static route for a host or network, you must define the IP address and metric for the hop gateway to which the firewall will forward packets destined to the selected host or network. You can also define multiple static routes for a host or network.

Caution
Carefully consider the implications of new routes on the communications between the CiscoWorks Server and the managed devices. Each firewall device must be able to reach the CiscoWorks Server (and vice versa) before Firewall MC can manage that firewall device. You must bootstrap any managed device with the correct routes and HTTPS settings to enable administrative communications. Any changes to the routes in Firewall MC that affect connectivity between the CiscoWorks Server and the firewall device could prevent deployment to the device from succeeding. For more information on bootstrapping, see Preparing Your Firewall Devices.
Step 1
Select Configuration > Device Settings > Routing > Static Route.
The Static Route page appears.
Step 2
Do one of the following:
• To add a new row, click Add.
• To edit a row, select the check box, then click Edit.
Step 3
From the Interface Name list, select the interface that is expected to receive the traffic that you want to route.
The list displays all interfaces defined at the current scope.
Step 4
In the Destination IP Address field, enter the address of the network or host to which you are routing.
You can enter 0.0.0.0 to specify a default route. The default route is used when a packet is destined for a network that is unknown to the firewall device receiving that packet. In this case, all such traffic is forwarded to the gateway IP address that you specify in Step 6.
Step 5
Enter the network mask that corresponds with the Destination IP Address.
You can enter 0.0.0.0 to specify a default route mask.
Step 6
Enter the Gateway IP Address to specify the default gateway (or the next hop gateway) that forwards any network packets destined to this network or host.
If the static route uses the IP address from one of the firewall device's interfaces as the gateway IP address, the firewall uses ARP to locate the destination IP address in the packet instead of using ARP to locate the gateway IP address. In this case, the firewall device is the last hop.
Step 7
Verify the metric setting.
The metric setting identifies the cost of the route. Values are 1-15. The default is 1.
Note
Use the default metric of 1 unless you know the cost of the route.
Step 8
Click OK.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 9-1 describes the elements in the Static Route page.
Table 9-1 Static Route
Element | Description
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group to the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Interface Name | Logical name of the interface that relates to its use, for example, inside or outside. Note: When adding or editing a static route, the wizard displays all interfaces defined at the current scope.
Destination IP Address | Identifies the internal or external destination network address and mask. Enter 0.0.0.0 to specify the default route. Note: Because routes to all directly connected networks are derived automatically, this value identifies the address of a network that is not directly connected to one of the firewall device's network interfaces.
Destination IP Mask | Network mask for the destination IP address. You can express the value in dotted decimal format (for example, 255.255.255.0) or as the number of bits in the network mask (for example, 24). Note: If you are using the default route, you can enter the mask as 0 or leave the field blank.
Gateway IP Address | Identifies the IP address of a gateway that either forwards, to another gateway, any network packets destined to the network or host, or delivers the network packets to the final destination because the network is directly attached to the gateway.
Metric | Identifies the priority for using a specific route. When routing network packets, a PIX Firewall uses the rule with the most specific network within the rule's definition. Only when two routing rules cover the same network is the metric used to determine which rule is applied; in that case, the lowest metric value takes priority. If no routing rule exists, the network packet is dropped, and if the gateway is not detected (dead), the network packet is dropped. A metric is a measurement of the cost of a route based on the number of hops (hop count) to the network on which a specific host resides. Hop count refers to the number of networks that a network packet must traverse, including the destination network, before it reaches its final destination. Because the hop count includes the destination network, all directly connected networks have a metric of 1. For the metric value, you can specify a number from 1-15.
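To make the selection rule concrete, here is an added Python example; it is not code from the Firewall MC documentation or from the firewall devices themselves. It models a routing table as a list of rules and selects a route the way Learn More About Routing and the Metric row above describe it: the most specific netmask wins, and only when two rules cover the same network does the lower metric decide. It reuses the two rules from the text, adds a default route (destination 0.0.0.0 with a blank mask) and a RIP-learned duplicate that a static route with a lower metric overrides, and accepts the mask in either dotted-decimal or bit-count form as Table 9-1 allows. The Route class, the function names, the outside gateway 192.0.2.1 and the dynamic route's gateway 10.0.0.9 are constructed for the example and do not appear in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


# Constructed model of one routing rule with the fields of the Static Route page.
@dataclass(frozen=True)
class Route:
    interface: str
    destination: str        # network or host address; 0.0.0.0 for the default route
    mask: str               # dotted decimal ("255.255.255.0"), bit count ("24"), or "" for the default route
    gateway: str            # next-hop gateway IP address
    metric: int = 1         # cost of the route, 1-15; the default is 1
    source: str = "static"  # "static" or "rip" (dynamic); selection treats both alike

    def __post_init__(self):
        if not 1 <= self.metric <= 15:
            raise ValueError(f"metric must be 1-15, got {self.metric}")


def parse_mask(mask: str) -> int:
    """Return the prefix length for a mask given as dotted decimal, a bit count, or blank."""
    mask = mask.strip()
    if mask == "":
        return 0                                    # blank mask is the default-route mask
    if mask.isdigit():
        bits = int(mask)
        if not 0 <= bits <= 32:
            raise ValueError(f"bit count out of range: {mask}")
        return bits
    # ipaddress rejects non-contiguous masks such as 255.0.255.0 with a ValueError
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def route_network(route: Route) -> ipaddress.IPv4Network:
    """The network a rule covers; strict=False tolerates host bits set in the destination field."""
    return ipaddress.IPv4Network((route.destination, parse_mask(route.mask)), strict=False)


def select_route(routes: List[Route], packet_destination: str) -> Optional[Route]:
    """Pick the rule a gateway applies: longest prefix first, lowest metric on ties, None if nothing matches."""
    dst = ipaddress.IPv4Address(packet_destination)
    candidates = [r for r in routes if dst in route_network(r)]
    if not candidates:
        return None                                 # no applicable rule: the packet is dropped
    return min(candidates, key=lambda r: (-route_network(r).prefixlen, r.metric))


def best_match_order(routes: List[Route]) -> List[Route]:
    """Display order used by the Static Route page: larger mask bit counts first."""
    return sorted(routes, key=lambda r: (-route_network(r).prefixlen, r.metric))


# Constructed sample table: the two rules from the text, a RIP-learned duplicate of
# Rule 1 that the static rule overrides by metric, and a default route on the outside.
ROUTES = [
    Route("inside", "10.1.2.0", "255.255.255.0", "10.0.0.4"),                  # Rule 1
    Route("inside", "10.1.0.0", "255.255.0.0", "10.0.0.5"),                    # Rule 2
    Route("inside", "10.1.2.0", "24", "10.0.0.9", metric=3, source="rip"),     # dynamic duplicate of Rule 1
    Route("outside", "0.0.0.0", "", "192.0.2.1"),                              # default route
]

if __name__ == "__main__":
    for ip in ("10.1.2.13", "10.1.3.13", "192.168.5.1"):
        r = select_route(ROUTES, ip)
        print(f"{ip:>12} -> {r.gateway} via {r.interface} ({r.source}, metric {r.metric})")
```

Running the block shows 10.1.2.13 going to 10.0.0.4 (Rule 1 beats both Rule 2 and the metric-3 RIP duplicate), 10.1.3.13 going to 10.0.0.5 (Rule 2), and 192.168.5.1 falling through to the default route; remove the default route and the last lookup returns None, which is the "packet is dropped" case from the Metric description.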
Deleting a Static Route
If you enable dynamic routing or use another solution, such as proxy ARP, you might find it necessary to delete a previously defined static route. However, before you delete a static route, ensure that the traffic is addressed using another routing solution or via a more general routing rule, such as a default route. Otherwise, network traffic will be interrupted.
Step 1
Select Configuration > Device Settings > Routing > Static Route.
The Static Route table appears.
Step 2
Select the check box for the row, then click Delete.
You are prompted to confirm the delete request.
Step 3
Click OK.
The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
Configuring RIP
Routing Information Protocol (RIP) is a distance-vector, intra-domain routing protocol. When this feature is enabled, the firewall devices exchange RIP broadcasts with neighboring devices to learn about and advertise route updates. In other words, dynamic routing is enabled on the firewall.
RIP works well in small, homogeneous networks. However, in larger, more complex internetworks, it has many limitations. These limitations include a maximum hop count of 15, lack of support for variable-length subnet masks (VLSMs), inefficient use of bandwidth, and slow convergence. The default configuration enables IP routing table updates from RIP broadcast packets received from neighbor routers and other devices; however, the firewall device cannot pass RIP updates between its own interfaces.
The firewall devices support both RIP version 1 and version 2. Version 2 supports VLSMs. It enables neighbor authentication and can use MD5-based encryption to protect the RIP packets. When configured, neighbor authentication occurs whenever routing updates are exchanged between neighboring devices. This authentication ensures that the device receives reliable routing information from a trusted source.
You should configure for neighbor authentication any firewall device that meets all of the following conditions:
• It supports RIP version 2.
• It could receive a false route update.
• The network could be compromised if the device receives a false route update.
• The device's neighboring routers or firewalls are configured for neighbor authentication.
RIP Version 2 Important Notes
• The key and key ID must be the same as those used by neighbor devices that provide RIP version 2 updates.
• In passive mode, PIX Firewall version 5.3 and later accepts RIP version 2 multicast updates with an IP destination of 224.0.0.9. This address is also valid for FWSM.
• In the RIP version 2 default mode, the firewall device transmits default route updates using an IP destination of 224.0.0.9.
• When RIP version 2 is configured, it registers the multicast address 224.0.0.9 on the respective interface to accept multicast RIP version 2 updates.
• When the RIP version 2 commands for an interface are removed, the multicast address is unregistered from that interface.
Adding or Editing a RIP Rule
For each interface in a firewall device, you can define one or more RIP rules.
Step 1
Select Configuration > Device Settings > Routing > RIP.
The RIP page appears.
Step 2
Do one of the following:
• To add a row, click Add.
• To edit a row, select the check box, then click Edit.
Step 3
Select the interface name from the list.
Step 4
Select the action for each interface. Options are:
• Broadcast/multicast default route—Enables IP routing table updates from RIP broadcast packets received from routers and other devices.
• Passive RIP—No broadcasts; listens on the network for routing updates and uses those updates to route traffic.
Step 5
Select the version of RIP (1 or 2) enabled for this interface.
We recommend version 2, but you can use version 1 for backward compatibility.
Step 6
Do one of the following:
• If you selected RIP 2, go to Step 7.
• If you selected RIP 1, click Next. The RIP summary page appears. Go to Step 8.
Step 7
Select the Enable Authentication check box, then click Next.
The Configure RIP Authentication page appears.
a. Select the type of authentication.
Note
Although supported, we do not recommend plain text authentication for use as part of your security strategy. Its primary use is to avoid accidental changes to the routing infrastructure. Using MD5 authentication, however, is a recommended security practice.
b. Enter the authentication key shared with routers and other RIP version 2 devices communicating with a firewall device. The key is an encrypted text string with a maximum of 16 characters.
Tip
As with all keys, passwords, and other security secrets, it is imperative that you closely guard authentication keys used in neighbor authentication. The security benefits of this feature rely on your keeping all authenticating keys confidential.
c. Enter the key identification number that must be shared with routers and other version 2 devices communicating with a firewall device. Values are 1-255.
d. Click Next.
The wizard summary page appears.
Step 8
Verify the information, then click Finish.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 9-2 describes the elements in the RIP page.
Table 9-2 RIP
Element | Description
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group to the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Interface Name | Logical name of the interface that relates to its use, for example, inside or outside. Note: If you are using a wizard, the list displays all interfaces defined at the current scope.
Action | Action configured for each interface in the Add RIP Configuration page. Broadcast/multicast default route: enables IP routing table updates from RIP broadcast packets received from routers and other devices. Passive RIP: no broadcasts; listens on the network for routing updates and uses those updates to route traffic.
Version | RIP Version 1: use for backward compatibility. RIP Version 2 (recommended): use to enable an authentication type.
Authentication type | Available with RIP version 2. Choices are clear text or MD5 (recommended).
Authentication key | Encrypted text string (up to 16 characters) shared with routers and other RIP version 2 devices communicating with the firewall device.
Key ID | Identification number of the key that must be shared with routers and other RIP version 2 devices communicating with the firewall device. Values are 1-255.
Deleting a RIP Rule
If you prefer to use static routes or another solution, such as proxy ARP, you might need to delete a previously defined RIP route. However, before you delete a RIP route, ensure that the traffic is addressed using another routing solution or via a more general routing rule, such as a default route. Otherwise, network traffic will be interrupted.
Step 1
Select Configuration > Device Settings > Routing > RIP.
The RIP table appears.
Step 2
Select the check box for the row, then click Delete.
You are prompted to confirm the delete.
Step 3
Click OK.
The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.
Configuring Proxy ARP Settings
When the proxy Address Resolution Protocol (ARP) feature is enabled, a firewall device answers ARP requests intended for another host. By assuming the identity of the destination, the gateway accepts responsibility for routing packets to the actual destination. When proxy ARP is enabled, hosts on a subnet can reach remote subnets without configuring routing or a default gateway.
The main advantage of using proxy ARP is that firewall devices can enable it and be inserted into the network without disturbing the routing tables of other routers. In addition, you should enable proxy ARP when network hosts are not configured with default gateway information or have no routing intelligence, such as that provided by standard DHCP or WINS configurations.
When proxy ARP is enabled, hosts are unaware of the network and assume that any destination can be reached by sending an ARP request. Therefore, proxy ARP has the following disadvantages:
• ARP traffic on the network segment increases.
• Hosts require larger ARP tables to handle IP-to-MAC address mappings.
• Security can be undermined. A host can claim to be another in order to intercept packets, an act called "spoofing."
• It does not work for networks that do not use ARP for address resolution.
• It does not generalize to all network topologies (for example, more than one router connecting two physical networks).
Disabling Proxy ARP
For each interface in a firewall device, you can enable or disable proxy ARP. By default, all interfaces have proxy ARP enabled.
Step 1
Select Configuration > Device Settings > Routing > Proxy ARP.
The Proxy ARP page appears.
Step 2
Select the appropriate check boxes if you want to disable the Proxy ARP feature for the inside or outside interface at the current scope.
Step 3
Click Apply.
Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.
Table 9-3 describes the elements in the Proxy ARP page.
Table 9-3 Proxy ARP
Element | Description
Inherit settings check box | When selected, the subgroup or devices inherit the settings of the enclosing group to the current scope. You can override a default setting by deselecting the check box and specifying other values. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Enforce/Mandate settings for children check box | When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?. Note: A grayed-out check box disallows changes at the current scope.
Disable Proxy ARP check boxes | When selected, Firewall MC disables the Proxy ARP feature for that interface at the current scope. Choices may include inside or outside.