Cisco IOS® Software Release 12.4(6)T introduced Zone-Based Policy Firewall (ZBPFW), a new configuration model for the Cisco IOS Firewall feature set. This model offers intuitive policies for multiple-interface routers, finer-grained application of firewall policy, and a default deny-all policy that blocks traffic between firewall security zones until an explicit policy permits the desired traffic.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, ZFW or ZBF) replaces the older interface-based model (Context-Based Access Control, CBAC) with a more flexible and more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic moving between zones. Inter-zone policies offer considerable flexibility and granularity, so different inspection policies can be applied to multiple host groups connected to the same router interface. Firewall policies are written in the Cisco® Policy Language (CPL), which uses a hierarchical structure (class maps, policy maps and zone pairs) to define inspection for network protocols and the groups of hosts to which the inspection applies.

Prerequisites

Requirements

Cisco recommends that you have a basic understanding of the Cisco IOS® CLI.

Components Used

The information in this document is based on these software and hardware versions:

● Cisco 2900 Series Routers
● Cisco IOS Software Release 15.2(4)M2

The information in this document was created from the devices in a specific lab environment.
All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

WAAS Support With Cisco IOS Firewall

Wide Area Application Services (WAAS) support with the Cisco IOS firewall was introduced in Cisco IOS Release 12.4(15)T. It provides an integrated firewall for security-compliant WAN optimization and application acceleration deployments, with these benefits:

● Optimizes a WAN while retaining full stateful inspection.
● Simplifies Payment Card Industry (PCI) compliance.
● Protects transparently accelerated WAN traffic.
● Integrates with WAAS networks transparently.
● Supports the Network Module Enhanced (NME) WAE (Wide Area Application Engine) modules as well as standalone WAAS device deployments.

WAAS automatic discovery uses a TCP option (option 33, 0x21) carried in the initial three-way handshake to identify WAE devices transparently. After automatic discovery, optimized traffic flows (paths) experience a shift in the TCP sequence number so that the endpoints can distinguish optimized flows from non-optimized ones.

WAAS support in the IOS firewall allows the internal TCP state variables used for Layer 4 inspection to be adjusted according to this sequence-number shift. If the Cisco IOS firewall sees that a flow has successfully completed WAAS automatic discovery, it permits the initial sequence-number shift for that flow and maintains Layer 4 state on the optimized flow.

WAAS Traffic Flow Optimization Deployment Scenarios

The following sections describe two different WAAS traffic flow optimization scenarios for branch office deployments. WAAS traffic flow optimization works with the Cisco firewall feature on a Cisco Integrated Services Router (ISR). The figure below shows an example of end-to-end WAAS traffic flow optimization with the Cisco firewall.
In this particular deployment, a Network Module Enhanced (NME)-WAE device is installed in the same router as the Cisco firewall. Web Cache Communication Protocol (WCCP) is used to redirect traffic for interception.

● WAAS Branch Deployment with an Off-Path Device
● WAAS Branch Deployment with an Inline Device

WAAS Branch Deployment with an Off-Path Device

A Wide Area Application Engine (WAE) device can be either a standalone Cisco WAE appliance or a Cisco WAAS Network Module (NME-WAE) installed in an Integrated Services Router (ISR) as an integrated service engine (as shown in the figure Wide Area Application Service [WAAS] Branch Deployment). The figure below shows a WAAS branch deployment that uses Web Cache Communication Protocol (WCCP) to redirect traffic to an off-path, standalone WAE device for interception. The configuration for this option is the same as for the WAAS branch deployment with an NME-WAE.

Sample Network Diagram, Configuration and Packet Flow

The following diagram depicts an example setup with WAAS optimization turned on for end-to-end traffic and a Central Manager (CMS, Centralized Management System) present at the server end. The WAAS modules at the branch end and at the data center end must register with the CMS before they can operate. The CMS uses HTTPS (TCP port 443) for its communication with the WAAS modules.

End-to-End WAAS Traffic Flow

The following example provides an end-to-end WAAS traffic flow optimization configuration for the Cisco IOS firewall that uses WCCP to redirect traffic to a WAE device for interception:

Section 1: IOS-FW WCCP related config
Section 2: IOS-FW policy config
Section 3: IOS-FW zone and zone-pair config
Section 4: Interface config

Note: Beginning with Cisco IOS Release 12.4(20)T and 12.4(22)T, the Integrated-Service-Engine interface is placed in its own zone and need not be part of any zone-pair. The zone-pairs are configured between zone in and zone out only.
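The configuration text for Sections 1 through 4 above, and for the CMS-related Sections 2.1, 3.1 and 5 of the CMS traffic flow part that follows, is not reproduced on this page. The following is an added example, not the page's own configuration, of a complete client-side router (R1) configuration that implements those sections: WCCP redirection to an NME-WAE sitting in its own zone, a Layer 4 inspection policy on the in-out zone-pair, and the extra zone-pairs and access-list that let the WAE register with the Central Manager over HTTPS. Interface names, addresses (LAN 172.16.11.0/24 on GigabitEthernet0/0, WAN on GigabitEthernet0/1, NME-WAE on 10.0.1.0/24, Central Manager at 172.16.10.20) and policy names are assumptions chosen for illustration.

```cisco
! Added example (not from the page). Client-side router R1: ZBF + WCCP redirection
! to an NME-WAE in its own zone, plus the CMS (Central Manager) registration traffic.
! Addresses, interface names and policy names are assumed for illustration.
!
! Section 1: WCCP related config
! Service groups 61/62 are the WAAS TCP-promiscuous pair. The redirect method is
! negotiated by the WAE; it must be GRE, since L2 redirect is not supported with the
! IOS firewall.
ip wccp 61
ip wccp 62
!
! Enable WAAS support in the firewall so the 0x21 auto-discovery option and the
! resulting sequence-number shift are accepted instead of failing L4 inspection.
ip inspect waas enable
!
! Section 5: access-list for CMS traffic (HTTPS in both directions; the Central
! Manager also opens connections toward the WAE).
ip access-list extended CMS-TRAFFIC
 permit tcp host 10.0.1.2 host 172.16.10.20 eq 443
 permit tcp host 172.16.10.20 host 10.0.1.2 eq 443
!
! Section 2: policy config. Layer 4 (tcp/udp/icmp) inspection only; the firewall
! does not perform L7 inspection on WAAS-optimized sessions.
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop
!
! Section 2.1: policy for CMS traffic. match-all: the packet must be TCP and
! match the CMS access-list; everything else between waas and out is dropped.
class-map type inspect match-all CMS-CLASS
 match access-group name CMS-TRAFFIC
 match protocol tcp
!
policy-map type inspect CMS-POLICY
 class type inspect CMS-CLASS
  inspect
 class class-default
  drop log
!
! Section 3: zones and zone-pairs. The NME-WAE interface sits in its own zone
! ("waas") and needs no zone-pair for the redirected user traffic (12.4(20)T and
! later); user sessions are built on in-out and return traffic follows that state.
zone security in
zone security out
zone security waas
!
zone-pair security in-out source in destination out
 service-policy type inspect IN-OUT-POLICY
!
! Section 3.1: zone-pairs needed only so the CMS registration traffic can pass.
zone-pair security waas-out source waas destination out
 service-policy type inspect CMS-POLICY
zone-pair security out-waas source out destination waas
 service-policy type inspect CMS-POLICY
!
! Section 4: interfaces. Redirect ingress LAN traffic (61) and ingress WAN traffic
! (62) to the WAE; packets coming back from the WAE are excluded from redirection.
! No NAT is configured: NAT + WAAS-NM + IOS firewall is unsupported.
interface GigabitEthernet0/0
 description Branch LAN (clients, e.g. 172.16.11.10)
 ip address 172.16.11.1 255.255.255.0
 ip wccp 61 redirect in
 zone-member security in
!
interface GigabitEthernet0/1
 description WAN toward the data center
 ip address 192.0.2.1 255.255.255.252
 ip wccp 62 redirect in
 zone-member security out
!
interface Integrated-Service-Engine1/0
 ip address 10.0.1.1 255.255.255.0
 ip wccp redirect exclude in
 zone-member security waas
 service-module ip address 10.0.1.2 255.255.255.0
 service-module ip default-gateway 10.0.1.1
```

With this in place, `show ip wccp 61 detail` shows whether the WAE has joined the service group, and `show policy-map type inspect zone-pair sessions` should list the CMS registration session on waas-out or out-waas and the user sessions on in-out. If the waas zone or the two CMS zone-pairs are left out, the WAE's HTTPS traffic to the Central Manager is dropped by the default deny-all policy and the module never registers.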
With no zone configured on the Integrated-Service-Engine1/0 interface, traffic is dropped with the following drop message:

CMS Traffic Flow (WAAS device registering with the Central Manager)

The following example provides the configuration for both of these scenarios:

● End-to-end WAAS traffic flow optimization for the Cisco IOS firewall that uses WCCP to redirect traffic to a WAE device for interception.
● Allowing the CMS traffic (WAAS management traffic flowing between the WAAS devices and the CMS).

Section 1: IOS-FW WCCP related config
Section 2: IOS-FW policy config
Section 2.1: IOS-FW policy related to CMS traffic
Note: The class map in this section is needed to allow the CMS traffic through.
Section 3: IOS-FW zone and zone-pair config
Section 3.1: IOS-FW CMS related zone and zone-pair config
Note: The zone-pairs waas-out and out-waas are required to apply the policy created above to the CMS traffic.
Section 4: Interface config
Section 5: Access-list for CMS traffic
Note: The access-list used for the CMS traffic permits HTTPS in both directions, because the CMS traffic is HTTPS.

ZBF Session Information

A user at 172.16.11.10 behind router R1 accesses a file server hosted behind the remote end with IP address 172.16.10.10. The ZBF session is built on the in-out zone-pair, after which the router redirects the packets to the WAAS engine for optimization.

Session built in R1-WAAS and R2-WAAS from the inside host to the remote server:

R1-WAAS

R2-WAAS

Working Configuration of the Client-Side Router (R1) with WAAS and ZBF Enabled

WAAS Branch Deployment with an Inline Device

The figure below shows a Wide Area Application Service (WAAS) branch deployment with an inline Wide Area Application Engine (WAE) device that is physically in front of the Integrated Services Router (ISR). Because the WAE device is in front of the router, the Cisco firewall receives WAAS-optimized packets, and as a result Layer 7 inspection on the client side is not supported.
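The page gives no configuration for this inline deployment, describing it only (under Configuration below) as a standard ZBF configuration with no WAAS-specific zone. The following is an added example, not the page's own, of what that minimal configuration looks like for the router behind an inline WAE; interface names, addresses and policy names are assumptions. What matters is what it lacks compared with the off-path router: no WCCP service groups or redirect statements, no Integrated-Service-Engine interface and no waas zone, because the WAE sits in front of the router and every packet, optimized or not, still traverses the firewall.

```cisco
! Added example (not from the page). Router behind an inline WAE: standard ZBF,
! no WCCP, no WAAS zone. Names and addresses are assumed for illustration.
!
! Still required: the firewall must recognise the 0x21 auto-discovery option in the
! SYN / SYN-ACK and accept the sequence-number shift on optimized sessions.
ip inspect waas enable
!
! Layer 4 inspection only; the firewall turns off L7 inspection on optimized sessions.
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop
!
zone security in
zone security out
!
zone-pair security in-out source in destination out
 service-policy type inspect IN-OUT-POLICY
!
! The inline WAE sits between the clients and GigabitEthernet0/0, so the SYN the
! firewall sees already carries the 0x21 option and the return SYN-ACK arrives on
! GigabitEthernet0/1 without being redirected anywhere.
interface GigabitEthernet0/0
 description Branch LAN (inline WAE toward the clients)
 ip address 172.16.11.1 255.255.255.0
 zone-member security in
!
interface GigabitEthernet0/1
 description WAN toward the data center
 ip address 192.0.2.1 255.255.255.252
 zone-member security out
```

Keep the forwarding path symmetric: because the firewall adjusts its expected sequence window from the handshake it observed, a session whose return packets take a different path (an active/active pair, or a second router) loses its Layer 4 state and is dropped.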
The router running the IOS firewall between the WAAS devices sees only optimized traffic. The ZBF feature watches the initial three-way handshake (TCP option 33 and the sequence-number shift) and automatically adjusts the expected TCP sequence window; it does not alter the sequence number in the packet itself. It applies full Layer 4 stateful firewall features to the WAAS-optimized sessions. The transparent WAAS solution thus lets the firewall enforce per-session stateful firewall and QoS policies.

Details

● The firewall sees a normal TCP SYN packet with the 0x21 option and creates a session for it. There are no issues with the input or output interfaces, since WCCP is not involved. The return SYN-ACK is not a redirected packet, and the firewall takes note of it.
● The firewall checks for the 0x21 option in the SYN-ACK and performs the sequence-number jump if necessary. It also turns off Layer 7 inspection if the connection is optimized.
● The only aspect that distinguishes this from the Router-1 (off-path) scenario is that the return traffic is not redirected. There are no two "half" connections on this router.

Configuration

Standard ZBF configuration without any specific zone for WAAS traffic. Only Layer 7 inspection is not supported.

Restrictions for ZBF Interoperability with WAAS

● The WCCP Layer 2 redirect method is not supported with the IOS firewall; only generic routing encapsulation (GRE) redirection is supported.
● The IOS firewall supports WCCP redirection only. If WAAS relies on policy-based routing (PBR) to get packets redirected, interoperability is not ensured and the deployment is unsupported.
● The IOS firewall does not perform Layer 7 inspection on WAAS-optimized TCP sessions.
● The IOS firewall requires the "ip inspect waas enable" and "ip wccp notify" CLI commands for WCCP redirection.
● IOS firewall interoperability with NAT and the WAAS network module (WAAS-NM) is not supported at present.
● IOS firewall WAAS redirection is applied only to TCP packets.
● The IOS firewall does not support active/active topologies.
● All the packets belonging to a session must flow through the IOS firewall router.

Related Information

● Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
● Zone-Based Policy Firewall Design and Application Guide