
Sunday, January 6, 2013

Cisco IOS ZBFW with IPSec remote access

In this post I’m going to show how to configure IPSec VPN remote access on a Cisco IOS router that is configured with ZBFW (Zone-Based Firewall).

This is the network topology:

The following configuration sets up the VPN remote access policy with ZBFW. I assume you already have a basic ZBFW configuration in place with inside (LAN) and outside (WAN) zones.

1.       First configure AAA for user authentication and group authorization:
aaa new-model
aaa authentication login VPN_CLIENT_AUTH local
aaa authorization network VPN_GROUP_AUTH local

2.       Configure the IP pool which will provide IP addresses to remote users (the address range is not given in the original post; replace the placeholders with your own):
ip local pool VPN_POOL <FIRST_IP> <LAST_IP>

3.       Configure ISAKMP Phase 1 policy:
crypto isakmp enable
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600

In this policy I have used 256-bit AES as the encryption algorithm.

4.       Configure the ISAKMP client group configuration:
crypto isakmp client configuration group VPN_GRP
 key <SECRET_KEY>
 domain network.local
 pool VPN_POOL
 max-users 5
 acl 108

Note that Cisco adds another layer of security here: when configuring the VPN client software you have to provide the group password (key <SECRET_KEY>) once, in addition to the account username and password which you have to enter each time you connect.

5.       Configure the ACL which defines the local and remote networks (this is the ACL referenced as acl 108 in the group configuration above; the networks themselves are not given in the original post):
ip access-list extended 108
 permit ip <LOCAL_NETWORK_1> <WILDCARD> <REMOTE_NETWORK> <WILDCARD>
 permit ip <LOCAL_NETWORK_2> <WILDCARD> <REMOTE_NETWORK> <WILDCARD>

6.       Define the crypto transform-set:
crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha-hmac

7.       Configure the ISAKMP profile:
crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_GRP
 client authentication list VPN_CLIENT_AUTH
 isakmp authorization list VPN_GROUP_AUTH
 client configuration address respond
 virtual-template 1

Note that we are binding three items here: the VPN group (configured in step 4), and the client authentication and group authorization lists (configured in step 1).

8.       Configure the IPSEC profile:
crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANS-SET
 set isakmp-profile ISAKMP_PROFILE

9.       Configure the virtual-template interface:
interface Virtual-Template1 type tunnel
 ip unnumbered vlan1
 zone-member security vpn
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

Note that the VTI is in the vpn security zone.

Now let’s move to the ZBFW configuration. There are three zones which we need to configure: inside, outside and vpn.

1.       First configure an ACL which matches the IPSEC traffic that will be allowed to pass:
ip access-list extended ACL_ISAKMP-IPSEC1
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

2.       Configure another ACL which matches the ISAKMP traffic that will be inspected:
ip access-list extended ACL_ISAKMP-IPSEC2
 permit udp any any eq isakmp

3.       Configure the class-map for IPSEC traffic to pass:
class-map type inspect CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1

4.       Configure the class-map for IPSEC traffic to inspect:
class-map type inspect CM_ISAKMP-IPSEC2
 match access-group name ACL_ISAKMP-IPSEC2

5.       Now configure the policy-map from zone outside to self (the first class is passed, the second is inspected, as steps 3 and 4 describe):
policy-map type inspect PM_OUTSIDE-TO-SELF
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log

6.       Configure the same from zone self to zone outside:
policy-map type inspect PM_SELF-TO-OUTSIDE
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log

7.       Configure the ACL, class-map and policy-map for VPN remote access to the LAN (an extended ACL is needed because the entry matches on both source and destination; the networks are not given in the original post). The class is inspected so that return traffic from the LAN is allowed statefully:
ip access-list extended ACL_VPN_REMOTE
 permit ip <VPN_POOL_NETWORK> <WILDCARD> <LAN_NETWORK> <WILDCARD>
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  inspect
 class class-default
  drop log

8.       Configure the zone-pair between the outside and self zones:
zone-pair security outside-to-self source outside destination self
 service-policy type inspect PM_OUTSIDE-TO-SELF

9.       Configure the zone-pair between the self and outside zones:
zone-pair security self-to-outside source self destination outside
 service-policy type inspect PM_SELF-TO-OUTSIDE

10.   And configure the zone-pair between the vpn and inside zones:
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
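
The chain the ten steps above build (ACL to class-map to policy-map to zone-pair) is easy to break with a typo in a name or a class that never got its pass/inspect action, and IOS does not always refuse such a config. As an added example, not part of the original post, here is a small Python checker that walks a ZBFW config fragment and reports dangling references and action-less classes; SAMPLE_CONFIG is a constructed fragment in the shape of this post's configuration with two such mistakes planted in it.

```python
# Constructed sample in the shape of the post's config, with two planted mistakes:
# one class-map references an ACL that is never defined, and one class has no action.
SAMPLE_CONFIG = """\
ip access-list extended ACL_ISAKMP-IPSEC1
 permit esp any any
class-map type inspect CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
 class class-default
  drop log
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
"""
ACTIONS = {"inspect", "pass", "drop"}

def audit_zbfw(config):
    """Return sorted findings: dangling references and policy-map classes with no action."""
    acls, cmaps, pmaps, pairs, block, cur = set(), {}, {}, {}, None, None
    for raw in filter(str.strip, config.splitlines()):      # skip blank lines
        t = raw.split()
        if not raw[0].isspace():                            # a new top-level block starts here
            block, cur = None, None
            if t[:2] == ["ip", "access-list"]:
                acls.add(t[3])
            elif t[0] in ("class-map", "policy-map") and t[1:3] == ["type", "inspect"]:
                block = (t[0], t[3])
                (cmaps if t[0] == "class-map" else pmaps)[t[3]] = []
            elif t[:2] == ["zone-pair", "security"]:
                block = ("zone-pair", t[2])
        elif block and block[0] == "class-map" and t[:3] == ["match", "access-group", "name"]:
            cmaps[block[1]].append(t[3])
        elif block and block[0] == "policy-map" and t[0] == "class":  # "class type inspect X" / "class class-default"
            cur = [t[-1], None]                             # [class name, action]; action comes from the next line
            pmaps[block[1]].append(cur)
        elif block and block[0] == "policy-map" and cur and t[0] in ACTIONS:
            cur[1] = t[0]
        elif block and block[0] == "zone-pair" and t[:3] == ["service-policy", "type", "inspect"]:
            pairs[block[1]] = t[3]
    out = [f"class-map {c}: ACL {a} not defined" for c, refs in cmaps.items() for a in refs if a not in acls]
    for pm, classes in pmaps.items():
        for name, action in classes:
            if name != "class-default" and name not in cmaps:
                out.append(f"policy-map {pm}: class-map {name} not defined")
            if action is None:
                out.append(f"policy-map {pm}: class {name} has no action")
    out += [f"zone-pair {z}: policy-map {p} not defined" for z, p in pairs.items() if p not in pmaps]
    return sorted(out)
```

Running audit_zbfw(SAMPLE_CONFIG) returns the two planted problems; feed it the output of show running-config to check your own router, since a class without an action or a misspelled ACL name silently leaves the VPN-to-LAN traffic unmatched.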

Assuming that your LAN interface is in the inside zone and your WAN interface is in the outside zone, this configuration should work fine.

Configuring the Cisco VPN client software is pretty easy. After installing the client software, follow these steps:

1.       Click New for a new connection
2.       Enter the connection name
3.       Enter the router's outside IP address
4.       Enter the VPN group name (configured in step 4)
5.       Enter the group password

Click save and connect.
