In this post I will explain how to configure a Cisco IOS device for remote VPN access together with ZBF (Zone-Based Firewall), and describe a strange and frustrating case I ran into while doing it.
First, let's look at the topology:
A short description of the topology: the Cisco router connects to my ISP over an ADSL connection with a dynamic IP address, and I also subscribe to a dynamic DNS service. The dialer interface on the router belongs to the outside security zone.
The internal interface, VLAN 1, holds the IP segment 192.168.0.0/24 and runs the DHCP and DNS services for the LAN. It is the default gateway for this segment and belongs to the inside security zone.
ADSL dialer:
interface Dialer1
 description LOGICAL_ADSL_$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username xxxxx password xxxxx
 no cdp enable
VLAN1 configuration:
interface Vlan1
 description LOCAL_NETWORK
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 load-interval 30
NAT configuration:
ip nat inside source list ACL_LAN_NAT interface Dialer1 overload
!
ip access-list extended ACL_LAN_NAT
 permit ip 192.168.0.0 0.0.0.255 any
I won't show the entire ZBF configuration, only the parts relevant to this post.
ZBF INSIDE and OUTSIDE policy:
zone security inside
zone security outside
!
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_INSIDE source outside destination inside
 service-policy type inspect PM_OUTSIDE_TO_INSIDE
The policy-maps contain various class-maps (type inspect) that define which traffic the ZBF is allowed to pass or inspect.
ZBF outside-to-self policy:
ip access-list extended ACL_ISAKMP-IPSEC1
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended ACL_ISAKMP-IPSEC2
 permit udp any any eq isakmp
!
class-map type inspect match-all CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1
class-map type inspect match-all CM_ISAKMP-IPSEC2
 match access-group name ACL_ISAKMP-IPSEC2
!
policy-map type inspect PM_SELF_TO_OUTSIDE
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
!
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log
!
zone-pair security SELF_TO_OUTSIDE source self destination outside
 service-policy type inspect PM_SELF_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_SELF source outside destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF
This ZBF policy allows the VPN's encrypted traffic from outside to self, that is, ISAKMP, ESP and AH traffic addressed to the router itself.
ZBF VPN policy:
zone security vpn
!
ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
!
ip access-list standard ACL_LAN_ACCESS
 permit 192.168.0.0 0.0.0.255
!
class-map type inspect match-all CM_LAN_TO_VPN
 match access-group name ACL_LAN_ACCESS
!
class-map type inspect match-all CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
!
policy-map type inspect PM_VPN_TO_INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  pass
 class class-default
  drop log
!
policy-map type inspect PM_INSIDE_TO_VPN
 class type inspect CM_LAN_TO_VPN
  pass
 class class-default
  drop log
!
zone-pair security VPN_TO_INSIDE source vpn destination inside
 service-policy type inspect PM_VPN_TO_INSIDE
!
zone-pair security INSIDE_TO_VPN source inside destination vpn
 service-policy type inspect PM_INSIDE_TO_VPN
!
This ZBF policy allows traffic between 172.16.0.0/24 (the remote VPN network) and 192.168.0.0/24 (the LAN). Of course, the policy can be changed to allow or deny more specific access.
ISAKMP policy:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
The ISAKMP policy is straightforward: the encryption and authentication settings for phase 1.
IP local pool:
ip local pool REMOTE_VPN_POOL 172.16.0.1 172.16.0.10
The IP address pool from which the remote users will be assigned addresses.
Split tunnel ACL:
access-list 110 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
This ACL defines which networks the client will forward into the VPN tunnel; here it is our local LAN, 192.168.0.0/24.
ISAKMP client group profile:
crypto isakmp client configuration group VPN_REMOTE_GROUP
 key xxxxxxxx
 dns 192.168.0.1
 wins 192.168.0.1
 domain network.local
 pool REMOTE_VPN_POOL
 acl 110
 max-users 5
The ISAKMP client group configuration lets us set the group name (VPN_REMOTE_GROUP) and the PSK (which will be needed later), the DNS and WINS servers, the IP pool name (REMOTE_VPN_POOL), the split-tunnel ACL (access-list 110) and the maximum number of users that can be connected at any given time (concurrent connections).
AAA authentication and authorization:
aaa new-model
aaa authentication login VPN_CLIENT_AUTH local
aaa authorization network VPN_GROUP_AUTH local
I made two lists, one for authentication (VPN_CLIENT_AUTH) and one for authorization (VPN_GROUP_AUTH), both of which use the local database.
Virtual-template:
interface Virtual-Template10 type tunnel
 ip unnumbered Vlan1
 ip mtu 1300
 ip nat inside
 ip virtual-reassembly in
 zone-member security vpn
 no ip route-cache cef
 ip tcp adjust-mss 1000
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE
The virtual template defines the interface configuration (virtual-access) that will be instantiated for every remote user that connects. Note that the command ip nat inside saves us the need for a NAT exemption: traffic between the LAN and the VPN clients never crosses an inside-to-outside boundary, so it is not translated.
Transform set:
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
ISAKMP profile:
crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_REMOTE_GROUP
 client authentication list VPN_CLIENT_AUTH
 isakmp authorization list VPN_GROUP_AUTH
 client configuration address respond
 virtual-template 10
IPSec profile:
crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANS_SET
 set isakmp-profile ISAKMP_PROFILE
After finishing the router configuration, let's configure the client. First install the Cisco 5.x VPN client; the latest version can be downloaded from here:
Open the VPN client software and click New.
Set the entry name and the WAN IP address of the router. Under Group Authentication, in the Name field, type the name of the client configuration group we configured earlier in the ISAKMP client group profile (VPN_REMOTE_GROUP), and in the Password fields type the key.
After that you should have working remote VPN access with ZBF in place!
I almost forgot, here is a story that I had:
I configured the router almost the same as I described here; the VPN client managed to connect and I even had ping to the router, but no access to the local resources on the LAN!?
In the Status -> Statistics window I didn't see any encrypted/decrypted packets going through, although my client was connected.
A normal VPN client statistics window
After a lot of frustrating hours I found the cause: I didn't configure the ZBF policy from inside to vpn!
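The mistake in the story above, and the name mismatches that creep into a hand-typed ZBF configuration, are both mechanical enough to catch before the config is applied. As an added example (not part of the original post), here is a small Python linter that reads IOS class-map, policy-map and zone-pair lines and reports policy-maps that reference undefined class-maps, zone-pairs that reference undefined policy-maps, and zone-pairs defined in one direction only. The embedded configuration fragment is constructed for the example and deliberately contains both kinds of error.

```python
import re

# Constructed IOS fragment (not the post's own config) reproducing the post's two
# failure modes: a policy-map naming a class-map that was never defined, and a
# vpn/inside zone-pair that exists in only one direction.
SAMPLE_CONFIG = """
zone security inside
zone security vpn
class-map type inspect match-all CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
policy-map type inspect PM_VPN_TO_INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  pass
policy-map type inspect PM_INSIDE_TO_VPN
 class type inspect CM_INSIDE_TO_VPN
  pass
zone-pair security VPN_TO_INSIDE source vpn destination inside
 service-policy type inspect PM_VPN_TO_INSIDE
"""

def lint_zbf(config):
    """Return findings: dangling class-map/policy-map names and one-way zone-pairs."""
    classmaps, policymaps, class_refs, pairs, current_pm = set(), set(), [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", line):
            classmaps.add(m.group(1))
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            current_pm = m.group(1)
            policymaps.add(current_pm)
        elif m := re.match(r"class type inspect (\S+)$", line):
            class_refs.append((current_pm, m.group(1)))      # resolved after the full pass
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            pairs.append([m.group(1), m.group(2), None])
        elif (m := re.match(r"service-policy type inspect (\S+)$", line)) and pairs:
            pairs[-1][2] = m.group(1)                        # attaches to the open zone-pair
    findings = []
    for pm, cm in class_refs:
        if cm not in classmaps:
            findings.append(f"policy-map {pm} references undefined class-map {cm}")
    for src, dst, pm in pairs:
        if pm not in policymaps:
            findings.append(f"zone-pair {src}->{dst} uses undefined policy-map {pm}")
    # ZBF drops inter-zone traffic with no zone-pair, and 'pass' keeps no state,
    # so a pair defined in one direction only silently breaks the other direction.
    directions = {(s, d) for s, d, _ in pairs}
    for s, d in sorted(directions):
        if (d, s) not in directions:
            findings.append(f"zone-pair {s}->{d} has no counterpart {d}->{s}")
    return findings
```

Feed it the text of show running-config; a configuration with consistent names and both directions of every zone-pair returns an empty list.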