Search This Blog

Tuesday, February 11, 2014

Cisco IOS remote access VPN with ZBF



In this post I will explain how to configure Cisco IOS device for remote VPN access along with ZBF (Zone-Based Firewall) and about strange and frustrating case that I had with that.

First let’s look on the topology:




Short description on the topology - the Cisco router connects to my ISP with dynamic IP using ADSL connection and I also subscribe to dynamic DNS service. The dialer on the router belongs to outside security zone.

The internal interface, which is VLAN 1, holds IP segment 192.168.0.0/24 and runs DHCP and DNS services for the LAN, this interface is the default gateway for this segment and belongs to inside security zone.

ADSL dialer:

interface Dialer1
 description LOGICAL_ADSL_$FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 zone-member security outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username xxxxx password xxxxx
 no cdp enable

VLAN1 configuration:

interface Vlan1
 description LOCAL_NETWORK
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30

NAT configuration:

ip nat inside source list ACL_LAN_NAT interface Dialer1 overload
!
ip access-list extended ACL_LAN_NAT
permit ip 192.168.0.0 0.0.0.255 any

I won’t show the entire ZBF configuration else only the relative to this post.
ZBF INSIDE and OUTSIDE policy:
zone security inside
zone security outside
!
zone-pair security INSIDE_TO_OUTSIDE source inside destination outside
 service-policy type inspect PM_INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_INSIDE source outside destination inside
 service-policy type inspect PM_OUTSIDE_TO_INSIDE

The policy-maps include all kind of class-maps (type inspection) which define the parameters I allow to pass or inspect by the ZBF.

ZBF outside to self-policy:

ip access-list extended ACL_ISAKMP-IPSEC1
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended ACL_ISAKMP-IPSEC2
 permit udp any any eq isakmp
!
class-map type inspect match-all CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1
class-map type inspect match-all CM_ISAKMP-IPSEC2
 match access-group name ACL_ISAKMP-IPSEC2
!
policy-map type inspect PM_SELF_TO_OUTSIDE
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
!
policy-map type inspect PM_OUTSIDE_TO_SELF
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log
!
zone-pair security SELF_TO_OUTSIDE source self destination outside
 service-policy type inspect PM_SELF_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_SELF source outside destination self
 service-policy type inspect PM_OUTSIDE_TO_SELF

ZBF policy to allow VPN encrypted traffic from outside to self; hence ISAKMP, ESP and AHP traffic to the router himself.

ZBF VPN policy:

zone security vpn
!
ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
!
ip access-list standard ACL_LAN_ACCESS
 permit 192.168.0.0 0.0.0.255
!
class-map type inspect match-all CM_LAN_TO_VPN
 match access-group name ACL_LAN_ACCESS
!
class-map type inspect match-all CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
!
policy-map type inspect PM_VPN_TO_INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  pass
 class class-default
  drop log
!
policy-map type inspect PM_INSIDE_TO_VPN
 class type inspect CM_INSIDE_TO_VPN
  pass
 class class-default
  drop log
!
zone-pair security VPN_TO_INSIDE source vpn destination inside
 service-policy type inspect PM_VPN_TO_INSIDE
!
zone-pair security INSIDE_TO_VPN source inside destination vpn
 service-policy type inspect PM_LAN_TO_VPN
!

This ZBF policy basically allows traffic between 172.16.0.0/24 (remote VPN network) to 192.168.0.0/24 (LAN), of course we can change this policy to allow or deny more specific access.

ISAKMP policy:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600

The ISAKMP policy is as is, encryption and authentication configuration. 

IP local pool:

ip local pool VPN_POOL 172.16.0.1 172.16.0.10

The IP address pool which will be given to the remote users.

Split tunnel ACL:

access-list 110 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

This ACL will define which networks will be forward to the VPN tunnel on the client side, here our local LAN 192.168.0.0/24.

ISAKMP client group profile:

crypto isakmp client configuration group VPN_REMOTE_GROUP
 key xxxxxxxx
 dns 192.168.0.1
 wins 192.168.0.1
 domain network.local
 pool REMOTE_VPN_POOL
 acl 110
 max-users 5

The ISAKMP client group configuration let us configure the group name (VPN_REMOTE_GROUP)  and the PSK (which will be needed later ), DNS and WINS, the IP pool name (REMOTE_VPN_POOL), split-tunnel ACL (access-list 110) and the maximum users which can connect on any given time (concurrent connections).

AAA authentication and authorization:

aaa new-model
aaa authentication login VPN_CLIENT_AUTH local
aaa authorization network VPN_GROUP_AUTH local

I made two lists for authentication (VPN_CLIENT_AUTH) and authorization (VPN_GROUP_AUTH) which both use local database.
 
Virtual-template:

interface Virtual-Template10 type tunnel
 ip unnumbered vlan1
 ip mtu 1300
 ip nat inside
 ip virtual-reassembly in
 zone-member security vpn
 no ip route-cache cef
 ip tcp adjust-mss 1000
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

The virtual template defines the interface configuration (virtual-access) that will be set for every remote user which will connect.
Note that the command ip nat inside will save us the need for NAT exempt.

Transform set:

crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac

ISAKMP profile:

crypto isakmp profile ISAKMP_PROFILE
   match identity group VPN_GRP
   client authentication list VPN_CLIENT_AUTH
   isakmp authorization list VPN_GROUP_AUTH
   client configuration address respond
   virtual-template 10

IPSec profile:

crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANS_SET
 set isakmp-profile ISAKMP_PROFILE

After finish the configuration of the router let’s configure the client, first install Cisco 5.x VPN client, the latest version can be download from here:

Open the VPN client software and click New



Set the entry name, WAN IP address of the router, under group authentication in the name field type the name of the client configuration group which we configured earlier in ISAKMP client group profile (VPN_REMOTE_GROUP) and the key.

After that you should have working remote VPN access with ZBF working!

almost forgot, here is a story that i had:
I configured the router almost the same as i described here, the VPN client managed to connect and i even had ping to the router but no access to the local resources on the LAN!?
on the status->statistics window i didn't see any encrypt/decrypt packets going through although my client was connected.


A normal VPN client statistics

after a lot of frustrating hours i found the cause - i didn't configure the ZBF policy from inside to vpn!


10 comments:

  1. VPN is a way to reinforce security and access resources on a network that the user may not be physically connected to. VPN service

    ReplyDelete
  2. I have read your blog it is very helpful for me. I want to say thanks to you. I have bookmark your site for future updates. best cheap vpn

    ReplyDelete
  3. This blog is a punchy bit of composing, as it has a solid impact.
    Buy VPN

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Fantastic blog you have here. You’ll discover me looking at your stuff often. Saved! top android vpn

    ReplyDelete
  6. On the off chance that that doesn't work power cycle your Cable/DSL modem and switches and reboot your PC again after the organization gadgets are up and stable. Be certain the entirety of your organization links are connected tight. https://onohosting.com/

    ReplyDelete
  7. Regularly, building up an association with a VPN worker nearer to your area will bring about better speed. This is on the grounds that the intricacy of Internet traffic goes up as the distance among you and the VPN worker increments. The more complicated the traffic, and the more prominent the distance information needs to travel, the more slow the VPN speed. best vpn reddit

    ReplyDelete
  8. your content is very inspiring and appriciating I really like it please visit my site for Satta King Result also check Satta king 24X7 and also check sattaking and for quick result check my site Satta matka and for super fast result check Satta king

    ReplyDelete

  9. VPN that doesn't cost you anything front and center. Most free VPN administrations offer just PPTP which is thought of as old. Likewise, cheap web hosting services

    ReplyDelete