Zone based firewall and IPsec dialin

pfoerster — Fri, 21 Feb 2020 14:16:12 GMT

I have a Cisco 880 and try to establish an IPsec VPN dialin in combination with zone based firewalling.

The IPsec dialin works fine without any issues which was crosschecked before activating the ZFW.

ZFW config looks like this:

class-map type inspect match-all IPsecVPN
match access-group name ISAKMP_IPSEC

!
class-map type inspect match-any GuestAllowed
match protocol http
match protocol https
match protocol dns
match protocol ntp
class-map type inspect match-any RouterProtocols
match class-map IPsecVPN
match protocol udp
match protocol icmp
class-map type inspect match-any HomeAllowed
match protocol http
match protocol https
match protocol pop3s
match protocol imaps
match protocol smtp extended
match protocol icmp
match protocol dns
match protocol tcp
match protocol udp
class-map type inspect match-any CPallowed
match protocol http
match protocol https
!
policy-map type inspect GuestToInternet
class type inspect GuestAllowed
inspect
class class-default
drop

!
policy-map type inspect InternetToRouter
description Permitted traffic internet to router
class type inspect IPsecVPN
inspect
class class-default
drop

!
policy-map type inspect HomeToCP
class type inspect CPallowed
inspect
class class-default
drop

!
policy-map type inspect HomeToInternet
class type inspect HomeAllowed
inspect
class class-default
drop
policy-map type inspect RouterToInternet
class type inspect RouterProtocols
inspect
class class-default
drop
!
zone security Home
zone security Guest
zone security Internet

!
zone-pair security GuestToInternet source Guest destination Internet
service-policy type inspect GuestToInternet
zone-pair security RouterToInternet source self destination Internet
service-policy type inspect RouterToInternet
zone-pair security HomeToInternet source Home destination Internet
service-policy type inspect HomeToInternet
zone-pair security Home-CP source Home destination Guest
service-policy type inspect HomeToCP
zone-pair security InternetToRouter source Internet destination self
service-policy type inspect InternetToRouter
!
ip access-list extended ISAKMP_IPSEC
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
!

interface Virtual-Template2 type tunnel

description IPsec VPN Dialin

ip unnumbered Vlan1

zone-member security Home

tunnel mode ipsec ipv4

tunnel protection ipsec profile vpn-vti2

The WAN Interface is a VDSL PPPoE dialer interface with zone "Internet" and the guest segment is another separate ip interface with zone "Guest".

Local LAN is in zone "Home" as well as the virtual Template Interface for the VPN.

IOS version 15.6.3M2.

What happens here is that i can get IPsec connection so VPN is established but i cannot pass traffic from the VPN client to local LAN and vice versa.

This works fine without the ZFW enabled.

Interesting here: I have a lab setup running on another 880 with the same config but IOS version 15.4.3M3.

Here with a slightly other class map for router generated traffic:

class-map type inspect match-any RouterProtocols
match class-map IPsecVPN
match protocol isakmp
match protocol dns
match protocol ntp
match protocol sip
match protocol icmp

This is running without any issues.

15.6.3M2 do NOT let me configure isakmp, dns, ntp and sip. CLI parser claims not supported for self zone inspection.

So as a workaround i only can enable UDP generally here so that this covers dns, ntp and isakmp.

15.4.3M3 lets me configure all this.

To make a long story short: Whats wrong here with the ZFW configuration ?

Is that maybe an issue between 15.4.3 and 15.6.3 version and a case for the TAC or have i overseen here something ?

Any feedback apprechiated.

topic Zone based firewall and IPsec dialin in Network Security

Zone based firewall and IPsec dialin