topic Unable to VPN and SSH with Zone Based Firewall from outside to i in Network Security

Unable to VPN and SSH with Zone Based Firewall from outside to inside

eceflyboy — Mon, 11 Mar 2019 20:47:43 GMT

We had some bad DNS query attacks lately, so I setup the Zone Based Firewall for my Cisco 891W router.

However, immediately after setting it up, I realized the VPN and SSH access from outside is blocked. This is expected since ZBF was supposed to block all traffic and response traffic not initiated from inside the router.

I proceeded to Cisco Configuration Professional and added new Traffic Name: AllowVPN, inside Service, I add every protocol for IPSec/VPN, ipsec-msft, gdoi, isakmp, ssp, I set the Action to "Allow". Screen shot is attached.

I am able to VPN into the router, but after doing that, I cannot ping, ssh, or reach any machines inside the router. When I am inside the network, it's the same thing. I would VPN to the router, I would be unable to reach any machines inside the router, but when I log out of VPN then I am able to reach the internal machines again.

The router configuration is below (VPN configuration was previously working, the only new part of the config is the Zone-Based firewall), any help would be greatly appreciated!

NewCoGate#show run

Building configuration...

Current configuration : 14025 bytes

! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

hostname NewCoGate

boot-start-marker

boot-end-marker

logging buffered 4096

logging persistent url flash:/syslog/ size 100000000 filesize 12000000

aaa new-model

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa session-id common

clock timezone Pacific -8

service-module wlan-ap 0 bootimage autonomous

crypto pki trustpoint TP-self-signed-1798439109

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1798439109

revocation-check none

rsakeypair TP-self-signed-1798439109

crypto pki certificate chain TP-self-signed-1798439109

certificate self-signed 01

656C662D // Truncated on purpose for internet post

quit

no ip source-route

ip dhcp excluded-address 10.2.2.1 10.2.2.10

ip dhcp pool ccp-pool

network 10.2.2.0 255.255.255.0

default-router 10.2.2.1

dns-server 10.2.2.1

domain-name local

ip dhcp update dns

ip cef

ip domain name example.com

ip host local ns ns.local

ip host trac.local 10.2.2.7

ip host ns.local 10.2.2.1

ip host bw.local 10.2.2.7

ip host trac.example.com 10.2.2.7

ip host internal.example.com 10.2.2.7

ip host-list members.dyndns.org

ip host-list NewCo.dyndns.org

ip name-server 64.17.248.2

ip name-server 69.38.208.20

ip name-server 64.17.248.20

ip name-server 69.38.208.2

ip dhcp-client update dns server both

no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA

Unable to VPN and SSH with Zone Based Firewall from outside to i

Loren Kolnes — Mon, 20 Jun 2011 22:49:59 GMT

Hi Kuangwei,

It looks like the interface Virtual-Template1 is not in a zone. You could put this interface in the inside zone and all decrypted traffic would then be put into that zone,you also have the option of putting the Virtual-template in another zone and creating a zone pair to control what resources the VPN client has access to.

Here is a document that discusses this:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Do you also have an issue using ssh to manage the router when not using VPN?

Thanks,

Loren

Unable to VPN and SSH with Zone Based Firewall from outside to i

eceflyboy — Mon, 20 Jun 2011 22:58:02 GMT

That fixed it! Thanks!

I still do have the issue of not being able to ssh in to manage the router when not using the VPN. If I am just managing the router I prefer not having to need to VPN in, since SSH is pretty secure.

Thanks!

Kuangwei

Unable to VPN and SSH with Zone Based Firewall from outside to i

Loren Kolnes — Mon, 20 Jun 2011 23:16:47 GMT

Hi Kuangwei,

You have a policy map called "ccp-permit" which is matching traffic in the class-map "AllowSSH" with an action of pass.

When using pass we need to pass in both directions. You have the option of changing the pass action to inspect or to add a pass action to the self to out zone-pair policy map. You also have the option of not using a self zone which means that any traffic to or from the router would be allowed by default and access would need to be managed using other means such as configuring the line for ssh.

Option 1:

policy-map type inspect ccp-permit

class type inspect AllowSSH

no pass

inspect

Option 2:

policy-map type inspect ccp-permit-icmpreply

class type inspect AllowSSH

pass

no class type inspect ccp-icmp-access

class type inspect ccp-icmp-access

inspect

Option 3:

Remove the zone pairs referencing the self zone.

Please refer to the following guide for further information.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Thanks,

Loren

Unable to VPN and SSH with Zone Based Firewall from outside to i

eceflyboy — Tue, 21 Jun 2011 00:03:22 GMT

Hi Loren,

Thanks for the help, but Option 1 doesn't work and gives an error message when I change it to inspect:

%Protocol configured in class-map AllowSSH cannot be configured for the self zone with inspect action. Please remove the protocol and retry

For Option 2, I was able to set the configuration as you mentioned, but I am still unable to SSH from an outside server.

Option 3 requires changing Zone pairs, I think that's too big of a change to make on a production router during business hours. I may be able to try that after hours tonight but I'd rather not touch the existing zone pairs right now.

My latest router configuration is reproduced as below, thanks again for the help!

NewCoGate#show run

Building configuration...

Current configuration : 14025 bytes

! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

hostname NewCoGate

boot-start-marker

boot-end-marker

logging buffered 4096

logging persistent url flash:/syslog/ size 100000000 filesize 12000000

aaa new-model

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa session-id common

clock timezone Pacific -8

service-module wlan-ap 0 bootimage autonomous

crypto pki trustpoint TP-self-signed-1798439109

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1798439109

revocation-check none

rsakeypair TP-self-signed-1798439109

crypto pki certificate chain TP-self-signed-1798439109

certificate self-signed 01

656C662D // Truncated on purpose for internet post

quit

no ip source-route

ip dhcp excluded-address 10.2.2.1 10.2.2.10

ip dhcp pool ccp-pool

network 10.2.2.0 255.255.255.0

default-router 10.2.2.1

dns-server 10.2.2.1

domain-name local

ip dhcp update dns

ip cef

ip domain name example.com

ip host local ns ns.local

ip host trac.local 10.2.2.7

ip host ns.local 10.2.2.1

ip host bw.local 10.2.2.7

ip host trac.example.com 10.2.2.7

ip host internal.example.com 10.2.2.7

ip host-list members.dyndns.org

ip host-list NewCo.dyndns.org

ip name-server 64.17.248.2

ip name-server 69.38.208.20

ip name-server 64.17.248.20

ip name-server 69.38.208.2

ip dhcp-client update dns server both

no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA

Unable to VPN and SSH with Zone Based Firewall from outside to i

Loren Kolnes — Tue, 21 Jun 2011 00:11:57 GMT

Hi Kuangwei,

Can you remove access-list 23 from the vty lines below or create an access-list 23 that permits either all ip or your remote public address:

line vty 0 4

no access-class 23 in

transport input ssh

line vty 5 15

no access-class 23 in

Let me know if this helps.

Thanks,

Loren

Unable to VPN and SSH with Zone Based Firewall from outside to i

eceflyboy — Tue, 21 Jun 2011 00:48:48 GMT

Oh that is a really good point, I didn't even think about checking that!

So I took out access-class 23 in as you suggested, but still no luck.

Here is the latest configuration with the updated changes from the above recommendation:

NewCoGate#

NewCoGate#show run

Building configuration...

Current configuration : 14025 bytes

! Last configuration change at 13:56:21 Pacific Mon Jun 20 2011 by admin

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

hostname NewCoGate

boot-start-marker

boot-end-marker

logging buffered 4096

logging persistent url flash:/syslog/ size 100000000 filesize 12000000

aaa new-model

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa session-id common

clock timezone Pacific -8

service-module wlan-ap 0 bootimage autonomous

crypto pki trustpoint TP-self-signed-1798439109

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1798439109

revocation-check none

rsakeypair TP-self-signed-1798439109

crypto pki certificate chain TP-self-signed-1798439109

certificate self-signed 01

656C662D // Truncated on purpose for internet post

quit

no ip source-route

ip dhcp excluded-address 10.2.2.1 10.2.2.10

ip dhcp pool ccp-pool

network 10.2.2.0 255.255.255.0

default-router 10.2.2.1

dns-server 10.2.2.1

domain-name local

ip dhcp update dns

ip cef

ip domain name example.com

ip host local ns ns.local

ip host trac.local 10.2.2.7

ip host ns.local 10.2.2.1

ip host bw.local 10.2.2.7

ip host trac.example.com 10.2.2.7

ip host internal.example.com 10.2.2.7

ip host-list members.dyndns.org

ip host-list NewCo.dyndns.org

ip name-server 64.17.248.2

ip name-server 69.38.208.20

ip name-server 64.17.248.20

ip name-server 69.38.208.2

ip dhcp-client update dns server both

no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO891W-AGN-A-K9 sn FTX151301BA

Unable to VPN and SSH with Zone Based Firewall from outside to i

Loren Kolnes — Tue, 21 Jun 2011 01:26:31 GMT

Let's try the following:

1. Create a new class of traffic that matches TCP, I do not believe that ssh is a valid match for self zone traffic

class-map type inspect match-any management_class

match protocol tcp

2. Use an access-list to define tcp port 25, you already have the access-list created

class-map type inspect match-all SSH_Access

match class-map management_class

match access-group name SSH

3. Apply the new class maps to the policy-map and remove the old class in the out-to-self policy

policy-map type inspect ccp-permit

class type inspect SSH_Access

pass

no class type inspect AllowSSH

4. Apply the new class maps to the policy-map and remove the old class in the self-to-out policy

policy-map type inspect ccp-permit-icmpreply

no class type inspect AllowSSH

class type inspect SSH_Access

pass

no class type inspect ccp-icmp-access

class type inspect ccp-icmp-access

inspect

5. Remove the old class map

no class-map type inspect match-any AllowSSH

Let me know if this helps.

Thanks,

Loren