09-17-2014 09:00 AM - edited 03-11-2019 09:46 PM
Hello,
I need some help with a fairly basic situation. I have a Cisco 2911 ISR G2 router that is acting solely as a Communications Manager Express phone system, i.e., there is no data that needs to flow out of the router to the Internet.
I do have 3 users that will be connecting some Cisco phones from home and they use the built-in Cisco AnyConnect SSL web VPN client that is on phone loads above 9.0. I have tested this and it works great.
The issue is that I cannot simply have a port (G0/0 in this case) facing the Internet without security applied since there's no firewall in front of this router and I want the router to be the firewall, because the ONLY thing coming from the Internet are these VPN connections and that's it.
Does anyone know of a simple zone-based firewall configuration that will block ALL incoming requests and secure the outside interface while still allowing the AnyConnect VPN access to the inside? I have found a few Cisco docs but they all show how to configure "inspect" statements and, to be honest, I'm not sure how those truly protect the outside interface from incoming attacks.
Currently I have the internet-facing port shut down and I only open it to test the VPN phones but since there is no firewall currently configured on the router, I shut it back down as I don't want to leave it open.
09-17-2014 12:39 PM
Hi
The zone-based firewall uses "inspect" statements; that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the Internet and protect the outside interface of the router, but allow AnyConnect connections, would look something like this:
! Zones must exist before the zone-pairs below refer to them
zone security INSIDE
zone security OUTSIDE
!
! Standard ACLs take a wildcard mask (0.0.0.255), not a subnet mask
ip access-list standard INSIDE-NETWORK_ACL
 permit 192.168.1.0 0.0.0.255
!
class-map type inspect INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
 match protocol https
!
! Inside -> Internet: stateful inspection, return traffic allowed automatically
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect
! Internet -> router itself: only HTTPS (the AnyConnect/SSL VPN port) is passed;
! everything else falls into the implicit class-default and is dropped
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HTTPS_CMAP
  pass
!
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
! Interfaces must be placed in their zones; G0/0 is the Internet-facing port
! from the question, the inside interface name (G0/1) is assumed
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
I haven't personally configured zone-based firewall with AnyConnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw
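The kind of mistake that is easy to make in a ZBFW configuration like the one above (a misspelled zone name in a zone-pair, a zone that was never created, an interface never placed in a zone) fails silently: the router accepts the commands and the result is simply that traffic is dropped or, worse, that an interface is left outside the firewall entirely. The following is an added example, not part of this thread or of any Cisco tool, of a small Python linter that reads the ZBFW-related lines of a running-config and reports those mistakes, and also summarises what the OUTSIDE-to-self policy actually lets reach the router. The sample configuration inside it is constructed for the example (interface GigabitEthernet0/1 as the inside port is an assumption) and it only understands the constructs shown in the answer: zone, class-map / match, policy-map / class / action, zone-pair / service-policy and zone-member.

```python
import re

# Constructed sample config in the shape of the answer above, with the zone
# definitions and interface membership that a working ZBFW needs.
SAMPLE_CONFIG = """\
ip access-list standard INSIDE-NETWORK_ACL
 permit 192.168.1.0 0.0.0.255
!
class-map type inspect match-all INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL
class-map type inspect match-any HTTPS_CMAP
 match protocol https
!
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-SELF_PMAP
 class type inspect HTTPS_CMAP
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF_PMAP
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
"""


def parse_zbfw(text):
    """Extract zones, class-maps, policy-maps, zone-pairs and interface zones.

    IOS sub-commands are indented by at least one space, so a line that
    starts in column 0 begins a new top-level block."""
    cfg = {"zones": {"self"}, "class_maps": {}, "policy_maps": {},
           "zone_pairs": {}, "interfaces": {}}
    block, policy_class = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if raw[0] != " ":
            block, policy_class = None, None
            if words[:2] == ["zone", "security"]:
                cfg["zones"].add(words[2])
            elif words[:2] == ["class-map", "type"]:
                cfg["class_maps"][words[-1]] = []
                block = ("class", words[-1])
            elif words[:2] == ["policy-map", "type"]:
                cfg["policy_maps"][words[-1]] = {}
                block = ("policy", words[-1])
            elif words[0] == "zone-pair":
                m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line)
                cfg["zone_pairs"][m.group(1)] = {"source": m.group(2),
                                                 "destination": m.group(3),
                                                 "policy": None}
                block = ("zone-pair", m.group(1))
            elif words[0] == "interface":
                cfg["interfaces"][words[1]] = None
                block = ("interface", words[1])
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class" and words[0] == "match":
            cfg["class_maps"][name].append(" ".join(words[1:]))
        elif kind == "policy":
            if words[0] == "class":            # "class type inspect X" / "class class-default"
                policy_class = words[-1]
                cfg["policy_maps"][name][policy_class] = None
            elif words[0] in ("inspect", "pass", "drop") and policy_class:
                cfg["policy_maps"][name][policy_class] = words[0]
        elif kind == "zone-pair" and words[0] == "service-policy":
            cfg["zone_pairs"][name]["policy"] = words[-1]
        elif kind == "interface" and words[0] == "zone-member":
            cfg["interfaces"][name] = words[-1]
    return cfg


def lint(cfg):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    for zp, info in cfg["zone_pairs"].items():
        for end in ("source", "destination"):
            if info[end] not in cfg["zones"]:
                findings.append(f"zone-pair {zp}: {end} zone '{info[end]}' is not defined")
        if info["policy"] is None:
            findings.append(f"zone-pair {zp}: no service-policy attached, all traffic dropped")
        elif info["policy"] not in cfg["policy_maps"]:
            findings.append(f"zone-pair {zp}: policy-map '{info['policy']}' does not exist")
    for pm, classes in cfg["policy_maps"].items():
        for cls, action in classes.items():
            if cls != "class-default" and cls not in cfg["class_maps"]:
                findings.append(f"policy-map {pm}: class-map '{cls}' does not exist")
            if action is None:
                findings.append(f"policy-map {pm}: class '{cls}' has no inspect/pass/drop action")
    for zone in sorted(cfg["zones"] - {"self"}):
        if zone not in cfg["interfaces"].values():
            findings.append(f"zone {zone}: no interface is a member, the zone does nothing")
    for ifname, zone in cfg["interfaces"].items():
        if zone is None:
            findings.append(f"interface {ifname}: not in any zone, so it is outside the firewall")
    return findings


def self_exposure(cfg, from_zone):
    """Map each match criterion to the action applied to traffic from `from_zone`
    to the router itself (the self zone); '(default)' is the implicit class-default."""
    exposure = {}
    for info in cfg["zone_pairs"].values():
        if info["source"] != from_zone or info["destination"] != "self":
            continue
        for cls, action in cfg["policy_maps"].get(info["policy"], {}).items():
            for match in cfg["class_maps"].get(cls, ["(default)"]):
                exposure[match] = action
    return exposure


if __name__ == "__main__":
    parsed = parse_zbfw(SAMPLE_CONFIG)
    print("findings:", lint(parsed) or "none")
    print("OUTSIDE -> self:", self_exposure(parsed, "OUTSIDE"))
```

Running it on the sample reports no findings and shows that from OUTSIDE only "protocol https" is passed to the router while everything else is dropped, which is the property the question asks for. Feeding it the same text with the zone-pair destination misspelled (as in the original post) produces a finding naming the undefined zone, which is the check to run before the Internet-facing port is brought back up.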