Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1683
Views
4
Helpful
5
Replies

Zone Based Firewall + Internal CISCO VPN Client

mariov652
Level 1
Level 1

‎06-07-2011 08:02 AM - edited ‎03-11-2019 01:43 PM

Hi,

I've setup a CISCO 871 which receives DHCP IP address on WAN interface Fa4 and DHCP-assigned static IP Address on virtual-ppp1.  The static address is used for site-to-site VPN's, while I've planned the DHCP address for standard web access and CISCO VPN Client dial-out.

Internally, I've created 2 VLAN's, one for standard PC's with access to the remote sites via site-to-site and cisco client, and the other for a 'secured' area with only HTTP/S allowed out.

I've created 4 zones:

VPN (on interface virtual-pp1)

OUTSIDE (on WAN interface Fa4)

PCLAN (interface vlan1)

WEB (interface vlan2)

Overall, traffic is working as expected i.e.

- web traffic only is allowed from WEB zone to OUTSIDE zone

- access over site-to-site is available from PCLAN zone to VPN zone etc.

I'm stuck on one issue though....

Clients in the PCLAN should also be allowed to dial-out using CISCO VPN client to remote sites via the OUTSIDE interface.  This is partially working because the client does log into a remote site, however I cannot ping or rdp remote stations once connected.

"ip inspect log drop-packets" does not reveal dropped packets when trying to ping or rdp, so I'm a little stuck as to what the problem is.

The relevant config for the PCLAN-OUTSIDE connection is below..

class-map type inspect match-any pclan-outside-traffic

match protocol icmp

match access-group 114

policy-map type inspect pclan-outside-policy

class type inspect pclan-outside-traffic

  inspect

class class-default

  drop

zone security outside

zone security web

zone security pclan

zone security vpn

zone-pair security pclan-outside-pair source pclan destination outside

service-policy type inspect pclan-outside-policy

interface FastEthernet0

description PC-LAN

duplex full

speed 100

interface FastEthernet4

description $ETH-WAN$

ip address dhcp

ip nat outside

ip virtual-reassembly

zone-member security outside

speed 100

full-duplex

access-list 114 remark ACL_PCLAN_to_OUTSIDE

access-list 114 permit udp <pclan network> 0.0.0.255 any eq isakmp

access-list 114 permit esp <pclan network> 0.0.0.255 any

access-list 114 permit udp <pclan network> 0.0.0.255 any eq non500-isakmp

access-list 114 permit ahp <pclan network> 0.0.0.255 any

I'm hoping someone can point out why the CISCO VPN client isn't returning traffic.

Thanks,

Mario

Labels:
0 Helpful
5 Replies 5

Maykol Rojas
Cisco Employee
Cisco Employee

‎06-07-2011 01:08 PM

Hello,

ESP is an IP protocol and cannot be inspected in layer 3/4 format. This traffic, since it comes encrypted, the router is not able to inspect its information at layer 4. Hence, is not going to pass.

What you need to do is the following:

Take out the following ACE

access-list 114 permit esp 0.0.0.255 any

Create a separate ACL

access-list 115 permit esp 0.0.0.255 any

And do the following:

class-map type inspect ESP-TRAFFIC

match access-group 115

Then, add it to the policy map and put PASS instead of the inspect

policy-map type inspect pclan-outside-policy

class ESP-TRAFFIC

   pass

This class map needs to be on outside to inside as well with PASS action too. This is because since it is not being inspected by the stateful table, the router has no way to track the pakcets.

Hope this info is useful.

Mike

Mike

mariov652
Level 1
Level 1
In response to Maykol Rojas

‎06-08-2011 04:15 AM

Hi Mike,

Thanks for your detailed explanation, it's helped me understand this better.

I've applied the config below, but there is still something missing though.

I've tried enhancing the logging with regards to esp traffic, but nothing additional is logged.  I've also temporarily allowed "esp any any" to avoid incorrect address allocation.

- Can you (or anyone else) see why this traffic is not been logged?

- Are my zone pairs and policies correct?  I've commented the sections I've added...

parameter-map type inspect LOG #Enable logging to firewall (ip inspect log drop-packets already enabled)

  audit-trail on

class-map type inspect match-any pclan-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
match access-group 114

class-map type inspect match-any ESP-TRAFFIC
match access-group 115

!

policy-map type inspect pclan-outside-policy # Allow this traffic out
class type inspect pclan-outside-traffic
  inspect
class type inspect ESP-TRAFFIC
  pass log
class class-default
  drop
policy-map type inspect outside-pclan-policy #Allow this traffic back
class type inspect ESP-TRAFFIC
  pass log
class class-default
  drop


zone security outside
zone security dmz
zone security pclan
zone security vpn


zone-pair security pclan-outside-pair source pclan destination outside
service-policy type inspect pclan-outside-policy
zone-pair security outside-pclan-pair source outside destination pclan #To allow esp traffic back
service-policy type inspect outside-pclan-policy
!


access-list 114 remark ACL_PCLAN_to_OUTSIDE
access-list 114 permit udp 0.0.0.255 any eq isakmp
access-list 114 permit udp 0.0.0.255 any eq non500-isakmp

access-list 115 remark ACL_ESP_VPN #Allow esp from/to all
access-list 115 permit esp any any

Mario

0 Helpful

mariov652
Level 1
Level 1
In response to mariov652

‎06-08-2011 05:11 AM

Some additional info...  It looks like the Access list 115 is not used as there are no hits on that rule-set

# sh access-lists

Extended IP access list 114

    10 permit udp 172.16.11.0 0.0.0.255 any eq isakmp (4 matches)

    20 permit udp 172.16.11.0 0.0.0.255 any eq non500-isakmp (4 matches)

Extended IP access list 115

    10 permit esp any any

Any ideas?

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to mariov652

‎06-08-2011 03:27 PM

Hello,

Are you using NAT traversal on the endpoint?

Mike.

Mike
0 Helpful

mariov652
Level 1
Level 1
In response to Maykol Rojas

‎06-09-2011 01:50 AM

SOLVED...

I had a second device with a simple two-zone configuration which was working fine.  After applying this configuration to my test device, I still had the same issue from my test system.

This made no sense because this config was working on another part of the network!  Anyway, re-installing the CISCO VPN client and rebooting on my test PC fixed this issue for me.

- How do I mark this post as answered as it seems I can only mark 'answered' for other people's posts?

Below is the working config in case it assists someone else in the future.  If you see any security improvements that could be made, please let me know.

CISCO 871, advancedsecurity IOS.

4 security zones:

web - internal clients allowed HTTP/HTTPS access only.

pclan - internal clients allowed access to site-to-site clients and rdp to stations within the web zone.

outside - int fa4, DHCP from ISP dedicated for web access.

vpn - int virtual-ppp1 from ISP via L2TP for static IP,  dedicated to site-to-site connection only.

----------------------------------------------------------------------------------------------------


no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xyz
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!        
!
aaa session-id common
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
no dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name xxxxxx
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username xxxxx privilege 15 secret xxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address x.x.x.x
crypto isakmp nat keepalive 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel tox.x.x.x
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
  hidekeys
!
!        
!
class-map type inspect match-any outside-self-traffic
match access-group 110
class-map type inspect match-any vpn-self-traffic
match access-group 109
class-map type inspect match-any pclan-outside-traffic
match protocol icmp
match protocol ntp
match access-group 114
class-map type inspect match-any web-outside-traffic
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ntp
class-map type inspect match-any pclan-web-traffic
match protocol icmp
match access-group 112
class-map type inspect match-any pclan-vpn-traffic
match protocol icmp
match access-group 113
!
!
policy-map type inspect pclan-web-policy
class type inspect pclan-web-traffic
  inspect
class class-default
  drop
policy-map type inspect pclan-outside-policy
class type inspect pclan-outside-traffic
  inspect
class class-default
  drop
policy-map type inspect web-outside-policy
class type inspect web-outside-traffic
  inspect
class class-default
  drop
policy-map type inspect pclan-vpn-policy
class type inspect pclan-vpn-traffic
  inspect
class class-default
  drop
policy-map type inspect outside-self-policy
class type inspect outside-self-traffic
  pass
class class-default
  drop
policy-map type inspect vpn-self-policy
class type inspect vpn-self-traffic
  inspect
class class-default
  drop
!
pseudowire-class ISP
encapsulation l2tpv2
ip local interface FastEthernet4
!
zone security outside
zone security web
zone security pclan
zone security vpn
zone-pair security vpn-self-pair source vpn destination self
service-policy type inspect vpn-self-policy
zone-pair security outside-self-pair source outside destination self
service-policy type inspect outside-self-policy
zone-pair security web-outside-pair source web destination outside
service-policy type inspect web-outside-policy
zone-pair security pclan-web-pair source pclan destination web
service-policy type inspect pclan-web-policy
zone-pair security pclan-vpn-pair source pclan destination vpn
service-policy type inspect pclan-vpn-policy
zone-pair security pclan-outside-pair source pclan destination outside
service-policy type inspect pclan-outside-policy
!
!
!
interface FastEthernet0
description PC-LAN
duplex full
speed 100
!
interface FastEthernet1
description web-LAN
duplex full
speed 100
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security outside
speed 100
full-duplex
!
interface Virtual-PPP1
description L2TP dialer to ISP
ip address negotiated
zone-member security vpn
no cdp enable
ppp lcp predictive
ppp chap hostname xyz
ppp chap password xxxxxxxx
ppp ipcp predictive
pseudowire x.x.x.x 1 pw-class ISP
crypto map SDM_CMAP_1
!
interface Vlan1
ip address x.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security pclan
!
interface Vlan2
ip address x.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security web
!
no ip forward-protocol nd
ip route 255.255.255.0 Virtual-PPP1 permanent
no ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark HTTP Device Access
access-list 1 permit x.x.x.x 0.0.0.255
access-list 12 remark snmp
access-list 12 permit
access-list 100 remark IPSec Rule
access-list 100 permit ip 0.0.0.255 0.0.0.255
access-list 101 remark NAT-RULES
access-list 101 deny   ip 0.0.0.255 0.0.0.255
access-list 101 permit ip 0.0.0.255 any
access-list 101 permit ip 0.0.0.255 any
access-list 106 remark Device-VTY-Access
access-list 106 permit ip x.x.x.x 0.0.0.255 any
access-list 109 remark ACL_VPN_to_Self
access-list 109 permit udp host x.x.x.x any eq isakmp
access-list 110 remark ACL_Outside_to_Self
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp host x.x.x.x any eq ntp
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq 1701
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 110 permit udp x.x.x.x 0.0.0.255 any eq bootpc
access-list 112 remark ACL_PCLAN_to_web
access-list 112 permit tcp 0.0.0.255 0.0.0.255 eq 3389
access-list 113 remark ACL_PCLAN_to_VPN
access-list 113 permit tcp 0.0.0.255 0.0.0.255 eq 3389
access-list 114 remark ACL_PCLAN_to_OUTSIDE
access-list 114 permit udp 0.0.0.255 any eq isakmp
access-list 114 permit udp 0.0.0.255 any eq non500-isakmp

no cdp run
         
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
snmp-server community xyz RO 12
!
control-plane
!
!
line con 0
exec-timeout 5 0
password xxxxxx
no modem enable
transport output telnet
line aux 0
exec-timeout 0 1
password xxxxxxx
no exec
line vty 0 4
access-class 106 in
authorization exec local_author
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server x.x.x.x source Vlan1
ntp server x.x.x.x source Vlan1
end

-----------------------------------------------------------------------

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card