04-06-2014 11:23 PM - edited 03-11-2019 09:02 PM
I'm trying to get some clarity around what commands would be needed to allow an ipsec vpn client sitting behind a Cisco IOS zone-based firewall to make ipsec connections through to a vpn gateway out on the internet. This is the sort of thing that is enabled by default in most consumer-grade firewalls, albeit with little control or support for multiple clients.
Haven't come across a succinct discussion or example about this.
Assume IOS 15.1
Can this even be done on an inspect basis?
Cheers,
MT
04-07-2014 12:24 AM
I have never tried doing this, but it should be possible. You would need to open ports UDP 500 and UDP 4500, so you would basically need to match these ports in a class map and then have them inspected in the policy map both inbound and outbound.
So it should look something like this:
! ISAKMP (UDP/500) and NAT-T (UDP/4500)
access-list 101 permit udp any any eq 500
access-list 101 permit udp any any eq 4500
!
! Both conditions must match: UDP and one of the ports above
class-map type inspect match-all iMAP
 match protocol udp
 match access-group 101
!
! Inside a "policy-map type inspect" a user class is referenced as "class type inspect NAME"
policy-map type inspect POLICY
 class type inspect iMAP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect POLICY
--
Please remember to rate and select a correct answer
04-07-2014 12:42 AM
Thanks Marius, I will give that a try, but there's one thing I'm not sure about. I'm not intending that tunnels could be initiated from outside, so I don't see the point of the policy allowing inspect from outside to inside.
If indeed the router is doing stateful connections even with UDP (as it arguably should be doing), then reply packets should be allowed back in, provided that the port numbers agree.
But beyond that, I'm not sure how this works without some type of ALG intervention. As I understand it, the encapsulated traffic, once the SAs have been set up, uses non-standard protocol number 50?
So I have a feeling there is a bit more to this?
04-07-2014 12:58 AM
You can use the following ACL to open for encryption as well. But I do believe you will need to open in both directions:

ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
Have a read through the following articles. One describes to-the-box VPN, i.e. the router being the VPN server. But the concept should be the same for allowing the VPN traffic through the router.
http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/prod_white_paper0900aecd8062a909.html
http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html
--
Please remember to rate and select a correct answer
04-07-2014 01:13 AM
OK, accepting at face value that what you say works (subject to me trying it!).
However, it does seem that having these stateless inbound rules with permit "any any" is opening up quite a large hole in the wall. I don't really have a sense of how much of a risk that represents with my router exposed to the Internet.
I'm also not clear in my own mind how NAT comes into play yet, either for the key exchange or for the way the tunnel works.
04-07-2014 01:19 AM
If this is just a site to site VPN and both sites have static IPs then you could be more specific in the ZBF ACLs. Depending on what type of VPN you are setting up, you might need to exempt traffic from being NATed. But if it is a type of remote access VPN, and you are sitting on the client side, then you don't need to do anything with NAT.
--
Please remember to rate and select a correct answer
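The pieces discussed across the replies above (stateful inspection of IKE and NAT-T, a stateless pass for ESP/AH in both directions, a tighter ACL than "any any", and PAT on the client side) pulled together into one IOS 15.x ZBF configuration. This is an added example, not a config posted in the thread or taken from the Cisco documents linked above. The interface names, the 192.168.1.0/24 LAN, and the VPN gateway address 203.0.113.10 are assumptions for illustration.

```cisco
! Added example (not from the thread). IOS 15.x zone-based firewall letting an
! IPsec client on the LAN reach one VPN gateway on the Internet.
! ASSUMED values: Gi0/0 = LAN 192.168.1.0/24, Gi0/1 = WAN, gateway 203.0.113.10.
!
! 1. IKE (UDP/500) and NAT-T (UDP/4500) are stateful UDP sessions. Inspecting
!    them inside->outside is enough; replies are matched by the session table,
!    so no outside->inside rule is needed for them.
ip access-list extended IKE-NATT
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
!
class-map type inspect match-all CM-IKE
 match protocol udp
 match access-group name IKE-NATT
!
! 2. ESP (IP protocol 50) and AH (51) have no ports, so the firewall cannot
!    build a session for them. They are "pass"ed statelessly, and therefore
!    need a rule in each direction. Scoping both rules to the one gateway
!    address keeps the hole limited to that peer rather than "any any".
ip access-list extended ESP-AH-OUT
 permit esp any host 203.0.113.10
 permit ahp any host 203.0.113.10
ip access-list extended ESP-AH-IN
 permit esp host 203.0.113.10 any
 permit ahp host 203.0.113.10 any
!
class-map type inspect match-any CM-ESP-AH-OUT
 match access-group name ESP-AH-OUT
class-map type inspect match-any CM-ESP-AH-IN
 match access-group name ESP-AH-IN
!
! 3. Ordinary outbound traffic (web, DNS, ping) for the rest of the LAN.
class-map type inspect match-any CM-GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-IKE
  inspect
 class type inspect CM-ESP-AH-OUT
  pass
 class type inspect CM-GENERAL
  inspect
 class class-default
  drop
!
! Outside->inside: nothing is inspected (no tunnels initiated from outside);
! only the stateless ESP/AH return path from the known gateway is passed.
policy-map type inspect PM-OUT-IN
 class type inspect CM-ESP-AH-IN
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN (assumed)
 ip address dhcp
 ip nat outside
 zone-member security OUTSIDE
!
! 4. PAT for the LAN. Nothing VPN-specific is needed on the client side: the
!    client detects the NAT during IKE and floats to NAT-T (UDP/4500), so ESP
!    then travels inside UDP and is covered by the stateful CM-IKE session.
!    The stateless ESP/AH pass rules above only matter for a peer that does
!    not support NAT-T.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
```

To check what the box is actually doing, `show policy-map type inspect zone-pair sessions` lists the inspected IKE/NAT-T sessions, and `show policy-map type inspect zone-pair` shows packet counters on the pass classes; if the ESP counters stay at zero while the tunnel works, the client has negotiated NAT-T and the pass rules can be removed entirely.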