Allowing ipsec vpn pass-through ZBFW

mctozzy01 (Level 1)

I'm trying to get some clarity around what commands would be needed to allow an ipsec vpn client sitting behind a Cisco IOS zone-based firewall to make ipsec connections through to a vpn gateway out on the internet. This is the sort of thing that is enabled by default in most consumer-grade firewalls, albeit with little control or support for multiple clients.

Haven't come across a succinct discussion or example about this.

Assume IOS 15.1

Can this even be done on an inspect basis? 

 

Cheers,

MT

5 Replies

I have never tried doing this, but it should be possible. You would need to open for ports UDP 500 and UDP 4500. So you would basically need to match these ports in a class map and then have them inspected in the policy map, both inbound and outbound.

So it should look something like this:

access-list 101 permit udp any any eq 500
access-list 101 permit udp any any eq 4500
!
class-map type inspect match-all iMAP
 match protocol udp
 match access-group 101
!
policy-map type inspect POLICY
 class type inspect iMAP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect POLICY

--

Please remember to rate and select a correct answer


Thanks Marius I will give that a try, but there's one thing I'm not sure about. I'm not intending that tunnels could be initiated from outside, so don't see the point of the policy allowing inspect from outside to inside.

If indeed the router is doing stateful connections even with UDP (as it arguably should be doing), then reply packets should be allowed back in, provided that the port numbers agree.

But beyond that, I'm not sure how this works without some type of ALG intervention. As I understand it, the encapsulated traffic, once the SAs have been set up, uses the non-standard protocol number 50?

So I have a feeling there is a bit more to this?

 

You can use the following ACL to open for encryption as well.  But I do believe you will need to open in both directions 
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

Have a read through the following articles. One describes to-the-box VPN (the router being the VPN server), but the concept should be the same for allowing the VPN traffic through the router.

http://www.cisco.com/c/en/us/products/collateral/security/ios-firewall/prod_white_paper0900aecd8062a909.html

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html

--

Please remember to rate and select a correct answer


OK - accepting on face value that what you say works (subject to me trying it!).

However, it does seem that having these stateless inbound rules with permit "any any" is opening up quite a large hole in the wall. I don't really have a sense of how much of a risk that represents with my router exposed to the Internet.

I'm also not clear in my own mind how NAT comes into play yet, either for the key exchange or for the way the tunnel works.

 

If this is just a site to site VPN and both sites have static IPs then you could be more specific in the ZBF ACLs.  Depending on what type of VPN you are setting up, you might need to exempt traffic from being NATed. But if it is a type of remote access VPN, and you are sitting on the client side, then you don't need to do anything with NAT.

--

Please remember to rate and select a correct answer

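A tightened version of the configuration discussed in Marius's replies above, as an added example that is not from the thread or from Cisco's documentation: IKE and NAT-T are inspected statefully from INSIDE only (so no inbound "any any" UDP rule is needed), raw ESP/AH gets a stateless pass in each direction restricted to the one VPN gateway, and everything else drops. The inside subnet, gateway address, interface names and ACL/class names are hypothetical placeholders.

```cisco
! Added example, not from the thread. Hypothetical values: inside LAN
! 192.168.1.0/24, remote VPN gateway 203.0.113.10, Gi0/0 = LAN, Gi0/1 = WAN.
!
! IKE (UDP 500) and NAT-T (UDP 4500) are only ever initiated from inside,
! so stateful inspect on IN-TO-OUT is enough; replies ride the session.
ip access-list extended VPN-IKE-OUT
 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq isakmp
 permit udp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq non500-isakmp
!
! Raw ESP (IP proto 50) and AH (51) carry no ports, so they are passed
! statelessly and need a rule per direction. Only needed when the client
! address is not translated: behind NAT, IKE negotiates NAT-T and ESP is
! carried inside UDP 4500, which the inspected session above already covers.
ip access-list extended VPN-ESP-OUT
 permit esp 192.168.1.0 0.0.0.255 host 203.0.113.10
 permit ahp 192.168.1.0 0.0.0.255 host 203.0.113.10
ip access-list extended VPN-ESP-IN
 permit esp host 203.0.113.10 192.168.1.0 0.0.0.255
 permit ahp host 203.0.113.10 192.168.1.0 0.0.0.255
!
class-map type inspect match-any VPN-IKE
 match access-group name VPN-IKE-OUT
class-map type inspect match-any VPN-ESP-OUT
 match access-group name VPN-ESP-OUT
class-map type inspect match-any VPN-ESP-IN
 match access-group name VPN-ESP-IN
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect VPN-IKE
  inspect
 class type inspect VPN-ESP-OUT
  pass
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect VPN-ESP-IN
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

After a client connects, `show policy-map type inspect zone-pair sessions` should list the UDP 500/4500 session under IN-TO-OUT, and the `drop log` on each class-default shows what the policy is still rejecting.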