08-29-2019 02:59 AM
Hi, and thanks in advance for helping out with any clues to resolve this issue...
I'm a little confused and puzzled about how to cover my tracks with regard to the Great Firewall of China when using VPN/Zone Based Firewall.
My goal is to be able to connect to Facebook/Messenger and home-country TV when in China, and TV when out of Europe, on my mobile devices (mobile phone, pads, laptops).
Before, using VPN without ZBF, there was no issue on a Router 1811, version 15.1!!
Now on a Router 2921/K9, version 15.2(1)T2 ES, with the same VPN config!! But with Zone Based Firewall.
My local TV supplier suddenly knows my location even though I'm using VPN.
My own thought is that the issue lies in the "class-map type inspect match-any CLASS-L4-IP".
This is because when I remove it, I can't connect via VPN, so some traffic goes through this class-map, and maybe this is where the TV supplier gets its info on my location abroad??
Hope you guys have some ideas, pointers or solutions to solve the issue.
ZBF (VPN)-related config
class-map type inspect match-any CLASS-L4-IP
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any CLASS_CRYPTO_IPSEC_PASS
match access-group name IPSEC_TRAFFIC
---------
ip access-list extended IPSEC_TRAFFIC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
---------
policy-map type inspect POLICY-(SELF-->INTERNET)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(INTERNET-->SELF)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
---------
zone-pair security SELF-TO-VPN-INTERNET source self destination INTERNET-ZONE
service-policy type inspect POLICY-(SELF-->INTERNET)
zone-pair security VPN-INTERNET-TO-SELF source INTERNET-ZONE destination self
service-policy type inspect POLICY-(INTERNET-->SELF)
VPN-related config
crypto isakmp policy 150
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group TRUSTED-VPN
key XXXXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE-VPN-TRUSTED
acl 101
crypto isakmp profile TRUSTED-VPN-PROFILE
match identity group TRUSTED-VPN
client authentication list userauthen
isakmp authorization list userauthen
client configuration address initiate
client configuration address respond
virtual-template 2
crypto ipsec transform-set TRUSTED-VPN-1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set TRUSTED-VPN-1
set isakmp-profile TRUSTED-VPN-PROFILE
interface Virtual-Template2 type tunnel
description Virtuel TRUSTED-VPN
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ-ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
access-list 101 permit ip xxx.xxx.xxx.96 0.0.0.31 any
08-29-2019 03:46 AM
Hello,
Please post the full configuration of your router. I can only see a SELF and a DMZ zone; where are the outside and the inside?
Typically your virtual template and outside interface would be in the same (outside) zone. It looks like your ZBF configuration is missing some essentials...
08-29-2019 04:22 AM - edited 08-29-2019 04:25 AM
Thanks again, George Pauwen.
Here is the complete config:
version 15.2
hostname R2911
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-3.M.bin
boot-end-marker
! card type command needed for slot/vwic-slot 0/2
no logging console
enable secret 5
aaa new-model
aaa authentication login userauthen local
aaa authorization network userauthen local
aaa session-id common
memory-size iomem 25
clock timezone CPH 2 0
clock summer-time CPH recurring 4 Sun Mar 2:00 4 Sun Oct 2:00
no ipv6 cef
no ip source-route
ip dhcp excluded-address 192.168.100.1 192.168.100.49
ip dhcp excluded-address 192.168.50.1 192.168.50.49
ip dhcp pool VLAN200
network 80.xxx.xxx.96 255.255.255.240
default-router 80.xxx.xxx.97
dns-server 208.67.222.222 208.67.220.220 8.8.8.8 4.4.4.4
ip dhcp pool VLAN100
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 208.67.222.222 208.67.220.220 8.8.8.8 4.4.4.4
ip dhcp pool VLAN50
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 208.67.222.222 208.67.220.220 8.8.8.8 4.4.4.4
ip dhcp pool REMOTE_VPN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 208.67.222.222 208.67.220.220 8.8.8.8 4.4.4.4
ip domain name xxxxxxxxxx
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 62.243.0.166
ip name-server 194.192.207.166
ip cef
ip cef accounting non-recursive
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-2506629599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2506629599
revocation-check none
rsakeypair TP-self-signed-2506629599
crypto pki certificate chain TP-self-signed-2506629599
certificate self-signed 01
3082022B ---->
quit
voice-card 0
license feature snasw
license udi pid CISCO2911/K9 sn xxxxxxxxxx
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
hw-module pvdm 0/0
hw-module pvdm 0/1
object-group network GROUP-DMZ-FILEMAKER
description IP-POOL for FILEMAKER server in DMZ
host xxx.xxx.xxx.99
object-group network GROUP-DMZ-MAIL
description IP-POOL for EMAIL-SERVERS in DMZ
host xxx.xxx.xxx.100
host xxx.xxx.xxx.115
object-group network GROUP-DMZ-WEBSERVER
description IP-POOL for FILE-WWW-FTP SERVER in DMZ
host xxx.xxx.xxx.101
host xxx.xxx.xxx.102
host xxx.xxx.xxx.103
host xxx.xxx.xxx.104
host xxx.xxx.xxx.105
username xxxxxxxxxxxxxxx
redundancy
ip ssh time-out 60
ip ssh version 2
class-map type inspect match-any CLASS-INTERNET-TRAFFIC
match protocol http
match protocol https
match protocol dns
match protocol icmp
class-map type inspect match-any CLASS-FTP
match protocol ftp
match protocol ftps
class-map type inspect match-any CLASS-SSH
match protocol ssh
class-map type inspect match-any CLASS-L4-IP
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any CLASS-IMAP-SMTP
match protocol dns
match access-group name EIMS-MAILSERVER
match access-group name EIMS-MAILSERVER-ADMIN
class-map type inspect match-any CLASS_CRYPTO_IPSEC_PASS
match access-group name IPSEC_TRAFFIC
class-map type inspect match-any CLASS-APPLE-AFP
match access-group name APPLE-FILE-SHARING
class-map type inspect match-all CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
match access-group name INTERNET-->DMZ-EMAIL
match access-group name EIMS-MAILSERVER
class-map type inspect match-all CLASS-FILE-SERVER-(IP-RANGE-GROUP)
match access-group name INTERNET-->DMZ-WEBSERVER
match class-map CLASS-INTERNET-TRAFFIC
class-map type inspect match-any CLASS-APPLE-REMOTE-DESKTOP
match access-group name APPLE-REMOTE-DESKTOP
policy-map type inspect POLICY-(PRIVATE-->DMZ)
class type inspect CLASS-FTP
inspect
class type inspect CLASS-SSH
inspect
class type inspect CLASS-APPLE-REMOTE-DESKTOP
inspect
class type inspect CLASS-APPLE-AFP
inspect
class type inspect CLASS-INTERNET-TRAFFIC
inspect
class type inspect CLASS-IMAP-SMTP
inspect
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(SELF-->INTERNET)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(INTERNET-->SELF)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(PRIVATE-->INTERNET)
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(INTERNET-->DMZ)
class type inspect CLASS-FILE-SERVER-(IP-RANGE-GROUP)
inspect
class type inspect CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
inspect
class class-default
drop log
policy-map type inspect POLICY-(DMZ-->INTERNET)
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
zone security PRIVATE-ZONE
zone security INTERNET-ZONE
zone security DMZ-ZONE
zone-pair security PRIVATE-TO-DMZ source PRIVATE-ZONE destination DMZ-ZONE
service-policy type inspect POLICY-(PRIVATE-->DMZ)
zone-pair security PRIVATE-TO-INTERNET source PRIVATE-ZONE destination INTERNET-ZONE
service-policy type inspect POLICY-(PRIVATE-->INTERNET)
zone-pair security INTERNET-TO-DMZ source INTERNET-ZONE destination DMZ-ZONE
service-policy type inspect POLICY-(INTERNET-->DMZ)
zone-pair security DMZ-TO-INTERNET source DMZ-ZONE destination INTERNET-ZONE
service-policy type inspect POLICY-(DMZ-->INTERNET)
zone-pair security SELF-TO-VPN-INTERNET source self destination INTERNET-ZONE
service-policy type inspect POLICY-(SELF-->INTERNET)
zone-pair security VPN-INTERNET-TO-SELF source INTERNET-ZONE destination self
service-policy type inspect POLICY-(INTERNET-->SELF)
crypto isakmp policy 150
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group SAS-VPN
key XXXXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE-VPN-UNTRUSTED
acl 102
crypto isakmp client configuration group TRUSTED-VPN
key XXXXXX
dns 208.67.222.222 208.67.220.220
pool REMOTE-VPN-TRUSTED
acl 101
crypto isakmp profile SAS-VPN-PROFILE
match identity group SAS-VPN
client authentication list userauthen
isakmp authorization list userauthen
client configuration address initiate
client configuration address respond
virtual-template 1
crypto isakmp profile TRUSTED-VPN-PROFILE
match identity group TRUSTED-VPN
client authentication list userauthen
isakmp authorization list userauthen
client configuration address initiate
client configuration address respond
virtual-template 2
crypto ipsec transform-set SAS-VPN-1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TRUSTED-VPN-1 esp-aes 256 esp-sha-hmac
crypto ipsec profile SAS-VPN-VTUNNEL-PROFILE
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set SAS-VPN-1
set isakmp-profile SAS-VPN-PROFILE
crypto ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
set security-association lifetime kilobytes disable
set security-association lifetime seconds 28800
set transform-set TRUSTED-VPN-1
set isakmp-profile TRUSTED-VPN-PROFILE
interface Loopback0
ip address 10.108.1.1 255.255.255.0
interface Embedded-Service-Engine0/0
no ip address
interface GigabitEthernet0/0
description ISP WAN (Wide Area Network)
ip address xxx.xxx.xxx.190 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET-ZONE
duplex auto
speed auto
interface GigabitEthernet0/1
description LAN (Local Area Network)
ip address pool VLAN100
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN (Local Area Network)
ip address pool VLAN50
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
interface Serial0/0/0
no ip address
interface FastEthernet0/1/0
switchport access vlan 200
no ip address
interface FastEthernet0/1/1
switchport access vlan 200
no ip address
interface FastEthernet0/1/2
switchport access vlan 200
no ip address
interface FastEthernet0/1/3
switchport access vlan 200
no ip address
interface Virtual-Template1 type tunnel
description Virtuel VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security INTERNET-ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SAS-VPN-VTUNNEL-PROFILE
interface Virtual-Template2 type tunnel
description Virtuel TRUSTED-VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ-ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
interface Vlan1
no ip address
interface Vlan50
description GUEST NETWORK DHCP POOL
no ip address
ip nat inside
ip virtual-reassembly in
interface Vlan100
description INTERNAL NETWORK DHCP POOL
ip address dhcp
ip nat inside
ip virtual-reassembly in
interface Vlan200
description HWIC-4ESW_LAN - SERVER PARK
ip address xxx.xxx.xxx.97 255.255.255.224
ip nat inside
ip virtual-reassembly in
zone-member security DMZ-ZONE
router eigrp 100
network 10.0.0.0
network 80.0.0.0
network 87.0.0.0
network 192.168.0.0
router ospf 123
network 10.0.0.0 0.255.255.255 area 0
network 80.0.0.0 0.255.255.255 area 0
network 87.0.0.0 0.255.255.255 area 0
network 192.0.0.0 0.255.255.255 area 0
ip local pool REMOTE-VPN-UNTRUSTED 10.10.10.50 10.10.10.100
ip local pool REMOTE-VPN-TRUSTED xxx.xxx.xxx.120 xxx.xxx.xxx.126
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 87.63.227.189
ip access-list extended APPLE-FILE-SHARING
permit tcp any any eq 427
permit tcp any any eq 548
ip access-list extended APPLE-REMOTE-DESKTOP
permit tcp any any eq 22
permit udp any any eq 3283
permit tcp any any eq 5900
permit udp any any eq 5900
permit tcp any any eq 3283
ip access-list extended EIMS-MAILSERVER
permit tcp any any eq 587
permit tcp any any eq smtp
permit tcp any any eq 143
ip access-list extended EIMS-MAILSERVER-ADMIN
permit tcp any any eq 4199
ip access-list extended INTERNET-->DMZ-EMAIL
permit ip any object-group GROUP-DMZ-MAIL
ip access-list extended INTERNET-->DMZ-FILEMAKER
permit ip any object-group GROUP-DMZ-FILEMAKER
ip access-list extended INTERNET-->DMZ-WEBSERVER
permit ip any object-group GROUP-DMZ-WEBSERVER
ip access-list extended IPSEC_TRAFFIC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
ip access-list extended SSH_ACCESS_CONTROL
permit udp 192.168.100.0 0.0.0.255 any eq 22
permit tcp 192.168.100.0 0.0.0.255 any eq 22
permit udp 192.168.50.0 0.0.0.255 any eq 22
permit tcp 192.168.50.0 0.0.0.255 any eq 22
permit udp xxx.xxx.xxx.96 0.0.0.31 any eq 22
permit tcp xxx.xxx.xxx.96 0.0.0.31 any eq 22
deny udp any any eq 22
deny tcp any any eq 22
permit ip any any
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 80.165.151.96 0.0.0.31 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 remark ## FILEMAKER SERVER ##
access-list 105 permit ip any host xxx.xxx.xxx.99
no cdp run
control-plane
mgcp profile default
gatekeeper
shutdown
telephony-service
max-ephones 10
max-conferences 8 gain -6
transfer-system full-consult
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
session-timeout 30
transport input ssh
line vty 5 15
session-timeout 30
transport input ssh
scheduler allocate 20000 1000
end
R2911#
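To see at a glance which directions the zone-based firewall above actually covers, here is a small coverage audit added for this thread (it is not code from the posts above or from Cisco). It parses only the zone, zone-pair and zone-member lines of an IOS config, run here against a constructed excerpt of the original poster's config, and lists the directions that IOS drops by default (no zone-pair between two zones), leaves unrestricted by default (no zone-pair to or from the router's self zone), or drops because a zone-pair has no service-policy.

```python
import re

# Constructed excerpt of the original poster's ZBF config (zones, zone-pairs and
# interface memberships only), used here as sample input for the audit.
SAMPLE_CONFIG = """
zone security PRIVATE-ZONE
zone security INTERNET-ZONE
zone security DMZ-ZONE
zone-pair security PRIVATE-TO-DMZ source PRIVATE-ZONE destination DMZ-ZONE
 service-policy type inspect POLICY-(PRIVATE-->DMZ)
zone-pair security PRIVATE-TO-INTERNET source PRIVATE-ZONE destination INTERNET-ZONE
 service-policy type inspect POLICY-(PRIVATE-->INTERNET)
zone-pair security INTERNET-TO-DMZ source INTERNET-ZONE destination DMZ-ZONE
 service-policy type inspect POLICY-(INTERNET-->DMZ)
zone-pair security DMZ-TO-INTERNET source DMZ-ZONE destination INTERNET-ZONE
 service-policy type inspect POLICY-(DMZ-->INTERNET)
zone-pair security SELF-TO-VPN-INTERNET source self destination INTERNET-ZONE
 service-policy type inspect POLICY-(SELF-->INTERNET)
zone-pair security VPN-INTERNET-TO-SELF source INTERNET-ZONE destination self
 service-policy type inspect POLICY-(INTERNET-->SELF)
interface GigabitEthernet0/0
 zone-member security INTERNET-ZONE
interface GigabitEthernet0/1
 zone-member security PRIVATE-ZONE
interface Virtual-Template2 type tunnel
 zone-member security DMZ-ZONE
"""

def parse_zbf(config):
    """Collect declared zones, zone-pair -> policy (None if absent), interface -> zone."""
    zones, pairs, members, ctx = set(), {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            ctx = ("pair", (m[1], m[2]))
            pairs[ctx[1]] = None          # no service-policy seen yet
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("iface", m[1])
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and ctx and ctx[0] == "pair":
            pairs[ctx[1]] = m[1]
        elif (m := re.match(r"zone-member security (\S+)", line)) and ctx and ctx[0] == "iface":
            members[ctx[1]] = m[1]
    return zones, pairs, members

def audit_zbf(config):
    """IOS defaults: traffic between two zones with no zone-pair is dropped; traffic
    to or from the router's self zone with no zone-pair is permitted; a zone-pair
    with no service-policy drops everything. Returns the gaps as a list of strings."""
    zones, pairs, members = parse_zbf(config)
    findings = [f"UNDEFINED-ZONE {i} is in {z}, which is never declared"
                for i, z in sorted(members.items()) if z not in zones]
    findings += [f"DROPPED {s} -> {d}: no zone-pair, traffic is dropped by default"
                 for s in sorted(zones) for d in sorted(zones) if s != d and (s, d) not in pairs]
    findings += [f"UNRESTRICTED {s} -> {d}: no zone-pair, traffic to/from the router is allowed"
                 for z in sorted(zones) for s, d in ((z, "self"), ("self", z)) if (s, d) not in pairs]
    findings += [f"NO-POLICY {s} -> {d}: zone-pair without service-policy drops everything"
                 for (s, d), p in sorted(pairs.items()) if p is None]
    return findings
```

On this excerpt the audit reports that DMZ-ZONE -> PRIVATE-ZONE and INTERNET-ZONE -> PRIVATE-ZONE have no zone-pair (so a VPN client on Virtual-Template2, which sits in DMZ-ZONE, cannot reach the private LAN), and that the router itself is reachable unrestricted from PRIVATE-ZONE and DMZ-ZONE because only the self <-> INTERNET-ZONE pairs carry a policy.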
08-29-2019 12:37 PM
Hello,
I'll test this in a lab first and get back with you...
08-30-2019 12:39 PM
Hello,
Below is what I have come up with. I have greatly simplified the configuration and allowed access for everything from all zones; you might want to start out with that to see if the ZBF works, and then add relevant restrictions.
class-map type inspect match-any CLASS_ALL
match protocol http
match protocol https
match protocol dns
match protocol icmp
match protocol ftp
match protocol ftps
match protocol tcp
match protocol udp
!
class-map type inspect match-all CLASS_IPSEC
match access-group name ISAKMP_IPSEC
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
!
policy-map type inspect VPN_TO_INSIDE
class type inspect CLASS_ALL
inspect
class class-default
drop
!
policy-map type inspect INSIDE_TO_VPN
class type inspect CLASS_ALL
inspect
class class-default
drop
!
policy-map type inspect OUTSIDE_TO_SELF
class type inspect CLASS_IPSEC
inspect
class class-default
drop
!
policy-map type inspect SELF_TO_OUTSIDE
class type inspect CLASS_ALL
inspect
class class-default
drop
!
policy-map type inspect VPN_TO_OUTSIDE
class type inspect CLASS_ALL
inspect
class class-default
drop
!
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect CLASS_ALL
inspect
class class-default
drop
!
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE_TO_SELF
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF_TO_OUTSIDE
zone-pair security VPN_TO_INSIDE source VPN destination INSIDE
service-policy type inspect VPN_TO_INSIDE
zone-pair security INSIDE_TO_VPN source INSIDE destination VPN
service-policy type inspect INSIDE_TO_VPN
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
zone-pair security VPN_TO_OUTSIDE source VPN destination OUTSIDE
service-policy type inspect VPN_TO_OUTSIDE
!
interface GigabitEthernet0/0
description ISP WAN (Wide Area Network)
ip address xxx.xxx.xxx.190 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description LAN (Local Area Network)
ip address pool VLAN100
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN (Local Area Network)
ip address pool VLAN50
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description Virtuel VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security VPN
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SAS-VPN-VTUNNEL-PROFILE
!
interface Virtual-Template2 type tunnel
description Virtuel TRUSTED-VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security VPN
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
!
ip local pool REMOTE-VPN-UNTRUSTED 10.10.10.50 10.10.10.100
ip local pool REMOTE-VPN-TRUSTED xxx.xxx.xxx.120 xxx.xxx.xxx.126
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip route 0.0.0.0 0.0.0.0 87.63.227.189
!
access-list 1 permit --> all internal networks as well as both local pools
!
ip access-list extended ISAKMP_IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
09-01-2019 11:13 AM
09-01-2019 01:21 PM
Curious to know if that actually solves the problem you originally had...
09-06-2019 05:20 AM