Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5652
Views
0
Helpful
0
Comments

AnyConnect on IOS with Zone-Based Firewall (ZBFW)

mulatif
Cisco Employee
Cisco Employee

on ‎07-24-2010 05:02 PM

Objective:

Configure AnyConnect VPN on IOS Router while using Zone-Based Firewall to apply security policies.

Requirements:

Below requirements have been made more specific to highlight the use of Zone-Based Firewall and might not be practical to use in Production environment.

  1. Allow HTTPS\AnyConnect, Telnet, ICMP access to the Router.
  2. Allow ICMP, Telnet, DNS and HTTP from AnyConnect Users to Internal LAN.
  3. Allow ICMP from Internal LAN to AnyConnect Users.
  4. Allow Internet Access (TCP, UDP, ICMP) from Internal LAN to Outside.
  5. Allow Internet Access (HTTP, ICMP) for AnyConnect Users (U-Turn) through the Router.

Prerequisites:

1. Enroll the Router with SSL Certificate by either using Self-Signed Certificate Or from a 3rd party CA. Additional information on this can be found at

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml

2. Routing and management access to the Router has already been configured.

Configuration:

** Only Relevant Configuration is shown **

! Define AAA Server

aaa group server radius acs5

server-private X.128.78.20 auth-port 1645 acct-port 1646 key cisco123

!

aaa authentication login sslvpn group acs5

ip access-list extended natacl

permit ip 10.0.0.0 0.255.255.255 any

ip nat inside source list natacl interface FastEthernet4 overload

ip local pool vpnpool 10.101.0.1 10.101.0.10

! SSL Config

webvpn gateway sslvpn

ip address X.129.77.134 port 443

ssl trustpoint <Name of TrustPoint as configured>

inservice

!

webvpn context context1

  !

policy group policy1

   functions svc-enabled

   svc address-pool "vpnpool"

   svc dns-server primary 10.102.1.10

!

virtual-template 10

default-group-policy policy1

aaa authentication list sslvpn

gateway sslvpn

inservice

interface Virtual-Template10

description For SSL VPN

ip unnumbered FastEthernet4

ip nat inside

ip virtual-reassembly

zone-member security sslvpn

interface Vlan1

description Internal LAN

ip address 10.102.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security inside

interface FastEthernet4

description WAN Link

ip address X.129.77.134 255.255.255.224

ip nat outside

ip virtual-reassembly

zone-member security outside

ip access-list extended allow-inbound1

permit tcp any any eq telnet

permit tcp any any eq 443

permit icmp any any

ip access-list extended allowed-from-sslvpn

permit icmp any any

permit tcp any any eq telnet

permit udp any any eq 53

permit tcp any any eq 80

ip access-list extended allowed-to-sslvpn

permit icmp any any

ip access-list extended match-all

permit ip any any

class-map type inspect match-any allowed-sslvpn-outside

match protocol icmp

match protocol http

class-map type inspect match-any allow-inbound1

match access-group name allow-inbound1

class-map type inspect match-any matchall

match access-group name match-all

class-map type inspect match-any allowed-to-sslvpn

match access-group name allowed-to-sslvpn

class-map type inspect match-any allowed-from-sslvpn

match access-group name allowed-from-sslvpn

class-map type inspect match-any allowed-inside-internet

match protocol icmp

match protocol tcp

match protocol udp

!

!

policy-map type inspect sslvpn-to-inside

class type inspect allowed-from-sslvpn

  inspect

class class-default

  drop

policy-map type inspect inside-to-sslvpn

class type inspect allowed-to-sslvpn

  inspect

class class-default

  drop

policy-map type inspect out-to-self

class type inspect allow-inbound1

  inspect

class class-default

  drop

policy-map type inspect self-to-out

class type inspect matchall

  inspect

policy-map type inspect sslvpn-to-outside

class type inspect allowed-sslvpn-outside

  inspect

class class-default

  drop

policy-map type inspect inside-to-outside

class type inspect allowed-inside-internet

  inspect

class class-default

  drop

!

zone security outside

zone security inside

zone security sslvpn

zone-pair security out-to-self source outside destination self

service-policy type inspect out-to-self

zone-pair security self-to-out source self destination outside

service-policy type inspect self-to-out

zone-pair security sslvpn-to-inside source sslvpn destination inside

service-policy type inspect sslvpn-to-inside

zone-pair security inside-to-sslvpn source inside destination sslvpn

service-policy type inspect inside-to-sslvpn

zone-pair security inside-to-outside source inside destination outside

service-policy type inspect inside-to-outside

zone-pair security sslvpn-to-outside source sslvpn destination outside

service-policy type inspect sslvpn-to-outside

Well Known Caveat

When using Anyconnect with ZBF beware of bug #CSCsr93965. In later versions of the code where this bug is supposed to be fixed, after connecting to the headend, remove the virtual template from the webvpn context and then re-apply it and it should start working.


Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents