Objective:
Configure AnyConnect VPN on an IOS router while using the Zone-Based Firewall to apply security policies to the VPN, LAN and WAN traffic.
Requirements:
The requirements below have been made deliberately specific to highlight the use of the Zone-Based Firewall and might not be practical in a production environment.
- Allow HTTPS/AnyConnect, Telnet and ICMP access to the Router.
- Allow ICMP, Telnet, DNS and HTTP from AnyConnect Users to Internal LAN.
- Allow ICMP from Internal LAN to AnyConnect Users.
- Allow Internet Access (TCP, UDP, ICMP) from Internal LAN to Outside.
- Allow Internet Access (HTTP, ICMP) for AnyConnect Users (U-Turn) through the Router.
Prerequisites:
1. Enroll the Router with an SSL certificate, either a self-signed certificate or one issued by a third-party CA. Additional information on this can be found at
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml
2. Routing and management access to the Router have already been configured.
Configuration:
** Only the relevant configuration is shown **
! Define the AAA server (RADIUS) and the login method list used by the SSL VPN
aaa group server radius acs5
 server-private X.128.78.20 auth-port 1645 acct-port 1646 key cisco123
!
aaa authentication login sslvpn group acs5
!
! PAT for the internal LAN and the VPN pool (both fall inside 10.0.0.0/8) out of the WAN interface
ip access-list extended natacl
 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list natacl interface FastEthernet4 overload
!
! Address pool assigned to AnyConnect clients
ip local pool vpnpool 10.101.0.1 10.101.0.10
!
! SSL VPN gateway and context
webvpn gateway sslvpn
 ip address X.129.77.134 port 443
 ssl trustpoint <Name of TrustPoint as configured>
 inservice
!
webvpn context context1
 !
 policy group policy1
   functions svc-enabled
   svc address-pool "vpnpool"
   svc dns-server primary 10.102.1.10
 !
 virtual-template 10
 default-group-policy policy1
 aaa authentication list sslvpn
 gateway sslvpn
 inservice
!
! Security zones; they must exist before an interface can be made a member of them
zone security outside
zone security inside
zone security sslvpn
!
! Interfaces: each is placed in a security zone; Virtual-Template10 carries the AnyConnect sessions
interface Virtual-Template10
 description For SSL VPN
 ip unnumbered FastEthernet4
 ip nat inside
 ip virtual-reassembly
 zone-member security sslvpn
!
interface Vlan1
 description Internal LAN
 ip address 10.102.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security inside
!
interface FastEthernet4
 description WAN Link
 ip address X.129.77.134 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 zone-member security outside
!
! ACLs referenced by the inspect class-maps
ip access-list extended allow-inbound1
 permit tcp any any eq telnet
 permit tcp any any eq 443
 permit icmp any any
ip access-list extended allowed-from-sslvpn
 permit icmp any any
 permit tcp any any eq telnet
 permit udp any any eq 53
 permit tcp any any eq 80
ip access-list extended allowed-to-sslvpn
 permit icmp any any
ip access-list extended match-all
 permit ip any any
!
! Inspect class-maps (match-any: one matching criterion is enough)
class-map type inspect match-any allowed-sslvpn-outside
 match protocol icmp
 match protocol http
class-map type inspect match-any allow-inbound1
 match access-group name allow-inbound1
class-map type inspect match-any matchall
 match access-group name match-all
class-map type inspect match-any allowed-to-sslvpn
 match access-group name allowed-to-sslvpn
class-map type inspect match-any allowed-from-sslvpn
 match access-group name allowed-from-sslvpn
class-map type inspect match-any allowed-inside-internet
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Inspect policy-maps: the first matching class decides; class-default drops everything else
policy-map type inspect sslvpn-to-inside
 class type inspect allowed-from-sslvpn
  inspect
 class class-default
  drop
policy-map type inspect inside-to-sslvpn
 class type inspect allowed-to-sslvpn
  inspect
 class class-default
  drop
policy-map type inspect out-to-self
 class type inspect allow-inbound1
  inspect
 class class-default
  drop
policy-map type inspect self-to-out
 class type inspect matchall
  inspect
policy-map type inspect sslvpn-to-outside
 class type inspect allowed-sslvpn-outside
  inspect
 class class-default
  drop
policy-map type inspect inside-to-outside
 class type inspect allowed-inside-internet
  inspect
 class class-default
  drop
!
! Zone-pairs: traffic between two zones that have no zone-pair is dropped (the self zone is the exception)
zone-pair security out-to-self source outside destination self
 service-policy type inspect out-to-self
zone-pair security self-to-out source self destination outside
 service-policy type inspect self-to-out
zone-pair security sslvpn-to-inside source sslvpn destination inside
 service-policy type inspect sslvpn-to-inside
zone-pair security inside-to-sslvpn source inside destination sslvpn
 service-policy type inspect inside-to-sslvpn
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside
zone-pair security sslvpn-to-outside source sslvpn destination outside
 service-policy type inspect sslvpn-to-outside
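The configuration above does not say in words how the ACLs, class-maps, policy-maps and zone-pairs combine into a per-flow decision. The following Python script is an added model written for this page (not Cisco code and not part of the original configuration): it parses a copy of the page's ZBF lines for the three zone-pairs that involve the sslvpn zone and walks them the way the inspect engine does, so each requirement can be checked against the policy that implements it. It models the initiating packet only; return traffic of inspected sessions is allowed by inspection state, which is not represented. The embedded configuration copy and the flows in unmet_requirements() are constructed from the page's requirement list.

```python
# Added model (not Cisco code) of how the Zone-Based Firewall policy on this page decides a flow.
# It parses a copy of the page's ACL, class-map, policy-map and zone-pair lines and walks them the
# way the ZBF engine does (initiating direction only). 'match protocol http' is treated as tcp/80.

# Constructed input: the page's ZBF lines for the three zone-pairs that involve the sslvpn zone.
ZBF_CONFIG = """
ip access-list extended allowed-from-sslvpn
 permit icmp any any
 permit tcp any any eq telnet
 permit udp any any eq 53
 permit tcp any any eq 80
ip access-list extended allowed-to-sslvpn
 permit icmp any any
class-map type inspect match-any allowed-sslvpn-outside
 match protocol icmp
 match protocol http
class-map type inspect match-any allowed-to-sslvpn
 match access-group name allowed-to-sslvpn
class-map type inspect match-any allowed-from-sslvpn
 match access-group name allowed-from-sslvpn
policy-map type inspect sslvpn-to-inside
 class type inspect allowed-from-sslvpn
  inspect
 class class-default
  drop
policy-map type inspect inside-to-sslvpn
 class type inspect allowed-to-sslvpn
  inspect
 class class-default
  drop
policy-map type inspect sslvpn-to-outside
 class type inspect allowed-sslvpn-outside
  inspect
 class class-default
  drop
zone-pair security sslvpn-to-inside source sslvpn destination inside
 service-policy type inspect sslvpn-to-inside
zone-pair security inside-to-sslvpn source inside destination sslvpn
 service-policy type inspect inside-to-sslvpn
zone-pair security sslvpn-to-outside source sslvpn destination outside
 service-policy type inspect sslvpn-to-outside
"""

PORTS = {"telnet": 23}                      # ACL port name used on the page; numeric ports are taken as-is

def parse(text):
    """Collect ACL entries, class-map criteria, policy-map classes and zone-pairs by name."""
    acls, cmaps, pmaps, pairs, cur = {}, {}, {}, {}, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(w[3], [])
        elif w[0] in ("class-map", "policy-map"):      # ... type inspect [match-any] NAME
            cur = (cmaps if w[0] == "class-map" else pmaps).setdefault(w[-1], [])
        elif w[0] == "zone-pair":               # zone-pair security NAME source S destination D
            cur = pairs.setdefault((w[4], w[6]), [])
        elif w[0] == "class":                   # class type inspect NAME  |  class class-default
            cur.append([w[-1], "drop"])         # the action is set by the following line
        elif w[0] in ("inspect", "pass", "drop"):
            cur[-1][1] = w[0]
        else:                                   # permit ..., match ..., service-policy ...
            cur.append(w)
    return acls, cmaps, pmaps, pairs

def acl_permits(entries, proto, dport):
    """First matching ACE decides; no match is the implicit deny."""
    for e in entries:                           # e.g. ['permit', 'tcp', 'any', 'any', 'eq', 'telnet']
        if e[1] in ("ip", proto):
            port = int(PORTS.get(e[5], e[5])) if "eq" in e else None
            if port in (None, dport):
                return e[0] == "permit"
    return False

def class_matches(cfg, name, proto, dport):
    """match-any class-map: one matching criterion is enough."""
    for m in cfg[1][name]:                      # e.g. ['match', 'protocol', 'icmp']
        if m[1] == "protocol":
            p, port = ("tcp", 80) if m[2] == "http" else (m[2], None)
            if p == proto and port in (None, dport):
                return True
        elif m[1] == "access-group" and acl_permits(cfg[0][m[3]], proto, dport):
            return True
    return False

def decide(cfg, src, dst, proto, dport=None):
    """Action ZBF applies to a flow initiated from zone src to zone dst: inspect, pass or drop."""
    if (src, dst) not in cfg[3]:                # no zone-pair: the self zone is open by default, others drop
        return "pass" if "self" in (src, dst) else "drop"
    policy = cfg[3][(src, dst)][0][-1]          # NAME from 'service-policy type inspect NAME'
    for cname, action in cfg[2][policy]:        # classes are tried in configured order
        if cname == "class-default" or class_matches(cfg, cname, proto, dport):
            return action
    return "drop"                               # implicit class-default of an inspect policy-map

def unmet_requirements(cfg=None):
    """Constructed flows (src, dst, proto, dport) from the requirement list that the policy does not inspect."""
    cfg = parse(ZBF_CONFIG) if cfg is None else cfg
    required = [("sslvpn", "inside", "icmp", None), ("sslvpn", "inside", "tcp", 23), ("sslvpn", "inside", "udp", 53),
                ("sslvpn", "inside", "tcp", 80), ("inside", "sslvpn", "icmp", None), ("sslvpn", "outside", "tcp", 80)]
    return [flow for flow in required if decide(cfg, *flow) != "inspect"]
```

unmet_requirements() returns an empty list for the embedded copy, and decide() answers the questions the requirement list leaves implicit: an HTTPS connection from a VPN user to the LAN falls through to class-default and is dropped, a Telnet session from the LAN towards a VPN user is dropped because inside-to-sslvpn only permits ICMP, and a flow from outside to inside is dropped without any policy because no zone-pair exists between those zones. The self-zone branch is the one to watch: without the out-to-self zone-pair from the full configuration, the router itself would be reachable on every port by default.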
Well Known Caveat:
When using AnyConnect with ZBF, beware of bug CSCsr93965. Even on later code versions where this bug is supposed to be fixed, after connecting to the headend you may need to remove the virtual template from the webvpn context and then re-apply it, after which it should start working.