Zone Based Firewall for IPSec - Virtual-Template1 - ASR1000

kasunrajapakse
Level 1

Hi Guys, 

I'm configuring a zone based firewall on my ASR1000.
My requirement is to block all the incoming traffic towards my router except IPSec traffic. Only remote IPsec peers can establish an IPSec with my ASR1000. Rest of the traffic should be blocked. 
Any IPSEC traffic coming from the UNTRUST zone (via the Internet) should reach the ASR and go according to the Zone-Pairs. 

However, this doesn't seem to be working. Any help is highly appreciated.

 

class-map type inspect match-any L4-ipsec-class
match access-group name IPSECtraffic

 

ip access-list extended IPSECtraffic
permit esp any any
permit udp any any eq isakmp
permit ahp any any
permit udp any any eq non500-isakmp

#

class-map type inspect match-any L4-ip-class
match protocol icmp
match protocol tcp
match protocol udp
#

policy-map type inspect ALLOW-ALL
class type inspect L4-ipsec-class
pass
class type inspect L4-ip-class
inspect
class class-default
drop

==

interface Virtual-Template1 type tunnel
vrf forwarding Inside-VRF
ip unnumbered Loopback0
zone-member security IPSEC
no logging event link-status
no snmp trap link-status
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile btopcpe_vti
end

 

interface Loopback0
vrf forwarding FVRF
ip address 300.300.300.300 255.255.255.255
end

 

zone-pair security IPSEC_to_UNTRUST source IPSEC destination UNTRUST
service-policy type inspect ALLOW-ALL

 

zone-pair security UNTRUST_to_IPSEC source UNTRUST destination IPSEC
service-policy type inspect ALLOW-ALL

 

zone-pair security UNTRUST_to_default source UNTRUST destination default
service-policy type inspect ALLOW-ALL

 

zone-pair security default_to_UNTRUST source default destination UNTRUST
service-policy type inspect ALLOW-ALL


==========

interface TenGigabitEthernet0/0/0
description Internet Link
vrf forwarding FVRF
ip address 400.400.400.400 255.255.255.254
ip nat outside
zone-member security UNTRUST
end

11 Replies

@kasunrajapakse 

For the IPSec terminating on the untrust interface you'd use the "self" zone, not default.

 

zone-pair security UNTRUST_to_default source UNTRUST destination self

zone-pair security default_to_UNTRUST source self destination UNTRUST

 

kasunrajapakse
Level 1

Hello @Rob Ingram 
Thank you for the feedback. 
But it doesn't allow me to allocate the Virtual-Template1 in "zone-member security self"

ASR(config-if)#interface Virtual-Template1
ASR(config-if)#zone-member security self
% self zone is system defined. Interface attachment/detachment not allowed
ASR(config-if)#


interface Virtual-Template1 type tunnel
vrf forwarding Inside-VRF
ip unnumbered Loopback0
zone-member security IPSEC  <<<<<<<<<<<<<<<<< This is the current Zone for the Virtual-Template1
no logging event link-status
no snmp trap link-status
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile btopcpe_vti
end

Any idea??

That's not what I said. You need to modify the zone-pair as in the example I provided.

 

kasunrajapakse
Level 1

Hi @Rob Ingram 

Thank you. I have done the following. No joy.
Am I missing something here?

zone-pair security UNTRUST_to_self source UNTRUST destination self
service-policy type inspect ALLOW-ALL

 

zone-pair security self_to_UNTRUST source self destination UNTRUST
service-policy type inspect ALLOW-ALL

kasunrajapakse
Level 1

I have configured the following zone-pairs, hoping at least one of them would allow the IPSec traffic in.
Still no luck.

zone-pair security IPSEC_to_UNTRUST source IPSEC destination UNTRUST
service-policy type inspect ALLOW-ALL

 

zone-pair security UNTRUST_to_IPSEC source UNTRUST destination IPSEC
service-policy type inspect ALLOW-ALL

 

zone-pair security UNTRUST_to_default source UNTRUST destination default
service-policy type inspect ALLOW-ALL

 

zone-pair security default_to_UNTRUST source default destination UNTRUST
service-policy type inspect ALLOW-ALL

 

zone-pair security UNTRUST_to_self source UNTRUST destination self
service-policy type inspect ALLOW-ALL

 

zone-pair security self_to_UNTRUST source self destination UNTRUST
service-policy type inspect ALLOW-ALL

 

zone-pair security IPSEC_to_self source IPSEC destination self
service-policy type inspect ALLOW-ALL

 

zone-pair security self_to_IPSEC source self destination IPSEC
service-policy type inspect ALLOW-ALL

Hello,

 

Make the change marked with --> in your policy map:

 

policy-map type inspect ALLOW-ALL
class type inspect L4-ipsec-class
pass
class type inspect L4-ip-class
--> inspect
class class-default
drop

Hi @Georg Pauwen @Rob Ingram 
This is what I have configured now. My final config 

My question is - How can traffic from "UNTRUST" come to "self" or inside the network without any policies? 
I can establish the IPSec and traffic flows even without the following zone pairs in place. 

zone-pair security UNTRUST_to_self source UNTRUST destination self
zone-pair security self_to_UNTRUST source self destination UNTRUST

I was under the impression that the above two pairs control what comes from the internet.
But IPSec works even without the above zone pairs. I think this is a possible security risk.

Can you please help? 

================

class-map type inspect match-any L4-ipsec-class
match access-group name IPSECtraffic

#

ip access-list extended IPSECtraffic
permit esp any any
permit udp any any eq isakmp
permit ahp any any
permit udp any any eq non500-isakmp

#

class-map type inspect match-any L4-ip-class
match protocol icmp
match protocol tcp
match protocol udp
#

policy-map type inspect ALLOW-ALL
class type inspect L4-ipsec-class
pass
class type inspect L4-ip-class
inspect
class class-default
drop

#############

 

ip access-list extended Inbound_IPSec_Traffic
permit esp any any
permit udp any any eq isakmp
permit ahp any any
permit udp any any eq non500-isakmp

 

class-map type inspect match-any Inbound_IPSec_Traffic-class
match access-group name Inbound_IPSec_Traffic

 

class-map type inspect match-any Inbound_IPTraffic-class
match protocol icmp
match protocol tcp
match protocol udp

 

policy-map type inspect Inbound_IPsec_IPTraffic-policy
class type inspect Inbound_IPSec_Traffic-class
pass
class type inspect Inbound_IPTraffic-class
inspect
class class-default
drop



interface Virtual-Template1
vrf forwarding trust
ip unnumbered Loopback0
zone-member security IPSEC
no logging event link-status
no snmp trap link-status
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile btopcpe_vti
end

 

interface Loopback0
vrf forwarding FVRF
ip address <IPSEC IP> 255.255.255.255
zone-member security UNTRUST
end

 

interface TenGigabitEthernet0/0/0
description Uplink To Internet 
vrf forwarding FVRF
ip address <WAN IP> 255.255.255.254
ip nat outside
ip access-group iACL in
zone-member security UNTRUST
end

 

interface Port-channel1.1760
encapsulation dot1Q 1760
vrf forwarding trust
ip address 10.0.22.1 255.255.255.0
zone-member security PO1760
end

 

====================================================================

 

zone-pair security UNTRUST_to_self source UNTRUST destination self >>> IPSec works without this pair
service-policy type inspect Inbound_IPsec_IPTraffic-policy

 

zone-pair security self_to_UNTRUST source self destination UNTRUST >>> IPSec works without this pair
service-policy type inspect Inbound_IPsec_IPTraffic-policy


zone-pair security IPSEC_to_PO1760 source IPSEC destination PO1760
service-policy type inspect ALLOW-ALL

 

zone-pair security PO1760_to_IPSEC source PO1760 destination IPSEC
service-policy type inspect ALLOW-ALL

=========================
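The behaviour described in this post follows from a zone-based firewall default that is easy to overlook: traffic to or from the system-defined "self" zone (the router's own control plane, including IKE/ESP terminating on the ASR) is permitted unless a zone-pair that includes "self" exists, which is why IPsec keeps working with the two self zone-pairs removed. The audit script below is an added example, not code from the thread or from Cisco. It parses a constructed config of the same shape as the one posted above (names are the thread's own: IPSEC, UNTRUST, PO1760, ALLOW-ALL, Inbound_IPsec_IPTraffic-policy), applies the documented zone-pair defaults to a flow, and lists which zones can reach the router itself with no policy applied. The config text and the helper names are constructed for illustration.

```python
"""Audit zone-pair coverage in a Cisco IOS zone-based firewall config.

Added example (not from the thread): parses a constructed config in the
same shape as the one posted above and evaluates flows between zones
with the documented ZBFW defaults, so the 'IPsec works without the self
zone-pairs' observation can be reproduced from the config itself.
"""
import re

# Constructed sample modelled on the thread's final config (no self zone-pairs).
SAMPLE_CONFIG = """
interface Virtual-Template1
 vrf forwarding trust
 zone-member security IPSEC
interface Loopback0
 vrf forwarding FVRF
 zone-member security UNTRUST
interface TenGigabitEthernet0/0/0
 vrf forwarding FVRF
 zone-member security UNTRUST
interface Port-channel1.1760
 vrf forwarding trust
 zone-member security PO1760
zone-pair security IPSEC_to_PO1760 source IPSEC destination PO1760
 service-policy type inspect ALLOW-ALL
zone-pair security PO1760_to_IPSEC source PO1760 destination IPSEC
 service-policy type inspect ALLOW-ALL
"""

# The two zone-pairs the thread found IPsec did not depend on (constructed copy).
SELF_PAIRS = """
zone-pair security UNTRUST_to_self source UNTRUST destination self
 service-policy type inspect Inbound_IPsec_IPTraffic-policy
zone-pair security self_to_UNTRUST source self destination UNTRUST
 service-policy type inspect Inbound_IPsec_IPTraffic-policy
"""

_IF_RE = re.compile(r"^interface (\S+)")
_PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")
_MEMBER_RE = re.compile(r"^zone-member security (\S+)")
_POLICY_RE = re.compile(r"^service-policy type inspect (\S+)")


def parse_zbfw(config):
    """Return ({interface: zone}, {(src_zone, dst_zone): policy_name_or_None})."""
    zones, pairs = {}, {}
    current_if = current_pair = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := _IF_RE.match(line)):
            current_if, current_pair = m.group(1), None
        elif (m := _PAIR_RE.match(line)):
            current_pair = (m.group(1), m.group(2))
            pairs[current_pair] = None  # filled in by the following service-policy line
            current_if = None
        elif (m := _MEMBER_RE.match(line)) and current_if:
            zones[current_if] = m.group(1)
        elif (m := _POLICY_RE.match(line)) and current_pair:
            pairs[current_pair] = m.group(1)
    return zones, pairs


def flow_verdict(src_zone, dst_zone, pairs):
    """Classify a flow between two zones (None means the interface is in no zone).

    ZBFW defaults: a configured zone-pair governs the flow; otherwise traffic
    to or from the system 'self' zone passes, same-zone traffic (or traffic
    between two unzoned interfaces) is not filtered, and everything else drops.
    """
    if (src_zone, dst_zone) in pairs:
        policy = pairs[(src_zone, dst_zone)]
        if policy:
            return "policy:" + policy, "zone-pair policy applies"
        return "drop", "zone-pair configured without a service-policy"
    if "self" in (src_zone, dst_zone):
        return "pass", "no zone-pair with self: router traffic allowed by default"
    if src_zone == dst_zone:
        return "pass", "same zone (or both interfaces unzoned): not filtered"
    return "drop", "zoned interfaces with no zone-pair between them"


def interface_flow(src_if, dst_if, zones, pairs):
    """Verdict for a flow between two named interfaces."""
    return flow_verdict(zones.get(src_if), zones.get(dst_if), pairs)


def zones_open_to_self(zones, pairs):
    """Zones whose traffic to the router itself is not covered by a self zone-pair."""
    return sorted(z for z in set(zones.values()) if (z, "self") not in pairs)


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with self pairs", SAMPLE_CONFIG + SELF_PAIRS)):
        zones, pairs = parse_zbfw(cfg)
        print(label, "UNTRUST->self:", flow_verdict("UNTRUST", "self", pairs))
        print(label, "zones open to self:", zones_open_to_self(zones, pairs))
```

The audit only answers whether a flow is governed by a policy at all, not what the policy does; reviewing the class-maps behind each policy is a separate step. One related caveat for the thread's design: the IPsec class uses `pass`, which does not create state, so once a self zone-pair is in place the reverse direction (self to UNTRUST) needs its own pair and policy, exactly as the final config has it.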

 

Hello,

 

I think the Loopback needs to be in the same security zone as the virtual template. Other than that, the config looks good.

 

interface Loopback0
vrf forwarding FVRF
ip address <IPSEC IP> 255.255.255.255
--> zone-member security IPSEC
end

Hi @Georg Pauwen 

Thank you for the reply. But in my situation, the Virtual Template and the Loopback are in 2 different VRFs.
So it doesn't let me use the same security zone in multiple VRFs.
The reason my Loopback has "vrf forwarding FVRF" is that it contains a public IP and I don't want my internal routing table to be mixed with it.


Hope this is of help. 

interface Virtual-Template1
vrf forwarding trust
ip unnumbered Loopback0
zone-member security IPSEC
no logging event link-status
no snmp trap link-status
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile btopcpe_vti
end

 

interface Loopback0
vrf forwarding FVRF
ip address <IPSEC IP> 255.255.255.255
zone-member security UNTRUST
end

Hello,

 

Then create a second loopback for use with the virtual template's ip unnumbered, and put that in the same zone as the virtual template.

kasunrajapakse
Level 1

Hello, 
Thank you everyone. 
The above config I had works (I had to reboot the ASR); that fixed all my issues.