01-06-2003 08:37 AM - edited 02-21-2020 12:15 PM
Dear all,
Does anybody have experience with configuring, for example, a Cisco 17xx router to run both an IPSec VPN and IOS Firewall to support secure local browsing? We are running the VPN routers without problems, but when I try to configure some additional Firewall commands I get lost...
Unfortunately I can't find configuration examples for IPSec and Firewall. Any hints would be appreciated.
Thank you very much!
01-06-2003 09:04 AM
Basically you would have your LAN-to-LAN VPN set up (working), then just add the CBAC commands/access-list to the outside interface.
The access-list on the outside interface needs to allow ESP, ISAKMP, (AH) if used and the PRIVATE TO PRIVATE (VPN) traffic, as the router will run the decapsulated traffic through the access-list.
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 10
interface (external)
ip inspect myfw out
Regards,
Jason Brown
CCIE #10833
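The reply above describes the pieces in words; here is a complete LAN-to-LAN IPSec plus CBAC configuration in the shape it describes, written as an added example for this thread rather than taken from any of the posters. It assumes a 17xx with the LAN 192.168.1.0/24 on FastEthernet0, the Internet on Serial0 with address 203.0.113.2, a peer at 198.51.100.1 whose LAN is 192.168.2.0/24, and placeholder names (VPNMAP, STRONG, FW) and a placeholder pre-shared key; change all of these to match your site. AH is not used, so no `permit ahp` line is needed; add one next to the ESP line if your transform set includes AH.

```cisco
! Added example, not part of the original thread. All addresses, names and
! the pre-shared key are assumptions to be replaced.
!
! --- IKE phase 1 (the parameters of the era; prefer AES, SHA-256 and
!     group 14 or higher on any IOS that supports them) ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-A-LONG-RANDOM-KEY address 198.51.100.1
!
! --- IPSec phase 2 ---
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Interesting traffic: only private-to-private is sent into the tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set STRONG
 match address 101
!
! NAT runs before crypto on the way out, so the VPN traffic must be
! excluded from PAT or it will never match the crypto ACL
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface Serial0 overload
!
! CBAC: inspect sessions leaving the outside interface so that only their
! return traffic is let back in through ACL 113
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW ftp
ip inspect name FW http
!
! Inbound ACL on the outside interface:
!  1. IKE and ESP from the VPN peer (the tunnel itself)
!  2. the decrypted private-to-private traffic, because the router runs the
!     decapsulated packets through this ACL a second time
!  3. everything else denied and logged; CBAC punches the return-traffic
!     holes dynamically in front of this deny
access-list 113 permit udp host 198.51.100.1 eq isakmp host 203.0.113.2 eq isakmp
access-list 113 permit esp host 198.51.100.1 host 203.0.113.2
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 deny   ip any any log
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip access-group 113 in
 ip inspect FW out
 crypto map VPNMAP
```

To check that the three pieces are doing what you expect: `show crypto isakmp sa` and `show crypto ipsec sa` should show the tunnel up with packets encrypted and decrypted, `show ip inspect sessions` lists the outbound sessions CBAC is tracking, and `show access-list 113` shows the hit counts on the static permits plus the dynamic entries CBAC has opened. If the LAN can reach the Internet but not the remote LAN, the first things to look at are the NAT deny in ACL 110 and the private-to-private permit in ACL 113.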
01-12-2003 10:42 AM
Here's a config and some general tips on CBAC.
It is easier to put the inspection rules on the outside interface (in the out direction) if you are defining inspection rules for all subnets (if you have a 17xx with 2 LAN interfaces and 1 WAN to the Internet).
Think of it like this: the basic theory of firewalling is to deny all inbound traffic, so place a 'deny any any' in an inbound ACL on the outside interface.
interface ethernet 1
ip access-group 113 in
Now no traffic can enter or return (that's not good). After you place the inspection rules on the interface only sessions that were initiated on the inside are allowed to return through the interface. CBAC opens holes in the ACL for return traffic.
interface ethernet 1
ip inspect INSPECTRULES out
ip access-group 113 in
Now if you (from inside on the LAN, behind the 17xx) open up a browser and browse to www.cisco.com (whatever the IP of the web server is, at port 80 for HTTP), their web server is allowed through the firewall at port 80. This is reflected in a 'show access-list 113' command.
Since CBAC takes up processor cycles and memory (600 bytes per session, I think), it would be wise to expand the defined ACL (113) to let some traffic override/bypass the CBAC inspection process/rules. ACLs are evaluated before CBAC.
Here is a config I use; this is an 806 router doing EasyVPN to a head-end 3000 Concentrator. The E1 is getting its address from the ISP router via DHCP. Traffic defined in ACL 113 bypasses CBAC rules:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname abcdefg
!
logging buffered informational
enable secret XXXXXXXXXXXXXXXXXXXXXXXX
!
username insertnamehere privilege 15 password XXXXXXXXXXXXXXXXXXX
ip subnet-zero
ip domain name (Domain name of ISP)
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool CLIENT
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
lease 8
!
ip inspect max-incomplete 500 high
ip inspect max-incomplete 350 low
ip inspect name INSPECTRULES tcp
ip inspect name INSPECTRULES udp
ip inspect name INSPECTRULES ftp timeout 3600
ip inspect name INSPECTRULES h323 timeout 3600
ip inspect name INSPECTRULES http timeout 3600
ip inspect name INSPECTRULES netshow timeout 3600
ip inspect name INSPECTRULES rcmd timeout 3600
ip inspect name INSPECTRULES realaudio timeout 3600
ip inspect name INSPECTRULES rtsp timeout 3600
ip inspect name INSPECTRULES smtp timeout 3600
ip inspect name INSPECTRULES sqlnet timeout 3600
ip inspect name INSPECTRULES streamworks timeout 3600
!
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit smtp spam 50
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
crypto ipsec client ezvpn hw-client
connect auto
group groupnamechanged key XXXXXXXXXXXXXXXX
mode client
peer (IP of 3000 Concentrator)
!
!
!
!
!
interface Ethernet0
ip address 172.16.1.1 255.255.255.0
no cdp enable
crypto ipsec client ezvpn hw-client inside
hold-queue 32 in
hold-queue 100 out
no ip directed-broadcast
no ip redirects
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 113 in
ip accounting access-violations
! must reference the inspection rule set defined above (INSPECTRULES);
! a mismatched name here means nothing is inspected and no return traffic
! gets back in through ACL 113
ip inspect INSPECTRULES out
no cdp enable
no ip directed-broadcast
no ip redirects
crypto ipsec client ezvpn hw-client
!
ip nat inside source list 110 interface Ethernet1 overload
ip classless
no ip http server
!
!
access-list 38 permit 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
access-list 113 permit udp any eq bootps any log
access-list 113 permit udp host (IP of 3000 Concentrator) eq isakmp any
access-list 113 permit udp (trusted LAN behind 3000) eq isakmp any
access-list 113 permit esp host (IP of 3000 Concentrator) any log
access-list 113 permit esp (trusted LAN behind 3000) any log
no cdp run
banner login _
WARNING!!!!!!!!!!!!!
(I cut this off, no need to bore you)
_
!
line con 0
exec-timeout 120 0
login local
stopbits 1
line vty 0 4
access-class 38 in
exec-timeout 120 0
login local
!
scheduler max-task-time 5000
end
Good luck.
01-12-2003 08:14 PM
The following URL shows an example for setting up a 3640 router with CBAC inspection and remote VPN client access configured simultaneously. I'm not sure whether or not you are setting the 1700 up for remote client VPN access or a LAN-to-LAN tunnel, but the concepts in this document will apply whether or not the crypto map terminates dynamic client connections or static site-to-site VPNs. The important thing to take away from the example is to pay attention to the interfaces where the inspect rule, access-group, and crypto map are applied.
Hope this helps....