CBAC (without interfering with L2L VPN)

Unanswered Question
Nov 24th, 2008

Hi all,


Getting no responses from the Security Forum so thought I'd try here. I've got a working L2L VPN between HQ and a remote office. Remote office has a 2821 12.4 FW feature set. There is an Internet bypass set up for general traffic but I need to secure it using CBAC. The following is what I've tried - it works but not how I imagined it would.


Inbound on outside (internet facing) interface (the 10.180.21.1 is statically NATed on the ISP provided DSL router):


ip access-list extended PROTECT
permit udp host p.e.e.r host 10.180.21.1 eq isakmp log
permit udp host p.e.e.r host 10.180.21.1 eq non500-isakmp
permit tcp host x.x.x.x host 10.180.21.1 eq 22 log
permit tcp host y.y.y.y host 10.180.21.1 eq 22 log
deny tcp any any log
deny udp any any log
deny icmp any any log

The above does not block any VPN traffic - I thought it would after reading some Order of Operation docs! But that's good.


ip inspect name CBAC.1 echo
ip inspect name CBAC.1 http
ip inspect name CBAC.1 https
ip inspect name CBAC.1 icmp
ip inspect name CBAC.1 imap
ip inspect name CBAC.1 imap3
ip inspect name CBAC.1 imaps
ip inspect name CBAC.1 ssh
ip inspect name CBAC.1 tcp audit-trail on
ip inspect name CBAC.1 udp audit-trail on

interface fa0/0/0
descrip INTERNET FACING OUTSIDE
ip address 10.180.21.1 255.255.255.252
ip access-group PROTECT in
ip inspect CBAC.1 out

I tried CBAC.1 "in" at first but this prevented internet access. Auditing reported a lot of normal VPN bound traffic which was allowed but confusing as to why CBAC saw it but the PROTECT acl did not.


With CBAC.1 "out" the internet works and the VPN traffic flows ... all good from that point of view. But I'm still confused and not sure everything is tip-top:


1. When I do a "show access-list" I do not get the dynamic entries CBAC is supposed to have created. Something is up with my config and I'd like to understand what it is.


2. The VPN traffic is still being audited by the CBAC.1 inspect - I'd prefer it wasn't. I don't want unnecessary traffic down the VPN because performance is pretty poor to begin with. At this stage I just want to log Internet bound traffic that does not meet the predefined ports so that I can tweak what's necessary over the first few weeks of the office in full prod mode.


Any help much appreciated

- Mike
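As an added example (not from the post, and not Cisco code), a small Python triage over CBAC audit-trail syslog lines that separates tunnel-bound sessions from Internet-bound sessions outside the inspected port set, which is the review the poster wants during the first weeks. The HQ prefix behind the tunnel, the expected-port set (the CBAC.1 list above) and the log lines are assumptions/constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): HQ LAN reached over the L2L tunnel, and the
# ports implied by the CBAC.1 inspect list (echo, http, https, imap, imap3, imaps, ssh).
VPN_REMOTE_NETS = [ip_network("192.168.100.0/24")]
EXPECTED_PORTS = {7, 80, 443, 143, 220, 993, 22}

# IOS audit-trail "session start" message; the "Stop" message has a different tag.
SESSION_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)"
)

def classify(line):
    """Return (category, detail) for one session-start line, or None otherwise."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    dst = ip_address(m["dst"])
    dport = int(m["dport"])
    if any(dst in net for net in VPN_REMOTE_NETS):
        return ("vpn", f"{m['src']} -> {dst}:{dport} rides the tunnel; inspecting it adds nothing")
    if m["proto"] == "icmp" or dport in EXPECTED_PORTS:
        return ("expected", f"{m['src']} -> {dst}:{dport}/{m['proto']}")
    return ("review", f"{m['src']} -> {dst}:{dport}/{m['proto']} not in the inspect list")

def summarize(lines):
    """Count sessions per category and collect the Internet-bound ones worth a look."""
    counts = {"vpn": 0, "expected": 0, "review": 0}
    findings = []
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        cat, detail = result
        counts[cat] += 1
        if cat == "review":
            findings.append(detail)
    return counts, findings

# Constructed sample lines in the IOS audit-trail format (not taken from the post).
SAMPLE_LOG = """\
*Nov 24 09:01:02: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.21.10:1025) -- responder (192.168.100.5:445)
*Nov 24 09:01:05: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.21.11:1026) -- responder (203.0.113.7:80)
*Nov 24 09:01:09: %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (192.168.21.12:1027) -- responder (203.0.113.9:5900)
*Nov 24 09:01:12: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.168.21.11:1026) sent 512 bytes -- responder (203.0.113.7:80) sent 2048 bytes
""".splitlines()

if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOG)
    print(counts)
    for f in findings:
        print("review:", f)
```

Feed it the router's syslog export; the "vpn" count shows how much of the audit trail is tunnel traffic, and the "review" list is the set of Internet-bound ports to decide on.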

tstanik Mon, 12/01/2008 - 10:02

Cisco Enhanced Easy VPN is a new method for configuring Easy VPN using Dynamic Virtual Tunnel Interface (DVTI) instead of a crypto map, which is used by traditional Easy VPN. DVTI can be used on both the Easy VPN Server and Easy VPN Remote routers. DVTI relies on the virtual tunnel interface to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IPsec configuration and any Cisco IOS Software feature configured on the virtual template interface, such as QoS, Network Address Translation (NAT), Context-Based Access Control (CBAC) firewall, NetFlow, or access control lists (ACLs).


For a further description, the following URLs will help you:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml


