Cisco Support Community

Configure IOS Zone Based Firewall With AnyConnect VPN For IP Phones


I need some help with a fairly basic situation. I have a Cisco 2911 ISR G2 router that is acting solely as a Communications Manager Express phone system, i.e., there is no data that needs to flow out of the router to the Internet.

I do have 3 users who will be connecting some Cisco phones from home, and they use the built-in Cisco AnyConnect SSL WebVPN client that is in phone loads above 9.0. I have tested this and it works great.

The issue is that I cannot simply have a port (G0/0 in this case) facing the Internet without security applied, since there's no firewall in front of this router, and I want the router to be the firewall because the ONLY thing coming from the Internet is these VPN connections and that's it.

Does anyone know of a simple zone-based firewall configuration that will block ALL incoming requests and secure the outside interface while still allowing the AnyConnect VPN access to the inside? I have found a few Cisco docs, but they all show how to configure "inspect" statements and, to be honest, I'm not sure how those truly protect the outside interface from incoming attacks.

Currently I have the Internet-facing port shut down and I only open it to test the VPN phones, but since there is no firewall currently configured on the router, I shut it back down as I don't want to leave it open.



Hi,

The Zone Based Firewall uses "inspect" statements; that's just what it does.

A simple zone-based firewall that will inspect all traffic going from the local network to the Internet and protect the outside interface of the router, while still allowing AnyConnect connections, would look something like this:

! Zones must be defined before they can be used in zone-pairs or on interfaces
zone security INSIDE
zone security OUTSIDE

! The ACL needs at least one entry or the class below never matches (192.168.1.0/24 is a placeholder for the local LAN)
ip access-list standard INSIDE-NETWORK_ACL
 permit 192.168.1.0 0.0.0.255

class-map type inspect INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL

class-map type inspect HTTPS_CMAP
 match protocol https

! Each class needs an action; without "inspect" the policy does nothing
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect

! Only HTTPS (the AnyConnect SSL VPN) may reach the router itself; everything else from the Internet is dropped
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HTTPS_CMAP
  inspect
 class class-default
  drop

zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_PMAP

zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF

! Interfaces are only firewalled once they are members of a zone (G0/1 assumed to be the LAN side)
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE

I haven't personally configured Zone Based Firewall with AnyConnect, so if this doesn't work you can look at this link:
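A pre-deployment check for a policy like the one above, added here as an example that is not part of the original thread and not Cisco's tooling: a small Python script that parses IOS running-config text and flags the omissions that turn a zone-based firewall into a no-op. It catches a zone named in a zone-pair or on an interface but never defined (which is how a typo such as OUTISDE shows up), an interface with an IP address that belongs to no zone, a policy-map class with no inspect/pass/drop action, and a class-map that matches an ACL with no entries. The sample configuration is constructed from the answer's policy with the missing pieces filled in; the addresses and the inside interface G0/1 are assumptions.

```python
"""Sanity check for an IOS Zone-Based Firewall config (added example, not code
from the forum post or from Cisco): parse running-config text and report the
omissions that leave a ZBF policy enforcing nothing."""
import re

ACTIONS = ("inspect", "pass", "drop")

# Constructed sample: the forum answer's policy with the missing pieces filled
# in (zones, zone membership, an ACL entry, class actions). The addresses and
# the inside interface G0/1 are assumptions.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
ip access-list standard INSIDE-NETWORK_ACL
 permit 192.168.1.0 0.0.0.255
class-map type inspect INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
 match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HTTPS_CMAP
  inspect
 class class-default
  drop
zone-pair security INSIDE-TO-OUTSIDE_ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE_PMAP
zone-pair security OUTSIDE-TO-SELF_ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
"""


def parse_blocks(config):
    """Split IOS config into (header, [indented child lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.strip() and not line.startswith("!"):
            if line.startswith(" ") and blocks:
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks


def check_zbf(config):
    """Return a list of findings; an empty list means the checks passed."""
    zones, missing, ifaces, acls, cmaps, pmaps, zpairs = set(), set(), {}, {}, {}, {}, []
    for hdr, kids in parse_blocks(config):
        if m := re.match(r"zone security (\S+)$", hdr):
            zones.add(m[1])
        elif m := re.match(r"interface (\S+)", hdr):
            ifaces[m[1]] = kids
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", hdr):
            acls[m[1]] = [k for k in kids if set(k.split()[:2]) & {"permit", "deny"}]
        elif m := re.match(r"class-map type inspect(?: match-\w+)? (\S+)", hdr):
            cmaps[m[1]] = kids
        elif m := re.match(r"policy-map type inspect (\S+)", hdr):
            pmaps[m[1]] = kids
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", hdr):
            zpairs.append((m[1], m[2], m[3], kids))
    findings = []
    # A routed interface that belongs to no zone is simply not firewalled.
    for name, kids in ifaces.items():
        members = [k.split()[-1] for k in kids if k.startswith("zone-member security ")]
        missing.update(z for z in members if z not in zones)
        if not members and any(k.startswith("ip address ") for k in kids):
            findings.append(f"interface {name}: has an IP address but is in no security zone")
    # A class-map keyed on a missing or empty ACL can never match traffic.
    for name, kids in cmaps.items():
        for k in kids:
            if (m := re.match(r"match access-group name (\S+)", k)) and not acls.get(m[1]):
                findings.append(f"class-map {name}: access-list {m[1]} is missing or empty")
    # Every class in an inspect policy-map needs an action, or it does nothing.
    for name, kids in pmaps.items():
        cls, acted = None, {}
        for k in kids:
            if k.startswith("class "):
                cls = k.split()[-1]
                acted[cls] = False
            elif cls and k.split()[0] in ACTIONS:
                acted[cls] = True
        for cls, ok in acted.items():
            if not ok:
                findings.append(f"policy-map {name}: class {cls} has no inspect/pass/drop action")
    # Zone-pairs must name defined zones (this catches typos) and an existing policy-map.
    for name, src, dst, kids in zpairs:
        missing.update(z for z in (src, dst) if z != "self" and z not in zones)
        pol = [k.split()[-1] for k in kids if k.startswith("service-policy type inspect ")]
        if not pol or pol[0] not in pmaps:
            findings.append(f"zone-pair {name}: service-policy missing or policy-map undefined")
    findings.extend(f"zone {z}: referenced but never defined with 'zone security'" for z in sorted(missing))
    return findings


if __name__ == "__main__":
    print(check_zbf(SAMPLE_CONFIG))  # clean config: []
    print(check_zbf(SAMPLE_CONFIG.replace("destination OUTSIDE", "destination OUTISDE")))
```

Run it against a `show running-config` capture before enabling the Internet-facing port; the second print in `__main__` shows the answer's original OUTISDE typo being reported as a zone that is referenced but never defined, which on a real router would leave that zone-pair without a usable policy.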
