Configure IOS Zone Based Firewall With Anyconnect VPN For IP Phones
I need some help with a fairly basic situation. I have a Cisco 2911 ISR G2 router that is acting solely as a Communications Manager Express phone system, i.e., there is no data that needs to flow out of the router to the Internet.
I do have 3 users that will be connecting some Cisco phones from home and they use the built-in Cisco AnyConnect SSL WebVPN client that is on phone loads above 9.0. I have tested this and it works great.
The issue is that I cannot simply have a port (G0/0 in this case) facing the internet without security applied since there's no firewall in front of this router and I want the router to be the firewall because the ONLY thing coming from the Internet are these VPN connections and that's it.
Does anyone know of a simple zone-based firewall configuration that will block ALL incoming requests and secure the outside interface while still allowing the AnyConnect VPN access to the inside? I have found a few Cisco docs but they all show how to configure "inspect" statements and to be honest, I'm not sure how those truly protect the outside interface from incoming attacks.
Currently I have the internet-facing port shut down and I only open it to test the VPN phones but since there is no firewall currently configured on the router, I shut it back down as I don't want to leave it open.
The zone-based firewall uses "inspect" statements; that's just what it does.
A simple zone-based firewall that will inspect all traffic going from the local network to the Internet and protect the outside interface of the router, but allow AnyConnect connections, would look something like this:
ip access-list standard INSIDE-NETWORK_ACL
 ! standard ACLs take a wildcard mask (0.0.0.255), not a subnet mask
 permit 192.168.1.0 0.0.0.255
class-map type inspect INSIDE-NETWORK_CMAP
 match access-group name INSIDE-NETWORK_ACL
class-map type inspect HTTPS_CMAP
 match protocol https
policy-map type inspect INSIDE-TO-OUTSIDE_PMAP
 class type inspect INSIDE-NETWORK_CMAP
  inspect
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect HTTPS_CMAP
  pass
I haven't personally configured Zone Based Firewall with anyconnect. So if this doesn't work you can look at this link: https://supportforums.cisco.com/document/46481/anyconnect-ios-zone-based-firewall-zbfw
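A complete zone-based configuration for the setup in the question, including the zones, self-zone policies and zone-pairs that the snippet above leaves out. This is an added example, not the answerer's config or the content of the linked Cisco document; the outside address 203.0.113.10, the inside interface G0/1 and Virtual-Template1 as the WebVPN tunnel interface are assumptions.

```ios
! Added example (not the poster's config). Assumptions: outside G0/0 has the
! placeholder address 203.0.113.10 (also the WebVPN gateway address), the LAN is
! on G0/1, and the WebVPN context uses Virtual-Template1 for full-tunnel clients.
zone security INSIDE
zone security OUTSIDE
!
! Only the AnyConnect channels may reach the router itself: SSL over TCP 443
! and DTLS over UDP 443, both terminating on the gateway address.
ip access-list extended ANYCONNECT-IN_ACL
 permit tcp any host 203.0.113.10 eq 443
 permit udp any host 203.0.113.10 eq 443
! "pass" is stateless, so the reverse direction needs its own match.
ip access-list extended ANYCONNECT-OUT_ACL
 permit tcp host 203.0.113.10 eq 443 any
 permit udp host 203.0.113.10 eq 443 any
!
class-map type inspect match-any ANYCONNECT-IN_CMAP
 match access-group name ANYCONNECT-IN_ACL
class-map type inspect match-any ANYCONNECT-OUT_CMAP
 match access-group name ANYCONNECT-OUT_ACL
!
! Everything else aimed at the router from the Internet is dropped and logged.
policy-map type inspect OUTSIDE-TO-SELF_PMAP
 class type inspect ANYCONNECT-IN_CMAP
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUTSIDE_PMAP
 class type inspect ANYCONNECT-OUT_CMAP
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF_PMAP
zone-pair security SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUTSIDE_PMAP
! No OUTSIDE->INSIDE or INSIDE->OUTSIDE zone-pair exists, so that traffic is
! dropped by default, which is what a CME-only router wants.
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
! Decrypted phone traffic arrives on the virtual-template; putting it in INSIDE
! lets the phones reach CME (self) and the other phones without a further policy.
interface Virtual-Template1
 zone-member security INSIDE
```

Because the self-to-outside policy drops everything but the VPN return traffic, anything the router itself needs from the Internet (NTP, DNS, the AnyConnect package download check) must be added to ANYCONNECT-OUT_ACL or a second class before this is applied. Verify with show policy-map type inspect zone-pair and show zone-pair security while a phone connects.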