IPSec and IOS Firewall

berndtonn
Level 1

Dear all,

Does anybody have experience with configuring, for example, a Cisco 17xx router to run both an IPSec VPN and IOS Firewall to support secure local browsing? We are running the VPN routers without problems, but when I try to configure some additional Firewall commands I get lost ...

Unfortunately I can't find configuration examples for IPSec and Firewall. Any hints would be appreciated.

Thank you very much!

3 Replies

jasobrown
Level 1

Basically you would have your LAN-to-LAN VPN set up (working), then just add the CBAC commands / access-list to the outside interface.

The access-list on the outside interface needs to allow ESP, ISAKMP, (AH) if used, and the PRIVATE TO PRIVATE (VPN) traffic, as the router will run the decapsulated traffic through the access-list.

ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 10
!
interface (external)
 ip inspect myfw out

Regards,

Jason Brown

CCIE #10833

d-garnett
Level 3

Here's a config and some general tips on CBAC.

It is easier to put the inspection rules on the outside interface (in the out direction) if you are defining inspection rules for all subnets (if you have a 17xx with 2 LAN interfaces and 1 WAN-to-Inet).

Think of it like this: the basic theory of firewalling is to deny all inbound traffic, so place a 'deny any any' in an inbound ACL on the outside interface.

interface ethernet 1
 ip access-group 113 in

Now no traffic can enter or return (that's not good). After you place the inspection rules on the interface, only sessions that were initiated on the inside are allowed to return through the interface. CBAC opens holes in the ACL for return traffic.

interface ethernet 1
 ip inspect INSPECTRULES out
 ip access-group 113 in

Now if you (from inside on the LAN, behind the 17xx) open up a browser and browse to www.cisco.com (whatever the IP of the web server is, at port 80 for http), their web server is allowed back through the firewall at port 80. This is reflected in a 'show access-list 113' command.

Since CBAC takes up processor cycles and memory (600 bytes per session, I think), it would be wise to expand the defined ACL (113) to let some traffic override/bypass the CBAC inspection process/rules. ACLs are evaluated before CBAC.

Here is a config I use. This is an 806 router doing EzVPN to a head-end 3000 Concentrator. The E1 is getting its address from the ISP router via DHCP. Traffic defined in ACL 113 bypasses the CBAC rules:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname abcdefg
!
logging buffered informational
enable secret XXXXXXXXXXXXXXXXXXXXXXXX
!
username insertnamehere privilege 15 password XXXXXXXXXXXXXXXXXXX
ip subnet-zero
ip domain name (Domain name of ISP)
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool CLIENT
   import all
   network 172.16.1.0 255.255.255.0
   default-router 172.16.1.1
   lease 8
!
ip inspect max-incomplete 500 high
ip inspect max-incomplete 350 low
ip inspect name INSPECTRULES tcp
ip inspect name INSPECTRULES udp
ip inspect name INSPECTRULES ftp timeout 3600
ip inspect name INSPECTRULES h323 timeout 3600
ip inspect name INSPECTRULES http timeout 3600
ip inspect name INSPECTRULES netshow timeout 3600
ip inspect name INSPECTRULES rcmd timeout 3600
ip inspect name INSPECTRULES realaudio timeout 3600
ip inspect name INSPECTRULES rtsp timeout 3600
ip inspect name INSPECTRULES smtp timeout 3600
ip inspect name INSPECTRULES sqlnet timeout 3600
ip inspect name INSPECTRULES streamworks timeout 3600
!
ip audit info action alarm
ip audit attack action alarm drop reset
ip audit smtp spam 50
ip audit notify log
ip audit po max-events 100
!
crypto ipsec client ezvpn hw-client
 connect auto
 group groupnamechanged key XXXXXXXXXXXXXXXX
 mode client
 peer (IP of 3000 Concentrator)
!
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 no cdp enable
 crypto ipsec client ezvpn hw-client inside
 hold-queue 32 in
 hold-queue 100 out
 no ip directed-broadcast
 no ip redirects
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 113 in
 ip accounting access-violations
 ip inspect INSPECTRULES out
 no cdp enable
 no ip directed-broadcast
 no ip redirects
 crypto ipsec client ezvpn hw-client
!
ip nat inside source list 110 interface Ethernet1 overload
ip classless
no ip http server
!
access-list 38 permit 172.16.1.0 0.0.0.255
access-list 110 permit ip 172.16.1.0 0.0.0.255 any
access-list 113 permit udp any eq bootps any log
access-list 113 permit udp host (IP of 3000 Concentrator) eq isakmp any
access-list 113 permit udp (trusted LAN behind 3000) eq isakmp any
access-list 113 permit esp host (IP of 3000 Concentrator) any log
access-list 113 permit esp (trusted LAN behind 3000) any log
no cdp run
banner login _
WARNING!!!!!!!!!!!!!
(I cut this off, no need to bore you)
_
!
line con 0
 exec-timeout 120 0
 login local
 stopbits 1
line vty 0 4
 access-class 38 in
 exec-timeout 120 0
 login local
!
scheduler max-task-time 5000
end

good luck
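Both replies above describe the same layout for running IPsec and CBAC on one box: a working tunnel, an inbound ACL on the outside interface that statically permits IKE, ESP (and AH if used) and the decrypted private-to-private traffic, and a CBAC inspect rule applied outbound on that same interface so that return traffic for inside-initiated sessions gets temporary holes in the ACL. The configuration below is an added example written for this thread; it is not from either reply, nor a Cisco document, and it shows the static LAN-to-LAN variant for a 1700-series router rather than the EzVPN client above. The interface names (FastEthernet0 inside, Serial0 outside), the 192.168.1.0/24 and 192.168.2.0/24 subnets, the 203.0.113.x addresses, the peer and the pre-shared key are all assumed placeholders.

```cisco
! Added example, not from the thread. All addresses, names and the
! pre-shared key are placeholders; replace them before use.
!
! Phase 1 (ISAKMP) policy and pre-shared key for the remote LAN-to-LAN peer
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key CHANGE-ME-PSK address 203.0.113.2
!
! Phase 2 transform set and the static crypto map
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
!
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set L2L-SET
 match address 120
!
! CBAC inspection rules: generic TCP/UDP plus protocol-aware HTTP and FTP
ip inspect name FW tcp timeout 3600
ip inspect name FW udp timeout 30
ip inspect name FW http timeout 3600
ip inspect name FW ftp timeout 3600
!
interface FastEthernet0
 description Inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0
 description Outside / Internet (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group 110 in
 ip inspect FW out
 ip nat outside
 crypto map L2L-MAP
!
! NAT for local browsing, with the tunnel subnets exempted so that
! private-to-private traffic reaches the crypto map untranslated
ip nat inside source route-map NONAT interface Serial0 overload
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 100
!
! Crypto ACL: the traffic that must be sent through the tunnel
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Inbound ACL on the outside interface. It is evaluated before CBAC, so
! these lines are always accepted regardless of session state:
!  1. IKE and ESP from the peer, so the tunnel can be negotiated
!  2. the decrypted private-to-private traffic, which is checked against
!     this ACL again after decapsulation
! Everything else is dropped unless CBAC has opened a hole for it.
access-list 110 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
access-list 110 permit esp host 203.0.113.2 host 203.0.113.1
! access-list 110 permit ahp host 203.0.113.2 host 203.0.113.1   (only if AH is used)
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip any any log
```

The point to keep in mind when adapting this: the statically permitted lines in access-list 110 are accepted before CBAC ever sees the packet and are never tied to a session, so keep them as narrow as the peer allows (host-specific for IKE and ESP, and the private-to-private line limited to the two tunnel subnets). After applying it, show ip inspect sessions lists the sessions CBAC is tracking, show access-lists 110 shows the dynamic entries CBAC has added in front of the static lines, and show crypto ipsec sa confirms the tunnel is encrypting and decrypting packets.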

jelloyd
Cisco Employee

The following URL shows an example for setting up a 3640 router with CBAC inspection and remote VPN client access configured simultaneously. I'm not sure whether or not you are setting the 1700 up for remote client VPN access or a LAN-to-LAN tunnel, but the concepts in this document will apply whether or not the crypto map terminates dynamic client connections or static site-to-site VPNs. The important thing to take away from the example is to pay attention to the interfaces where the inspect rule, access-group, and crypto map are applied.

Hope this helps....

http://www.cisco.com/warp/public/793/ios_fw/apnci.html
