Saturday, January 15, 2011

Remote VPN Client with Zone-based Firewall Configuration

Recently I tried to configure my router to accept remote VPN clients, a task that should be very simple.

But my router also runs a zone-based firewall, which made things a little more complicated.

VPN Configuration:

crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group <group-name>
 key <Pre-shared key>
 dns <DNS server #1> <DNS server #2>
 wins <WINS server #1>
 domain <Domain name>
 pool <IP address pool>
 acl <ACL number>
!
crypto ipsec transform-set <transform set name> esp-aes 256 esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 86400
 set transform-set <transform set name>
 reverse-route
!
! The method lists userauth and groupauth must already exist
! (aaa authentication login / aaa authorization network); their
! definition is not shown in this post.
crypto map <map name> client authentication list userauth
crypto map <map name> isakmp authorization list groupauth
crypto map <map name> client configuration address respond
crypto map <map name> 65535 ipsec-isakmp dynamic dynmap
!
interface Dialer1
 crypto map <map name>

Note that MD5 (as the IKE hash and in esp-md5-hmac) and Diffie-Hellman group 2 are weak by today's standards; prefer a SHA-based hash and a larger DH group (group 14 or above) wherever the client software supports them.

I also configured an access policy from zone Untrust (the outside/Internet interface) to the Self zone (the router itself) to allow ISAKMP and ESP to reach the router:

class-map type inspect match-any VPN-ACCESS-CLASS
 match access-group 123
!
! SELF-ACCESS-CLASS is a pre-existing class-map for other traffic to the
! router; its definition is not part of this post.
policy-map type inspect UNTRUST-TO-SELF-POLICY
 class type inspect SELF-ACCESS-CLASS
  inspect session-ctrl
 class type inspect VPN-ACCESS-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security UNTRUST-TO-SELF source untrust destination self
 service-policy type inspect UNTRUST-TO-SELF-POLICY
!
! ESP, AH, IKE (UDP/500) and NAT-T (UDP/4500) destined to the router
access-list 123 permit esp any any
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ahp any any
access-list 123 permit udp any any eq isakmp

And let's not forget to exempt LAN-to-client traffic from NAT, so that it is not translated to the Dialer1 address before it is encrypted:

ip nat inside source list 111 interface Dialer1 overload
!
access-list 111 remark LAN NAT IP ACL
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any

(Where 192.168.10.0/24 is my internal LAN and 192.168.12.0/24 is the remote client pool.) The deny entry must come before the permit, because the NAT list is evaluated first match first.
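As an added example (not from the original post), the following Python models how IOS evaluates the two access lists above: the first matching entry wins, wildcard bits set to 1 are ignored, and a packet that matches nothing hits the implicit deny. It runs ACL 123 (what the Untrust-to-Self class must admit) and ACL 111 (the NAT exemption) against constructed packets, and shows that swapping the two ACL 111 entries silently breaks the exemption. The addresses 203.0.113.5 and 198.51.100.1 are constructed sample values.

```python
"""Model of IOS extended access-list evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS "eq <name>" keywords that appear in the post's ACL 123.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
# IOS spells the AH protocol "ahp"; normalise to "ah".
PROTO_ALIASES = {"ahp": "ah"}
ALL_ONES = 0xFFFFFFFF


@dataclass
class Packet:
    proto: str               # "esp", "ah", "udp", "tcp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: int
    src_wild: int            # IOS wildcard: 1 bits are "don't care"
    dst: int
    dst_wild: int
    dport: Optional[int]


def _addr_spec(tokens: List[str], i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return 0, ALL_ONES, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def parse_acls(config: str) -> Dict[str, List[Ace]]:
    """Collect numbered 'access-list N ...' lines into ordered ACE lists."""
    acls: Dict[str, List[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "access-list":
            continue
        entries = acls.setdefault(t[1], [])
        if t[2] == "remark":          # comments carry no match logic
            continue
        action, proto = t[2], PROTO_ALIASES.get(t[3], t[3])
        src, src_wild, i = _addr_spec(t, 4)
        dst, dst_wild, i = _addr_spec(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append(Ace(action, proto, src, src_wild, dst, dst_wild, dport))
    return acls


def _addr_match(addr: int, wild: int, ip: str) -> bool:
    care = ~wild & ALL_ONES          # compare only the wildcard's 0 bits
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; no match means the implicit trailing deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_match(ace.src, ace.src_wild, pkt.src):
            continue
        if not _addr_match(ace.dst, ace.dst_wild, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def nat_translates(nat_acl: List[Ace], pkt: Packet) -> bool:
    """'ip nat inside source list' translates only what the list permits."""
    return evaluate(nat_acl, pkt) == "permit"


# Constructed copy of the two lists from the post.
SAMPLE_CONFIG = """
access-list 123 permit esp any any
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ahp any any
access-list 123 permit udp any any eq isakmp
access-list 111 remark LAN NAT IP ACL
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
"""

# Same ACL 111 with the entries swapped: first match makes the deny dead.
BROKEN_NAT_CONFIG = """
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print("IKE to self:", evaluate(acls["123"], Packet("udp", "203.0.113.5", "198.51.100.1", 500)))
    lan_to_client = Packet("tcp", "192.168.10.25", "192.168.12.7", 445)
    print("NAT LAN->client:", nat_translates(acls["111"], lan_to_client))
    print("NAT LAN->client (swapped):", nat_translates(parse_acls(BROKEN_NAT_CONFIG)["111"], lan_to_client))
```

Anything not on ACL 123 (for example TCP/22 to the router from the Internet) falls through to the implicit deny and therefore to the class-default drop of the zone-pair policy, which is the behaviour you want for the Self zone.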

Up to this point everything seemed fine, and when I tried to connect with the Cisco VPN client the tunnel came up, but...

No traffic passed in either direction!

Although I tried every combination of access policies, I did not manage to give remote users access to local resources, and I could not see how to write the firewall policy at all, because the crypto-map VPN has no interface that could be assigned to a zone.

After a little research on the net I found out how to terminate the VPN on a virtual-template (dynamic VTI) interface, and once there is an interface, you can put it in a zone and write zone-based policies for it. Terminating the VPN on an interface also gives us the ability to run multicast and dynamic routing protocols over the VPN connection.

So I added the following lines to the configuration:

! "local" here is the name of an AAA method list; it must be defined with
! aaa authentication login / aaa authorization network (not shown here).
crypto isakmp profile ISAKMP-PROFILE
 match identity group <group-name>
 client authentication list local
 isakmp authorization list local
 client configuration address respond
 virtual-template 1
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set <transform set name>
 set isakmp-profile ISAKMP-PROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 zone-member security VPN
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

Take note that I have already placed the virtual-template interface in zone VPN, so all that is left is to configure the class-map -> policy-map -> zone-pair policies for access between the VPN and Trust zones.
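As an added example (not part of the original post or of any Cisco tool), here is a small Python audit that reads running-config style text, fills in the IOS IKEv1 policy defaults for anything the operator did not set, flags weak algorithm choices such as the MD5 hash and DH group 2 used above, and cross-checks that every transform set, ISAKMP profile, IPsec profile and virtual template a block references is actually defined. The last check catches the kind of mistake that is easy to make in this configuration: a tunnel protection line naming an IPsec profile slightly differently from the crypto ipsec profile itself. The config text inside the block is constructed; the group name vpnusers and the transform-set name TS are placeholders.

```python
"""Static audit of an IOS IPsec/IKEv1 remote-access configuration (added example)."""
from typing import Dict, List, Set, Tuple

# IOS IKEv1 policy defaults, applied when the operator leaves a value unset.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
# Flag DES/3DES, MD5 and Diffie-Hellman groups below 2048 bits.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "ah-md5-hmac"}

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> List[Block]:
    """Group config text into (header, indented body lines); '!' lines are skipped."""
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings: weak algorithms and dangling references."""
    findings: List[str] = []
    kinds = ("transform-set", "isakmp-profile", "ipsec-profile", "virtual-template")
    defined: Dict[str, Set[str]] = {k: set() for k in kinds}
    refs: List[Tuple[str, str, str]] = []      # (kind, name, referencing header)

    def collect_set_refs(body: List[str], header: str) -> None:
        for line in body:
            t = line.split()
            if t[:2] == ["set", "transform-set"]:
                refs.extend(("transform-set", n, header) for n in t[2:])
            elif t[:2] == ["set", "isakmp-profile"]:
                refs.append(("isakmp-profile", t[2], header))

    for header, body in parse_blocks(config):
        h = header.split()
        if h[:3] == ["crypto", "isakmp", "policy"]:
            settings = dict(ISAKMP_DEFAULTS)
            for line in body:
                key, _, value = line.partition(" ")
                settings["encr" if key == "encryption" else key] = value
            for key, weak in WEAK_ISAKMP.items():
                if settings[key].split()[0] in weak:
                    findings.append(f"{header}: weak {key} {settings[key]}")
        elif h[:3] == ["crypto", "ipsec", "transform-set"]:
            defined["transform-set"].add(h[3])
            findings.extend(f"{header}: weak transform {t}" for t in h[4:] if t in WEAK_TRANSFORMS)
        elif h[:3] == ["crypto", "isakmp", "profile"]:
            defined["isakmp-profile"].add(h[3])
            for line in body:
                t = line.split()
                if t[:1] == ["virtual-template"]:
                    refs.append(("virtual-template", t[1], header))
        elif h[:3] == ["crypto", "ipsec", "profile"]:
            defined["ipsec-profile"].add(h[3])
            collect_set_refs(body, header)
        elif h[:2] == ["crypto", "dynamic-map"]:
            collect_set_refs(body, header)
        elif h[0] == "interface" and h[1].lower().startswith("virtual-template"):
            defined["virtual-template"].add(h[1][len("virtual-template"):])
            for line in body:
                t = line.split()
                if t[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                    refs.append(("ipsec-profile", t[4], header))

    findings.extend(f"{where}: references undefined {kind} {name}"
                    for kind, name, where in refs if name not in defined[kind])
    return findings


# Constructed sample in "show running-config" form (one-space indented bodies).
# It mirrors the post's algorithm choices and contains a profile-name mismatch.
WEAK_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes 256 esp-md5-hmac
!
crypto isakmp profile ISAKMP-PROFILE
 match identity group vpnusers
 virtual-template 1
!
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS
 set isakmp-profile ISAKMP-PROFILE
!
crypto dynamic-map dynmap 10
 set transform-set TS
 reverse-route
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 zone-member security VPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
"""

# Same structure with SHA-256, DH group 14 and consistent profile names.
FIXED_CONFIG = (WEAK_CONFIG.replace("hash md5", "hash sha256")
                .replace("group 2", "group 14")
                .replace("esp-md5-hmac", "esp-sha256-hmac")
                .replace("IPSEC_PROFILE", "IPSEC-PROFILE"))

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Because the audit starts from the IOS defaults, a bare `crypto isakmp policy` with no body is reported for DES and group 1 even though neither word appears in the text, which is exactly the case a grep for "md5" would miss.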

And here are the results (the template itself always shows line protocol down; each connecting client gets its own Virtual-Access interface cloned from it):

Virtual-Template1 is up, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of Vlan1 (192.168.10.1)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source <WAN IP address> (Dialer1)
   Tunnel Subblocks:
      src-track:
         Virtual-Template1 source tracking subblock associated with Dialer1
          Set of tunnels with source Dialer1, 2 members (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Path MTU Discovery, ager 10 mins, min MTU 92
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "IPSEC-PROFILE")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  <Output omitted>