In this post I'm going to show how to configure VPN remote access on a Cisco IOS router that is configured with ZBFW (Zone-Based Firewall).

This is the network topology (the diagram is not reproduced here): the LAN 192.168.10.0/24 sits behind vlan1 in the inside zone, the WAN is Dialer1 in the outside zone, and remote clients receive addresses from 172.16.0.0/24.

The following configuration sets up the VPN remote access policy with ZBFW. I assume you already have a basic ZBFW configuration in place with inside (LAN) and outside (WAN) zones.
1. First configure AAA for user authentication and group authorization:

aaa new-model
aaa authentication login VPN_CLIENT_AUTH local
aaa authorization network VPN_GROUP_AUTH local
2. Configure the IP pool which will provide IP addresses to remote users:

ip local pool VPN_POOL 172.16.0.1 172.16.0.254
3. Configure the ISAKMP Phase 1 policy:

crypto isakmp enable
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha
 group 2
 lifetime 3600
 exit

In this policy I have used 256-bit AES as the encryption algorithm.
4. Configure the ISAKMP client group:

crypto isakmp client configuration group VPN_GRP
 key <SECRET_KEY>
 dns 8.8.8.8
 wins 192.168.10.1
 domain network.local
 pool VPN_POOL
 max-users 5
 acl 108
 exit

Note that Cisco adds another layer of security here: when configuring the VPN client software you provide the group password (key <SECRET_KEY>) once, in addition to the account username and password that you enter each time you connect.
5. Configure the ACL which defines the local and remote networks for the client (split tunneling). Its number must match the acl referenced in the group configuration in step 4:

ip access-list extended 108
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 192.168.10.0 0.0.0.255
6. Define the crypto transform-set:

crypto ipsec transform-set TRANS-SET esp-aes 256 esp-sha-hmac
7. Configure the ISAKMP profile:

crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_GRP
 client authentication list VPN_CLIENT_AUTH
 isakmp authorization list VPN_GROUP_AUTH
 client configuration address respond
 virtual-template 1
 exit

Note that we are binding three items here: the VPN group (configured in step 4), and the client authentication and group authorization lists (configured in step 1).
8. Configure the IPsec profile:

crypto ipsec profile IPSEC_PROFILE
 set transform-set TRANS-SET
 set isakmp-profile ISAKMP_PROFILE
 exit
9. Configure the virtual-template interface:

! the vpn zone must exist before an interface can join it
zone security vpn
!
interface Virtual-Template1 type tunnel
 ip unnumbered vlan1
 zone-member security vpn
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE

Note that the VTI is placed in the vpn security zone.
Now let's move to the ZBFW configuration. There are three zones involved: inside, outside and vpn.
1. First configure an ACL that matches the IPsec traffic which must be passed (AH, ESP and NAT-T on UDP 4500):

ip access-list extended ACL_ISAKMP-IPSEC1
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

2. Configure another ACL that matches the ISAKMP traffic which will be inspected:

ip access-list extended ACL_ISAKMP-IPSEC2
 permit udp any any eq isakmp

3. Configure the class-map for the IPsec traffic to pass:

class-map type inspect CM_ISAKMP-IPSEC1
 match access-group name ACL_ISAKMP-IPSEC1

4. Configure the class-map for the ISAKMP traffic to inspect:

class-map type inspect CM_ISAKMP-IPSEC2
 match access-group name ACL_ISAKMP-IPSEC2
5. Now configure the policy-map from zone outside to the self zone:

policy-map type inspect PM_OUTSIDE-TO-SELF
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log

6. Configure the same from the self zone to zone outside:

policy-map type inspect PM_SELF-TO-OUTSIDE
 class type inspect CM_ISAKMP-IPSEC1
  pass
 class type inspect CM_ISAKMP-IPSEC2
  inspect
 class class-default
  drop log
7. Configure the ACL, class-map and policy-map for VPN remote access to the LAN (a standard ACL matches on source address only, so no protocol keyword is used):

ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
!
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
!
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
  inspect
 class class-default
  drop log
8. Configure the zone-pair between outside and the self zone:

zone-pair security outside-to-self source outside destination self
 service-policy type inspect PM_OUTSIDE-TO-SELF
 exit

9. Configure the zone-pair between the self zone and outside:

zone-pair security self-to-outside source self destination outside
 service-policy type inspect PM_SELF-TO-OUTSIDE
 exit

10. And configure the zone-pair between the vpn and inside zones:

zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
 exit
Assuming that your LAN interface is in the inside zone and your WAN interface is in the outside zone, this configuration should work fine.
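Because this configuration is built from many objects that reference each other by name (the ACL number in the client group, zone names on the VTI and in zone-pairs, class-maps in policy-maps), it pays to check for dangling references before committing it. The following Python script is an added example, not part of the original post: it scans an IOS configuration for every such reference and reports those that point at nothing. The sample configuration is constructed and deliberately carries two mistakes, an "acl 108" while only ACL 100 is defined, and a "zone-member security vpn" with no matching "zone security vpn".

```python
import re

# Constructed sample, not the post's full configuration. It deliberately keeps two
# dangling references: "acl 108" while only ACL 100 exists, and zone "vpn" never created.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
crypto isakmp client configuration group VPN_GRP
 pool VPN_POOL
 acl 108
ip access-list extended 100
 permit ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.0.255
ip access-list standard ACL_VPN_REMOTE
 permit 172.16.0.0 0.0.0.255
class-map type inspect CM_VPN_REMOTE_ACCESS
 match access-group name ACL_VPN_REMOTE
policy-map type inspect PM_VPN-TO-INSIDE
 class type inspect CM_VPN_REMOTE_ACCESS
interface Virtual-Template1 type tunnel
 zone-member security vpn
zone-pair security vpn-to-inside source vpn destination inside
 service-policy type inspect PM_VPN-TO-INSIDE
"""

def check_references(config):
    """Return one finding per ZBFW/VPN object that is referenced but never defined."""
    def defined(pattern):  # names created by top-level definition lines
        return set(re.findall(pattern, config, re.M))
    zones = defined(r"^zone security (\S+)") | {"self"}  # "self" is built in
    acls = defined(r"^ip access-list (?:standard|extended) (\S+)")
    class_maps = defined(r"^class-map type inspect (\S+)")
    policy_maps = defined(r"^policy-map type inspect (\S+)")
    checks = [  # (regex for the referencing line, set it must resolve in, label)
        (r"^ +acl (\S+)", acls, "client-group split-tunnel ACL"),
        (r"^ +match access-group name (\S+)", acls, "class-map ACL"),
        (r"^ +zone-member security (\S+)", zones, "interface zone"),
        (r"^zone-pair security \S+ source (\S+) destination", zones, "zone-pair source zone"),
        (r"^zone-pair security \S+ source \S+ destination (\S+)", zones, "zone-pair destination zone"),
        (r"^ +class type inspect (\S+)", class_maps, "policy-map class"),
        (r"^ +service-policy type inspect (\S+)", policy_maps, "zone-pair policy"),
    ]
    findings = []
    for pattern, known, label in checks:
        for name in re.findall(pattern, config, re.M):
            if name not in known:
                findings.append(f"{label} '{name}' is referenced but never defined")
    return findings

if __name__ == "__main__":
    print("\n".join(check_references(SAMPLE_CONFIG)) or "no dangling references")
```

The undefined vpn zone is reported twice, once for the VTI and once for the zone-pair, because both lines reference it; fixing the two definitions clears all findings.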
Configuring the Cisco VPN Client software is pretty easy. After installing the client software, follow these steps:

1. Click New for a new connection.
2. Enter the connection name.
3. Enter the router's outside IP address.
4. Enter the VPN group name (configured in step 4 of the VPN configuration).
5. Enter the group password.

Click Save and connect.