• Basic Internet Firewall for Routers without IOS image Firewall feature
• Configure DMZ on routers
• Sample IOS Firewall (CBAC) router configuration
• Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
• Zone-Based Firewall Sample Configuration
• Internet access restriction without a proxy server/websense solution?
• Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
• Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
• How do I configure a Zywall/PIX IPSec VPN
• Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
• Configure router and ASA/PIX Firewall to support various VPN technologies
• Configure router as both Internet router and VPN Concentrator
• Configure PIX/ASA as both Internet Firewall and VPN Concentrator
• Configuring Juniper SRX as Internet Firewall and IPSec VPN Concentrator

You probably have a router running basic IOS image without Firewall (FW) feature. You understand that you need a good firewall to protect your network from Internet intruders. Therefore there must be some kind of protection in place to at least try to block unwelcomed incoming traffic from the Internet or from Untrusted network coming in.

Nature Protection PAT Provides

When you have dynamic PAT in place for several internal machines to access the Internet, then by PAT nature it is already an advantage. PAT is designed to provide single Outside IP address for multiple Inside machines which connection is initiated from those Inside machines going out. When hackers on the Internet send unwelcomed traffic into Inside network, these traffic are unable to reach the intended Inside machines since there are multiple IP addresses represented by PAT and NAT session does not match such traffic, hence PAT dropped the traffic. For more info on NAT/PAT process, check out the following FAQ.
»Cisco Forum FAQ »NAT, PAT, Port Forward, Internet and Server Access: Introduction and Practices

Different Protection Approaches

Further more, the following should be in place to protect your network in addition to nature PAT protection.

1. Setup a hardware firewall (i.e. PIX Firewall) in front of the router
2. Upgrade the router to run IOS image with FW feature
3. Apply basic Firewall ACL to Internet-facing router interface

Option 1

Check out the following FAQ for sample configuration on setting a PIX Firewall in front of a router.
»Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN

This setup should be the best approach to tackle the problem. However there are some constraints that might prevent you to choose this option, such as:

* Financial burden
* The router has integrated modem (i.e. DSL, cable modem, T1, ISDN) or the router Internet-facing (WAN) interface is not Ethernet interface
* You do BGP peering with another AS, hence requires a router or layer-3 switch to be the public edge equipment

When the WAN interface router is not Ethernet or your router is BGP peering, then you then have a choice to setup a hardware firewall behind the router, while the router run basic firewall ACL.

Check out the following FAQ for sample configuration on setting a PIX Firewall behind a router.
»Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN

When you have financial burden, then the only choice is to have the router run basic firewall ACL.

Option 2

Upgrading the router is also a good approach. There are followings that might prevent you to do so.

* You currently don't have proper Smartnet contract and getting/renewing the contract might be a hassle
* The router might run too hot on memory and CPU when the router already run heavy routing
* Activating any additional features on router (including FW feature) will take the router resources (memory and CPU) that might degrade the router robustness or performance
* You don't have management control over the router, since there is another party doing so (i.e. your ISP or vendor)
* You need to meet government agency regulations and using the router as a firewall might not meet such regulations

When you have at least one of those situations, then your best option should be putting a hardware firewall in front of or behind the router.

Option 3

This option is the most economical and might be a quick way to tackle the problem. Keep in mind that

* This basic Firewall ACL only works on certain situations and certain protocol usages
* Should you choose to implement this basic Firewall ACL on the router, it is suggested to have additional hardware firewall sitting behind the router for long-term and complete solution

Assumptions on the sample configuration:

* There is Ethernet 0 interface as your LAN interface and Ethernet 1 interface as your WAN interface
* You have a single static Public IP address within your network (the 1.1.1.2/30)
* The Internet default gateway is 1.1.1.1/30
* Your LAN only has 10.0.0.0/24 as internal network and nothing else
* You run public Web and Mail servers (the www and smtp) using the 1.1.1.2 as the public IP address
* The internal Mail server IP address is 10.0.0.2 and the internal Web server IP address is 10.0.0.3
* You also use 1.1.1.2 for Internet browsing traffic from your LAN
* You use your ISP DNS servers to browse the Internet (the TCP and UDP port 53)
* Your LAN user typical daily usage is only browsing the Internet (that only use protocol TCP) and no other protocols used
* You keep logs on potential illegitimate traffic attempts

Following is the sample configuration

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip access-group 100 in
ip access-group 101 out
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25
ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80
!
ip nat inside source list 110 interface Ethernet1 overload
!
access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
!
access-list 101 remark Deny Illegitimate Traffic go outbound
access-list 101 deny tcp any any eq 135 log-input
access-list 101 deny tcp any eq 135 any log-input
access-list 101 deny udp any any eq 135 log-input
access-list 101 deny udp any eq 135 any log-input
access-list 101 deny tcp any any range 137 139 log-input
access-list 101 deny tcp any range 137 139 any log-input
access-list 101 deny udp any any range 137 139 log-input
access-list 101 deny udp any range 137 139 any log-input
access-list 101 deny tcp any any eq 445 log-input
access-list 101 deny tcp any eq 445 any log-input
access-list 101 deny udp any any eq 445 log-input
access-list 101 deny udp any eq 445 any log-input
access-list 101 deny tcp any any eq 593 log-input
access-list 101 deny tcp any eq 593 any log-input
access-list 101 deny tcp any any eq 707 log-input
access-list 101 deny tcp any eq 707 any log-input
access-list 101 deny tcp any any eq 4444 log-input
access-list 101 deny tcp any eq 4444 any log-input
access-list 101 deny ip host 0.0.0.0 any log-input
access-list 101 deny ip host 255.255.255.255 any log-input
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 101 permit ip 1.1.1.0 0.0.0.3 any
access-list 101 deny ip any any log-input
!
access-list 110 remark Deny NAT/PAT for Illegitimate Traffic
access-list 110 deny ip 1.1.1.0 0.0.0.3 any log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip any any log-input
 

Notes:

1. The sample configuration is not intended as full router configuration. It only shows related commands.

2. ACL 100: Inbound Traffic Firewall
* The key of the Firewall ACL (ACL 100) is the "established" keyword
* Internet browsing mean outbound connections initiated from your LAN out to the Internet
* Most common Internet browsing (i.e. open up websites, FTP sites, some Internet video or audio live streaming) only requires protocol TCP
* With Internet browsing, only established TCP packets that are necessary to enter your network as reply packets
* These established TCP packets are TCP ACK (acknowledge) during the three-way handshake or on ESTABLISHED mode (the actual data transfer); and RST (reset to close the connection)
* With "established" keyword, only TCP packet ACK and RST will be permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2" since the "access-list 100 permit tcp any host 1.1.1.2 established" would take care reply TCP port 53 (DNS) packets
* This ACL assumes that you have static IP address assignment from ISP (the real static IP; not static by DHCP - read this FAQ for more info »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address ). If your router must receive ISP IP address from ISP DHCP server, then you need to permit incoming bootps traffic as well. Here is the ACL 100 looks like which incorporates ISP DHCP incoming bootps packets.

access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq 25
access-list 100 permit tcp any any eq 80
access-list 100 permit udp any eq 53 any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
 

* Sometimes you need permit some basic ICMP traffic to pass through the router which are Echo Reply (ICMP Type 0), Unreachable (ICMP Type 3), and Time Exceeded (ICMP Type 11). When this is the case, then the ACL 100 should look something like this

access-list 100 remark Basic Firewall to protect from Internet intruders
access-list 100 permit icmp any host 1.1.1.2 0
access-list 100 permit icmp any host 1.1.1.2 3
access-list 100 permit icmp any host 1.1.1.2 11
access-list 100 permit tcp any host 1.1.1.2 eq 25
access-list 100 permit tcp any host 1.1.1.2 eq 80
access-list 100 permit udp any eq 53 host 1.1.1.2
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 deny ip any any log-input
 

3. ACL 101: Outbound Traffic Firewall
* Those TCP and UDP ports are known used by virus/worm, therefore outbound connection to the Internet on such ports should be blocked
* The host IP addresses are "invalid IP addresses" in Internet browsing perspective
* Since only the 1.1.1.0/30 subnet is used as the Public IP subnet, any other IP addresses from different subnet try to go out to the Internet using the router should be illegitimate traffic; hence should be blocked

4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourcing from any IP address within your Public IP subnet or any IP address other than your internal subnet should be illegitimate traffic and known used by DOS (Denial of Service) attack; hence should be blocked
* No private subnet on the Internet, hence NAT/PAT to those subnets should be blocked as well

5. Blackholing illegitimate traffic
Since there are no other private subnets within your network than 10.0.0.0/24, traffic to other private subnets should go to Null interface (black hole).

In addition, there should be blackhole routes in place for unassigned or reserved IANA IP addresses since a lot of time, hackers use these IP addresses. For more info on these unassigned or reserved IANA IP addresses, check out the following IANA site.

Abuse Issues and IP Addresses

As illustration, you can verify (after the link research) that 23.0.0.0/8 IP subnet is IANA reserved IP addresses. Therefore there should be no traffic to and from 23.0.0.0/8. The black hole route for this then should be the following

ip route 23.0.0.0 255.0.0.0 Null0
 

More Sample Configuration using ACL as Basic Firewall
»Cisco Forum FAQ »Configure DMZ on routers

Considerations

With the above description, following is the list of typical network security perimeter to protect your network which each choice has its own merit depending on your network requirements

* Internet router with Basic Internet Firewall ACL and firewall behind the router
* Internet router with Basic Internet Firewall ACL that does NAT/PAT and firewall behind the router
* Internet router with Basic Internet Firewall ACL and firewall behind the router that does NAT/PAT
* Internet router, firewall behind router, and IDS/IPS to either monitor or zap unwanted traffic

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2010-12-12 09:44:51

Suggested prerequisite reading:
»Cisco Forum FAQ »Basic Internet Firewall for Routers without IOS image Firewall feature

On these sample configurations, it is assumed the following occur

* There are at least three network segments; outside (i.e. WAN or The Internet), inside (LAN), DMZ
* These segments are within their own subnet (Layer-3 separation)
* Inside subnet is 10.0.0.0/24 and DMZ subnet is 10.0.1.0/24

Sample #1: Total Separation between Inside and DMZ

This sample assumes the following
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside cannot access DMZ

ACL Approach

1. Using One Router

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
 

2. Using Two Routers, which one is the Internet Router and another is internal router

Internet Router

interface Ethernet0
description To Internal Router (DMZ)
ip address 10.0.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface (To Internet)
ip address dhcp
ip nat outside
!
ip route 10.0.0.0 255.255.255.0 10.0.1.2
! Note that the DHCP process with the ISP results in both 
! getting the Internet Router WAN interface to receive 
! (Public) IP address and also default gateway to reach 
! the Internet.
! You can always issue "show ip route" to confirm the 
! router's routing table
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.1.255 any
 

Internal Router

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1
description To Internet Router (DMZ)
ip address 10.0.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.1.1
 

VRF Routing Approach

ip cef
!
ip vrf LAN
!
ip vrf DMZ
!
interface Ethernet0
description LAN interface
ip vrf forwarding LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip vrf forwarding DMZ
ip address 10.0.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route vrf LAN 0.0.0.0 0.0.0.0 1.1.1.1 global
ip route vrf DMZ 0.0.0.0 0.0.0.0 1.1.1.1 global
!
ip nat pool GlobalIP 1.1.1.2 1.1.1.2 netmask 255.255.255.252 add-route
ip nat inside source list 10 pool GlobalIP vrf LAN overload
ip nat inside source list 10 pool GlobalIP vrf DMZ overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
 

Sample #2: Restricted Access on DMZ specific services from Inside

This sample assumes the following
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside can access DMZ only for web (TCP port 80) and email (TCP port 25)

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 25
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 80
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 25 10.0.0.0 0.0.0.255
access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 80 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
 

Sample #3: Restricted Access on DMZ most applications from Inside

This sample assumes the following
* Internet-only access for DMZ
* DMZ cannot access inside
* Inside can access DMZ on any TCP-based application and DNS (TCP and UDP port 53)
* Note that most applications are TCP-based. Therefore this sample applies to most network

interface Ethernet0
description LAN interface
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
!
interface Ethernet1
description WAN interface
ip address 1.1.1.2 255.255.255.252
ip nat outside
!
interface Ethernet2
description DMZ interface
ip address 10.0.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 remark Permited Subnets to go out to the Internet
access-list 10 permit 10.0.0.0 0.0.1.255
access-list 100 remark Restricted Inside network Access
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 53
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Restricted DMZ network Access
access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
 

Some Discussions

»[Config] SMTP Between 2 routers

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2012-02-27 19:38:50

When your router is running IOS image with FW feature, you can implement CBAC as a Stateful Firewall IOS-based. With such inspection, the router can inspect inbound traffic from outside such as The Internet to inside the network. The router can also inspect outbound traffic from inside the network to outside. Note that the sample configurations implement outbound inspection on the WAN (Internet) interface that regulate outbound traffic from inside to the Internet.

Typically no inspection is necessary or even needed to regulate traffic between inside or non-Internet interfaces. When there are no public servers hanging off the router and there are only outbound traffic such as Internet browsing (in addition of no inspection between inside interfaces), there should be no reason to implement inspection on inside interface. Therefore it is common practice to implement inspection on the WAN (Internet) interface to regulate outbound traffic when there are multiple non-Internet interfaces on the router and/or there are no inbound traffic.

Inspecting Generic Traffic

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/
!
no aaa new-model
ip subnet-zero
no ip source-route
!
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ssh break-string
isdn switch-type basic-net3
!
!
!
!
!
!
interface Ethernet0
description LAN
ip address 192.168.0.16 255.255.255.0
no ip proxy-arp
ip nat inside
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
ppp authentication chap pap callin
!
interface Dialer1
description ISP
ip address negotiated
ip access-group 121 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect OUTBOUND out
encapsulation ppp
no ip split-horizon
dialer pool 1
dialer remote-name Cisco1
dialer idle-timeout 360
dialer string 08089916001 class DialClass
dialer hold-queue 10
dialer load-threshold 20 either
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname host-username
ppp chap password 7 ****
ppp pap sent-username username-here password 7 ****
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
map-class dialer DialClass
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 121 remark **** Permitted inbound packets ****
access-list 121 deny udp any range 137 139 any
access-list 121 deny tcp any range 137 139 any
access-list 121 deny icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 deny icmp any any
access-list 121 permit ip any any time-range TIME
access-list 121 deny ip any any log-input
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 0 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
login local
transport preferred all
transport input all
transport output all
!
no rcapi server
!
!
time-range TIME
periodic daily 0:00 to 23:59
!
!
end

Inspecting Instant Messaging Traffic

1. Medium Security Policy on Application Traffic

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
!
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid wtbhome
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 ******
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
station-role root
no dot11 extension aironet
no cdp enable
bridge-group 1
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 103 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

2. High Security Policy on Application Traffic

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ???????????????????????
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 208.67.222.222 208.67.220.220
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny na
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-2642721116
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2642721116
revocation-check none
rsakeypair TP-self-signed-2642721116
!
!
crypto pki certificate chain TP-self-signed-2642721116
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32363432 37323131 3136301E 170D3038 30313136 30353033
34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36343237
32313131 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CB9E 16476447 E416F6C1 A994AB08 1525CF8E FA38C653 49ED2B44 34A66AC9
4D9C2677 71756644 0D54DBB1 11C224E5 4D17EC67 2148384A FE15B177 3C8D3710
4338044F 6672B697 9FEBC408 EA552F2A 6B2C7035 2E38B6F8 55E09757 0AC5A2
163FFA91 C26D8443 3EFBDFD1 CE078C9C 350AE5E5 EE866021 491C4362 8476AD3D
0E930203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15526F75 7465722E 796F7572 646F6D61 696E2E63 6F6D301F
0603551D 23041830 16801444 9A67C06B 63BCAF40 5D467966 AA658D22 F6353430
1D060355 1D0E0416 0414449A 67C06B63 BCAF405D 467966AA 658D22F6 3534300D
06092A86 4886F70D 01010405 00038181 005D6986 D31370A4 A327EB4B FF7ED748
25C11602 76C2A0B7 A0A1D670 7DF73001 BFAEEFF9 E6C4BE6F EB9BF6DC 1FD7D8
9B571B6E C4A4307C B1A03F91 92EF08BF B249D567 1A46D51D 3405862C A88BFCC7
AD9B755A B2BB1298 271B6952 7A08CD61 F89A31B6 A2DB9C6F 62B00F6D 7089A7FB
44D7D866 D527960F 7A138B26 92252C4B D4
quit
username tborland privilege 15 secret 5 ??????????????
!
!
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip inspect SDM_HIGH out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [my dsl account]
ppp chap password 0 [password]
ppp pap sent-username [my_dsl_account] password 0 [password]
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
interface BVI1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip tcp adjust-mss 1452
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 1 in
transport input ssh
!
scheduler max-task-time 5000
end

Note:
There is a known bug in older IOS images that cause CBAC ip inspect command to "zap out" out-of-order TCP packets which can cause slow connection in opening up web sites. When this is applicable to you, you may need to upgrade the IOS image to 12.4 train or later.

Check out the following thread for details.
»[Info] Inspect engine burned me again

Some discussions

»801 ISDN access list woes
»Cisco 831 hardened config example?

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2010-08-31 12:38:13

Extracted from following thread:
»[HELP] IOS IPS -- Is the performance hit worth it?

Note:
To run this configuration, your router needs to run IOS image that has IPSec/IDS feature and have the signature file on its flash memory. Check out the following FAQ for more info.

»Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default group radius
aaa authorization exec default local 
aaa authorization network default group radius 
aaa authorization network sdm_vpn_group_ml_1 group radius 
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
aaa session-id common
!
resource policy
!
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 65537
ip tcp synwait-time 10
no ip bootp server
ip domain name Company.local
ip name-server 192.168.<x>.<server>
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect tcp reassembly queue length 64
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 fragment maximum 250 timeout 1
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 l2tp
ip inspect name DEFAULT100 pptp
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
ip dhcp-server 192.168.x.server
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow alarm
    port-misuse tunneling action allow alarm
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-3534083426
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3534083426
 revocation-check none
 rsakeypair TP-self-signed-3534083426
!
crypto pki trustpoint titan
 enrollment mode ra
 enrollment url http://192.168.x.server:80/certsrv/mscep/mscep.dll
 usage ike
 password <removed>
 subject-name CN=Me,O=Company
 revocation-check crl none
!
!
crypto pki certificate chain TP-self-signed-3534083426
 certificate self-signed 01
  <removed>
  quit
crypto pki certificate chain titan
 certificate <removed>
  quit
 certificate ca <removed>
  quit
no crypto engine onboard 0
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 
   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 
   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 
   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 
   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 
   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 
   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 
   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 
   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 
   F3020301 0001
  quit
username xxx privilege 15 secret 5 <removed>
!
! 
!
crypto isakmp policy 1
 encr 3des
 group 2
 lifetime 900
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 900
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec security-association idle-time 900
!
crypto ipsec transform-set ESP-3DES-SHA-transport esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 description L2TP/IPSec
 set transform-set ESP-3DES-SHA-transport 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description Internet$ES_WAN$$FW_OUTSIDE$
 bandwidth 18147
 ip address <my ip address> 255.255.248.0
 ip access-group 101 in
 ip verify unicast reverse-path 103
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1500
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 atm route-bridged ipv6
 pvc BeUnlimited 0/101 
  oam-pvc manage
  encapsulation aal5snap
 !
 ipv6 enable
 ipv6 nd ra suppress
 crypto map SDM_CMAP_1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 
 description L2TP
 ip unnumbered BVI1
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1360
 peer default ip address dhcp
 ppp mtu adaptive
 ppp authentication eap ms-chap-v2
 ppp ipcp header-compression ack
 ppp ipcp username unique
 ppp timeout idle 600 either
!
interface Dot11Radio0
 description Wireless interface
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 countermeasure tkip hold-time 5
 !
 encryption mode ciphers tkip 
 !
 ssid Wireless
    authentication open 
    authentication key-management wpa
    guest-mode
    wpa-psk ascii <removed>
 !
 world-mode dot11d country GB indoor
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 ip accounting access-violations
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.<x>.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 <gateway>
!
ip flow-top-talkers
 top 25
 sort-by bytes
 cache-timeout 36000
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static udp 192.168.<x>.<server> 5005 interface ATM0.1 5005
ip nat inside source static udp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 1755 interface ATM0.1 1755
ip nat inside source static tcp 192.168.<x>.<server> 554 interface ATM0.1 554
ip nat inside source static tcp 192.168.<x>.<server> 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.<x>.<server> 1723 interface ATM0.1 1723
ip nat inside source static tcp 192.168.<x>.<server> 4125 interface ATM0.1 4125
ip nat inside source static tcp 192.168.<x>.<server> 444 interface ATM0.1 444
ip nat inside source static tcp 192.168.<x>.<server> 443 interface ATM0.1 443
ip nat inside source static tcp 192.168.<x>.<server> 25 interface ATM0.1 25
ip nat inside source static tcp 192.168.<x>.<server> 80 interface ATM0.1 80
!
logging trap debugging
logging 192.168.<x>.<server>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.<x>.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 192.168.<x>.<server> eq 1645 host 192.168.<x>.1
access-list 100 permit udp host 192.168.<x>.<server> eq 1646 host 192.168.<x>.1
access-list 100 deny   ip 87.194.32.0 0.0.7.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit gre any any log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host <my ip address> eq www
access-list 101 permit esp any host <my ip address>
access-list 101 permit udp any host <my ip address> eq isakmp
access-list 101 permit udp any host <my ip address> eq non500-isakmp
access-list 101 permit udp any host <my ip address> eq 5005
access-list 101 permit udp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 1755
access-list 101 permit tcp any host <my ip address> eq 554
access-list 101 permit tcp any host <my ip address> eq 3389
access-list 101 permit tcp any host <my ip address> eq 1723
access-list 101 permit gre any host <my ip address> log
access-list 101 permit tcp any host <my ip address> eq 4125
access-list 101 permit tcp any host <my ip address> range 443 444
access-list 101 permit tcp any host <my ip address> eq smtp
access-list 101 permit icmp any host <my ip address> echo-reply
access-list 101 permit icmp any host <my ip address> time-exceeded
access-list 101 permit icmp any host <my ip address> unreachable
access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org
access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp
access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66
access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp
access-list 101 deny   icmp any any redirect log
access-list 101 deny   ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.<x>.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 103 remark Log any unicast reverse path packets
access-list 103 remark SDM_ACL Category=1
access-list 103 remark Deny any packets that fail unicast reverse path
access-list 103 deny   ip any any log
snmp-server community <removed> RW
snmp-server community <removed> RO
no cdp run
!
!
!
radius-server host 192.168.<x>.<server> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp clock-period 17175097
ntp source BVI1
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
!
webvpn install svc flash:/webvpn/svc.pkg
end
 

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2007-07-11 11:09:37

Note:

* Router needs to run 12.4 IOS image with Firewall support

!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
 server <lan server ip> auth-port 1645 acct-port 1646
!
aaa authentication login local_authen local
aaa authentication ppp default group radius
aaa authorization exec local_author local
aaa authorization network default group radius
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-1
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting resource default start-stop-failure group radius
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 phone
dot11 arp-cache
no ip source-route
ip icmp rate-limit unreachable 100
ip icmp rate-limit unreachable DF 1
ip cef
!
ip nbar pdlm flash:/rtp-124.pdlm
!
!
!
ip tcp ecn
ip tcp selective-ack
ip tcp window-size 169360
ip tcp synwait-time 10
no ip bootp server
ip domain name johnpavel.local
ip name-server <lan server ip>
ip port-map user-terminal port tcp 3389 description Terminal Services
ip port-map user-mmsu port udp 1755 description MMSU
ip port-map user-sharepoint port tcp 444 description Windows Sharepoint Services
ip port-map user-rtspu port udp 5005 description RTSPU
ip port-map user-remote-web port tcp 4125 description Remote Web Workplace
ip port-map user-nat-stun port udp 3478 description Simple Traversal of UDP through NAT
ip ssh time-out 60
ip dhcp-server <lan server ip>
login block-for 15 attempts 2 within 30
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel password 7
 l2tp tunnel receive-window 256
!
 
parameter-map type inspect pmap-audit
  audit-trail on
password encryption aes
!
crypto pki trustpoint TP-self-signed-...
!
crypto pki trustpoint <server>
 enrollment mode ra
 enrollment url http://<server>:80/certsrv/mscep/mscep.dll
 usage ike
 password 7 08781A1C2F495C4E422F545573087C7B10
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-...
  quit
crypto pki certificate chain ...
  quit
no crypto engine onboard 0
!
!
username <user> privilege 15 secret 5 <removed>
!
!
class-map type inspect match-all sdm-cls-http-1
 match access-group name InternalServer
 match protocol http
class-map type inspect match-any AllowedOut
 description Permitted Traffic to internet
 match protocol https
 match protocol dns
 match protocol imap
 match protocol icmp
 match protocol ftp
 match protocol smtp extended
 match protocol sip
 match protocol user-nat-stun
 match protocol ntp
 match protocol pop3
 match protocol pptp
 match protocol rtsp
 match protocol realmedia
 match protocol netshow
 match protocol appleqtc
 match protocol streamworks
 match protocol vdolive
 match protocol telnet
class-map type inspect match-all sdm-cls-http
 match protocol http
class-map type inspect match-any SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ExternallyVisibleProtocols
 description Externally-visible protocols
 match protocol http
 match protocol https
 match protocol smtp extended
 match protocol user-sharepoint
 match protocol user-remote-web
 match protocol pptp
 match class-map SDM_GRE
 match protocol user-terminal
 match protocol rtsp
 match protocol netshow
 match protocol user-mmsu
 match protocol user-rtspu
class-map type inspect match-any returningGRE
 description Returning GRE for PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-all ICMPReply
 description Only certain pings permitted to router
 match access-group name ICMPReply
class-map type inspect match-any RouterToOutside
 description Permit router-generated traffic out
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all ExternallyVisibleServices
 description Externally-visible protocols headed to server
 match access-group name InternalServer
 match class-map ExternallyVisibleProtocols
class-map type inspect match-any IPSec
 description For L2TP/IPSec
 match class-map SDM_ESP
 match protocol isakmp
 match protocol ipsec-msft
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse any
class-map type inspect match-any InvalidSource
 description Invalid source addresses for internally-generated outgoing traffic
 match access-group name InvalidSource
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect http match-any sdm-http-allowparam
 match  req-resp protocol-violation
!
!
policy-map type inspect RouterToInside
 description Router to LAN
 class class-default
  inspect
policy-map type inspect InsideToRouter
 description LAN to router
 class class-default
  inspect
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect InsideToOutside
 description LAN to Internet
 class type inspect returningGRE
  inspect pmap-audit
 class type inspect InvalidSource
  drop log
 class type inspect sdm-cls-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect AllowedOut
  inspect
 class class-default
  drop log
policy-map type inspect OutsideToInside
 description Internet to LAN (server)
 class type inspect ExternallyVisibleServices
  inspect pmap-audit
 class class-default
  drop log
policy-map type inspect OutSideToRouter
 description Permitted traffic from internet to router
 class type inspect ICMPReply
  pass
 class type inspect IPSec
  pass
 class class-default
  drop log
policy-map type inspect RouterToOutSide
 description Router to internet
 class type inspect RouterToOutside
  inspect pmap-audit
 class class-default
  pass
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
zone-pair security RouterToInside source self destination Inside
 service-policy type inspect RouterToInside
zone-pair security InsideToRouter source Inside destination self
 service-policy type inspect InsideToRouter
zone-pair security OutsideToRouter source Outside destination self
 service-policy type inspect OutSideToRouter
zone-pair security RouterToOutside source self destination Outside
 service-policy type inspect RouterToOutSide
zone-pair security OutsideToInside source Outside destination Inside
 service-policy type inspect OutsideToInside
!
!
crypto isakmp policy 10
 encr aes 256
 group 2
!
crypto isakmp policy 20
 encr aes 192
 group 2
!
crypto isakmp policy 30
 encr aes
 group 2
!
crypto isakmp policy 40
 encr 3des
 group 2
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 60
 encr aes 192
 authentication pre-share
 group 2
!
crypto isakmp policy 70
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 80
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 <removed> address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map Dynamic-CryptoMap 1
 description IPSec
 set transform-set ESP-AES128-SHA ESP-3DES-SHA
 reverse-route
!
!
crypto map IPSec-Policy 65535 ipsec-isakmp dynamic Dynamic-CryptoMap
!
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description Be* Unlimited$ES_WAN$$FW_OUTSIDE$
 bandwidth receive 17800
 ip address <my external ip address> <my external mask>
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip mtu 1500
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security Outside
 ip tcp adjust-mss 1460
 no snmp trap link-status
 atm route-bridged ip
 pvc BeUnlimited 0/101
  oam-pvc manage
  encapsulation aal5snap
 !
 crypto map IPSec-Policy
!
interface FastEthernet0
 description Switch
!
interface FastEthernet1
 description titan
!
interface FastEthernet2
 description Yellow
!
interface FastEthernet3
 description phone
!
interface Virtual-Template1
 description L2TP$FW_OUTSIDE$
 ip unnumbered BVI1
 ip verify unicast reverse-path
 no ip redirects
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 ip route-cache flow
 ip tcp adjust-mss 1360
 peer default ip address dhcp
 no keepalive
 ppp mtu adaptive
 ppp authentication eap ms-chap-v2
 ppp ipcp header-compression ack
 ppp ipcp username unique
!
interface Dot11Radio0
 description Wireless
 no ip address
 ip accounting access-violations
 !
 encryption mode ciphers tkip
 !
 ssid Wireless
    authentication open
    authentication key-management wpa
    accounting radius
    guest-mode
    wpa-psk ascii 7 <removed>
 !
 world-mode dot11d country GB indoor
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan1
 description LAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip accounting access-violations
 ip tcp adjust-mss 1460
 bridge-group 1
!
interface BVI1
 description LAN Wireless bridge$ES_LAN$$FW_INSIDE$
 ip address <router ip address> 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 ip route-cache flow
!
router bgp <removed>
 no synchronization
 bgp log-neighbor-changes
 neighbor 195.66.241.98 remote-as <removed>
 neighbor 195.66.241.98 description cymru
 neighbor 195.66.241.98 password 7 <removed>
 neighbor 195.66.241.98 ebgp-multihop 255
 neighbor 195.66.241.98 prefix-list cymru-out out
 neighbor 195.66.241.98 route-map CYMRUBOGONS in
 neighbor 195.66.241.98 maximum-prefix 100 90
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 <remote gateway ip address>
ip route 192.0.2.1 255.255.255.255 Null0
ip route <cymru ip address> 255.255.255.255 <remote gateway ip address>
!
ip bgp-community new-format
ip community-list 10 permit <removed>
ip flow-cache timeout active 1
ip flow-export version 9
ip flow-export destination <netflow monitor ip> 9996
ip flow-top-talkers
 top 50
 sort-by bytes
 cache-timeout 3600000
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp <lan server ip> 80 interface ATM0.1 80
ip nat inside source static tcp <lan server ip> 25 interface ATM0.1 25
ip nat inside source static tcp <lan server ip> 443 interface ATM0.1 443
ip nat inside source static tcp <lan server ip> 444 interface ATM0.1 444
ip nat inside source static tcp <lan server ip> 4125 interface ATM0.1 4125
ip nat inside source static tcp <lan server ip> 1723 interface ATM0.1 1723
ip nat inside source static tcp <lan server ip> 3389 interface ATM0.1 3389
ip nat inside source static tcp <lan server ip> 554 interface ATM0.1 554
ip nat inside source static tcp <lan server ip> 1755 interface ATM0.1 1755
ip nat inside source static udp <lan server ip> 1755 interface ATM0.1 1755
ip nat inside source static udp <lan server ip> 5005 interface ATM0.1 5005
ip nat inside source list 1 interface ATM0.1 overload
!
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended InternalServer
 remark Traffic to server
 remark SDM_ACL Category=128
 permit ip any host <lan server ip>
ip access-list extended InvalidSource
 remark Invalid Source Address on LAN
 remark SDM_ACL Category=128
 permit ip host 255.255.255.255 any
 permit ip <gateway network> <inverse gateway mask> any
 permit ip 127.0.0.0 0.255.255.255 any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=0
 permit esp any any
ip access-list extended SDM_GRE
 remark SDM_ACL Category=0
 permit gre any any
!
!
ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32
ip radius source-interface BVI1
logging trap debugging
logging <lan server ip>
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit <lan network> <lan network mask>
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit <lan network> <lan network mask>
access-list 2 deny   any
access-list 112 remark VTY Access-class list
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip <lan network> <lan network mask> any
access-list 112 deny   ip any any
snmp-server community <removed> RW
snmp-server community <removed> RO
snmp-server ifindex persist
no cdp run
!
!
!
route-map CYMRUBOGONS permit 10
 description Filter bogons learned from cymru.com bogon route-servers
 match community 10
 set ip next-hop 192.0.2.1
!
radius-server host <lan server ip> auth-port 1645 acct-port 1646 key 7 <removed>
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
^C
alias exec ru sh run
alias exec ri sh run | i
alias exec rb sh run | b
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
 speed 115200
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 112 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175104
ntp server 193.190.230.66 source ATM0.1
ntp server 213.2.4.80 source ATM0.1
end
 

Discussions

»ASA vs ZBFW
»How would you do this?
»[HELP] Multi-Interface Firewall Config Help
»[HELP] ZBF and shared folder (windows)
»[Config] Zone-based firewall and out-or-order dropped packets
»[Config] ACL and Zone base firewall config

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2012-11-13 13:33:46

This FAQ was inspired by the following post:
»How to Configure Internet Access restrictions ?

In some organizations or companies, there might be policy to restrict Internet access. The idea behind this is that to either block or restrict access to Internet site or to unknown/unapproved Internet application unrelated to business requirement or even disruptive to business objectives.

Typical approach of controlling and restricting such access is to deploy proxy server between internal network and the Internet gateway. This proxy server could be some Windows or Unix server, or vendor-specific proxy appliance such as BlueCoat ProxySG.

In smaller networks, organizations, or companies; the proxy appliance deployment could be either financial or technical burden. In this case, this kind of network management might consider other alternatives such as using either router or firewall to do the restriction. Following is the discussion.

Router Approach

A solution which uses the router to filter Internet access (web traffic), allowing what is defined to go through and deny all others.

Option 1: Using CBAC feature

This "work around" is the use of Cisco's Web Filtering functionality which goes hand in hand with the Websense products. This FAQ will utilise the current functionality of the Websense solution without a server by deviating from the original design of this suite of technologies by Cisco.

Note that this is only supported in IOS that have the CBAC functionality.

First off, create an ACL which will be used in the Java filter statement that allows everything through to avoid triggering the Java applet scanner which can be CPU intensive and degrading router performance.

access-list 10 permit any
 

Define the IP INSPECT statements as below and then add what URLs are allowed to be accessed such as www.google.com and www.froogle.com in the example below:

ip inspect name inspect-out http urlfilter audit-trail off
ip inspect name inspect-out http java-list 10
ip urlfilter exclusive-domain permit www.google.com
ip urlfilter exclusive-domain permit www.froogle.com
 

The statement "ip urlfilter exclusive-domain www.xxxx.com" adds a domain name to or from the exclusive domain list so that the firewall does not have to send look-up requests to the Websense server. So, regardless of the Websense server being available or not, which in this case does not exist, the router will allow all HTTP requests to the above domains through.

There is a setting which is defined by the statement "ip urlfilter allow-mode on/off" where if the router can't talk to the Websense server, it will allow web traffic through or deny it depending on this setting. There is no Websense server defined at all but what we will do is turn off the allow-mode so all traffic will be denied bar the ones defined in the exclusive-domain statement.

ip urlfilter allow-mode off
 

Now the configuration has been setup, it then has to be applied to the interface like a normal ip inspect statement, for example:

interface Dialer1
 description PPPoX dialer to ISP
 ip inspect inspect-out out
 

or

interface FastEthernet4
 description Interface to Cable modem
 ip inspect inspect-out out
 

Option 2: Using QoS CBWFQ feature

Using the same previous situation, the permitted web sites are only www.google.com and www.froogle.com; while traffic to other sites are blocked. This time the filtering technique is utilising CBWFQ which is also applied to the WAN interface.

access-list 100 remark DNS traffic
access-list 100 permit tcp any any eq 53
access-list 100 permit udp any any eq 53
!
class-map match-any Internet_Sites
 match protocol http host "*www.google.com*"
 match protocol http host "*www.froogle.com*"
 match access-group 100
!
policy-map Restricted_Internet_Access
 class Internet_Sites
   bandwidth percent 20
 class class-default
   police cir 8000
     conform-action drop
     exceed-action drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access
 

CBWFQ (Class Based Weighted Fair Queue) is Cisco QoS (Quality of Service) feature that can be used to shape or to drop certain traffic. In this sample configuration, outbound traffic to www.google.com, to www.froogle.com, and to ISP DNS servers are set to guarantee 20% bandwidth during congestion. Other traffic will be dropped even when there is no congestion.

Let's review another illustration. Some organizations prevent their employee to access public social sites such as www.myspace.com and adult (porn) sites such as www.playboy.com; while still permit access to other Internet sites. Using the CBWFQ, following is blocked-access sample configuration.

class-map match-any Internet_Sites
 match protocol http host "*.myspace.com*"
 match protocol http host "*.playboy.com*"
!
policy-map Restricted_Internet_Access
 class Internet_Sites
   drop
!
interface Ethernet0
 description Facing LAN
 service-policy input Restricted_Internet_Access
 

More illustration on CBWFQ technique to restrict/maintain website access
»[Config] QoS with CBWFQ to prioritize a website

Notes:

* Using similar approach, you can also implement NBAR (Network Based Application Recognition) to restrict or even to drop/block Internet access, especially P2P (Peer-to-Peer) traffic. Check out the following FAQ for more info.

»Cisco Forum FAQ »Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview

* The router may need to run IOS image of either IP Services, Advanced IP Services, Enterprise, or Advanced Enterprise to support QoS. If the router does not run such IOS image, check out the next option as alternative.

Option 3: Using ACL IP Address-Based

The downside of the two previous sample configurations is that your router may not support such feature. A good side is that most routers support access block by IP addresses or subnets. Following is illustration on how to block access by the site's IP addresses, which the filter is applied to the LAN interface.

Let's revisit the www.myspace.com access block. Using DNS A record and WHOIS checks, it is revealed that currently myspace.com subnet is 216.178.32.0/20 (from 216.178.32.0 to 216.178.47.255). Following is the sample configuration of block access to myspace.com based on its IP addresses.

access-list 100 remark Restricted Internet Access
access-list 100 deny ip any 216.178.32.0 0.0.15.255
access-list 100 permit ip any any
!
interface FastEthernet1
 description Interface to LAN
 ip access-group 100 in
 

Side Note:
You can use one of following sites for public DNS A record and WHOIS checking

http://www.whatismyip.com/ip-tools/
http://network-tools.com/

Keep in mind that this block access method only works when myspace.com still occupies the 216.178.32.0/20 subnet. It was known that originally myspace.com did not occupy this subnet. When the blocked site IP addresses are moved to different subnet, then there will be a need to adjust the blocked IP subnet to the new one. This adjustment is not needed when one of the two previous options is deployed.

ASA/PIX Firewall Approach

Cisco documentations on sample configurations

Cut-through Proxy for Network Access using TACACS+ and RADIUS Server
Allow/Block FTP Sites Using Regular Expressions with MPF
Block Certain Websites (URLs) Using Regular Expressions with MPF
Block the Peer-to-Peer (P2P) and Instant Messaging (IM) Traffic Using MPF

Non-Cisco approach

As mentioned at the first paragraph, in typical network setup there are either Unix-based or Windows-based proxy server, or vendor-specific appliance such as Bluecoat ProxySG appliance to do the Internet access restriction. The advantage of using vendor-specific appliance such as Bluecoat ProxySG appliance is that you don't have to manually update website link database in order to keep up with changes in the website links or with new websites, not to mention free hardware replacement possibility. In addition the Internet access restriction can be based by the internal user Windows or RADIUS credential so that you can pick and choose which users will and will not be affected. The disadvantage is that this vendor-specific appliance requires certain costs that may be financial prohibitive to certain organizations, small businesses, or home users.

For those who are savvy enough in networking world or would like to experiment, there are alternative (free) solutions from OpenDNS and Untangle. While OpenDNS uses DNS IP address assignment as part of its solution, Untangle uses any generic PC to be a dedicated server running (free) Untangle software on either routing or transparent (bridging) mode. The solution from OpenDNS and Untangle could be free or low cost depending on your network environment or need. The advantage to use either one of these solution is that there is free or low cost solution with similar offering that vendor-specific appliances use. Check out the following links for more info.

OpenDNS
Overview
OpenDNS - A Technical Overview

Untangle
Overview
Why Untangle?

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by Covenant edited by aryoba
last modified: 2013-02-12 15:57:39

Introduction

NBAR (Network-Based Application Recognition) is a very indepth topic hence this FAQ will try to illustrate one of its many functionalities and how to action packets that match the protocol criteria required.

NBAR has its niche within the QoS (Quality of Service) crowd where specific applications are given precedence or not as the case maybe depending on the network requirements at the time of the implementation. NBAR allows recognition of a wide variety of applications where QoS may be implemented on them, i.e. from the bandwidth intensive Citrix to the port changing Kazaa P2P (Peer-to-Peer) application.

NBAR allows the classification of protocols from layer 4 to 7 hence allowing the router in some respects to disregard its layer 3 position and to look at the high layer protocols. NBAR can recognise:

• Statically assigned TCP and UDP port numbers

• Non-UDP and non-TCP IP protocols

• Dynamically assigned TCP and UDP port numbers. Classification of such applications requires stateful inspection; that is, the ability to discover the data connections to be classified by parsing the connections where the port assignments are made.

• Sub-port classification or classification based on deep packet inspection; that is, classification by looking deeper into the packet.

NBAR can classify static port protocols. Although access control lists (ACLs) can also be used for this purpose, NBAR is easier to configure and can provide classification statistics that are not available when using ACLs.

NBAR includes a Protocol Discovery feature that provides an easy way to discover application protocols that are transversing an interface. The Protocol Discovery feature discovers any protocol traffic supported by NBAR. Protocol Discovery maintains the following per-protocol statistics for enabled interfaces: total number of input and output packets and bytes, and input and output bit rates. The Protocol Discovery feature captures key statistics associated with each protocol in a network that can be used to define traffic classes and QoS policies for each traffic class.

The router (depending on model and IOS version) has built-in NBAR functionality which may be seen when configuring NBAR:

london-colo-east(config-cmap)#match protocol ?

Or when scrutinising a port-map:

london-colo-east-01-e-01#sh ip nbar port-map

which will demonstrate the ports and IP protocol of the various protoocols present.

An external Packet Description Language Module (PDLM) can be loaded at any time to extend the NBAR list of recognized protocols. PDLMs can also be used to enhance an existing protocol recognition capability. PDLMs allow NBAR to recognize new protocols without requiring a new Cisco IOS image or a router reload, hence PDLMs allow the router to gain the functionality of recognising applications at the application layer for the protoocols which when the router was shipped, was either not available or have changed in its function so much that an update is required.

To view a list of currently available PDLMs or to download a PDLM:

NBAR Packet Description Language Module Download

There are a number of examples, such as Citrix, gnuttella, skinny, etc. This type of traffic would have been hard to classify using standard QoS tecniques, either to minimise the impact of such programs on bandwidth, to drop them or to allocate the most amount of bandwidth to. PDLMs give the router this added ability to recognise the traffic specified by it as well as some other types of traffic pre-defined in the IOS.

---

Procedure (* optional if application NBAR required on is already present:

CEF should be enabled.

1.)* Copy the pdlm into the router's flash:

london-colo-east-01-e-01#copy tftp flash
Address or name of remote host []? 192.168.1.254
Source filename []? bittorrent.pdlm
Destination filename [bittorrent.pdlm]?
Accessing tftp://192.168.1.254/bittorrent.pdlm...
Erase flash: before copying? [confirm]n
Loading bittorrent.pdlm from 192.168.1.254 (via FastEthernet0.1): !
[OK - 4125 bytes]

Verifying checksum... OK (0xA1BF)
4125 bytes copied in 0.192 secs (21484 bytes/sec)
london-colo-east-01-e-01#sh flash:

System flash directory:
File Length Name/status
1 9773168 c1700-k9o3sy7-mz.123-10.bin
2 4125 bittorrent.pdlm
[9777424 bytes used, 6737644 available, 16515068 total]
16384K bytes of processor board System flash (Read/Write)

2.) Enable CEF

london-colo-east-01-e-01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
london-colo-east-01-e(config)#ip cef
 

3.)* Reference the pdlm in the config:

london-colo-east-01-e-01#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
london-colo-east-01-e(config)#ip nbar pdlm bittorrent.pdlm 
london-colo-east-01-e(config)#
 

The result

ip cef
ip nbar pdlm bittorrent.pdlm
!
 

4.) Create a class-map and policy map and apply it to the interface concerned:

class-map match-all bittorrent
  match protocol bittorrent
!
policy-map bittorrent-policy
  class bittorrent
   drop
!
interface FastEthernet0
 description Facing LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input bittorrent-policy
 speed 100
 full-duplex
!
 

Basically, within the policy-map bittorrent-policy, the action for any packets matching that protocol arriving on the fa0 interface was to DROP them. Packet manipulation is possible using QoS such as setting the precedence bits or setting maximum/limited bandwidth for further processing down the line but in this instance, the packets are set to be dropped as soon as they arrive on the fa0 interface.

QoS (Quality of Service) and NBAR

QoS should be the suggested reading for any more indepth look at policy-maps. As illustration, following is sample configuration using NBAR and QoS CBWFQ (Class-Based Weighted Fair Queue) for most common P2P protocols.

Unlike the previous sample configuration where P2P traffic is dropped or blocked, this sample configuration objective is to permit with restriction. The restriction is that all P2P traffic will be limited to only 8 kbps bandwidth. Any attempt from P2P traffic to use more than 8 kbps bandwidth will be dropped or blocked.

class-map match-any p2p
 match protocol bittorrent
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
!
policy-map QoS-inbound-policy
 class p2p
   police cir 8000
     conform-action drop
     exceed-action drop
!
interface FastEthernet0
 description Facing LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 service-policy input QoS-inbound-policy
 speed 100
 full-duplex
!
 

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by Covenant edited by aryoba
last modified: 2010-01-07 08:40:57

Suggested prerequisite reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections

Introduction

Setting up site-to-site IPSec VPN connection in general involves two phases. Phase 1 is called IKE or ISAKMP SA (Security Association) establishment and Phase 2 is called IPSec SA establishment.

Phase 1

In general, Phase 1 deals with confirmation among sites that are about to establish secure connection across unsecure network. This process is to verify that each site is authorized to establish such connection. Following is further description.

Phase 1 is to establish the ISAKMP key matching with remote site. One popular technique of this ISAKMP key matching is to use pre-shared key. This key is basically a string (combination of alphabets, numbers, and characters) that both sites agree to use. The key is then stored (and encrypted) within each VPN device configuration.

Phase 1 in IPSec VPN connection establishment is also involving the remote VPN device IP address (peer). A popular technique is to specifically set the remote peer IP address (for security purposes); known as static configuration. With this specific static configuration, both pre-shared key and remote IP address are statically configured into the VPN device.

During the Phase 1 VPN tunnel establishment using the static configuration of both pre-shared key and remote IP address, the two VPN peer IP addresses (the local and the remote) must match. If the two VPN peer IP addresses match, then the next step is to match the pre-shared key between the two VPN devices.

This pre-shared key matching process is done within an encapsulated secure (encrypted) tunnel. The encapsulation type and method used is the encryption specified for the Phase 1. If there is a change needed of either IP address, pre-shared key, or the encryption; then manual adjustment is needed.

To sum up, Phase 1 VPN tunnel establishment in this case involves matching process of three factors where all the three are statically configured into both VPN devices. The three factors are VPN peer IP addresses (both ends), pre-shared key, and encryption type and method. Such static configuration shows those three factors as the key of how Phase 1 process take place to verify security association establishment between sites that are about to setup secure connection over untrusted network.

Phase 2

Once Phase 1 is passed successfully, then the setup process moves to the Phase 2. In general, Phase 2 deals with traffic management of the actual data communication between sites. There will be mechanism to determine which data goes where, encrypted or not.

In Cisco security device, one mechanism factor is to use access list. An access list is used to specify or regulate which data (source and destination IP addresses or subnets) need to be encrypted or decrypted (going through the VPN tunnel).

Similar to the Phase 1, there is also specific remote VPN peer IP addresses and IPSec VPN tunnel type and method only for the Phase 2. All the access list, remote VPN peer IP addresses, and the Phase 2 IPSec VPN tunnel type and method are statically configured into both VPN devices. The actual data passing (that are encrypted before leaving local VPN device to go to the remote VPN device; and are decrypted when arriving at local VPN device from the remote VPN device) are encapsulated within the Phase 2 IPSec VPN tunnel.

In other word, the access list, VPN peer IP addresses, and IPSec VPN tunnel type and method are the key to establish the Phase 2. Once Phase 2 is established, the actual data between sites will be passing.

Between Phase 1 and Phase 2

Note that only the Phase 2 involves the IPSec protocol, either ESP (Protocol 50) or AH (Protocol 51). Both Phase 1 (ISAKMP) and Phase 2 (IPSec) use specific encryption type (i.e. AES, 3DES, DES) and hash (MD5 or SHA). Specifically for Phase 1, there is the Diffie-Hellman group type (Group 1, 2, or 5) and the ISAKMP SA (Security Association) timeout or lifetime.

Cisco Configuration Guide
An Introduction to IP Security (IPSec) Encryption
Virtual Private Networks with the Cisco PIX Firewall - Introduction and Implementation

Illustration

Let's review the following PIX IPSec VPN tunnel configuration

PIX Version 6.1(2)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix_1
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
names
!
!--- These are the access list that regulate the actual data passing within Phase 2 IPSec VPN tunnel
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 2:
!--- The 10.1.1.0/24 is local subnet to this PIX 1 VPN device as the source subnet
!--- The 10.2.2.0/24 is remote subnet reside at the PIX 2 remote VPN device as the destination subnet
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
!
!--- The IPSec VPN tunnel between PIX 1 and PIX 3:
!--- The 10.1.1.0/24 is local subnet to this PIX 1 VPN device as the source subnet
!--- The 10.3.3.0/24 is remote subnet reside at the PIX 3 remote VPN device as the destination subnet
access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 
!
!--- No NAT in place for traffic to other PIX Firewall private networks
!--- This access list associates with the nat 0 (inside) command
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 
!
pager lines 24
logging on
logging facility 20
logging queue 512
mtu outside 1500
mtu inside 1500
!
!--- The outside interface IP address will be used as the local VPN peer IP address
ip address outside 172.18.124.153 255.255.255.0
!
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
!
!--- Do not perform NAT for traffic to other PIX Firewalls
!--- This assumes that there is no overlapping subnet within your network
nat (inside) 0 access-list 100
!
!--- Note that the following static route also cover IP reachability to the remote subnets
route outside 0.0.0.0 0.0.0.0 172.18.124.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
   0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
!
!--- This is to permit data passing (regulated by the Phase 2 access list) between sites
!--- without applying specific inbound access list into the local IPSec VPN tunnel interface
sysopt connection permit-ipsec
!
no sysopt route dnat
!
!--- The Phase 2 IPSec VPN type and method used
!--- In this illustration, Protocol 50 (ESP) with DES encryption and MD5 hash is used
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
!--- The "crypto map" command specify the access list that regulate data passing between
!--- local and remote VPN devices;
!--- specify the remote VPN peer IP address;
!--- and specify the Phase 2 IPSec VPN tunnel type and method used
! 
!--- IPsec configuration for the Phase 2 IPSec VPN tunnel to PIX 2:
!
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 172.18.124.154 
crypto map newmap 20 set transform-set myset
!
!--- IPsec configuration for the Phase 2 IPSec VPN tunnel to PIX 3:
!
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer 172.18.124.157 
crypto map newmap 30 set transform-set myset
!
!--- This is to specify that outside interface is to be used as the local VPN peer interface
crypto map newmap interface outside
!
!--- This is to enable ISAKMP key exchanging on the outside interface as the local VPN peer interface
isakmp enable outside
!
!--- The "isakmp key" command specifies the preshared key and remote VPN peer IP addresses
!--- of each Phase 1 VPN tunnel
isakmp key ******** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp key ******** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode
!
!--- This is to use the local VPN peer IP address for Phase 1 VPN peer IP address matching process 
isakmp identity address
!
!--- The Phase 1 VPN tunnel type and method used
!
!--- The lowest number of ISAKMP policy will be used to see if it is working.
!--- If the policy number does not work, then 
!--- proceed to the next bigger policy number to see if that works
!
!--- You may notice similar encryption and hashing method between Phase 1 and 2
!--- In this sample configuration, the first ISAKMP policy uses 3DES encryption level and MD5 hash
!--- The second ISAKMP policy uses DES encryption level and also MD5 hash
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
!
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
!
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:436c96500052d0276324b9ef33221b2d
: end
 

To understand the complete picture, please review the PIX-to-PIX IPSec Fully Meshed Sample Configuration.

Side Note:
Further understanding regarding each PIX command and technology behind it, check out the following Cisco link:
Cisco PIX Firewall Command Reference Version 6.3

Note that from VPN connection perspective, the actual data can only be passing between two sites when followings are met (in addition of other basic interconnectivity requirement)

* Phase 1 is established: matching VPN peer IP address, preshared key, Phase 1 encryption type and method
* Phase 2 is established: matching VPN peer IP address, access list, Phase 2 IPSec type and method
* Proper IP Routing is in place: either by static routes or by dynamic routing protocol

In other words, configuration between two VPN devices must match.

Sample Configurations

Following is sample configuration of site-to-site IPSec VPN tunnel between two sites. As to full mesh (or partially mesh) site-to-site VPN involving three or more sites, it is basically similar setup as the single site-to-site VPN between two sites. You just need to setup the tunnel one by one; between 1st and 2nd sites, between 1st and 3rd sites, between 2nd and 3rd sites, and so on.

Specifically in setting up IPSec tunnel on Cisco router, PIX, or ASA in hub and spoke, partially mesh, or fully mesh setup that involve three or more sites; you need to use different sequence number of "crypto map" command for each remote VPN IP address and specific access list that regulate the encrypted traffic. The PIX-to-PIX sample configuration illustrates that.

PIX to PIX
Configuring PIX to PIX to PIX IPSec Fully Meshed

ASA running OS 8.4 to ASA/PIX Firewall running OS 7.0
»[HELP] ASA site-to-site VPN

Router to Router

1. Basic Configuration
Configuring Router-to-Router IPSec Using AES Encryption
Configuring IPSec Between Three Routers Using Split Tunneling
Configuring IPSec Router-to-Router Hub and Spoke
Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes
Configuring IPSec Router-to-Router Fully Meshed

2. Extended Configuration
Configuring an IPSec Tunnel through a Firewall with NAT
Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
Configuring a Router-to-Router LAN-to-LAN Tunnel with a Router Initiating IKE Aggressive Mode
Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients

Router to VPN 3000 Concentrator
Configuring the Cisco VPN 3000 Concentrator to a Cisco Router
EZ VPN

PIX to Router
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

PIX to VPN 3000 Concentrator
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml

PIX to Checkpoint 4.1 Firewall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

PIX to Checkpoint NG Firewall
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

PIX to Juniper Netscreen Firewall
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml

PIX to Sonicwall
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

PIX to Zywall
»Cisco Forum FAQ »How do I configure a Zywall/PIX IPSec VPN

Various Cisco Devices to Microsoft Windows server
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

Network Design and Implementation

Note that IPSec VPN tunnel uses Protocols 50 (ESP) or 51 (AH), UDP 500 (ISAKMP), and UDP 4500 (IPsec NAT-Traversal or well known as IPSec over UDP) in order to establish a connection, as described in industry-standard RFC 3947 and RFC 4301. Therefore it is essential that these protocols and UDP ports are permitted to pass through your ISP or your Internet connection.

In addition, having static Public IP address as the VPN termination on all VPN devices is highly suggested in order to maintain stable connectivity. Many broadband ISP such as DSL and Cable Internet are providing such services under Business Class with affordable price, though a "real" business-grade Internet connection such as Ethernet, fiber, or at least DS-3 is preferable. Following is a list of sample configurations of implementing static Public IP address as VPN termination on various appliances as illustration.

»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator
»Cisco Forum FAQ »Configuring Juniper SRX as Internet Firewall and IPSec VPN Concentrator

To further describe, following are typical site-to-site IPSec VPN tunnel setup, which the IPSec VPN Concentrator can be a router, ASA/PIX Firewall, or any VPN Concentrator appliance.

1. IPSec VPN Concentrator faces the Internet directly
2. IPSec VPN Concentrator is behind a firewall
3. IPSec VPN Concentrator is behind a firewall that also does NAT/PAT

Scenario 1: IPSec VPN Concentrator faces the Internet directly

Network Diagram

LAN 1 --- VPN Concentrator 1 
                  |                    *
                  |                    *
                ISP 1                  *
                  |                    *
                  |                    *
              Internet          IPSec VPN Tunnel
                  |                    *
                  |                    *
                ISP 2                  *
                  |                    *
                  |                    *
          VPN Concentrator 2 --- LAN 2

When the VPN Concentrator faces the Internet directly, the assumption is that the VPN Concentrator uses Public Internet-routable IP address that is assigned by your ISP. Typical physical setup is as follows

* VPN Concentrator connects to ISP modem
* VPN Concentrator connects to a switch where an ISP router or Internet router connects to

In most cases, establishing IPSec VPN tunnel with this kind of scenario is straight forward since the VPN Concentrator is seen as directly connected to the Internet. Should there a connection problem, you can start by making sure that the necessary protocols (the ESP and AH protocols) and ports (the UDP ports 500 and 4500) are permitted to pass through by either your ISP or the Internet router.

Scenario 2: IPSec VPN Concentrator is behind a firewall

Network Diagram

LAN 1 --- VPN Concentrator 1 
                  |                    *
                  |                    *
              Firewall 1               *
                  |                    *
                  |                    *
                ISP 1                  *
                  |                    *
                  |                    *
              Internet          IPSec VPN Tunnel
                  |                    *
                  |                    *
                ISP 2                  *
                  |                    *
                  |                    *
              Firewall 2               *
                  |                    *
                  |                    *
          VPN Concentrator 2 --- LAN 2
 

When the VPN Concentrator is behind a firewall, the assumption is that the VPN Concentrator is behind a firewall and uses Public Internet-routable IP address that is assigned by your ISP. Typical physical setup is as follows

* VPN Concentrator connects to Internet firewall
* VPN Concentrator connects to a switch where an Internet router or Internet firewall connects to

Since there is a firewall in front of the VPN Concentrator, make sure that the necessary protocols (the ESP and AH protocols) and ports (the UDP ports 500 and 4500) are permitted to pass through by the firewall.

Scenario 3: IPSec VPN Concentrator is behind a firewall that also does NAT/PAT

Network Diagram

LAN 1 --- VPN Concentrator 1 
                  |                    *
                  |                    *
          Firewall 1 (does NAT/PAT)    *
                  |                    *
                  |                    *
                ISP 1                  *
                  |                    *
                  |                    *
              Internet          IPSec VPN Tunnel
                  |                    *
                  |                    *
                ISP 2                  *
                  |                    *
                  |                    *
          Firewall 2 (does NAT/PAT)    *
                  |                    *
                  |                    *
          VPN Concentrator 2 --- LAN 2
 

When the VPN Concentrator is behind a firewall that also does NAT/PAT, the assumption is that the VPN Concentrator is behind a firewall and uses Private non-Internet-routable IP address. The firewall, by using the NAT, translates the VPN Concentrator Private IP address into Public Internet-routable IP address that is assigned by your ISP.

Similar to Scenario 2, make sure that the necessary IPSec VPN protocols and ports are permitted to pass through by the firewall. In addition, there must be a dedicated Public IP address that will be used by the VPN Concentrator in the NAT process. This dedicated Public IP address cannot be used for any other mean other than for IPSec VPN tunnel establishment. Should there be a need to go out to the Internet in form of browsing or accessing the Internet, then there must be a separate Public IP address for this mean.

In other words, you cannot use single Public IP address for both Internet access and IPSec VPN tunnel establishment. The reason is that the IPSec VPN Protocols 50 and 51 (ESP and AH) have no concept of port number unlike TCP or UDP protocols. If you force to use single Public IP address for both Internet access and IPSec VPN tunnel establishment, then there might be a connection issue in place.

Some discussions

»[Config] Configuring More Than 1 VPN Tunnel (871w)
»[HELP] IPSec VPN Tunnel
»crypto % Invalid input detected at '^' marker

Basic Troubleshooting

1. Phase 2 (IPSec - the actual data passing)

* Make sure the data source and destination IP addresses or subnets match the regulating access list
* Check the data passing process between the two sites. In Cisco equipment, you can issue the show crypto ipsec sa command or feature which will show the SA (Security Association) between encrypted traffic (outgoing data) and decrypted traffic (incoming data)

2. Phase 1 (ISAKMP - the key)

* Assuming you use preshared key, make sure the remote VPN peer IP address and key match between two VPN device configuration
* Check the Phase 1 VPN tunnel up/down status between two sites. In Cisco equipment, you can issue the show crypto isakmp sa command or feature which will show the up/down tunnel status between local VPN peer IP address and remote VPN peer IP address.
* Issue simple connection test to the remote site (the remote VPN peer IP address) such as ICMP ping and traceroute (whenever possible)
* Reboot one or both VPN devices sometime might solve VPN connectivity issue

As a general rule, configuration of each VPN device in site-to-site IPSec VPN tunnel scenario must match as mentioned previously. ACL, NAT, encryption type used, and routing table are just some of the key points to check in addition to the Phases 1 and 2 verification.

Running Advanced Routing on IPSec VPN Tunnels

In general, advanced routing such as running OSPF or Novell IPX over IPSec VPN tunnels alone is not supported as discussed in this FAQ.
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels

To run such advanced routing over IPSec VPN tunnels, you need to implement some form of GRE over IPSec. Check out the following FAQ for more info.

VPN Tunnel To Support Non-IP traffic and/or Dynamic Routing Protocols: GRE over IPSec
»Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations

Easy VPN

Between two Cisco VPN devices (either router, ASA, or PIX Firewall), you can implement Cisco solution of Easy VPN. This Easy VPN is basically similar to traditional site-to-site IPSec VPN as described above with the exception of no need to know remote VPN client IP address to establish IPSec VPN tunnel. Further the Easy VPN solution works on typical home user or small office setup where there is only one dynamic Public IP address for everything (Internet access and IPSec VPN tunnel among other things) and the Cisco VPN device sits behind ISP-managed modem/router

The Easy VPN concept introduces two main VPN devices which are VPN server and VPN client. VPN server is typically Cisco VPN device that sits in main office or headquarters while VPN client is Cisco VPN device that sits in remote office, mobile office, or home office. Similar to traditional site-to-site IPSec VPN, there is point-to-point or point-to-multipoint network (hub and spoke) between single VPN server and one or more VPN clients.

As a requirement, VPN server has to use static Public IP address. The VPN clients (remote VPN devices) are not required to use static Public IP address though it is suggested to maintain stable connection. Since VPN clients can use ever-changing dynamic Public IP address, the VPN server does not need to know the VPN client IP address to establish the VPN tunnel. However both VPN devices (server and client) need to have the same pre-shared key (or certificate), same IPSec protocols, same encryption, and same everything else; similar to traditional site-to-site IPSec VPN.

Check out the following Cisco link for illustration
Easy VPN Sample Configurations

Establishing Site-to-Site IPSec VPN that requires NAT

So far we have been reviewing configurations that requires no NAT for LAN subnets, which means that LAN machines of each VPN site end sees the actual machine IP addresses. In some cases when you need to establish Site-to-Site IPSec VPN, you require to NAT the LAN subnets so that the other end only see the NAT-ed IP address. Such NAT requirement may take place where you need to establish VPN with business partners or external networks.

With any NAT/PAT design, following is a guideline regardless of IPSec VPN association, simple Internet access, or any applications.
* PAT is doable if your LAN machines only act as clients and never act as servers
* NAT is doable if your LAN machines only act as clients and never act as servers
* NAT is required if your LAN machines act as clients and servers

When you do have to PAT/NAT, it is suggested that you use non-RFC-1918 IP addresses (i.e. some Public IP addresses) in order to avoid overlap networks on both end that use the same Private IP schemes. The best solution in regards of PAT/NAT in IPSec VPN tunnel connectivity is to have dedicated non-RFC-1918 IP addresses for Internet access (non-encrypted traffic) and another set of dedicated non-RFC-1918 IP addresses for encrypted traffic (IPSec VPN).

Some organizations however may only have one non-RFC-1918 IP address that is currently being used as Public IP address for Internet access. Should these organizations need to establish Site-to-Site IPSec VPN tunnel with business partners which requires NAT/PAT, fortunately these organizations can use the same Public IP address for Internet access, IPSec VPN tunnel termination, and the NAT/PAT IP address of the encrypted traffic when the organizations' LAN machines only act as clients and never act as servers. Following is illustration.

Your network needs to establish Site-to-Site IPSec VPN with business partner. The business partner has requirement that your network has to be NAT/PAT-ed into Public IP address and to match their IPSec VPN setup as follows.

Business Partner's Network
LAN Subnets: 2.2.2.0/24
IPSec VPN termination IP address: 2.2.1.1
IKE Phase 1 (ISAKMP):
Preferred - AES 256 encryption, MD5 hash, pre-shared keys authentication, Group 2 DH (Diffie-Hellman) Exchange, 86400 seconds Lifetime
Optional - 3DES encryption, MD5 hash, pre-shared keys authentication, Group 2 DH Exchange, 86400 seconds Lifetime
IKE Phase 2 (IPSec):
Preferred - ESP-MD5-HMAC and ESP-AES 256
Optional - ESP-MD5-HMAC and ESP-3DES

For the sake of discussion, let assume the following in your network.
LAN Subnets: 10.0.1.0/24, 172.16.1.0/24
Public IP address: 1.1.1.1

Following is your network topology

                                        IPSec VPN tunnel
                                         ==============
LAN Subnet 1 -- Layer-3 Switch -- Router -- Internet -- Business Partner's Network
172.16.1.0/24                        |                        2.2.2.0/24
                               LAN Subnet 2
                                10.0.1.0/24

To match the business partner's IPSec VPN setup, following is the router configuration addition to make the router as Internet router, IPSec VPN tunnel termination, and NAT/PAT device for both Internet traffic (non-encrypted) and private traffic to business partner's network (encrypted network).

access-list 100 remark Permitted Subnets to go through IPSec VPN tunnel
access-list 100 permit ip host 1.1.1.1 2.2.2.0 0.0.0.255
!
crypto isakmp policy 10
encryption aes 256
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp policy 20
encryption 3des
hash md5
authentication pre-share
group 2
lifetime 86400
!
crypto isakmp key [ENTER THE PRE-SHARED KEY HERE] address 2.2.1.1
!
crypto ipsec transform-set Business_Partner-10 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set Business_Partner-20 esp-3des esp-md5-hmac
!
crypto map Business_Partner 10 ipsec-isakmp
 set peer 2.2.1.1
 set transform-set Business_Partner-10
 set pfs group2
 match address 100
!
crypto map Business_Partner 20 ipsec-isakmp
 set peer 2.2.1.1
 set transform-set Business_Partner-20
 set pfs group2
 match address 100
!
int fa4
crypto map Business_Partner
!
 

Following is the router's full configuration.

Router Configuration

no service pad
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname diablo-router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ******
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default line enable
aaa authorization exec default local
aaa authorization commands 15 default local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone EST -5
clock summer-time EDT recurring
service-module wlan-ap 0 bootimage autonomous
!
ip source-route
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.10
!
ip dhcp pool Office_Wireless-Pool
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1
   dns-server 4.2.2.2 8.8.8.8
   domain-name restricted
!
!
ip cef
no ip domain lookup
ip domain name diablo.com
ip multicast-routing
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn *******
!
!
!
spanning-tree portfast bpduguard
username admin secret 5 ******
!
!
ip ssh source-interface Vlan1
ip ssh version 2
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ****** address 2.2.1.1
!
!
crypto ipsec transform-set Business_Partner-10 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set Business_Partner-20 esp-3des esp-md5-hmac
!
crypto map Business_Partner 10 ipsec-isakmp
 set peer 2.2.1.1
 set transform-set Business_Partner-10
 set pfs group2
 match address 100
!
crypto map Business_Partner 20 ipsec-isakmp
 set peer 2.2.1.1
 set transform-set Business_Partner-20
 set pfs group2
 match address 100
!
!
!
!
interface Loopback0
 ip address 10.0.0.127 255.255.255.255
 ip virtual-reassembly
 !
!
interface FastEthernet0
 switchport access vlan 4
 spanning-tree portfast
 !
!
interface FastEthernet1
 description Office Switch port 1
 switchport access vlan 100
 spanning-tree portfast
 !
!
interface FastEthernet2
 switchport access vlan 5
 spanning-tree portfast
 !
!
interface FastEthernet3
 switchport access vlan 6
 spanning-tree portfast
 !
!
interface FastEthernet4
 description Office Internet Modem
 ip address dhcp
 ip access-group 121 in
 ip nat outside
 ip inspect OUTBOUND out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map Business_Partner
 !
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
 !
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk allowed vlan 1-3,1002-1005
 switchport mode trunk
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.0.0.129 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 !
!
interface Vlan2
 description Wireless office
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan3
 description Wireless guest
 ip address 10.0.0.153 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan4
 description IT
 ip address 10.0.0.161 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan5
 description IT Test
 ip address 10.0.0.9 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip ospf cost 10
 !
!
interface Vlan6
 description OOB
 no ip address
 ip nat inside
 ip virtual-reassembly
 !
!
interface Vlan100
 description Office Switch
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 !
!
router rip
 version 2
 passive-interface FastEthernet4
 passive-interface Vlan1
 passive-interface Vlan2
 passive-interface Vlan3
 passive-interface Vlan4
 passive-interface Vlan5
 network 10.0.0.0
 default-information originate
 distribute-list prefix RIP-To_OfficeSwitch out Vlan100
 no auto-summary
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet4 overload
!
!
ip prefix-list RIP-To_OfficeSwitch description Permitted Subnets To Announce
ip prefix-list RIP-To_OfficeSwitch seq 10 permit 0.0.0.0/0
ip prefix-list RIP-To_OfficeSwitch seq 20 permit 10.0.0.128/25
ip prefix-list RIP-To_OfficeSwitch seq 30 permit 10.0.0.127/32
!
access-list 10 permit 10.0.1.128 0.0.0.15
access-list 10 permit 172.16.0.0 0.0.1.255
access-list 10 permit 10.0.1.160 0.0.0.7
access-list 10 permit 172.16.2.0 0.0.0.255
!
access-list 100 remark Permitted Subnets to go through IPSec VPN tunnel
access-list 100 permit ip host 1.1.1.1 2.2.2.0 0.0.0.255
!
access-list 110 remark No NAT in place for internal traffic
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.0.1.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 deny ip 10.0.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 deny ip 172.16.0.0 0.0.7.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 172.16.0.0 0.0.7.255 172.16.0.0 0.15.255.255
access-list 110 deny ip 172.16.0.0 0.0.7.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.0.0 0.0.7.255 any
!
access-list 120 remark Wireless Guest Restriction
access-list 120 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 120 deny   ip 10.0.0.152 0.0.0.7 10.0.0.0 0.255.255.255
access-list 120 deny   ip 10.0.0.152 0.0.0.7 172.16.0.0 0.15.255.255
access-list 120 deny   ip 10.0.0.152 0.0.0.7 192.168.0.0 0.0.255.255
access-list 120 permit ip 10.0.0.152 0.0.0.7 any
!
access-list 121 remark **** Permitted inbound packets ****
access-list 121 permit udp any eq bootps any eq bootpc
access-list 121 permit udp host 96.47.67.105 eq ntp any
access-list 121 permit udp host 64.90.182.55 eq ntp any
access-list 121 permit ip host 2.2.1.1 any
access-list 121 deny   ip any any
!
no cdp run
!
!
!
!
!
control-plane
 !
!
banner exec ^C
-----------------------------------------------------------------------
This is a proprietary system only for those who are authorized.
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 10 in
 transport input ssh
!
scheduler max-task-time 5000
ntp source FastEthernet4
ntp server 64.90.182.55
ntp server 96.47.67.105 prefer
end
 

Notes:

* Using this configuration, the 1.1.1.1 IP address is used as the Internet Public IP address, IPSec VPN tunnel termination, and NAT/PAT-ed IP address for encrypted traffic.

* Since the router acts as NAT/PAT device, any outbound LAN traffic coming from the Layer-3 switch are NAT/PAT-ed into 1.1.1.1 IP address. In other words, the router sees the outbound LAN traffic as 1.1.1.1 and not as 10.x.x.x nor 172.16.1.x anymore. With this in mind, the ACL 100 source IP address has to be the NAT/PAT-ed IP address (the 1.1.1.1) instead of the actual LAN machine IP addresses.

Caveats:

With this kind of network design, there are following caveats

* Any LAN machines that their broadcast domains connect directly to the router (such as SVI VLAN interfaces 1, 2, 3, 4, 5) won't be able to connect to any network. When those LAN machines are set to be DHCP clients using the router as the DHCP server, the LAN machines are getting the router's Public IP address with the assumption that the router's Internet-facing interface (in this case interface FastEthernet4) is set as DHCP client to the ISP. In other words, such configuration only works where all LAN machines sit behind the router (i.e. in the Layer-3 switch). When there are existing machines connect directly to the router, then you need to move them out of the router in order to maintain such machines' network connectivity.

* Traffic intended to the router itself such ssh to the router for management purposes will be seen as NAT-ed traffic. Certainly internal traffic (i.e. ssh from 172.16.1.135 to 10.0.0.2 router IP address) are not supposed to be NAT-ed. Therefore it is necessary to have such ACL 110 to specify which traffic to be NAT-ed and else.

Some Discussions

»Just a contribution to the group on VPN configs
»[HELP] 2 questions for a new net design (VLAN's & IPSEC VPN's)
»Crypto ISAKMP Debugging

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2013-01-20 18:31:24

The network layout that this configuration works for is
192.168.0.0 /24 -> Zywall 2x -> Speedstream 5100(PPOE)->internet ->Cisco 1720 -> x.x.x.192 /26 public ip pool -> Pix 501 -> 192.168.1.0 /24
The outside interface of the Pix is x.x.x.194

Pix config

MYCOFW# write t
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MYCOFW
domain-name MYCOMPANY.com
access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any
access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any
access-list To-Internet permit icmp any any
access-list From-Internet permit tcp any host x.x.x.196 eq smtp
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list to-internet permit icmp any any
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.194 255.255.255.192
ip address inside 192.168.1.25 255.255.255.0
ip local pool MYCOippool 192.168.2.1-192.168.2.254
global (outside) 1 x.x.x.200-x.x.x.250 netmask 255.255.255.192
global (outside) 1 x.x.x.251
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group From-Internet in interface outside
access-group To-Internet in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac
crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf
crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap
crypto map MYCOmap client configuration address initiate
crypto map MYCOmap client configuration address respond
crypto map MYCOmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local MYCOippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup MYCOvpn address-pool NONATippool
vpngroup MYCOvpn dns-server 205.171.3.65
vpngroup MYCOvpn wins-server 192.168.1.1
vpngroup MYCOvpn default-domain MYCOMPANY.com
vpngroup MYCOvpn idle-time 1800
vpngroup MYCOvpn password ********
vpngroup MYCO address-pool NONATippool
vpngroup MYCO dns-server 192.168.1.1 205.171.3.65
vpngroup MYCO wins-server 192.168.1.1
vpngroup MYCO default-domain MYCO.com
vpngroup MYCO idle-time 1800
vpngroup MYCO password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local NONATippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password xxxx
vpdn username yyyy password yyyyy
vpdn username zzzz password zzzzz
vpdn enable outside

Zywall Config:

Menu 27.1.1 - IPSec Setup

Index #= 1 Name= Work
Active= Yes Keep Alive= Yes Nat Traversal= No
Local ID type= IP Content=
My IP Addr= 0.0.0.0
Peer ID type= IP Content= x.x.x.194
Secure Gateway Address= x.x.x.194
Protocol= 17
Local: Addr Type= SUBNET
IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Remote: Addr Type= SUBNET
IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0
Port Start= 0 End= N/A
Enable Replay Detection= Yes
Key Management= IKE

Menu 27.1.1.1 - IKE Setup

Phase 1
Negotiation Mode= Main
PSK= ********
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2

Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None

In addition I had to enable 2 firewall rules on the Zywall Wan/WanZywall interface.
1) Source address (x.x.x.192 255.255.255.192) Destination (Any) forward Any Tcp Any Udp

2) source address (Any) Destination (Any) forward (ike,gre,ah,esp) I also include icmp & auth, though I don't think these are necessary for the vpn, they help with dslr line monitoring & my mail server.




got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by TerryMiller edited by aryoba
last modified: 2008-12-29 16:13:38

Suggested Prerequisite Reading
»Cisco Forum FAQ »Setting Up Private Site-To-Site Connections

Introduction

When a local network needs to communicate with remote network, there are in general two ways of doing it. One way is to utilize Public network (such as the Internet) and another way is to utilize Private network. Traditionally, Private network consists of dedicated or private circuits of T1/E1 (and higher), ISDN, and frame relay. With today's VPN technology, one can utilize Public network to transport Private network with less cost than dedicated Public network, more convenient since it is On-Demand based, and yet still secure just like the traditional Private network.

On implementation side, there must be a way to distinguish which traffic destined to Public network and which traffic destined to Private network. With IPSec VPN, this is where Split Tunnel come into place. With proper implementation, Split Tunnel decides which traffic destined to Public network and which traffic destined to Private network.

Another scenario is when there is physical device separation between Public network gateway and Private network gateway. In VPN implementation, the Private network gateway is the device that terminates the VPN tunnel where the Public network gateway is the device that connects directly to the Public network. When there is a IPSec VPN implementation, then typically the Private network gateway terminates the IPSec tunnel where the Public network gateway passes the IPSec tunnel just like passes any other IP traffic.

In some network, Public network gateway and Private network gateway resides at the same physical device. When this is the case, the same physical device terminates the IPSec tunnel and then passes the IPSec tunnel just like passes traffic destined to Public network.

Typical IPSec VPN tunnel implementation is to not NAT/PAT traffic destined to Private network and to NAT/PAT only those traffic destined to Public network. Therefore there must be some mechanism that regulate which traffic to NAT/PAT and which traffic not to NAT/PAT. In Cisco devices, this mechanism is controlled by ACL that regulate such traffic.

With routing protocol, there might be a need to implement GRE tunnel in addition to the IPSec tunnel. Depending on the implementation, there can be one device terminating the GRE tunnel, one device terminating the IPSec tunnel (that carries the GRE tunnel), and another device passes the GRE/IPSec (GRE over IPSec) tunnel just like passes traffic destined to Public network. Check out the following FAQ for more info on GRE/IPSec tunnel.

»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels

Following is a list of sample configuration with various design and implementation.

Static Routes over VPN

PIX Firewall passing IPSec tunnel

Configuring an IPSec Tunnel through a PIX Firewall with NAT

IPSec tunnel passthrough on NAT/PAT Device and Utilize Single Public IP Address For Both Internet and IPSec Tunnel (Split Tunneling)

1. Router as the NAT/PAT Device
IOS Router to Pass a LAN-to-LAN IPSec Tunnel via PAT

2. PIX Firewall as the NAT/PAT Device
IPsec Tunnel Pass Through a PIX Firewall With use of Access List and with NAT Configuration Example

3. Static mappings with overloaded NAT and VPN
Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT

---

Kindly provided by Manta courtesy of these posts.

Quoted Post #1

Problem:

Two 837 routers connected to ADSL lines. R1 is at Site1 and R2 at Site2. Both have single fixed IP addresses and run an ISAKMP/IPSEC tunnel between them to route the LAN traffic between sites. This works fine but the problem is that when a static NAT entry is put in so that, for example, Remote Desktop is available from the internet to a particular PC at Site1 then it stops access to any Remote Desktop from Site2.

Solution:

Change the IPSEC tunnel so that it only carries traffic from the loopback interface of R1 to the loopback interface of R2. Then run a GRE tunnel over that IPSEC tunnel and route and site to site traffic via Tunnel0.

Site1: 10.0.0.0/24 GW: 10.0.0.254
Site2: 10.1.0.0/24 GW: 10.1.0.1

Sample Configuration:

! Last configuration change at 11:16:23 BST Thu Jun 3 2004 by gareth
! NVRAM config last updated at 11:16:25 BST Thu Jun 3 2004 by gareth
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Site1
!
logging queue-limit 100
enable secret 5
!
username
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login local-auth local-case
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name
!
!
no ip bootp server
ip cef
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http alert on
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
ip audit name INTERNET-OUT info action alarm
ip audit name INTERNET-OUT attack action alarm drop reset
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 5
crypto isakmp key address
!
!
crypto ipsec transform-set lan-lan-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 10 ipsec-isakmp
description IPSec tunnel to carry GRE
set peer
set transform-set lan-lan-tunnel
set pfs group5
match address site2-gre
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
ip address 192.168.2.1 255.255.255.0
keepalive 3 3
tunnel source Loopback0
tunnel destination 192.168.1.2
!
interface Ethernet0
ip access-group Ethernet_In in
ip address 10.0.0.254 255.255.255.0
ip access-group Ethernet-In in
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address negotiated
ip access-group Internet_In in
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect INTERNET-OUT out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname
ppp chap password
crypto map vpn-tunnel
!
ip nat inside source list NAT interface Dialer0 overload
! Collection of static mappings removed but example given
ip nat inside source static tcp interface Dialer0
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
!
ip access-list extended Ethernet-In
remark Invalid internet addresses
deny ip any 0.0.0.0 0.255.255.255 log
permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.0.2.0 0.0.0.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark Lock down email to servers
permit tcp host 10.0.0.2 any eq smtp
deny tcp any any eq smtp log
deny tcp any any eq pop3 log
remark other
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit tcp any any
permit udp any any
deny ip any any log
ip access-list extended Internet-In
remark vpn enable
!Unsure if next two lines needed but it's belt and braces
permit esp host any
permit udp host eq isakmp any eq isakmp
permit ip host 192.168.1.2 host 192.168.1.1
remark Invalid internet addresses
deny ip 0.0.0.0 0.255.255.255 any log
permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark Port Mappings
remark SMTP mail mapping
permit tcp any any eq smtp
remark SSH access mappings
permit tcp host any eq 22
remark Other
permit icmp host any echo
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any echo-reply
remark SNTP time servers
permit udp host 158.43.128.33 eq ntp any
permit udp host 158.43.128.66 eq ntp any
deny ip any any log
ip access-list extended NAT
! Don't know if these NAT Deny's are necessary any more but it's two hot to think about it at the moment.
deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended site2-gre
permit ip host 192.168.1.1 host 192.168.1.2
radius-server authorization permit missing Service-Type
banner login $
Access to this device is only permitted by authorised users
All access to this device is logged
$
!
line con 0
logging synchronous
login authentication local-auth
no modem enable
stopbits 1
line aux 0
login authentication local-auth
stopbits 1
line vty 0 4
logging synchronous
login authentication local-auth
transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
end

Quoted Post #2

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 warnings
enable secret
!
aaa new-model
!
!
aaa group server radius wireless-radius
server 10.1.0.2 auth-port 1645 acct-port 1646
ip radius source-interface Vlan1
!
aaa authentication login local-auth local-case
aaa authentication login wireless-eap group wireless-radius
aaa authentication ppp default local-case
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid w-secure
vlan 2
authentication open eap wireless-eap
authentication key-management wpa
!
dot11 ssid w-ps3
vlan 3
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bullet-systems.com
ip multicast-routing
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http java-list 2 alert on
ip inspect name INTERNET-OUT ftp alert on timeout 300
ip inspect name INTERNET-OUT tftp alert on
ip inspect name INTERNET-OUT sip alert on
ip inspect name INTERNET-OUT rtsp alert on
ip ips name INTERNET-OUT
!
multilink bundle-name authenticated
!
!
username secret
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 5
crypto isakmp key address
crypto isakmp key address
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 100 ipsec-isakmp
description A to B IPSec tunnel to carry GRE
set peer
set transform-set ipsec-tunnel
set pfs group5
match address adsl-gre
!
crypto map vpn-tunnel 110 ipsec-isakmp
description A to B via SDSL
set peer set transform-set ipsec-tunnel
set pfs group5
match address sdsl-gre
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
match ip rtp 9000 20
match access-group name voip
!
!
policy-map voip
class voip
priority 516
class class-default
fair-queue
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Loopback5
ip address 192.168.1.5 255.255.255.255
!
interface Tunnel0
description Tunnel over ADSL
bandwidth 800
ip unnumbered Loopback0
ip load-sharing per-packet
ip multicast boundary multicast-boundary
ip virtual-reassembly
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source Loopback0
tunnel destination 192.168.1.2
tunnel key 0
tunnel bandwidth transmit 800
!
interface Tunnel5
description Tunnel SDSL
bandwidth 800
bandwidth receive 1024
ip unnumbered Loopback5
ip load-sharing per-packet
ip multicast boundary multicast-boundary
ip virtual-reassembly
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source Loopback5
tunnel destination 192.168.1.6
tunnel key 5
tunnel bandwidth transmit 800
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
ubr 832
encapsulation aal5mux ppp dialer
dialer pool-member 1
service-policy output voip
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 3 mode ciphers aes-ccm
!
ssid w-secure
!
ssid w-ps3
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.2
description Wireless VLAN for laptop and trusted machines
encapsulation dot1Q 2
ip address 10.2.2.1 255.255.255.0
ip helper-address 10.1.0.2
ip nat inside
ip virtual-reassembly
!
interface Dot11Radio0.3
description Wireless VLAN for PS3
encapsulation dot1Q 3
ip address 10.2.3.1 255.255.255.0
ip access-group wireless-lockdown in
ip helper-address 10.1.0.2
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description Local Area Network
bandwidth 100000
ip address 10.1.0.1 255.255.255.0
ip access-group ethernet-in in
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Dialer0
description ADSL line 8192kbps/832kbps
bandwidth 8192
ip address negotiated
ip access-group internet-in in
no ip proxy-arp
ip multicast boundary multicast-boundary
ip nat outside
ip inspect INTERNET-OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp chap hostname
ppp chap password
crypto map vpn-tunnel
!
no ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel5
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation max-entries host 10.1.0.52 1500
ip nat pool used-ip-block prefix-length 29
ip nat pool unused-ip-block prefix-length 29
ip nat inside source list nat-list pool used-ip-block overload
ip nat inside source static tcp extendable
ip nat inside source static udp extendable
!
ip access-list standard multicast-boundary
deny 239.255.0.0 0.0.255.255
permit any
!
ip access-list extended sdsl-gre
permit ip host 192.168.1.5 host 192.168.1.6
!
ip access-list extended ethernet-in
permit ip any host 192.168.2.2
remark Invalid internet addresses
deny ip any 0.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
deny ip any 192.0.2.0 0.0.0.255 log
deny ip any 192.168.0.0 0.0.255.255 log
remark Other
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit tcp any any
permit udp any any
permit igmp 10.1.0.0 0.0.0.255 any
deny ip any any log
!
ip access-list extended internet-in
permit esp host any
permit udp host eq isakmp any eq isakmp
remark Invalid internet addresses
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
permit tcp any any eq domain
permit udp any any eq domain
remark Other
permit icmp any any unreachable
permit icmp any any time-exceeded
permit icmp any any echo-reply
permit udp host 158.43.128.33 any eq ntp
permit udp host 158.43.128.66 any eq ntp
deny ip any any log
!
ip access-list extended adsl-gre
permit ip host 192.168.1.1 host 192.168.1.2
!
ip access-list extended nat-list
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.1.0.0 0.0.255.255 any
permit ip 10.2.2.0 0.0.0.255 any
permit ip 10.2.3.0 0.0.0.255 any
!
ip access-list extended voip
permit ip any 217.10.79.0 0.0.0.255
permit udp host 10.1.0.2 range 9000 9020 any
!
ip access-list extended wireless-lockdown
permit tcp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
permit udp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
permit tcp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
permit udp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
permit ip 10.2.3.0 0.0.0.255 host 10.1.0.3
permit udp any eq bootpc any eq bootps
deny ip 10.2.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log
deny ip 10.2.3.0 0.0.0.255 192.168.0.0 0.0.255.255 log
permit igmp 10.2.3.0 0.0.0.255 any
permit ip 10.2.3.0 0.0.0.255 any
!
ip radius source-interface Vlan1
logging history size 100
access-list 1 remark SNMP access
access-list 1 permit 10.1.0.2
access-list 1 deny any log
!
access-list 2 remark JAVA applet firewall exception list
access-list 2 permit 72.5.124.95
access-list 2 permit 85.210.20.0 0.0.0.255
!
!
access-list 700 permit 0123.4567.8901 0000.0000.0000
!
snmp-server community RO 1
snmp-server contact Me
snmp-server chassis-id
snmp-server enable traps tty
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.0.2 auth-port 1645 acct-port 1646 key
radius-server vsa send accounting
!
control-plane
!
banner login ^CC
Access to this device is only permitted by authorised users
All access to this device is logged
^C
!
line con 0
logging synchronous
login authentication local-auth
no modem enable
stopbits 1
line aux 0
login authentication local-auth
stopbits 1
line vty 0 4
exec-timeout 20 0
logging synchronous
login authentication local-auth
transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
!
end

---

Private Routing over VPN

GRE/IPSec tunnel to support IP Routing Protocols

Configuring a GRE Tunnel over IPSec with OSPF
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites

New OSPF Feature on ASA/PIX Firewall running OS version 7.x or later

With new OS version, it is no longer requirement to encapsulate OSPF into GRE tunnel in order to pass it through IPSec VPN tunnel. By running OS version 7.x or later, ASA or PIX Firewall is now able to pass OSPF through IPSec VPN tunnel just like pass through GRE or any IP traffic.

Furthermore, the ASA/PIX Firewall will also be part of the OSPF domain. In other words, the ASA/PIX Firewall running OS version 7.x or later can terminate IPSec VPN tunnel, has no requirement to have GRE tunnel to support OSPF, and will be part of the OSPF domain. With this new feature, you may notice that the ASA/PIX Firewall is more like a router.

Check out the following link for sample configuration.

PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example

IPX Routing over GRE/IPSec

Configuring GRE and IPSec with IPX Routing
Configuring IPSec with EIGRP and IPX Using GRE Tunneling

DMVPN

When Cisco routers act as the VPN device at all sites, it is simpler and scalable to run DMVPN between routers instead the previous GRE over IPSec approach. With DMVPN, there will be no need to manually setup each tunnel for each connection between two sites. DMVPN will be "dynamically" setting up necessary GRE and IPSec tunnels.

Should you decide to run DMVPN, verify your router IOS image version support it. IOS image version with either Advanced Enterprise or Advanced IP Services features should support DMVPN.

Check out following links for more info on DMVPN.

Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)
Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall

Some discussions

»DMVPN vs individual tunnels
»[Config] DMVPN works, restrictions needed...
»[Config] Need Help with DMVPN
»[Config] DMVPN reundandt WAN (SOLVED - config inside)

More Sample Configurations

»Sample network configuration

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by Covenant edited by aryoba
last modified: 2011-04-25 14:59:39

Configure router and ASA/PIX Firewall to support various VPN technologies

Remote VPN to Office Network Using Various VPN connection technology

1. Office Network behind Cisco Router

Configure VPN on a router to support Microsoft VPN Client
Configuring Cisco Router and VPN Clients Using PPTP and MPPE
»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator

2. Office Network behind ASA/PIX Firewall
Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec
Configuring L2TP Over IPSec Between PIX Firewall and Windows 2000 PC Using Certificates
L2TP Over IPsec Between Windows 2000/XP PC and PIX/ASA 7.2 Using Pre-shared Key Configuration Example

Note on ASA/PIX Firewall:
To keep the office network of having uninterrupted Internet connection while establishing IPSec tunnel coming in from remote users, you want to keep the "isakmp nat-traversal" command. You may need to increase the value from 20 to 30 secs (or to any value other than default) to make the regular web traffic passing while remote user VPN in.

To keep the Internet access for the remote users while IPSec VPN into the Office Network, you need to use the "vpngroup split-tunnel" command. On this command, you need to associate it with the access list that control the encrypted traffic. In other word, you may use the same access list that is used in the "nat 0 (inside)" command.

Here is the command reference list for details

ISAKMP
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312

VPNGROUP
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1099471

IPSec Remote VPN to Office Network While Maintain Internet Connection

Office Network behind Cisco router
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator

Office Network behind PIX/ASA

1. Running 6.X image version
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
PIX-to-PIX 6.x: Easy VPN (NEM) Configuration Example

2. Running 7.X image version
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2011-07-24 19:48:01

Configure router as both Internet router and VPN Concentrator

Sample Configuration of IPSec VPN Concentrator

1. Using Local Credential to do AAA (Authentication, Authorization and Accounting)

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen local
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user, create the user with a password
!
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- Use ACL 101 used for the Split Tunneling in the VPN Clinet end.
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
description LAN interface
ip address 10.10.10.1 255.255.255.0
half-duplex
ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
description WAN interface
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!--- Enables Network Address Translation (NAT) of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which subnets are permitted to access the router
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- The access list is used to specify which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
transport input ssh
!
end

2. Using external TACACS+ server to do AAA (Authentication, Authorization and Accounting)

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen group tacacs+ local
aaa authentication enable userauthen group tacacs+ enable
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization console
aaa authorization exec groupauthor group tacacs+ local
aaa authorization commands 15 groupauthor group tacacs+ local
aaa authorization network groupauthor group tacacs+ local
!
!--- In order to record all commands entered or executed, enable the aaa accounting commands.
!
aaa accounting exec groupauthor start-stop group tacacs+
aaa accounting commands 15 groupauthor start-stop group tacacs+
aaa accounting network groupauthor start-stop group tacacs+
aaa accounting connection groupauthor start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user, create the user with a password
!
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- Use ACL 101 used for the Split Tunneling in the VPN Clinet end.
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
description LAN interface
ip address 10.10.10.1 255.255.255.0
half-duplex
ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
description WAN interface
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
tacacs-server key 0 [ENTER THE SECRET KEY HERE]
!
!--- Enables Network Address Translation (NAT) of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which subnets are permitted to access the router
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- The access list is used to specify which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
transport input ssh
!
end

Note:
* For more info on AAA and TACACS+ server, check out the following
»Cisco Forum FAQ »Securing access to routers with AAA commands

Some discussions
»[HELP] Static NAT on interface address with route-map for VPN

Sample Configuration of PPTP Windows VPN Concentrator

This is a simple configuration for Cisco router with one interface connected to your ISP using DHCP and NAT, and the second interface connected to your private network. With this configuration remote users can access your private network via a Windows VPN connection.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
no logging console
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
!
enable secret 5 XXXXXXXXXXX
enable password 7 XXXXXXXXX
!
username admin privilige 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
!
ip routing
ip subnet 0
ip domain-name mydomain.com
ip name-server 192.168.2.1
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip source route
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no boot network
no service config
!
router rip
version 2
network 192.168.0.0
passive-interface FastEthernet 0/0
no auto-summary
!
!
ip audit notify log
ip audit smtp spam 25
ip audit po max-events 50
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn
!
!
async-bootp dns-server 192.168.2.1
async-bootp nbns-server 192.169.2.1
!
!
interface FastEthernet0/0
description WAN Interface
ip address dhcp
ip nat outside
ip access-group filter_wan_in in
ip audit AUDIT.1 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip route-cache
no cdp enable
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Interface
ip address 192.168.1.1 255.255.0.0
ip nat inside
ip access-group filter_lan_in in
ip access-group filter_lan_out out
cdp enable
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap
!
!
ip local pool VPN-IN 192.168.2.51 192.168.2.53
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
!
ip classless
no ip http server
!
ip access-list extended filter_wan_in
! use this to deny any incoming traffic
permit ip any any
deny ip any any log
!
ip access-list extended filter_lan_in
permit ip any host 192.168.2.51
permit ip any host 192.168.2.52
permit ip any host 192.168.2.53
deny udp any eq 137 any
deny udp any eq 138 any
deny tcp any eq 135 any
deny tcp any eq 139 any
deny tcp any eq 445 any
permit icmp any any
permit ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.25.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any any log
!
ip access-list extended filter_lan_out
permit ip host 192.168.2.51 any
permit ip host 192.168.2.52 any
permit ip host 192.168.2.53 any
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
deny udp any any eq 137
deny udp any any eq 138
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny ip any any log
!
access-list 1 remark NAT Source Restrictions
access-list 1 permit any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
password 7 XXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
end

The majority of the above configuration is fairly standard and can be found in other FAQs so I will just stick to the settings for getting the router to accept VPN connections.

The first bit:

aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common

simply enables the access control model for logins.

username admin privilige 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX

defines the users and their passwords. These users can log in either over VPN or directly via telnet (or ssh if configured)

vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn

this enables virtual private dialup networking (vpdn) using point-to-point tunneling protocol (pptp)

interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap

creates a virtual-template bound to the LAN port of the router and assigns an ip address to the client from the VPN-IN pool

ip local pool VPN-IN 192.168.2.51 192.168.2.53

defines the ip addresses available to the VPN clients (3 in this case)

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723

defines the static port mappings for NAT 1723 is the port for pptp

The ACLs can be customized to you needs but note how the VPN client addresses are reversed....
--> Fa0/1 In -->
--> Fa0/1 In -->

Now all that left is to configure the client computers. With windows XP it's easy....
1) open up the Network Connections folder
2) click "Create a new connection"
3) click Next
4) choose "Connect to the network at my workplace" then click Next
5) select "Virtual Private Network connection" then click Next
6) Enter a name for the connection and lick Next
7) Now you can set the VPN connection to auto-dial or not, choose either, then click Next
8) Enter the IP address of your Router (this is the public address). Since in our case it's assigned by dhcp we could use a dyndns address here
9) Click Next
10) Click Finish

Once the Wizard has completed right-click the new connection, then click Properties. On the Security tab select "Advanced (custom settings)" and click the Settings button.

Verify that the Data encryption drop-down has "Require Encryption" selected. Then make sure Microsoft CHAP (MS-CHAP) and (MS-CHAP v2) are enabled and click Ok.

Finally goto the Networking tab and change the "type of VPN" from Automatic to "PPTP VPN", then click the Settings button and verify that:
1) Enable LCP Extensions - is checked
2) Enable software compression - is checked
3) Negotiate multi-link - is not checked

Now your all set and ready to go.....

-b

Some discussion
»[Config] How do I assign default gateway for a PPTP VPN client
»VPN - Can't ping next-hop

Note that in general, PPTP VPN connection is less secure than the "industry-standard" IPSec VPN connection. Therefore it is strongly suggested to use the IPSec VPN connection instead.

Sample Configuration of VPN Concentrator Using Other VPN Technologies
»Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by mandraw edited by aryoba
last modified: 2013-01-15 16:25:30

Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Suggested prerequisite reading:
»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Note:
All of the following sample configurations assume the ASA or PIX Firewall uses static Public IP address. Typically you assign one IP address of the IP block provided by your ISP to the ASA or PIX Firewall Outside interface. Assigning static IP address to VPN Concentrator (the ASA or PIX Firewall in this case) is considered best practice to keep security in place especially when the VPN Concentrator runs Site-to-Site VPN.

Sample Configuration of IPSec VPN Concentrator

When you plan to have a PIX or ASA firewall to act as both firewall and VPN concentrator, following is the sample configuration.

Assumptions:
* The 1st LAN subnet is 192.168.0.0/24 with 192.168.0.1 (the PIX inside interface) as the default gateway
* There is also 10.0.0.0/8 as 2nd LAN subnet, where from PIX or ASA firewall is reachable via 192.168.0.2
* There will be remote users VPN into the PIX using Cisco VPN Client software, creating ESP-based IPSec VPN tunnel
* There are separate subnets for VPN users. In these sample configurations, there are 192.168.1.0/24 for VPN users logged in as Admin and 192.168.2.0/24 for VPN users logged in as Sales.
* Note that you cannot use the same subnet for both LAN and VPN users due to routing consistency
* No default gateway to access the LAN subnet will be received by VPN users once the IPSec VPN tunnel is established; which will set the VPN users' PC to proxy arp to reach the LAN subnet
* There are multiple VPN groups where one is for Admin users and another is for Sales users. This way the PIX or ASA firewall can distinguish between one user and another
* When Admin users wish to VPN in as Admin let's say, then the users must use the appropriate VPN group credential (in this case, the Admin VPN group credential) which include the correct PIX or ASA firewall Public IP address and VPN group password
* As general rule, all settings in PIX or ASA firewall must match all settings in the VPN Client software. Some of those settings are the VPN group credentials, routing, and permitted subnets in the ACL. Any slightest mismatch will cause connection problem.

1. Single VPN User Group without external AAA Server

* The remote users will VPN in using specific Group Authentication credential, which in this sample configuration is Admin as the Group Name and is ******** as the Group Password as indicated on the vpngroup Admin password ******** command
* The VPN users log in as Admin receive IP address within the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet).
* No external AAA (Authentication, Authorization, and Accounting) server as the TACACS+/RADIUS server
* SSH attempt to the PIX/ASA itself is not authenticated on the OS version 7.0 or above sample configuration and is authenticated locally on the OS version 6.3 sample configuration

PIX Firewall configuration running OS version 6.3

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network VPN-Admin
network-object 192.168.1.0 255.255.255.0
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list nonat remark No NAT within VPN tunnel
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authorization command LOCAL 
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 192.168.0.2
vpngroup Admin wins-server 192.168.0.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
username Admin password ***** encrypted privilege 15
terminal width 80
 

ASA/PIX Firewall Sample Configuration running OS version 7.0 or above

ASA Version 7.2(3) 
!
hostname asa
domain-name yournetwork.com
enable password ***** encrypted
names
dns-guard
!
interface FastEthernet0/0
 description Internet
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
passwd ***** encrypted
ftp mode passive
object-group network VPN-Admin  
network-object 192.168.1.0 255.255.255.0
access-list 10 remark Split Tunnel for VPN Admin  
access-list 10 permit ip any object-group VPN-Admin  
access-list nonat remark No NAT within VPN tunnel  
access-list nonat permit ip any object-group VPN-Admin
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool admin 192.168.1.1-192.168.1.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1  
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1  
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
service resetoutside
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Admin internal
group-policy Admin attributes
 dns-server value 192.168.0.2
 wins-server value 192.168.0.3
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10
 default-domain value yournetwork.com
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool admin
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
prompt hostname context 
 

2. Multiple VPN User Groups with external AAA Server

* The remote users will VPN in using specific Group Authentication credential, which in this sample configuration is either Admin or Sales
* The VPN users log in as Admin receive IP address within the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet). Similarly, the VPN users log in as Sales receive IP address within the sales range from 192.168.2.1 to 192.168.2.254 (the 192.168.2.0/24 subnet).
* There is a TACACS+/RADIUS server at 192.168.0.204 to serve the AAA (Authentication, Authorization, and Accounting) functionality for all remote users
Note: check out following FAQ for more info on TACACS and RADIUS
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
* The TACACS+ service is used to provide PIX/ASA configuration management access, such as telnet and ssh to the PIX/ASA itself
* The RADIUS service is used to provide production access (the LAN) to remote VPN users
* The aaa authentication match command will authenticate remote user login attempts according to the RADIUS credential that are being used to log in
* The aaa authorization match command will authorize remote user access to only specific subnets according to the authenticated RADIUS credential that are acknowledged
* The aaa accounting match command will record all activities done by all remote users according to their RADIUS credential

PIX Firewall configuration running OS version 6.3

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **** encrypted
passwd **** encrypted
hostname pixfirewall
domain-name yournetwork.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
object-group network VPN-Admin
network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales
network-object 192.168.2.0 255.255.255.0
object-group network Sales-Network
network-object 10.0.0.0 255.255.254.0
access-list 10 remark Split Tunnel for VPN Admin
access-list 10 permit ip any object-group VPN-Admin
access-list 20 remark Split Tunnel for VPN Sales
access-list 20 permit ip any object-group VPN-Sales
access-list nonat remark No NAT within VPN tunnel
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
access-list admin remark Permitable Subnet for Admin to access
access-list admin permit ip object-group VPN-Admin any
access-list sales remark Permitable Subnet for Sales to access
access-list sales permit ip object-group VPN-Sales object-group Sales-Network
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 2.2.2.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool admin 192.168.1.1-192.168.1.254
ip local pool sales 192.168.2.1-192.168.2.254
pdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.0.204 cisco timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.0.204 cisco timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication match admin inbound RADIUS
aaa authentication match sales inbound RADIUS
aaa authorization command TACACS+
aaa authorization match admin inbound RADIUS
aaa authorization match sales inbound RADIUS
aaa accounting match admin inbound RADIUS
aaa accounting match sales inbound RADIUS
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Admin address-pool admin
vpngroup Admin dns-server 192.168.0.2
vpngroup Admin wins-server 192.168.0.3
vpngroup Admin default-domain yournetwork.com
vpngroup Admin split-tunnel 10
vpngroup Admin idle-time 1800
vpngroup Admin password ********
vpngroup Sales address-pool sales
vpngroup Sales dns-server 192.168.0.2
vpngroup Sales wins-server 192.168.0.3
vpngroup Sales default-domain yournetwork.com
vpngroup Sales split-tunnel 20
vpngroup Sales idle-time 1800
vpngroup Sales password ********
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
terminal width 80
 

3. Single VPN User Group with external Windows Active Directory Domain Controller Server

* The remote users will VPN in using specific Group Authentication credential, which in this sample configuration is Admin as the Group Name as indicated on the tunnel-group Admin type ipsec-ra command; and is ******** as the Group Password as indicated on the tunnel-group Admin ipsec-attributes pre-shared-key * command
* The VPN users log in as Admin receive IP address within the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet).
* Starting OS version 7.0, AAA server protocol of NT (Microsoft Windows Active Directory Domain Controller), LDAP (RFC 4510), Kerberos (RFC 4120), and SDI (RSA SecurID) are available as alternatives of TACACS+ and RADIUS
* In this sample configuration, external Microsoft Windows Active Directory Domain Controller server is used primarily to authenticate remote users
* The use of such Microsoft authentication system is defined on the aaa-server NT_DOMAIN command, which include the protocol, Domain Controller name and IP address.
* When the Domain Controller is unavailable or unreachable, local credentials as indicated on the username Admin1 password ***** encrypted privilege 15 and the username Admin2 password ***** encrypted privilege 15 commands are used as failover to authenticate remote users
* This failover mechanism is defined on the tunnel-group Admin general-attributes authentication-server-group NT_DOMAIN LOCAL command
* Similar authentication process for Sales remote user group, however there is no failover to local credentials
* Telnet attempt to the PIX/ASA itself is not authenticated

ASA/PIX Firewall Sample Configuration running OS version 7.0 or above

ASA Version 7.2(3) 
!
hostname asa
domain-name yournetwork.com
enable password ***** encrypted
names
dns-guard
!
interface FastEthernet0/0
 description Internet
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
passwd ***** encrypted
ftp mode passive
object-group network VPN-Admin  
network-object 192.168.1.0 255.255.255.0
object-group network VPN-Sales  
network-object 192.168.2.0 255.255.255.0
object-group network Sales-Network  
network-object 10.0.0.0 255.255.254.0  
access-list 10 remark Split Tunnel for VPN Admin  
access-list 10 permit ip any object-group VPN-Admin  
access-list 20 remark Split Tunnel for VPN Sales  
access-list 20 permit ip object-group Sales-Network object-group VPN-Sales
access-list nonat remark No NAT within VPN tunnel  
access-list nonat permit ip any object-group VPN-Admin
access-list nonat permit ip any object-group VPN-Sales
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool admin 192.168.1.1-192.168.1.254
ip local pool sales 192.168.2.1-192.168.2.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 2.2.2.3
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1  
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1  
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server NT_DOMAIN protocol nt
aaa-server NT_DOMAIN host 192.168.0.2
 nt-auth-domain-controller DomainController1
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
service resetoutside
crypto ipsec transform-set myset10 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set myset20 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset10
crypto dynamic-map dynmap 20 set transform-set myset20
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Admin internal
group-policy Admin attributes
 dns-server value 192.168.0.2
 wins-server value 192.168.0.3
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10
 default-domain value yournetwork.com
group-policy Sales internal  
group-policy Sales attributes  
 dns-server value 192.168.0.2  
 wins-server value 192.168.0.3  
 vpn-idle-timeout 1440  
 split-tunnel-policy tunnelspecified  
 split-tunnel-network-list value 20
 default-domain value yournetwork.com  
username Admin1 password ***** encrypted privilege 15
username Admin1 attributes
 vpn-group-policy Admin
 group-lock value Admin
username Admin2 password ***** encrypted privilege 15
username Admin2 attributes
 vpn-group-policy Admin
 group-lock value Admin
tunnel-group Admin type ipsec-ra
tunnel-group Admin general-attributes
 address-pool admin
 authentication-server-group NT_DOMAIN LOCAL
 default-group-policy Admin
tunnel-group Admin ipsec-attributes
 pre-shared-key *
tunnel-group Sales type ipsec-ra
tunnel-group Sales general-attributes
 address-pool sales
 authentication-server-group NT_DOMAIN
 default-group-policy Sales
tunnel-group Sales ipsec-attributes
 pre-shared-key *
prompt hostname context 
 

Notes:

* Since the PIX or ASA firewall acts as both firewall and VPN concentrator, the isakmp nat-traversal is necessary to simultaneously serve VPN users accessing the LAN subnet and to keep LAN subnet machines able to access the Internet

* When the PIX or ASA firewall is dedicated to only serve as VPN Concentrator, then the isakmp nat-traversal, the global 1-nat 1 pair commands might not be necessary

* Remote users can opt to either enable transparent tunneling or not when using the Cisco VPN Client software. When transparent tunneling is enabled, the ESP protocol is encapsulated within UDP (UDP port 4500) by default, which then makes the VPN traffic able to pass through any NAT/PAT device in between. This encapsulation feature is useful when either there is any NAT/PAT device in between or ESP protocol is not permitted to pass through. In addition, this encapsulation feature also enables the remote users to be able to access the LAN and the Internet at the same time.

* As you may notice, configuration with sufficient amount of external authentication servers such as AAA (TACACS+/RADIUS) server and Domain Controller server is more secure and accountable

* When your network currently does not have AAA server, you can setup one for free. Check out this FAQ for details.
»Cisco Forum FAQ »Are there Free TACACS+ or RADIUS authentication software to secure my router?

* If specific remote users must authenticate with specific AAA server, then you can simply modify the AAA command to do so. Following is illustration

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 192.168.0.203 cisco timeout 10
aaa-server RADIUS-ADMIN protocol radius
aaa-server RADIUS-ADMIN max-failed-attempts 3
aaa-server RADIUS-ADMIN deadtime 10
aaa-server RADIUS-ADMIN (inside) host 192.168.0.204 cisco timeout 10
aaa-server RADIUS-SALES protocol radius
aaa-server RADIUS-SALES max-failed-attempts 3
aaa-server RADIUS-SALES deadtime 10
aaa-server RADIUS-SALES (inside) host 192.168.0.205 cisco timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication match admin inbound RADIUS-ADMIN
aaa authentication match sales inbound RADIUS-SALES
aaa authorization command TACACS+
aaa authorization match admin inbound RADIUS-ADMIN
aaa authorization match sales inbound RADIUS-SALES
aaa accounting match admin inbound RADIUS-ADMIN
aaa accounting match sales inbound RADIUS-SALES
 

Sample Configuration of PPTP or L2TP Windows VPN Concentrator and Others
»Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies

Comparable Sample Configuration
»Cisco Forum FAQ »Configuring Juniper SRX as Internet Firewall and IPSec VPN Concentrator

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by Covenant edited by aryoba
last modified: 2012-08-02 09:31:08

Configuring Juniper SRX as Internet Firewall and IPSec VPN Concentrator

Comparable Sample Configuration:
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator

Description

* In this sample configuration, the Juniper SRX is functioning as a single box of Internet Gateway; doing eBGP peer with ISP (without a need of a router), acting as Internet Firewall to internal mail server, doing NAT/PAT for internal machines sitting in Trust Zone, and acting as Internet IPSec VPN Concentrator to remote users over Untrust Zone (in this case, the Internet)
* The LAN subnet is 172.16.2.0/24 (Trust Zone) while the 1.1.1.0/24 is Public IP subnet assigned by the ISP serving as the firewall SSH management IP address and NAT/PAT IP addresses. You may note that the 1.1.1.1 is the NAT-ed IP address of a mail server, 1.1.1.253 is the PAT-ed IP address of internal machines to go out to the Internet, and 1.1.1.254 is the SSH management IP address of the firewall.
* The remote users can use any PC or server running any operating system. It is suggested to use Juniper-approved remote IPSec VPN client software such as Junos Pulse to connect to the firewall
* Once the remote users establish IPSec VPN tunnel to the firewall, the remote PC is assigned IP address within 192.168.0.0/24 range
* There is a split tunnel in place, meaning that traffic from and to 192.168.0.0/24 will be going through the tunnel while other traffic (i.e. Internet traffic from the remote PC) will be going outside the tunnel. In this sample configuration, both the LAN subnet (172.16.2.0/24) and the remote VPN subnet (192.168.0.0/24) are reachable only through the tunnel while other traffic are going outside the tunnel. You can simply add more LAN subnet to be reachable through the tunnel by specifying those subnets in remote-protected-resources command while traffic going outside the tunnel is specified in remote-exception command to activate the split tunnel. When the remote PC is a Windows machine, you can verify such split tunnel condition by issuing route print or netstat -r to show the PC's routing table.
* You may notice that there is permit any any rule for inbound traffic from Untrust (the Internet) to Trust (the LAN) which will be treated as encrypted tunnel. Even though this rule may seem as security risk, no insecure traffic is going through since the rule is only applicable for IPSec VPN traffic. When there is an inbound plain-text (unencrypted) traffic, the firewall drops the traffic since the traffic does not meet the IPSec VPN policy.

Sample Configuration

## Last commit: 2012-07-27 11:06:31 EDT by admin
version 11.2R4.3;
system {
    host-name InternetFirewall;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "********"; ## SECRET-DATA
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "*******"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        xnm-clear-text;
        web-management {
            http {
                interface ge-0/0/2.0;
            }
            https {
                system-generated-certificate;
                interface ge-0/0/2.0;
            }
        }
        dhcp {
            pool 172.16.2.0/24 {
                address-range low 172.16.2.250 high 172.16.2.254;
                domain-name diablo.com;
                name-server {
                    4.2.2.2;
                    8.8.8.8;
                }
                router {
                    172.16.2.1;
                }
                propagate-settings vlan.2;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    processes {
        general-authentication-service {
            traceoptions {
                file jtac size 1m files 10 world-readable;
                flag all;
            }
        }
    }
    ntp {
        server 64.90.182.55;
        server 96.47.67.105 prefer;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.0.1.6/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 1.1.0.2/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-DMZ01;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.1.1.254/32;
            }
        }
    }
    vlan {
        unit 2 {
            family inet {
                address 172.16.2.1/24;
            }
        }
    }
}
routing-options {
    aggregate {
        route 1.1.1.0/24 discard;
    }
    router-id 10.0.1.125;
}
protocols {
    bgp {
        group eBGP-ISP {
            description "Internet";
            preference 20;
            local-address 1.1.0.2;
            export 1.1.1.0/24;
            peer-as 4078;
            local-as 14079;
            neighbor 1.1.0.1 {
                graceful-restart;
            }
        }
    }
    ospf {
        preference 110;
        external-preference 110;
        area 0.0.0.255 {
            interface ge-0/0/2.0 {
                passive;
                metric 10;
            }
            interface lo0.0 {
                metric 10;
            }
            interface vlan.2 {
                passive;
                metric 10;
            }
        }
    }
    stp;
}
policy-options {
    policy-statement 1.1.1.0/24 {
        term eBGP {
            from {
                protocol aggregate;
                route-filter 1.1.1.0/24 exact;
            }
            then accept;
        }
    }
}
security {
    ike {
        traceoptions {
            file iketrace size 1m files 10 world-readable;
            flag all;
        }
        policy ike-dyn-vpn-policy {
            mode aggressive;
            proposal-set standard;
            pre-shared-key ascii-text "*******"; ## SECRET-DATA
        }
        gateway dyn-vpn-local-gw {
            ike-policy ike-dyn-vpn-policy;
            dynamic {
                hostname NY4vpn;
                connections-limit 2;
                ike-user-type group-ike-id;
            }
            external-interface ge-0/0/2.0;
            xauth access-profile dyn-vpn-access-profile;
        }
    }
    ipsec {
        policy ipsec-dyn-vpn-policy {
            proposal-set standard;
        }
        vpn dyn-vpn {
            ike {
                gateway dyn-vpn-local-gw;
                ipsec-policy ipsec-dyn-vpn-policy;
            }
        }
    }
    dynamic-vpn {
        access-profile dyn-vpn-access-profile;
        clients {
            IT_Support {
                remote-protected-resources {
                    192.168.0.0/24;
                    172.16.2.0/24;
                }
                remote-exceptions {
                    0.0.0.0/0;
                }
                ipsec-vpn dyn-vpn;
                user {
                    user01;
                }
            }
        }
    }
    flow {
        traceoptions {
            file jtac size 1m files 10 world-readable;
            flag basic-datapath;
            flag packet-drops;
            packet-filter pf1 {
                destination-prefix 1.1.0.2/32;
            }
            packet-filter pf2 {
                source-prefix 192.168.0.0/24;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool source-nat_pool {
                address {
                    1.1.1.253/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule nonat-rule-01 {
                    match {
                        source-address 172.16.2.0/24;
                        destination-address 1.1.1.252/32;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule nonat-rule-02 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 192.168.0./24;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                source-nat_pool;
                            }
                        }
                    }
                }
            }
        }
        destination {
            pool Mail_Server01 {
                address 172.16.2.4/32;
            }
            rule-set untrust-to-trust {
                from zone untrust;
                rule Mail {
                    match {
                        destination-address 1.1.1.1/32;
                    }
                    then {
                        destination-nat pool Mail_Server01;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/2.0 {
                address {
                    1.1.1.253/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy Mail {
                match {
                    source-address any;
                    destination-address Mail;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
            policy dyn-vpn-policy {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        tunnel {
                            ipsec-vpn dyn-vpn;
                        }
                    }
                }
            }
        }
        from-zone trust to-zone Management {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone Management {
            policy Remote_Management {
                match {
                    source-address any;
                    destination-address 1.1.1.254/32;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address 172.16.2.0/24 172.16.2.0/24;
                address 172.16.2.4/32 172.16.2.4/32;
                address-set Mail {
                    address 172.16.2.4/32;
                }
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.2;
            }
        }
        security-zone untrust {
            address-book {
                address 192.168.0.0/24 192.168.0.0/24;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            https;
                        }
                        protocols {
                            bgp;
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone Management {
            address-book {
                address 1.1.1.254/32 1.1.1.254/32;
            }
            interfaces {
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
    }
}
access {
    profile dyn-vpn-access-profile {
        client user01 {
            firewall-user {
                password "********"; ## SECRET-DATA
            }
        }
        address-assignment {
            pool dyn-vpn-address-pool;
        }
    }
    address-assignment {
        pool dyn-vpn-address-pool {
            family inet {
                network 192.168.0.0/24;
                xauth-attributes {
                    primary-dns 4.2.2.2/32;
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile dyn-vpn-access-profile;
        }
    }
}
vlans {
    vlan-DMZ01 {
        vlan-id 2;
        l3-interface vlan.2;
    }
}
 

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by aryoba
last modified: 2012-08-03 15:47:46