
FAQ Revisions | Editors: skj, Covenant, aryoba, Phraxos | Last modified on 2009-11-05 16:17:22
40.2 Security Sample Configurations
· Basic Internet Firewall ACL for Routers without IOS image Firewall feature
· Configure DMZ on routers
· Sample IOS Firewall (CBAC) router configuration
· Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router
· Zone-Based Firewall Sample Configuration
· Internet access restriction without a proxy server/websense solution?
· Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
· How do I configure a Zywall/PIX IPSec VPN
· Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
· Configure router and ASA/PIX Firewall to support various VPN technologies
· Configure router as both Internet router and VPN Concentrator
· Configure PIX/ASA as both Internet Firewall and VPN Concentrator
· Multiple networks share same Internet lines or same devices transparently
You probably have a router running a basic IOS image without the Firewall (FW) feature. You understand that you need a good firewall to protect your network from Internet intruders. There are several ways to tackle the problem.
1. Set up a hardware firewall (e.g. a PIX Firewall) in front of the router
2. Upgrade the router to run an IOS image with the FW feature
3. Apply a basic Firewall ACL to the Internet-facing router interface
Option 1
Check out the following FAQ for a sample configuration of a PIX Firewall in front of a router. »Cisco Forum FAQ »Internet - PIX/ASA - Router - LAN
This setup should be the best approach to tackle the problem. However, there are some constraints that might prevent you from choosing this option, such as:
1. Financial burden
2. The router has an integrated modem (e.g. DSL, cable modem, T1, ISDN), or the router's Internet-facing (WAN) interface is not an Ethernet interface
3. You do BGP peering with another AS, which requires a router or layer-3 switch to be the public edge equipment
When the router's WAN interface is not Ethernet, or your router does BGP peering, you still have the choice of setting up a hardware firewall behind the router while the router runs a basic firewall ACL.
Check out the following FAQ for a sample configuration of a PIX Firewall behind a router. »Cisco Forum FAQ »Internet - Router - PIX/ASA - LAN
When finances are the constraint, the only choice is to have the router run a basic firewall ACL.
Option 2
Upgrading the router is also a good approach. The following might prevent you from doing so.
1. You currently don't have a proper Smartnet contract, and upgrading the contract might be a hassle
2. The router might run too hot on memory and CPU when it already runs heavy routing
3. Activating any additional feature on the router (including the FW feature) takes router resources (memory and CPU), which might degrade the router's robustness or performance
4. You don't have management control over the router, since another party (e.g. your ISP or vendor) does
5. You need to meet government agency regulations, and using the router as a firewall might not meet such regulations
When at least one of those situations applies, your best option should be putting a hardware firewall in front of or behind the router.
Option 3
This option is the most economical and might be a quick way to tackle the problem. Keep in mind that
1. This basic Firewall ACL only works in certain situations and with certain protocol usages
2. Should you choose to implement this basic Firewall ACL on the router, it is suggested to have an additional hardware firewall sitting behind the router as the long-term solution
Assumptions on the sample configuration:
* There is an Ethernet 0 interface as your LAN interface and an Ethernet 1 interface as your WAN interface
* You have a single static public IP address within your network (1.1.1.2/30)
* The Internet default gateway is 1.1.1.1/30
* Your LAN only has 10.0.0.0/24 as its internal network and nothing else
* You run public Web and Mail servers (www and smtp) using 1.1.1.2 as the public IP address
* The internal Mail server IP address is 10.0.0.2 and the internal Web server IP address is 10.0.0.3
* You also use 1.1.1.2 for Internet browsing traffic from your LAN
* You use your ISP's DNS servers to browse the Internet (TCP and UDP port 53)
* Your LAN users' typical daily usage is only browsing the Internet (which only uses protocol TCP); no other protocols are used
* You keep logs of potential illegitimate traffic attempts
Following is the sample configuration
Notes:
1. The sample configuration is not intended as a full router configuration. It only shows the related commands.
2. ACL 100: Inbound Traffic Firewall
* The key of the Firewall ACL (ACL 100) is the "established" keyword
* Internet browsing means outbound connections initiated from your LAN out to the Internet
* Most common Internet browsing (e.g. opening websites, FTP sites, some Internet video or audio live streams) only requires protocol TCP
* With Internet browsing, only established TCP packets need to enter your network, as reply packets
* These established TCP packets are TCP ACK (acknowledge) packets, either during the three-way handshake or in ESTABLISHED mode (the actual data transfer), and RST (reset, to close the connection) packets
* With the "established" keyword, only TCP packets with ACK or RST set will be permitted to enter your network
* Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2", since "access-list 100 permit tcp any host 1.1.1.2 established" already takes care of reply TCP port 53 (DNS) packets
* This ACL assumes that you have a static IP address assignment from the ISP (a real static IP, not static by DHCP; read this FAQ for more info: »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address). If your router must receive its IP address from the ISP DHCP server, then you need to permit incoming bootps traffic as well. Here is what ACL 100 looks like when it incorporates the incoming ISP DHCP bootps packets.
* Sometimes you need to permit some basic ICMP traffic through the router: Echo Reply (ICMP Type 0), Unreachable (ICMP Type 3), and Time Exceeded (ICMP Type 11). When this is the case, ACL 100 should look something like this
3. ACL 101: Outbound Traffic Firewall
* Those TCP and UDP ports are known to be used by viruses/worms, therefore outbound connections to the Internet on such ports should be blocked
* The host IP addresses are "invalid IP addresses" from an Internet browsing perspective
* Since only the 1.1.1.0/30 subnet is used as the public IP subnet, any other IP address from a different subnet trying to go out to the Internet through the router should be illegitimate traffic, hence it should be blocked
4. ACL 110: NAT/PAT Traffic Firewall
* NAT/PAT sourced from any IP address within your public IP subnet, or from any IP address other than your internal subnet, should be illegitimate traffic and is known to be used in DoS (Denial of Service) attacks; hence it should be blocked
* There are no private subnets on the Internet, hence NAT/PAT to those subnets should be blocked as well
5. Blackholing illegitimate traffic
Since there is no other private subnet within your network than 10.0.0.0/24, traffic to other private subnets should go to the Null interface (black hole).
In addition, there should be blackhole routes in place for unassigned or reserved IANA IP address ranges, since hackers often use these addresses. For more info on these unassigned or reserved IANA IP address ranges, check out the following IANA page.
Abuse Issues and IP Addresses
As an illustration, you can verify (after researching the link) that the 23.0.0.0/8 subnet is an IANA reserved range. Therefore there should be no traffic to or from 23.0.0.0/8. The blackhole route for it should then be the following
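The following is an added example, not the FAQ's own listing, that puts Notes 2 through 5 above into one IOS configuration under the stated assumptions (Ethernet0 = LAN 10.0.0.0/24, Ethernet1 = WAN 1.1.1.2/30, mail server 10.0.0.2, web server 10.0.0.3). The LAN interface address 10.0.0.1, the worm ports blocked in ACL 101 and the reserved blocks in the Null0 routes are assumptions of this example.

```cisco
! Constructed example, not the FAQ's listing. The LAN gateway address,
! the worm ports in ACL 101 and the Null0 route list are assumptions.
no ip source-route
!
interface Ethernet0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description WAN (Internet)
 ip address 1.1.1.2 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
! Public Web and Mail servers are published on 1.1.1.2 by static PAT;
! everything else from the LAN is overloaded onto the same address,
! subject to ACL 110.
ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80
ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25
ip nat inside source list 110 interface Ethernet1 overload
!
! ACL 100, inbound from the Internet. "established" matches only TCP
! segments with ACK or RST set, i.e. replies to sessions the LAN
! started (this also covers TCP/53 DNS replies); new inbound SYNs
! reach only the two published services. It is a flag check, not
! session state, which is why the FAQ still recommends a stateful
! firewall behind this router.
access-list 100 remark ---- Inbound Traffic Firewall ----
access-list 100 permit tcp any host 1.1.1.2 established
access-list 100 permit tcp any host 1.1.1.2 eq www
access-list 100 permit tcp any host 1.1.1.2 eq smtp
access-list 100 permit udp any eq domain host 1.1.1.2
! Needed only when the WAN address comes from the ISP DHCP server
access-list 100 permit udp any eq bootps any eq bootpc
! Minimal ICMP so ping replies, path-MTU discovery and traceroute work
access-list 100 permit icmp any host 1.1.1.2 echo-reply
access-list 100 permit icmp any host 1.1.1.2 unreachable
access-list 100 permit icmp any host 1.1.1.2 time-exceeded
access-list 100 deny ip any any log
!
! ACL 101, outbound to the Internet (evaluated after NAT, so legitimate
! packets carry the source 1.1.1.2): block worm ports, invalid
! sources, and anything not sourced from the public address.
access-list 101 remark ---- Outbound Traffic Firewall ----
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny udp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny udp any any eq 1434 log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit ip host 1.1.1.2 any
access-list 101 deny ip any any log
!
! ACL 110, what NAT/PAT may translate: only the LAN subnet, never the
! public subnet, and never towards RFC 1918 space, which does not
! exist on the Internet. Untranslated packets then hit ACL 101.
access-list 110 remark ---- NAT/PAT Traffic Firewall ----
access-list 110 deny ip 1.1.1.0 0.0.0.3 any
access-list 110 deny ip any 10.0.0.0 0.255.255.255
access-list 110 deny ip any 172.16.0.0 0.15.255.255
access-list 110 deny ip any 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
! Blackhole routes. The connected 10.0.0.0/24 is more specific than
! 10.0.0.0/8, so the LAN still routes. 23.0.0.0/8 is the FAQ's 2009
! illustration; reserved space gets allocated over time, so any such
! list has to be refreshed or it starts dropping legitimate traffic.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 23.0.0.0 255.0.0.0 Null0
```

Watch "show access-lists 100" after applying it: hits on the final deny line are the logged illegitimate attempts the assumptions call for.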
More Sample Configuration using ACL as Basic Firewall »Cisco Forum FAQ »Configure DMZ on routers
by aryoba  last modified: 2009-01-12 16:24:02
Suggested prerequisite reading: »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature
In these sample configurations, the following is assumed:
* There are at least three network segments: outside (i.e. WAN or the Internet), inside (LAN), and DMZ
* These segments are each within their own subnet (Layer-3 separation)
* The inside subnet is 10.0.0.0/24 and the DMZ subnet is 10.0.1.0/24
Sample #1: Total Separation between Inside and DMZ
This sample assumes the following:
* Internet-only access for the DMZ
* DMZ cannot access inside
* Inside cannot access the DMZ
ACL Approach
1. Using One Router
2. Using Two Routers, one being the Internet router and the other the internal router
Internet Router
Internal Router
VRF Routing Approach
Sample #2: Restricted Access on DMZ specific services from Inside
This sample assumes the following:
* Internet-only access for the DMZ
* DMZ cannot access inside
* Inside can access the DMZ only for web (TCP port 80) and email (TCP port 25)
Sample #3: Restricted Access on DMZ most applications from Inside
This sample assumes the following:
* Internet-only access for the DMZ
* DMZ cannot access inside
* Inside can access the DMZ on any TCP-based application and DNS (TCP and UDP port 53)
* Note that most applications are TCP-based, therefore this sample applies to most networks
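As an added example (not the FAQ's own listing), here is Sample #2 on a single router using the ACL approach, with the lines that change for Sample #3 given as comments. Assumed: Ethernet0 is the inside interface, Ethernet1 the DMZ, Ethernet2 the Internet; the Internet-facing ACL from the prerequisite FAQ is left out.

```cisco
! Constructed example, not the FAQ's listing. Interface names and
! gateway addresses are assumptions; the Internet-facing firewall ACL
! from the prerequisite FAQ is not repeated here.
interface Ethernet0
 description Inside
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
!
interface Ethernet1
 description DMZ
 ip address 10.0.1.1 255.255.255.0
 ip access-group 110 in
!
interface Ethernet2
 description Internet
 ip address 1.1.1.2 255.255.255.252
!
! ACL 100: what the inside may start. Only the two DMZ services are
! reachable; any other inside-to-DMZ packet is dropped and logged
! before the general permit that lets inside users reach the Internet.
access-list 100 remark ---- Inside -> DMZ restricted, Internet open ----
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq www
access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq smtp
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 log
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
! ACL 110: what the DMZ may send. Replies from the two DMZ services to
! inside clients must be allowed explicitly or the sessions permitted
! above never complete; "established" matches only the ACK/RST segments
! of those sessions, never a connection a DMZ host starts itself.
! After that, all DMZ-to-inside traffic is dropped and the rest may go
! to the Internet. The implicit deny catches spoofed non-DMZ sources.
access-list 110 remark ---- DMZ -> inside denied, Internet open ----
access-list 110 permit tcp 10.0.1.0 0.0.0.255 eq www 10.0.0.0 0.0.0.255 established
access-list 110 permit tcp 10.0.1.0 0.0.0.255 eq smtp 10.0.0.0 0.0.0.255 established
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 log
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
!
! Sample #3 (any TCP application plus DNS) differs only in these lines,
! which replace the two "eq www"/"eq smtp" pairs above:
!  access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!  access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq domain
!  access-list 110 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established
!  access-list 110 permit udp 10.0.1.0 0.0.0.255 eq domain 10.0.0.0 0.0.0.255
```

Sample #1 (total separation) is the same configuration with the service permits and the established lines removed, leaving only the deny and the permit-to-any in each ACL.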
by aryoba  last modified: 2009-08-30 05:35:41
When your router is running an IOS image with the FW feature, you can implement CBAC as an IOS-based stateful firewall. With such inspection, the router can inspect inbound traffic from outside (such as the Internet) to the inside of the network. The router can also inspect outbound traffic from the inside of the network to the outside. Note that the sample configurations implement outbound inspection on the WAN (Internet) interface, which regulates outbound traffic from the inside to the Internet.
Typically no inspection is needed to regulate traffic between inside (non-Internet) interfaces. When there are no public servers hanging off the router and there is only outbound traffic such as Internet browsing (and no inspection between inside interfaces), there is no reason to implement inspection on an inside interface. Therefore it is common practice to implement inspection on the WAN (Internet) interface to regulate outbound traffic when there are multiple non-Internet interfaces on the router and/or there is no inbound traffic.
Inspecting Generic Traffic
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/
!
no aaa new-model
ip subnet-zero
no ip source-route
!
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ssh break-string
isdn switch-type basic-net3
!
interface Ethernet0
 description LAN
 ip address 192.168.0.16 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap pap callin
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 121 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect OUTBOUND out
 encapsulation ppp
 no ip split-horizon
 dialer pool 1
 dialer remote-name Cisco1
 dialer idle-timeout 360
 dialer string 08089916001 class DialClass
 dialer hold-queue 10
 dialer load-threshold 20 either
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname host-username
 ppp chap password 7 ****
 ppp pap sent-username username-here password 7 ****
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
map-class dialer DialClass
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 121 remark **** Permitted inbound packets ****
access-list 121 deny udp any range 137 139 any
access-list 121 deny tcp any range 137 139 any
access-list 121 deny icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 deny icmp any any
access-list 121 permit ip any any time-range TIME
access-list 121 deny ip any any log-input
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 login local
 transport preferred all
 transport input all
 transport output all
!
no rcapi server
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end
Inspecting Instant Messaging Traffic
1. Medium Security Policy on Application Traffic
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ???????????????????????
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
!
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM sip
ip inspect name SDM_MEDIUM sip-tls
ip tcp synwait-time 10
no ip bootp server
ip domain name wtbhome.net
ip name-server 71.242.0.12
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name SDM_MEDIUM
 application im aol
  service default action allow alarm
  service text-chat action allow alarm
  server permit name login.oscar.aol.com
  server permit name toc.oscar.aol.com
  server permit name oam-d09a.blue.aol.com
 application im msn
  service default action allow alarm
  service text-chat action allow alarm
  server permit name messenger.hotmail.com
  server permit name gateway.messenger.hotmail.com
  server permit name webmessenger.msn.com
 application http
  strict-http action allow alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action allow alarm
 application im yahoo
  service default action allow alarm
  service text-chat action allow alarm
  server permit name scs.msg.yahoo.com
  server permit name scsa.msg.yahoo.com
  server permit name scsb.msg.yahoo.com
  server permit name scsc.msg.yahoo.com
  server permit name scsd.msg.yahoo.com
  server permit name cs16.msg.dcn.yahoo.com
  server permit name cs19.msg.dcn.yahoo.com
  server permit name cs42.msg.dcn.yahoo.com
  server permit name cs53.msg.dcn.yahoo.com
  server permit name cs54.msg.dcn.yahoo.com
  server permit name ads1.vip.scd.yahoo.com
  server permit name radio1.launch.vip.dal.yahoo.com
  server permit name in1.msg.vip.re2.yahoo.com
  server permit name data1.my.vip.sc5.yahoo.com
  server permit name address1.pim.vip.mud.yahoo.com
  server permit name edit.messenger.yahoo.com
  server permit name messenger.yahoo.com
  server permit name http.pager.yahoo.com
  server permit name privacy.yahoo.com
  server permit name csa.yahoo.com
  server permit name csb.yahoo.com
  server permit name csc.yahoo.com
!
username tborland privilege 15 secret 5 ??????????????
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid wtbhome
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 ******
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
 no cdp enable
 bridge-group 1
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 103 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
2. High Security Policy on Application Traffic
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 ???????????????????????
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone PST -8
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 208.67.222.222 208.67.220.220
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect log drop-pkt
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
!
appfw policy-name SDM_HIGH
 application im aol
  service default action reset alarm
  service text-chat action reset alarm
  server deny name login.oscar.aol.com
  server deny name toc.oscar.aol.com
  server deny name oam-d09a.blue.aol.com
  audit-trail on
 application im msn
  service default action reset alarm
  service text-chat action reset alarm
  server deny name messenger.hotmail.com
  server deny name gateway.messenger.hotmail.com
  server deny name webmessenger.msn.com
  audit-trail on
 application http
  strict-http action reset alarm
  port-misuse im action
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
 application im yahoo
  service default action reset alarm
  service text-chat action reset alarm
  server deny name scs.msg.yahoo.com
  server deny name scsa.msg.yahoo.com
  server deny name scsb.msg.yahoo.com
  server deny name scsc.msg.yahoo.com
  server deny name scsd.msg.yahoo.com
  server deny name cs16.msg.dcn.yahoo.com
  server deny name cs19.msg.dcn.yahoo.com
  server deny name cs42.msg.dcn.yahoo.com
  server deny name cs53.msg.dcn.yahoo.com
  server deny name cs54.msg.dcn.yahoo.com
  server deny name ads1.vip.scd.yahoo.com
  server deny name radio1.launch.vip.dal.yahoo.com
  server deny name in1.msg.vip.re2.yahoo.com
  server deny name data1.my.vip.sc5.yahoo.com
  server deny name address1.pim.vip.mud.yahoo.com
  server deny name edit.messenger.yahoo.com
  server deny name messenger.yahoo.com
  server deny name http.pager.yahoo.com
  server deny name privacy.yahoo.com
  server deny na
  server deny name csb.yahoo.com
  server deny name csc.yahoo.com
  audit-trail on
!
crypto pki trustpoint TP-self-signed-2642721116
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2642721116
 revocation-check none
 rsakeypair TP-self-signed-2642721116
!
crypto pki certificate chain TP-self-signed-2642721116
 certificate self-signed 01
  ! (hex body of the self-signed certificate omitted)
  quit
username tborland privilege 15 secret 5 ??????????????
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip inspect SDM_HIGH out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [my dsl account]
 ppp chap password 0 [password]
 ppp pap sent-username [my_dsl_account] password 0 [password]
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
interface BVI1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip tcp adjust-mss 1452
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 transport input ssh
!
scheduler max-task-time 5000
end
Some discussions
»801 ISDN access list woes »Cisco 831 hardened config example?
by aryoba  last modified: 2009-01-21 08:40:39
Extracted from the following thread: »[HELP] IOS IPS -- Is the performance hit worth it?
Note: To run this configuration, your router needs to run an IOS image that has the IPSec/IDS feature and to have the signature file on its flash memory. Check out the following FAQ for more info.
»Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS?
by aryoba  last modified: 2007-07-11 11:09:37
Note:
* The router needs to run a 12.4 IOS image with Firewall support
Discussions »[HELP] Multi-Interface Firewall Config Help
by aryoba  last modified: 2009-02-09 16:09:49
A solution that uses the router to filter Internet access (web traffic), allowing what is defined to go through and denying all others.
Option 1: Using CBAC feature
This "work around" uses Cisco's Web Filtering functionality, which goes hand in hand with the Websense products. This FAQ utilises the current functionality of the Websense solution without a server, deviating from Cisco's original design of this suite of technologies.
Note that this is only supported in IOS images that have the CBAC functionality.
First, create an ACL to be used in the Java filter statement that allows everything through, so that the Java applet scanner, which can be CPU intensive, is not triggered. Otherwise, degraded performance can occur.
Define the IP INSPECT statements as below and then add the URLs that are allowed to be accessed, such as www.google.com and www.froogle.com in the example below:
The statement "ip urlfilter exclusive-domain www.xxxx.com" adds a domain name to (or removes it from) the exclusive domain list, so that the firewall does not have to send look-up requests to the Websense server. So, regardless of whether the Websense server is available or not (in this case it does not exist at all), the router will allow all HTTP requests to the above domains through.
There is a setting, defined by the statement "ip urlfilter allow-mode on/off", that decides whether the router allows web traffic through or denies it when it can't talk to the Websense server. No Websense server is defined at all, so what we will do is turn allow-mode off, so that all traffic is denied except for the sites defined in the exclusive-domain statements.
Now that the configuration has been set up, it has to be applied to the interface like a normal ip inspect statement, for example:
or
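As an added example (not the FAQ's own listing), here is Option 1 put together as described above. Ethernet1 as the WAN interface, ACL 50 as the Java list and the rule name WEBFILTER are assumptions; the exclusive-domain command takes a permit or deny keyword, which the text above leaves out.

```cisco
! Constructed example, not the FAQ's listing. Interface names, the ACL
! number and the inspection rule name are assumptions.
ip cef
!
! Java applet list: "permit any" treats every site as friendly, so the
! applet scanner never blocks content from the permitted sites and
! spends no CPU on it.
access-list 50 permit any
!
! Inspection rule: HTTP is inspected with the Java list and handed to
! the URL filter; tcp and udp keep ordinary CBAC return-traffic state.
ip inspect name WEBFILTER http java-list 50 urlfilter
ip inspect name WEBFILTER tcp
ip inspect name WEBFILTER udp
!
! No "ip urlfilter server" line on purpose. With allow-mode off, a
! request that cannot be cleared with the (non-existent) server is
! denied, unless its domain is on the exclusive list, which the router
! answers locally. audit-trail logs each allowed and denied URL.
ip urlfilter allow-mode off
ip urlfilter exclusive-domain permit www.google.com
ip urlfilter exclusive-domain permit www.froogle.com
ip urlfilter audit-trail
!
! Apply outbound on the WAN interface ...
interface Ethernet1
 description WAN (Internet)
 ip inspect WEBFILTER out
!
! ... or, equivalently, inbound on the LAN interface (assumed Ethernet0).
! Use one placement or the other, not both.
! interface Ethernet0
!  ip inspect WEBFILTER in
```

Note that the exclusive list matches the exact host name given, so a page that pulls content from other hosts of the same site still sees those requests denied; "show ip urlfilter statistics" shows the allowed and denied request counts.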
Option 2: Using QoS CBWFQ feature
Using the same situation as before, the permitted web sites are only www.google.com and www.froogle.com, while traffic to other sites is blocked. This time the filtering technique utilises CBWFQ, which is also applied to the WAN interface.
CBWFQ (Class Based Weighted Fair Queueing) is a Cisco QoS (Quality of Service) feature that can be used to shape or to drop certain traffic. In this sample configuration, outbound traffic to www.google.com, to www.froogle.com, and to the ISP DNS servers is guaranteed 20% of the bandwidth during congestion. Other traffic is dropped even when there is no congestion.
Let's review another illustration. Some organizations prevent their employees from accessing public social sites such as www.myspace.com and adult (porn) sites such as www.playboy.com, while still permitting access to other Internet sites. Using CBWFQ, following is a blocked-access sample configuration.
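Here is an added example (not the FAQ's own listing) of both CBWFQ policies described above, applied outbound on the WAN interface. Assumed: WAN interface Ethernet1, and ISP DNS servers 203.0.113.53 and 203.0.113.54 (documentation addresses standing in for the real ones).

```cisco
! Constructed example, not the FAQ's listing. The WAN interface name
! and the DNS server addresses (documentation range) are assumptions.
ip cef
!
! Allow-list policy: only HTTP to the two sites plus DNS to the ISP
! servers is classified as permitted and guaranteed 20% of the link
! under congestion; class-default drops everything else unconditionally.
! NBAR reads the Host header of plain HTTP only; HTTPS carries no
! readable host name for it, so HTTPS falls into class-default.
access-list 150 remark ---- ISP DNS servers ----
access-list 150 permit udp any host 203.0.113.53 eq domain
access-list 150 permit udp any host 203.0.113.54 eq domain
access-list 150 permit tcp any host 203.0.113.53 eq domain
access-list 150 permit tcp any host 203.0.113.54 eq domain
!
class-map match-any PERMITTED-SITES
 match protocol http host "www.google.com"
 match protocol http host "www.froogle.com"
 match access-group 150
!
policy-map ALLOW-LIST
 class PERMITTED-SITES
  bandwidth percent 20
 class class-default
  drop
!
! Block-list policy for the second illustration: the named sites are
! dropped and everything else is left alone (fair-queued as usual).
class-map match-any BLOCKED-SITES
 match protocol http host "*myspace.com*"
 match protocol http host "*playboy.com*"
!
policy-map BLOCK-LIST
 class BLOCKED-SITES
  drop
 class class-default
  fair-queue
!
! One output policy per interface: attach ALLOW-LIST or BLOCK-LIST.
interface Ethernet1
 description WAN (Internet)
 service-policy output ALLOW-LIST
!
! Verify with "show policy-map interface Ethernet1": the drop counter
! of class-default (allow list) or BLOCKED-SITES (block list) grows.
```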
More illustration on CBWFQ technique to restrict/maintain website access »[Config] QoS with CBWFQ to prioritize a website
Note: Using a similar approach, you can also implement NBAR (Network Based Application Recognition) to restrict or even drop/block Internet access, especially P2P (Peer-to-Peer) traffic. Check out the following FAQ for more info.
»Cisco Forum FAQ »Restrict Traffic Flow including P2P (Peer to Peer) using NBAR: An Overview
Option 3: Using ACL IP Address-Based
The downside of the two previous sample configurations is that your router may not support the feature. The upside is that most routers support blocking access by IP addresses or subnets. Following is an illustration of how to block access by the site's IP addresses, with the filter applied to the LAN interface.
Let's revisit the www.myspace.com access block. Using DNS A record and WHOIS checks, it is revealed that currently the myspace.com subnet is 216.178.32.0/20 (from 216.178.32.0 to 216.178.47.255). Following is a sample configuration that blocks access to myspace.com based on its IP addresses.
Side Note: You can use the following site for public DNS A record and WHOIS checks: http://www.iptools.com/
Keep in mind that this blocking method only works while myspace.com still occupies the 216.178.32.0/20 subnet. It is known that originally myspace.com did not occupy this subnet. When the blocked site's IP addresses move to a different subnet, the blocked IP subnet will need to be adjusted to the new one. This adjustment is not needed when one of the two previous options is deployed.
This FAQ was inspired by the following post: »How to Configure Internet Access restrictions ?
by Covenant edited by aryoba  last modified: 2009-03-11 15:05:19
Suggested prerequisite reading »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
Introduction
Setting up a site-to-site IPSec VPN connection in general involves two phases. Phase 1 is called ISAKMP SA (Security Association) establishment and Phase 2 is called IPSec SA establishment.
Phase 1
In general, Phase 1 deals with confirmation among the sites that are about to establish a secure connection across an unsecure network. This process verifies that each site is authorized to establish such a connection. Further description follows.
Phase 1 establishes the ISAKMP key match with the remote site. One popular technique for this ISAKMP key matching is to use a preshared key. This key is basically a string (a combination of letters, numbers, and other characters) that both sites agree to use. The key is then stored (and encrypted) within each VPN device's configuration.
Phase 1 of IPSec VPN connection establishment also involves the remote VPN device's IP address (the peer). A popular technique is to specifically set the remote peer IP address (for security purposes), known as static configuration. With this static configuration, both the preshared key and the remote IP address are statically configured into the VPN device.
During Phase 1 VPN tunnel establishment using the static configuration of both preshared key and remote IP address, the two VPN peer IP addresses (the local and the remote) must match. If the two VPN peer IP addresses match, then the next step is to match the preshared key between the two VPN devices.
This preshared key matching process is done within an encapsulated secure (encrypted) tunnel. The encapsulation type and method used are the encryption specified for Phase 1. In other words, Phase 1 VPN tunnel establishment in this case involves matching three factors, all of which are statically configured into both VPN devices. If a change is needed to any one of the three, manual adjustment is needed.
The three factors are the VPN peer IP addresses, the preshared key, and the encryption type and method. In this specific example, those three factors are the key to how the Phase 1 process verifies security association establishment between sites that are about to set up a secure connection over an untrusted network.
Phase 2
Once Phase 1 has completed successfully, the setup process moves to Phase 2. In general, Phase 2 deals with traffic management of the actual data communication between the sites: there is a mechanism that determines which data goes where, encrypted or not.
On Cisco security devices, one such mechanism is an access list. The access list specifies which data (by source and destination IP addresses or subnets) is to be encrypted or decrypted, that is, sent through the VPN tunnel.
Similar to Phase 1, Phase 2 also has its own specific remote VPN peer IP addresses and IPSec VPN tunnel type and method. The access list, the remote VPN peer IP addresses, and the Phase 2 IPSec VPN tunnel type and method are all statically configured on both VPN devices. The actual data passing (encrypted before leaving the local VPN device for the remote VPN device, and decrypted on arrival at the local VPN device from the remote VPN device) is encapsulated within the Phase 2 IPSec VPN tunnel.
In other words, the access list, the VPN peer IP addresses, and the IPSec VPN tunnel type and method are the key to establishing Phase 2. Once Phase 2 is established, the actual data passes between the sites.
Between Phase 1 and Phase 2
Note that only Phase 2 involves the IPSec protocol itself, either ESP (IP protocol 50) or AH (IP protocol 51). Both Phase 1 (ISAKMP) and Phase 2 (IPSec) use a specific encryption type (i.e. AES, 3DES, DES) and hash (MD5 or SHA). Specific to Phase 1 are the Diffie-Hellman group (Group 1, 2, or 5) and the ISAKMP SA (Security Association) timeout or lifetime.
Cisco Configuration Guide
An Introduction to IP Security (IPSec) Encryption
Virtual Private Networks with the Cisco PIX Firewall - Introduction and Implementation
Illustration
Let's review the following PIX IPSec VPN tunnel configuration.
To understand the complete picture, please review the PIX-to-PIX IPSec Fully Meshed Sample Configuration.
Side Note: For further understanding of each PIX command and the technology behind it, check out the following Cisco link: Cisco PIX Firewall Command Reference Version 6.3
Note that from the VPN connection perspective, the actual data can only pass between two sites when the following are met (in addition to other basic interconnectivity requirements):
* Phase 1 is established: matching VPN peer IP address, preshared key, Phase 1 encryption type and method
* Phase 2 is established: matching VPN peer IP address, access list, Phase 2 IPSec type and method
* Proper IP routing is in place: either by static routes or by a dynamic routing protocol
In other words, configuration between two VPN devices must match.
Sample Configurations
Following is a sample configuration of a site-to-site IPSec VPN tunnel between two sites. A full-mesh (or partial-mesh) site-to-site VPN involving three or more sites is basically the same setup as the single site-to-site VPN between two sites: you just set up the tunnels one by one, between the 1st and 2nd sites, between the 1st and 3rd sites, between the 2nd and 3rd sites, and so on.
Specifically, when setting up IPSec tunnels on a Cisco router, PIX, or ASA in a hub-and-spoke, partial-mesh, or full-mesh setup involving three or more sites, you need to use a different sequence number of the "crypto map" command for each remote VPN peer IP address, each with its own access list regulating the encrypted traffic. The PIX-to-PIX sample configuration illustrates that.
PIX to PIX
Configuring PIX to PIX to PIX IPSec Fully Meshed
Router to Router
1. Basic Configuration
Configuring Router-to-Router IPSec Using AES Encryption
Configuring IPSec Between Three Routers Using Split Tunneling
Configuring IPSec Router-to-Router Hub and Spoke
Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes
Configuring IPSec Router-to-Router Fully Meshed
2. Extended Configuration
Configuring an IPSec Tunnel through a Firewall with NAT
Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static
Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets
Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network
Configuring a Router-to-Router LAN-to-LAN Tunnel with a Router Initiating IKE Aggressive Mode
Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients
Router to VPN 3000 Concentrator
Configuring the Cisco VPN 3000 Concentrator to a Cisco Router
EZ VPN
PIX to Router http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
PIX to VPN 3000 Concentrator http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml
PIX to Checkpoint 4.1 Firewall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml
PIX to Checkpoint NG Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
PIX to Juniper Netscreen Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml
PIX to Sonicwall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml
PIX to Zywall »Cisco Forum FAQ »How do I configure a Zywall/PIX IPSec VPN
Various Cisco Devices to Microsoft Windows server http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml
Some discussions »[Config] Configuring More Than 1 VPN Tunnel (871w)
Basic Troubleshooting
1. Phase 2 (IPSec - the actual data passing)
* Make sure the data source and destination IP addresses or subnets match the regulating access list.
* Check the data passing process between the two sites. On Cisco equipment, the show crypto ipsec sa command shows the SA (Security Association) counters for encrypted traffic (outgoing data) and decrypted traffic (incoming data).
2. Phase 1 (ISAKMP - the key)
* Assuming you use a preshared key, make sure the remote VPN peer IP address and the key match between the two VPN device configurations.
* Check the Phase 1 VPN tunnel up/down status between the two sites. On Cisco equipment, the show crypto isakmp sa command shows the tunnel status between the local VPN peer IP address and the remote VPN peer IP address.
* Run a simple connection test to the remote site (the remote VPN peer IP address), such as ICMP ping and traceroute (whenever possible).
* Rebooting one or both VPN devices sometimes resolves a VPN connectivity issue.
As a general rule, the configuration of each VPN device in a site-to-site IPSec VPN tunnel scenario must match, as mentioned previously. ACL, NAT, encryption type used, and the routing table are just some of the key points to check in addition to the Phase 1 and Phase 2 verification.
Further Reading
VPN Tunnel To Support Non-IP traffic and/or Dynamic Routing Protocols: GRE over IPSec »Cisco Forum FAQ »Private Routing over VPN: NAT/PAT, GRE, IPSec Sample Configurations
by aryoba  last modified: 2009-09-03 09:37:18
The network layout that this configuration works for is 192.168.0.0 /24 -> Zywall 2x -> Speedstream 5100 (PPPoE) -> internet -> Cisco 1720 -> x.x.x.192 /26 public IP pool -> Pix 501 -> 192.168.1.0 /24. The outside interface of the Pix is x.x.x.194.
Pix config
MYCOFW# write t
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MYCOFW
domain-name MYCOMPANY.com
access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any
access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any
access-list To-Internet permit icmp any any
access-list From-Internet permit tcp any host x.x.x.196 eq smtp
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable
access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list to-internet permit icmp any any
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.194 255.255.255.192
ip address inside 192.168.1.25 255.255.255.0
ip local pool MYCOippool 192.168.2.1-192.168.2.254
global (outside) 1 x.x.x.200-x.x.x.250 netmask 255.255.255.192
global (outside) 1 x.x.x.251
nat (inside) 0 access-list NoNAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group From-Internet in interface outside
access-group To-Internet in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
http 192.168.1.0 255.255.255.0 inside
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac
crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf
crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap
crypto map MYCOmap client configuration address initiate
crypto map MYCOmap client configuration address respond
crypto map MYCOmap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local MYCOippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup MYCOvpn address-pool NONATippool
vpngroup MYCOvpn dns-server 205.171.3.65
vpngroup MYCOvpn wins-server 192.168.1.1
vpngroup MYCOvpn default-domain MYCOMPANY.com
vpngroup MYCOvpn idle-time 1800
vpngroup MYCOvpn password ********
vpngroup MYCO address-pool NONATippool
vpngroup MYCO dns-server 192.168.1.1 205.171.3.65
vpngroup MYCO wins-server 192.168.1.1
vpngroup MYCO default-domain MYCO.com
vpngroup MYCO idle-time 1800
vpngroup MYCO password ********
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 client configuration address local NONATippool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username xxxx password xxxx
vpdn username yyyy password yyyyy
vpdn username zzzz password zzzzz
vpdn enable outside
Zywall Config:
Menu 27.1.1 - IPSec Setup
Index #= 1
Name= Work
Active= Yes
Keep Alive= Yes
Nat Traversal= No
Local ID type= IP   Content=
My IP Addr= 0.0.0.0
Peer ID type= IP   Content= x.x.x.194
Secure Gateway Address= x.x.x.194
Protocol= 17
Local:  Addr Type= SUBNET
        IP Addr Start= 192.168.0.0   End/Subnet Mask= 255.255.255.0
        Port Start= 0   End= N/A
Remote: Addr Type= SUBNET
        IP Addr Start= 192.168.1.0   End/Subnet Mask= 255.255.255.0
        Port Start= 0   End= N/A
Enable Replay Detection= Yes
Key Management= IKE
Menu 27.1.1.1 - IKE Setup
Phase 1
Negotiation Mode= Main
PSK= ********
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH2
Phase 2
Active Protocol= ESP
Encryption Algorithm= 3DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None
In addition I had to enable 2 firewall rules on the Zywall Wan/WanZywall interface.
1) Source address (x.x.x.192 255.255.255.192) Destination (Any) forward Any Tcp Any Udp
2) Source address (Any) Destination (Any) forward (ike, gre, ah, esp)
I also include icmp & auth, though I don't think these are necessary for the VPN; they help with dslr line monitoring & my mail server.
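The Phase 1 and Phase 2 factors listed in the preceding FAQ entry (peer address, preshared key, encryption and hash, DH group, lifetime, the interesting-traffic access list, transform and PFS) can be checked for the PIX/Zywall pair above mechanically. The Python below is an added example, not from the FAQ, Cisco or ZyXEL; it reads the values off the two configurations in this entry, keeps the FAQ's x.x.x.194 placeholder as-is, and uses a constructed stand-in for the preshared key.

```python
"""Peer-consistency check for a site-to-site IPSec VPN. Added example, not
from the FAQ, Cisco or ZyXEL: it models the Phase 1 / Phase 2 factors the
FAQ says must match on both devices and lists every mismatch, using the
PIX 501 and Zywall values from this entry (preshared key is a stand-in)."""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Phase1:
    encryption: str       # des / 3des / aes
    hash: str             # md5 / sha
    dh_group: int         # Diffie-Hellman group 1, 2 or 5
    lifetime: int         # ISAKMP SA lifetime in seconds
    psk: str              # preshared key: compared, never printed

@dataclass(frozen=True)
class Phase2:
    protocol: str         # esp / ah
    encryption: str
    hash: str
    mode: str             # tunnel / transport
    pfs: Optional[int]    # PFS DH group, None when PFS is off
    interesting: Tuple[Tuple[str, str], ...]  # (local, remote) subnet pairs

@dataclass(frozen=True)
class VpnPeer:
    name: str
    address: str          # this device's outside address
    remote_peer: str      # configured peer; "0.0.0.0" accepts any peer
    phase1: Phase1
    phase2: Phase2

def peer_address_ok(local: VpnPeer, remote: VpnPeer) -> bool:
    """Does local's configured peer address accept remote's address?"""
    return local.remote_peer in ("0.0.0.0", remote.address)

def unmirrored(a: Phase2, b: Phase2) -> List[Tuple[str, str]]:
    """Pairs in a's interesting traffic with no mirror image in b's."""
    mirror = {(ip_network(r), ip_network(l)) for l, r in b.interesting}
    return [(l, r) for l, r in a.interesting
            if (ip_network(l), ip_network(r)) not in mirror]

def _differing(label, a, b, obj_a, obj_b, fields) -> List[str]:
    out = []   # case-insensitive comparison, one message per mismatch
    for f in fields:
        va, vb = getattr(obj_a, f), getattr(obj_b, f)
        if str(va).lower() != str(vb).lower():
            out.append("%s %s: %s=%s %s=%s" % (label, f, a.name, va, b.name, vb))
    return out

def check_phase1(a: VpnPeer, b: VpnPeer) -> List[str]:
    problems = []
    if not (peer_address_ok(a, b) and peer_address_ok(b, a)):
        problems.append("peer address: %s expects %s, %s expects %s"
                        % (a.name, a.remote_peer, b.name, b.remote_peer))
    if a.phase1.psk != b.phase1.psk:
        problems.append("phase1 psk: preshared keys differ")
    return problems + _differing("phase1", a, b, a.phase1, b.phase1,
                                 ("encryption", "hash", "dh_group", "lifetime"))

def check_phase2(a: VpnPeer, b: VpnPeer) -> List[str]:
    problems = _differing("phase2", a, b, a.phase2, b.phase2,
                          ("protocol", "encryption", "hash", "mode", "pfs"))
    for side, other in ((a, b), (b, a)):
        for l, r in unmirrored(side.phase2, other.phase2):
            problems.append("phase2 acl: %s %s->%s has no mirror on %s"
                            % (side.name, l, r, other.name))
    return problems

def check_pair(a: VpnPeer, b: VpnPeer) -> List[str]:
    """Phase 1 findings first: Phase 2 is never reached until Phase 1 is up."""
    return check_phase1(a, b) + check_phase2(a, b)

# PIX 501 side: isakmp policy 10, transform-set esp-3des esp-md5-hmac, dynamic
# crypto map (any peer), no "set pfs". Only the NoNAT entry facing the Zywall
# is listed; the 192.168.2.0/24 entry serves the remote-access pool instead.
PIX = VpnPeer("PIX", "x.x.x.194", "0.0.0.0",
              Phase1("3des", "md5", 2, 28800, "psk-placeholder"),
              Phase2("esp", "3des", "md5", "tunnel", None,
                     (("192.168.1.0/24", "192.168.0.0/24"),)))

# Zywall side (Menu 27.1.1 / 27.1.1.1): own address dynamic, peer x.x.x.194.
ZYWALL = VpnPeer("Zywall", "dynamic", "x.x.x.194",
                 Phase1("3DES", "MD5", 2, 28800, "psk-placeholder"),
                 Phase2("ESP", "3DES", "MD5", "Tunnel", None,
                        (("192.168.0.0/24", "192.168.1.0/24"),)))

# Constructed misconfiguration (SHA hash, mistyped remote subnet) for contrast.
BAD_ZYWALL = replace(ZYWALL, phase1=replace(ZYWALL.phase1, hash="SHA"),
                     phase2=replace(ZYWALL.phase2, interesting=(
                         ("192.168.0.0/24", "192.168.10.0/24"),)))

if __name__ == "__main__":
    for peer in (ZYWALL, BAD_ZYWALL):
        print(peer.name, check_pair(PIX, peer) or ["all factors match"])
```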

by TerryMiller edited by aryoba  last modified: 2008-12-29 16:13:38
Suggested Prerequisite Reading: »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections
Introduction
When a local network needs to communicate with a remote network, there are in general two ways of doing it. One way is to utilize a Public network (such as the Internet) and the other is to utilize a Private network. Traditionally, a Private network consists of dedicated or private circuits: T1/E1 (and higher), ISDN, and frame relay. With today's VPN technology, one can utilize the Public network to transport Private network traffic at less cost than dedicated circuits, more conveniently since it is on-demand, and still as secure as the traditional Private network.
On the implementation side, there must be a way to distinguish which traffic is destined for the Public network and which for the Private network. With IPSec VPN, this is where Split Tunnel comes into place: properly implemented, Split Tunnel decides which traffic is destined for the Public network and which for the Private network.
Another scenario is when the Public network gateway and the Private network gateway are physically separate devices. In a VPN implementation, the Private network gateway is the device that terminates the VPN tunnel, while the Public network gateway is the device that connects directly to the Public network. With an IPSec VPN implementation, the Private network gateway typically terminates the IPSec tunnel while the Public network gateway passes the IPSec tunnel through just like any other IP traffic.
In some networks, the Public network gateway and the Private network gateway reside on the same physical device. In that case, the same device terminates the IPSec tunnel and also forwards the IPSec tunnel traffic just as it forwards traffic destined for the Public network.
A typical IPSec VPN tunnel implementation does not NAT/PAT traffic destined for the Private network and applies NAT/PAT only to traffic destined for the Public network. Therefore there must be some mechanism that regulates which traffic to NAT/PAT and which not to. On Cisco devices, this mechanism is an ACL that selects such traffic.
With a routing protocol, there might be a need to implement a GRE tunnel in addition to the IPSec tunnel. Depending on the implementation, there can be one device terminating the GRE tunnel, one device terminating the IPSec tunnel (which carries the GRE tunnel), and another device passing the GRE/IPSec (GRE over IPSec) tunnel through just like traffic destined for the Public network. Check out the following FAQ for more info on GRE/IPSec tunnels.
»Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels
Following is a list of sample configurations with various designs and implementations.
Static Routes over VPN
PIX Firewall passing IPSec tunnel
Configuring an IPSec Tunnel through a PIX Firewall with NAT
IPSec tunnel passthrough on NAT/PAT Device and Utilize Single Public IP Address For Both Internet and IPSec Tunnel (Split Tunneling)
1. Router as the NAT/PAT Device
IOS Router to Pass a LAN-to-LAN IPSec Tunnel via PAT
2. PIX Firewall as the NAT/PAT Device
IPsec Tunnel Pass Through a PIX Firewall With use of Access List and with NAT Configuration Example
3. Static mappings with overloaded NAT and VPN
Configuring Router-to-Router IPsec (Pre-shared Keys) on GRE Tunnel with IOS Firewall and NAT
Kindly provided by Manta courtesy of these posts.
Quoted Post #1
Problem:
Two 837 routers connected to ADSL lines. R1 is at Site1 and R2 at Site2. Both have single fixed IP addresses and run an ISAKMP/IPSEC tunnel between them to route the LAN traffic between sites. This works fine but the problem is that when a static NAT entry is put in so that, for example, Remote Desktop is available from the internet to a particular PC at Site1 then it stops access to any Remote Desktop from Site2.
Solution:
Change the IPSEC tunnel so that it only carries traffic from the loopback interface of R1 to the loopback interface of R2. Then run a GRE tunnel over that IPSEC tunnel and route any site-to-site traffic via Tunnel0.
Site1: 10.0.0.0/24 GW: 10.0.0.254
Site2: 10.1.0.0/24 GW: 10.1.0.1
Sample Configuration:
! Last configuration change at 11:16:23 BST Thu Jun 3 2004 by gareth
! NVRAM config last updated at 11:16:25 BST Thu Jun 3 2004 by gareth
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname Site1
!
logging queue-limit 100
enable secret 5
!
username
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
aaa new-model
!
!
aaa authentication login local-auth local-case
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name
!
!
no ip bootp server
ip cef
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http alert on
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 100
ip audit name INTERNET-OUT info action alarm
ip audit name INTERNET-OUT attack action alarm drop reset
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key address
!
!
crypto ipsec transform-set lan-lan-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 10 ipsec-isakmp
 description IPSec tunnel to carry GRE
 set peer
 set transform-set lan-lan-tunnel
 set pfs group5
 match address site2-gre
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Tunnel0
 ip address 192.168.2.1 255.255.255.0
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
!
interface Ethernet0
 ip access-group Ethernet_In in
 ip address 10.0.0.254 255.255.255.0
 ip access-group Ethernet-In in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 ip address negotiated
 ip access-group Internet_In in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect INTERNET-OUT out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname
 ppp chap password
 crypto map vpn-tunnel
!
ip nat inside source list NAT interface Dialer0 overload
! Collection of static mappings removed but example given
ip nat inside source static tcp interface Dialer0
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.255.0 Tunnel0
no ip http server
no ip http secure-server
!
!
ip access-list extended Ethernet-In
 remark Invalid internet addresses
 deny ip any 0.0.0.0 0.255.255.255 log
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark Lock down email to servers
 permit tcp host 10.0.0.2 any eq smtp
 deny tcp any any eq smtp log
 deny tcp any any eq pop3 log
 remark other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 deny ip any any log
ip access-list extended Internet-In
 remark vpn enable
 !Unsure if next two lines needed but it's belt and braces
 permit esp host any
 permit udp host eq isakmp any eq isakmp
 permit ip host 192.168.1.2 host 192.168.1.1
 remark Invalid internet addresses
 deny ip 0.0.0.0 0.255.255.255 any log
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark Port Mappings
 remark SMTP mail mapping
 permit tcp any any eq smtp
 remark SSH access mappings
 permit tcp host any eq 22
 remark Other
 permit icmp host any echo
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 remark SNTP time servers
 permit udp host 158.43.128.33 eq ntp any
 permit udp host 158.43.128.66 eq ntp any
 deny ip any any log
ip access-list extended NAT
 ! Don't know if these NAT Deny's are necessary any more but it's too hot to think about it at the moment.
 deny ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended site2-gre
 permit ip host 192.168.1.1 host 192.168.1.2
radius-server authorization permit missing Service-Type
banner login $
Access to this device is only permitted by authorised users
All access to this device is logged
$
!
line con 0
 logging synchronous
 login authentication local-auth
 no modem enable
 stopbits 1
line aux 0
 login authentication local-auth
 stopbits 1
line vty 0 4
 logging synchronous
 login authentication local-auth
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
end
Quoted Post #2
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 warnings
enable secret
!
aaa new-model
!
!
aaa group server radius wireless-radius
 server 10.1.0.2 auth-port 1645 acct-port 1646
 ip radius source-interface Vlan1
!
aaa authentication login local-auth local-case
aaa authentication login wireless-eap group wireless-radius
aaa authentication ppp default local-case
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid w-secure
 vlan 2
 authentication open eap wireless-eap
 authentication key-management wpa
!
dot11 ssid w-ps3
 vlan 3
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name bullet-systems.com
ip multicast-routing
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on
ip inspect name INTERNET-OUT udp alert on
ip inspect name INTERNET-OUT http java-list 2 alert on
ip inspect name INTERNET-OUT ftp alert on timeout 300
ip inspect name INTERNET-OUT tftp alert on
ip inspect name INTERNET-OUT sip alert on
ip inspect name INTERNET-OUT rtsp alert on
ip ips name INTERNET-OUT
!
multilink bundle-name authenticated
!
!
username secret
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 5
crypto isakmp key address
crypto isakmp key address
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ipsec-tunnel esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 100 ipsec-isakmp
 description A to B IPSec tunnel to carry GRE
 set peer
 set transform-set ipsec-tunnel
 set pfs group5
 match address adsl-gre
!
crypto map vpn-tunnel 110 ipsec-isakmp
 description A to B via SDSL
 set peer
 set transform-set ipsec-tunnel
 set pfs group5
 match address sdsl-gre
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any voip
 match ip rtp 9000 20
 match access-group name voip
!
!
policy-map voip
 class voip
  priority 516
 class class-default
  fair-queue
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
!
interface Loopback5
 ip address 192.168.1.5 255.255.255.255
!
interface Tunnel0
 description Tunnel over ADSL
 bandwidth 800
 ip unnumbered Loopback0
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback0
 tunnel destination 192.168.1.2
 tunnel key 0
 tunnel bandwidth transmit 800
!
interface Tunnel5
 description Tunnel SDSL
 bandwidth 800
 bandwidth receive 1024
 ip unnumbered Loopback5
 ip load-sharing per-packet
 ip multicast boundary multicast-boundary
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 qos pre-classify
 keepalive 3 3
 tunnel source Loopback5
 tunnel destination 192.168.1.6
 tunnel key 5
 tunnel bandwidth transmit 800
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  ubr 832
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
  service-policy output voip
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 3 mode ciphers aes-ccm
 !
 ssid w-secure
 !
 ssid w-ps3
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.2
 description Wireless VLAN for laptop and trusted machines
 encapsulation dot1Q 2
 ip address 10.2.2.1 255.255.255.0
 ip helper-address 10.1.0.2
 ip nat inside
 ip virtual-reassembly
!
interface Dot11Radio0.3
 description Wireless VLAN for PS3
 encapsulation dot1Q 3
 ip address 10.2.3.1 255.255.255.0
 ip access-group wireless-lockdown in
 ip helper-address 10.1.0.2
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Local Area Network
 bandwidth 100000
 ip address 10.1.0.1 255.255.255.0
 ip access-group ethernet-in in
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 description ADSL line 8192kbps/832kbps
 bandwidth 8192
 ip address negotiated
 ip access-group internet-in in
 no ip proxy-arp
 ip multicast boundary multicast-boundary
 ip nat outside
 ip inspect INTERNET-OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname
 ppp chap password
 crypto map vpn-tunnel
!
no ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.1.0 255.255.255.0 Tunnel5
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 1800
ip nat translation tcp-timeout 300
ip nat translation finrst-timeout 15
ip nat translation syn-timeout 45
ip nat translation max-entries host 10.1.0.52 1500
ip nat pool used-ip-block prefix-length 29
ip nat pool unused-ip-block prefix-length 29
ip nat inside source list nat-list pool used-ip-block overload
ip nat inside source static tcp extendable
ip nat inside source static udp extendable
!
ip access-list standard multicast-boundary
 deny 239.255.0.0 0.0.255.255
 permit any
!
ip access-list extended sdsl-gre
 permit ip host 192.168.1.5 host 192.168.1.6
!
ip access-list extended ethernet-in
 permit ip any host 192.168.2.2
 remark Invalid internet addresses
 deny ip any 0.0.0.0 0.255.255.255 log
 deny ip any 127.0.0.0 0.255.255.255 log
 deny ip any 169.254.0.0 0.0.255.255 log
 deny ip any 192.0.2.0 0.0.0.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark Other
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit tcp any any
 permit udp any any
 permit igmp 10.1.0.0 0.0.0.255 any
 deny ip any any log
!
ip access-list extended internet-in
 permit esp host any
 permit udp host eq isakmp any eq isakmp
 remark Invalid internet addresses
 deny ip 0.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit tcp any any eq domain
 permit udp any any eq domain
 remark Other
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit udp host 158.43.128.33 any eq ntp
 permit udp host 158.43.128.66 any eq ntp
 deny ip any any log
!
ip access-list extended adsl-gre
 permit ip host 192.168.1.1 host 192.168.1.2
!
ip access-list extended nat-list
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip access-list extended voip
 permit ip any 217.10.79.0 0.0.0.255
 permit udp host 10.1.0.2 range 9000 9020 any
!
ip access-list extended wireless-lockdown
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.0.2 eq domain
 permit tcp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit udp 10.2.3.0 0.0.0.255 host 10.1.1.2 eq domain
 permit ip 10.2.3.0 0.0.0.255 host 10.1.0.3
 permit udp any eq bootpc any eq bootps
 deny ip 10.2.3.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.2.3.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit igmp 10.2.3.0 0.0.0.255 any
 permit ip 10.2.3.0 0.0.0.255 any
!
ip radius source-interface Vlan1
logging history size 100
access-list 1 remark SNMP access
access-list 1 permit 10.1.0.2
access-list 1 deny any log
!
access-list 2 remark JAVA applet firewall exception list
access-list 2 permit 72.5.124.95
access-list 2 permit 85.210.20.0 0.0.0.255
!
!
access-list 700 permit 0123.4567.8901 0000.0000.0000
!
snmp-server community RO 1
snmp-server contact Me
snmp-server chass-id
snmp-server enable traps tty
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.1.0.2 auth-port 1645 acct-port 1646 key
radius-server vsa send accounting
!
control-plane
!
banner login ^CC
Access to this device is only permitted by authorised users
All access to this device is logged
^C
!
line con 0
 logging synchronous
 login authentication local-auth
 no modem enable
 stopbits 1
line aux 0
 login authentication local-auth
 stopbits 1
line vty 0 4
 exec-timeout 20 0
 logging synchronous
 login authentication local-auth
 transport input ssh
!
scheduler max-task-time 5000
sntp server 158.43.128.33
sntp server 158.43.128.66
!
!
end
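One way to see why the static mapping in Quoted Post #1 broke site-to-site Remote Desktop, and why sending the LAN traffic through Tunnel0 fixes it, is to model how Site1 handles one inside-to-outside packet: route lookup, then NAT, then the crypto map, which is the order IOS applies. The Python below is an added example, not from the FAQ or from Manta's posts; the public address 203.0.113.10 and the tcp/3389 static entry are constructed stand-ins for values blanked out of the posted configuration, and the inbound direction and CBAC are not modelled.

```python
"""Added example, not from the FAQ or from Manta's posts: a model of how an
IOS edge router handles an inside-to-outside packet (route lookup, then
NAT, then the crypto map), built from the Site1 design in Quoted Post #1:
10.0.0.0/24 <-> 10.1.0.0/24, loopbacks 192.168.1.1 / 192.168.1.2, GRE over
IPSec. The public address 203.0.113.10 and the tcp/3389 static mapping are
constructed stand-ins for values blanked out of the posted configuration."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "ip"     # "tcp", "gre" or "ip"
    sport: int = 0

class Route(NamedTuple):
    prefix: str
    iface: str

class Tunnel(NamedTuple):     # "interface TunnelN": tunnel source/destination
    source: str
    destination: str

class AclEntry(NamedTuple):
    action: str           # "permit" or "deny"
    src: str              # network, e.g. "10.0.0.0/24" or "0.0.0.0/0"
    dst: str

def acl_permits(acl: List[AclEntry], p: Packet) -> bool:
    """First matching entry decides; unmatched traffic is denied (IOS)."""
    for e in acl:
        if (ip_address(p.src) in ip_network(e.src)
                and ip_address(p.dst) in ip_network(e.dst)):
            return e.action == "permit"
    return False

def lookup_route(routes: List[Route], dst: str) -> str:
    """Longest-prefix match; the default route guarantees a hit."""
    hits = [r for r in routes if ip_address(dst) in ip_network(r.prefix)]
    return max(hits, key=lambda r: ip_network(r.prefix).prefixlen).iface

class EdgeRouter:
    def __init__(self, routes: List[Route], tunnels: Dict[str, Tunnel],
                 nat_acl: List[AclEntry], static_tcp_ports: Set[int],
                 crypto_acl: List[AclEntry], public_ip: str):
        self.routes = routes                      # "ip route" table
        self.tunnels = tunnels                    # TunnelN -> source/destination
        self.nat_acl = nat_acl                    # "ip nat inside source list NAT"
        self.static_tcp_ports = static_tcp_ports  # "ip nat inside source static tcp"
        self.crypto_acl = crypto_acl              # crypto map "match address"
        self.public_ip = public_ip                # Dialer0 negotiated address

    def forward(self, p: Packet) -> Tuple[str, Packet, List[str]]:
        """Returns (action, packet as it leaves Dialer0, trace)."""
        trace = []
        iface = lookup_route(self.routes, p.dst)
        if iface in self.tunnels:     # GRE first: the outer header is what
            t = self.tunnels[iface]   # NAT and the crypto map will see
            trace.append(f"{iface}: GRE {p.src}->{p.dst} in {t.source}->{t.destination}")
            p = Packet(t.source, t.destination, "gre")
            iface = lookup_route(self.routes, p.dst)
        trace.append(f"egress {iface}")
        # NAT inside->outside runs before the crypto map is consulted.
        if p.proto == "tcp" and p.sport in self.static_tcp_ports:
            p = p._replace(src=self.public_ip)    # static mapping: unconditional
            trace.append(f"static NAT: src {self.public_ip}")
        elif acl_permits(self.nat_acl, p):
            p = p._replace(src=self.public_ip)
            trace.append(f"PAT overload: src {self.public_ip}")
        else:
            trace.append("NAT: exempt")
        action = "encrypt" if acl_permits(self.crypto_acl, p) else "clear"
        trace.append(f"crypto map: {action}")
        return action, p, trace

ANY = "0.0.0.0/0"
PUBLIC = "203.0.113.10"    # constructed stand-in for the negotiated address
NAT_ACL = [AclEntry("deny", "10.0.0.0/24", "10.1.0.0/24"),    # access-list NAT
           AclEntry("deny", "10.1.0.0/24", "10.0.0.0/24"),
           AclEntry("permit", "10.0.0.0/24", ANY)]

# The post's solution: IPSec carries only loopback-to-loopback GRE.
SITE1_GRE = EdgeRouter(
    routes=[Route(ANY, "Dialer0"), Route("10.1.0.0/24", "Tunnel0")],
    tunnels={"Tunnel0": Tunnel("192.168.1.1", "192.168.1.2")},
    nat_acl=NAT_ACL, static_tcp_ports={3389},
    crypto_acl=[AclEntry("permit", "192.168.1.1/32", "192.168.1.2/32")],
    public_ip=PUBLIC)

# The post's problem (assumed shape): LAN-to-LAN crypto ACL, no GRE.
SITE1_PLAIN = EdgeRouter(
    routes=[Route(ANY, "Dialer0")], tunnels={},
    nat_acl=NAT_ACL, static_tcp_ports={3389},
    crypto_acl=[AclEntry("permit", "10.0.0.0/24", "10.1.0.0/24")],
    public_ip=PUBLIC)

RDP_REPLY = Packet("10.0.0.5", "10.1.0.7", "tcp", 3389)  # mapped PC answering Site2
WEB = Packet("10.0.0.5", "198.51.100.20", "tcp", 51000)  # ordinary Internet traffic
```

With the plain design the mapped PC's reply is translated by the static entry before the crypto map sees it, so it no longer matches and leaves in the clear; with GRE the crypto map sees the loopback-to-loopback outer header, which the static entry never touches.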
Private Routing over VPN
GRE/IPSec tunnel to support IP Routing Protocols
Configuring a GRE Tunnel over IPSec with OSPF
GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites
New Feature on ASA/PIX Firewall running OS version 7.x or later
With the new OS version, it is no longer a requirement to encapsulate OSPF in a GRE tunnel in order to pass it through the IPSec VPN tunnel. Running OS version 7.x or later, an ASA or PIX Firewall can pass OSPF through the IPSec VPN tunnel just like GRE or any other IP traffic. Check out the following link for a sample configuration.
PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example
IPX Routing over GRE/IPSec
Configuring GRE and IPSec with IPX Routing
Configuring IPSec with EIGRP and IPX Using GRE Tunneling
DMVPN
When Cisco routers act as the VPN device at all sites, it is simpler and more scalable to run DMVPN between the routers instead of the previous GRE over IPSec approach. With DMVPN, there is no need to manually set up each tunnel for each connection between two sites; DMVPN sets up the necessary tunnels dynamically.
Should you decide to run DMVPN, verify that your router's IOS image version supports it. IOS image versions with either the Advanced Enterprise or the Advanced IP Services feature set should support DMVPN.
Check out following links for more info on DMVPN.
Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs)
Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM
Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall
by Covenant edited by aryoba  last modified: 2009-09-03 09:40:04
Remote VPN to Office Network Using Various VPN Connection Technologies
1. Office Network behind Cisco Router
Configure VPN on a router to support Microsoft VPN Client
Configuring Cisco Router and VPN Clients Using PPTP and MPPE
»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator
2. Office Network behind ASA/PIX Firewall
Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec
Configuring L2TP Over IPSec Between PIX Firewall and Windows 2000 PC Using Certificates
L2TP Over IPsec Between Windows 2000/XP PC and PIX/ASA 7.2 Using Pre-shared Key Configuration Example
Note on ASA/PIX Firewall: To keep the office network's Internet connection uninterrupted while IPSec tunnels from remote users are being established, keep the "isakmp nat-traversal" command. You may need to raise its NAT keepalive value from the default 20 seconds to 30 seconds (or any other non-default value) so that regular web traffic keeps passing while remote users VPN in.
To keep Internet access for the remote users while they are VPNed into the office network, use the "vpngroup split-tunnel" command and associate it with the access list that controls which traffic is encrypted. In other words, you can use the same access list that the "nat 0 (inside)" command uses.
Here is the command reference list for details:
ISAKMP http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/gl.html#wp1027312
VPNGROUP http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1099471
IPSec Remote VPN to Office Network While Maintain Internet Connection
Office Network behind Cisco router
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
»Cisco Forum FAQ »Configure router as both Internet router and VPN Concentrator
Office Network behind PIX/ASA
1. Running 6.X image version »Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
2. Running 7.X image version
»Cisco Forum FAQ »Configure PIX/ASA as both Internet Firewall and VPN Concentrator
ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example
by aryoba  last modified: 2009-04-28 12:51:36
Sample Configuration of IPSec VPN Concentrator
1. Using Local Credential to do AAA (Authentication, Authorization and Accounting)
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen local
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!--- For local authentication of the IPsec user, create the user with a password.
!
username user password 0 cisco
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- ACL 101 is used for split tunneling on the VPN Client end.
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description LAN interface
 ip address 10.10.10.1 255.255.255.0
 half-duplex
 ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
 description WAN interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!--- Enable Network Address Translation (NAT) of inside source addresses that match access list 111;
!--- they get PATed with the FastEthernet IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- This access list specifies which subnets are permitted to access the router.
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- This access list specifies which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
2. Using external TACACS+ server to do AAA (Authentication, Authorization and Accounting)
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen group tacacs+ local
aaa authentication enable userauthen group tacacs+ enable
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization console
aaa authorization exec groupauthor group tacacs+ local
aaa authorization commands 15 groupauthor group tacacs+ local
aaa authorization network groupauthor group tacacs+ local
!
!--- In order to record all commands entered or executed, enable the aaa accounting commands.
!
aaa accounting exec groupauthor start-stop group tacacs+
aaa accounting commands 15 groupauthor start-stop group tacacs+
aaa accounting network groupauthor start-stop group tacacs+
aaa accounting connection groupauthor start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
!--- For local authentication of the IPsec user, create the user with a password.
!
username user password 0 cisco
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- ACL 101 is used for split tunneling on the VPN Client end.
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description LAN interface
 ip address 10.10.10.1 255.255.255.0
 half-duplex
 ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
 description WAN interface
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
tacacs-server key 0 [ENTER THE SECRET KEY HERE]
!
!--- Enable Network Address Translation (NAT) of inside source addresses that match access list 111;
!--- they get PATed with the FastEthernet IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- This access list specifies which subnets are permitted to access the router.
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- This access list specifies which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
Note: For more info on AAA and TACACS+ servers, check out the following: »Cisco Forum FAQ »Securing access to routers with AAA commands
Sample Configuration of PPTP Windows VPN Concentrator
This is a simple configuration for Cisco router with one interface connected to your ISP using DHCP and NAT, and the second interface connected to your private network. With this configuration remote users can access your private network via a Windows VPN connection.
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
no logging console
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
!
enable secret 5 XXXXXXXXXXX
enable password 7 XXXXXXXXX
!
username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
!
ip routing
ip subnet-zero
ip domain-name mydomain.com
ip name-server 192.168.2.1
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip source-route
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no boot network
no service config
!
router rip
 version 2
 network 192.168.0.0
 passive-interface FastEthernet0/0
 no auto-summary
!
ip audit notify log
ip audit smtp spam 25
ip audit po max-events 50
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
!
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name my-vpn
!
async-bootp dns-server 192.168.2.1
async-bootp nbns-server 192.169.2.1
!
interface FastEthernet0/0
 description WAN Interface
 ip address dhcp
 ip nat outside
 ip access-group filter_wan_in in
 ip audit AUDIT.1 in
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.1.1 255.255.0.0
 ip nat inside
 ip access-group filter_lan_in in
 ip access-group filter_lan_out out
 cdp enable
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 ip mroute-cache
 peer default ip address pool VPN-IN
 ppp encrypt mppe 40 required
 ppp authentication ms-chap
!
ip local pool VPN-IN 192.168.2.51 192.168.2.53
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
!
ip classless
no ip http server
!
ip access-list extended filter_wan_in
 ! use this to deny any incoming traffic
 permit ip any any
 deny ip any any log
!
ip access-list extended filter_lan_in
 permit ip any host 192.168.2.51
 permit ip any host 192.168.2.52
 permit ip any host 192.168.2.53
 deny udp any eq 137 any
 deny udp any eq 138 any
 deny tcp any eq 135 any
 deny tcp any eq 139 any
 deny tcp any eq 445 any
 permit icmp any any
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip any 192.168.0.0 0.0.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any any log
!
ip access-list extended filter_lan_out
 permit ip host 192.168.2.51 any
 permit ip host 192.168.2.52 any
 permit ip host 192.168.2.53 any
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply
 deny icmp any any
 deny udp any any eq 137
 deny udp any any eq 138
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny ip any any log
!
access-list 1 remark NAT Source Restrictions
access-list 1 permit any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 password 7 XXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
!
end
The majority of the above configuration is fairly standard and can be found in other FAQs so I will just stick to the settings for getting the router to accept VPN connections.
The first bit:
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
simply enables the access control model for logins.
username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
defines the users and their passwords. These users can log in either over VPN or directly via telnet (or ssh, if configured).
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name my-vpn
enables virtual private dialup networking (VPDN) using the Point-to-Point Tunneling Protocol (PPTP).
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 ip mroute-cache
 peer default ip address pool VPN-IN
 ppp encrypt mppe 40 required
 ppp authentication ms-chap
creates a virtual template bound to the LAN port of the router and assigns each client an IP address from the VPN-IN pool.
ip local pool VPN-IN 192.168.2.51 192.168.2.53
defines the IP addresses available to the VPN clients (3 in this case).
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
defines the NAT overload rule and the static port mapping; 1723 is the port used by PPTP.
The ACLs can be customized to your needs, but note how the VPN client addresses are reversed between the two LAN filters: filter_lan_in permits traffic to the client hosts (192.168.2.51-53 as destination) while filter_lan_out permits traffic from them (the same hosts as source).
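To see how the first-match, wildcard-mask ACLs in the configurations above actually behave, here is an added Python example (not from the FAQ, from Cisco, or from the original poster) that evaluates flows against the IPSec concentrator's split-tunnel ACL 101 and NAT ACL 111 and against excerpts of the PPTP config's filter_lan_in and filter_lan_out. The function names, the shortened ACL excerpts and the sample flows are the example's own constructions.

```python
"""First-match evaluator for the wildcard-mask ACLs in this FAQ (added example, not from
the FAQ or Cisco). It checks that the IPsec concentrator's split-tunnel ACL 101 and NAT ACL
111 agree, and shows why the PPTP config's filter_lan_in and filter_lan_out name the VPN
clients in opposite positions. Handles 'permit|deny <ip|tcp|udp> <src> [eq N] <dst> [eq N] [log]'."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

Net = Tuple[int, int]  # (address, wildcard) as 32-bit integers
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _net(tokens: List[str]) -> Net:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def _port(tokens: List[str]) -> Optional[int]:
    """Consume an optional numeric 'eq N' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_acl(text: str) -> List[Ace]:
    """Parse numbered or named extended ACL lines; remarks, '!' comments and blanks are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list":  # numbered form: drop 'access-list <number>'
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _net(rest), _port(rest)
        dst, dport = _net(rest), _port(rest)
        if rest not in ([], ["log"]):
            raise ValueError(f"unsupported ACE syntax: {line.strip()!r}")
        aces.append(Ace(action, proto, src, sport, dst, dport))
    return aces

def _in_net(addr: int, net: Net) -> bool:
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    address, wildcard = net
    return ((addr ^ address) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one flow; no match means the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_in_net(_ip(src), ace.src) and _in_net(_ip(dst), ace.dst)):
            continue
        if ace.sport not in (None, sport) or ace.dport not in (None, dport):
            continue
        return ace.action
    return "deny"

# (1) Split-tunnel ACL 101 and NAT ACL 111 as written in the concentrator config.
SPLIT_ACL_101 = parse_acl("""
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
""")
NAT_ACL_111 = parse_acl("""
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
""")
# Constructed mistake for contrast: the deny line left out, so tunnel traffic gets PATed.
NAT_ACL_111_BROKEN = parse_acl("access-list 111 permit ip 10.10.10.0 0.0.0.255 any")
# Constructed flows: LAN host to a VPN client, and LAN host to an Internet address.
FLOWS = [("ip", "10.10.10.5", "192.168.1.10"), ("ip", "10.10.10.5", "203.0.113.7")]

def nated_tunnel_flows(split_acl, nat_acl, flows):
    """Flows the split-tunnel ACL sends through the tunnel that the NAT ACL would also translate."""
    return [f for f in flows
            if evaluate(split_acl, *f) == "permit" and evaluate(nat_acl, *f) == "permit"]

# (2) Excerpts of the PPTP config's filter_lan_in ('in') and filter_lan_out ('out') on Fa0/1.
FILTER_LAN_IN = parse_acl("permit ip any host 192.168.2.51\ndeny tcp any eq 445 any\n"
                          "permit ip 192.168.0.0 0.0.255.255 any\ndeny ip any any log")
FILTER_LAN_OUT = parse_acl("permit ip host 192.168.2.51 any\ndeny tcp any any eq 445\n"
                           "deny ip any any log")

def pptp_client_path(client: str, lan_host: str, dport: int):
    """Virtual-Template1 is unnumbered to Fa0/1, so client-to-LAN packets leave through
    Fa0/1 (client is the source) and the replies enter it (client is the destination)."""
    to_lan = evaluate(FILTER_LAN_OUT, "tcp", client, lan_host, dport=dport)
    reply = evaluate(FILTER_LAN_IN, "tcp", lan_host, client, sport=dport)
    return to_lan, reply
```

With the deny line present, nated_tunnel_flows returns nothing; drop it and the LAN-to-client flow is reported as translated, which is the mismatch the "same access list" advice above guards against. pptp_client_path shows that a pool address is matched by the first line of each filter in both directions, while a non-pool address hits the SMB deny on both legs.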
Now all that's left is to configure the client computers. With Windows XP it's easy:
1) Open the Network Connections folder
2) Click "Create a new connection"
3) Click Next
4) Choose "Connect to the network at my workplace", then click Next
5) Select "Virtual Private Network connection", then click Next
6) Enter a name for the connection and click Next
7) Now you can set the VPN connection to auto-dial or not; choose either, then click Next
8) Enter the IP address of your router (this is the public address). Since in our case it's assigned by DHCP, we could use a DynDNS address here
9) Click Next
10) Click Finish
Once the Wizard has completed right-click the new connection, then click Properties. On the Security tab select "Advanced (custom settings)" and click the Settings button.
Verify that the Data encryption drop-down has "Require Encryption" selected. Then make sure Microsoft CHAP (MS-CHAP) and (MS-CHAP v2) are enabled and click Ok.
Finally, go to the Networking tab and change the "Type of VPN" from Automatic to "PPTP VPN", then click the Settings button and verify that:
1) Enable LCP Extensions - is checked
2) Enable software compression - is checked
3) Negotiate multi-link - is not checked
Now you're all set and ready to go.
-b
Some discussion »[Config] How do I assign default gateway for a PPTP VPN client
Note that in general a PPTP VPN connection is less secure than the industry-standard IPSec VPN connection, so it is strongly suggested to use an IPSec VPN connection instead.
Sample Configuration of VPN Concentrator Using Other VPN Technologies »Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies
by mandraw edited by aryoba  last modified: 2009-08-31 16:09:45
Suggested prerequisite reading: »Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall
Note: All of the following sample configurations assume the ASA or PIX Firewall uses a static public IP address. Typically you assign one IP address from the IP block provided by your ISP to the ASA or PIX Firewall Outside interface. Assigning a static IP address to the VPN Concentrator (the ASA or PIX Firewall in this case) is considered best practice for keeping security in place, especially when the VPN Concentrator runs Site-to-Site VPN.
Sample Configuration of IPSec VPN Concentrator
When you plan to have a PIX or ASA firewall act as both firewall and VPN concentrator, the following is a sample configuration.
Assumptions:
* The 1st LAN subnet is 192.168.0.0/24 with 192.168.0.1 (the PIX inside interface) as the default gateway
* There is also a 2nd LAN subnet, 10.0.0.0/8, which the PIX or ASA firewall reaches via 192.168.0.2
* Remote users VPN into the PIX using the Cisco VPN Client software, creating an ESP-based IPSec VPN tunnel
* There are separate subnets for VPN users: in these sample configurations, 192.168.1.0/24 for VPN users logged in as Admin and 192.168.2.0/24 for VPN users logged in as Sales
* Note that you cannot use the same subnet for both LAN and VPN users, for routing consistency
* VPN users receive no default gateway for the LAN subnet once the IPSec VPN tunnel is established, which leaves the VPN users' PCs relying on proxy ARP to reach the LAN subnet
* There are multiple VPN groups, one for Admin users and another for Sales users, so the PIX or ASA firewall can distinguish one kind of user from another
* When Admin users wish to VPN in as Admin, they must use the appropriate VPN group credential (in this case, the Admin VPN group credential), which includes the correct PIX or ASA firewall public IP address and VPN group password
* As a general rule, all settings on the PIX or ASA firewall must match the settings in the VPN Client software, including the VPN group credentials, routing, and the permitted subnets in the ACL. Even the slightest mismatch will cause connection problems.
1. Single VPN User Group without external AAA Server
* The remote users VPN in using a specific Group Authentication credential, which in this sample configuration is Admin as the Group Name and ******** as the Group Password, as indicated by the vpngroup Admin password ******** command
* VPN users logged in as Admin receive an IP address in the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet)
* There is no external AAA (Authentication, Authorization, and Accounting) server such as a TACACS+/RADIUS server
* SSH attempts to the PIX/ASA itself are not authenticated in the OS version 7.0 or above sample configuration and are authenticated locally in the OS version 6.3 sample configuration
PIX Firewall configuration running OS version 6.3
ASA/PIX Firewall Sample Configuration running OS version 7.0 or above
2. Multiple VPN User Groups with external AAA Server
* The remote users VPN in using a specific Group Authentication credential, which in this sample configuration is either Admin or Sales
* VPN users logged in as Admin receive an IP address in the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet). Similarly, VPN users logged in as Sales receive an IP address in the sales range from 192.168.2.1 to 192.168.2.254 (the 192.168.2.0/24 subnet).
* There is a TACACS+/RADIUS server at 192.168.0.204 that provides the AAA (Authentication, Authorization, and Accounting) functionality for all remote users. Note: check out the following FAQ for more info on TACACS and RADIUS »Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level
* The TACACS+ service is used for PIX/ASA configuration management access, such as telnet and ssh to the PIX/ASA itself
* The RADIUS service is used to provide production access (the LAN) to remote VPN users
* The aaa authentication match command authenticates remote user login attempts against the RADIUS credential used to log in
* The aaa authorization match command authorizes remote user access to only specific subnets according to the acknowledged RADIUS credential
* The aaa accounting match command records all activities of all remote users according to their RADIUS credential
PIX Firewall configuration running OS version 6.3
3. Single VPN User Group with external Windows Active Directory Domain Controller Server
* The remote users VPN in using a specific Group Authentication credential, which in this sample configuration is Admin as the Group Name, as indicated by the tunnel-group Admin type ipsec-ra command, and ******** as the Group Password, as indicated by the tunnel-group Admin ipsec-attributes pre-shared-key * command
* VPN users logged in as Admin receive an IP address in the admin range from 192.168.1.1 to 192.168.1.254 (the 192.168.1.0/24 subnet)
* Starting with OS version 7.0, the AAA server protocols NT (Microsoft Windows Active Directory Domain Controller), LDAP (RFC 4510), Kerberos (RFC 4120), and SDI (RSA SecurID) are available as alternatives to TACACS+ and RADIUS
* In this sample configuration, an external Microsoft Windows Active Directory Domain Controller server is used primarily to authenticate remote users
* The use of this Microsoft authentication system is defined by the aaa-server NT_DOMAIN command, which includes the protocol, the Domain Controller name and its IP address
* When the Domain Controller is unavailable or unreachable, the local credentials defined by the username Admin1 password ***** encrypted privilege 15 and username Admin2 password ***** encrypted privilege 15 commands are used as a failover to authenticate remote users
* This failover mechanism is defined by the tunnel-group Admin general-attributes authentication-server-group NT_DOMAIN LOCAL command
* The authentication process for the Sales remote user group is similar, but there is no failover to local credentials
* Telnet attempts to the PIX/ASA itself are not authenticated
ASA/PIX Firewall Sample Configuration running OS version 7.0 or above
Notes:
* Since the PIX or ASA firewall acts as both firewall and VPN concentrator, isakmp nat-traversal is necessary so that it can simultaneously serve VPN users accessing the LAN subnet and keep the LAN subnet machines able to access the Internet
* When the PIX or ASA firewall is dedicated to serving only as a VPN Concentrator, the isakmp nat-traversal command and the global 1 / nat 1 command pair might not be necessary
* Remote users can opt to enable transparent tunneling or not when using the Cisco VPN Client software. When transparent tunneling is enabled, the ESP protocol is by default encapsulated within UDP (UDP port 4500), which lets the VPN traffic pass through any NAT/PAT device in between. This encapsulation is useful when there is a NAT/PAT device in the path or when the ESP protocol is not permitted to pass through. In addition, it lets the remote users access the LAN and the Internet at the same time.
* As you may notice, a configuration that uses external authentication servers such as an AAA (TACACS+/RADIUS) server and a Domain Controller server is more secure and more accountable
* When your network currently does not have AAA server, you can setup one for free. Check out this FAQ for details. »Cisco Forum FAQ »Are there Free authentication packages for TACACS or RADIUS to secure my router?
* If specific remote users must authenticate with a specific AAA server, you can simply modify the AAA command to do so. The following is an illustration.
Sample Configuration of PPTP or L2TP Windows VPN Concentrator and Others »Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies
by Covenant edited by aryoba  last modified: 2009-06-11 12:10:07
Example 1: Router running VRF-aware Zone-Based Firewall
Network Setup
   Internet
      |
      |
    Router
      *
      * Trunk
      *
Switch with Multiple VLAN
When The Network Design Fits
Scenario 1: There are multiple tenants within the same building that share the same switch, the same router, and the same Internet line. From each tenant's perspective, there is a dedicated Internet connection and a dedicated network only for them. This means that they cannot see the other tenants' networks, even though all tenants share the same equipment and the same Internet line.
Scenario 2: There is a single tenant within the building. The tenant has multiple networks: Public, Private, DMZ, and Lab. Due to security policy, there must be total separation between all networks. From each network's perspective, there is a dedicated Internet connection and a dedicated network only for it. This means that each network cannot see or talk to the others, even though all networks share the same equipment and the same Internet line.
Note that there might be other scenarios that this network design fits. However, the previous two scenarios should be sufficient for illustration's sake.
Objectives
* To have multiple networks on all equipment (in this case, the switch and the router)
* Each network cannot see the other networks
* All networks share the same Internet line
* There must be a decent firewall implemented on the router for security
Solution
Deploy VRF-aware CBAC or Zone-Based Firewall
Implementation
* Trunk the router and the switch
* Create VLANs on the switch
* Create sub-interfaces on the router
* Assign an IP address to each sub-interface
* Each sub-interface IP address will be the default gateway of its respective VLAN
* Assign each network its own VLAN
* Assign each VLAN its own VRF label
* Implement the VRF-aware CBAC or Zone-Based Firewall as indicated above
Sample Configuration
Cisco IOS VRF-aware Zone-Based Firewall
Switch
Discussions and More Sample Configurations
Cisco IOS Firewall Classic and Zone-Based Virtual Firewall Application Configuration Example
Example 2: Router, ASA, and Switch with VRF, Multiple Context, and Trunking
Let's say there is a T1/E1 circuit you need to dedicate to the Production network only, and there is a separate DSL/Cable/Wireless connection for Internet access only. Typically the T1/E1 circuit is used only for server connectivity and internal usage, and the DSL/Cable/Wireless connection is for vendors or business partners that need Internet access only, without any need to access the Production network. The following is the network design.
T1/E1 circuit       DSL/Cable/Wireless
      |                     |
      |                     |
  T1/E1 and DSL/Cable/Wireless router
                 *
                 * Trunk to ASA
                 *
               Outside
     ASA on Multiple Context mode
               Inside
                 *
                 * Trunk to Switch
                 *
               Switch
Objectives
* To have multiple networks on all equipment (in this case: the switch, the ASA, and the router)
* There are three networks in place: Production, Internet Only, and admin
* The Production network is for server connectivity and internal usage
* The Internet-Only network is for vendors or business partners that need Internet access only, without any need to access the Production network
* The admin network is for general network administration purposes
* Each network (Production, Internet Only, and admin) cannot see the other networks
* All networks share the same equipment
* The Production network only uses the T1/E1 and can never use the DSL/Cable/Wireless at any time
* The Internet-Only network only uses the DSL/Cable/Wireless and can never use the T1/E1 at any time
* The admin network does not need Internet access and is just for general network administration
* There must be a dedicated firewall implemented for each network as a security measure
Solution
Deploy VRF, Multiple Context, and Trunking
Implementation
* Trunk the router FastEthernet0/0 port and the ASA Outside port
* Create three VLANs within the trunk as Outside networks, where the 1st VLAN is for Production, the 2nd VLAN is for Internet Only, and the 3rd VLAN is for admin
* Connect the T1/E1 to the router Serial0/0 port and connect the DSL/Cable/Wireless to the router FastEthernet0/1 port
* Trunk the ASA Inside port and the Switch
* Create three VLANs within the trunk as Inside networks, where the 1st VLAN is for Production, the 2nd VLAN is for Internet Only, and the 3rd VLAN is for admin
* Set some switch ports for the Production network, some switch ports for Internet Only, and some switch ports for admin
* Set up Multiple Context mode on the ASA, consisting of a Production Context, an InternetOnly Context, and an admin Context
* Each context will be the dedicated firewall for its network; i.e. the Production Context is the dedicated (virtual) firewall for the Production network
* Set the Outside and Inside networks for the Production Context, InternetOnly Context, and admin Context
* The ASA Production Context does NAT/PAT, whereas the router does NAT/PAT for the InternetOnly Context
* No NAT/PAT is necessary for the admin Context
Sample Configuration
Router
System Context
Admin Context
Production Context
InternetOnly Context
Switch
by aryoba  last modified: 2009-10-05 09:54:17