Zone-Based Firewall (ZBF) is Cisco's implementation of a stateful firewall on IOS. The name comes from zones, which are the main concept in the configuration: you create zones, assign router interfaces to them, and then configure firewall policy between those zones. Class-maps and policy-maps build the policy: class-maps identify traffic, while policy-maps define what is done with it. Traffic between zones is denied by default, so if you want to pass traffic you need to create a policy. Below is an example of a basic ZBF configuration that permits all TCP and UDP traffic from the inside zone to the outside zone.
!
zone security inside
zone security outside
!
class-map type inspect match-any FW_TCP-UDP
 match protocol tcp
 match protocol udp
!
policy-map type inspect FW_IN-OUT
 class type inspect FW_TCP-UDP
  inspect
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect FW_IN-OUT
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 description Outside
 ip address 192.0.0.1 255.255.255.0
 zone-member security outside
!
!
The Cisco SSL VPN solution provides remote SSL connections into the secured environment. It is particularly suitable for small business environments. A basic configuration follows.
!
aaa new-model
aaa authentication login SSLVPN local
!
ip local pool VPN_POOL 192.168.100.10 192.168.100.50
!
crypto pki trustpoint VPN_TRUSTPOINT
 enrollment selfsigned
 usage ssl-server
 subject-name CN=sslvpn.example.com
 revocation-check crl
 rsakeypair keys.example.com
!
webvpn gateway SSLVPN_GATEWAY
 ip address 192.0.0.1 port 4443
 ssl trustpoint VPN_TRUSTPOINT
 inservice
!
webvpn context SSLVPN
 !
 policy group default
 !
 policy group SSLVPN_POLICY
  functions svc-enabled
  svc address-pool "VPN_POOL" netmask 255.255.255.0
  svc split include 192.168.1.0 255.255.255.0
 !
 default-group-policy SSLVPN_POLICY
 aaa authentication list SSLVPN
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
!
If you want your remote users to communicate with the inside zone, you have to include them in the ZBF configuration, because traffic between a zone member and a non-member interface is denied by default. You can put the remote users in the inside zone, or, better, in a separate zone and then control which traffic may flow between those zones. The example configuration below permits only HTTP from the VPN users to the inside zone.
!
zone security vpn_users
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security vpn_users
!
webvpn context SSLVPN
 virtual-template 1
!
class-map type inspect match-any FW_HTTP
 match protocol http
!
policy-map type inspect FW_VPN-IN
 class type inspect FW_HTTP
  inspect
!
zone-pair security VPN-OUT source vpn_users destination inside
 service-policy type inspect FW_VPN-IN
!
Now you have the ability to control your remote VPN users with the Zone-Based Firewall.
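Because a zone-pair with no service-policy, a zone-pair pointing at a zone or policy-map that was never defined, or an interface left out of every zone all silently drop traffic, it helps to audit a ZBF configuration before pushing it. The following is an added example, not code from the original post or from Cisco: a small parser that reads a running-config snippet in the shape shown above (top-level commands unindented, sub-commands indented by one space, as IOS prints them) and reports which zone-to-zone directions actually have a policy plus the gaps just listed. The sample configuration embedded in it is constructed from the two examples in the post; the function and variable names are this example's own.

```python
"""Audit a Cisco IOS Zone-Based Firewall (ZBF) configuration for common gaps.

Added example (not part of the original post). It does not talk to a router;
it parses running-config text and reports the zone-pair policy matrix.
"""
import re
from collections import defaultdict

# Constructed sample: the post's inside/outside and vpn_users examples merged
# into one snippet. IOS indents sub-commands with a single space.
SAMPLE_CONFIG = """
zone security inside
zone security outside
zone security vpn_users
class-map type inspect match-any FW_TCP-UDP
 match protocol tcp
 match protocol udp
class-map type inspect match-any FW_HTTP
 match protocol http
policy-map type inspect FW_IN-OUT
 class type inspect FW_TCP-UDP
  inspect
policy-map type inspect FW_VPN-IN
 class type inspect FW_HTTP
  inspect
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect FW_IN-OUT
zone-pair security VPN-OUT source vpn_users destination inside
 service-policy type inspect FW_VPN-IN
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
interface FastEthernet0/1
 ip address 192.0.0.1 255.255.255.0
 zone-member security outside
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security vpn_users
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
"""


def parse_zbf(config):
    """Extract zones, inspect policy-maps, zone-pairs and interface zone membership."""
    zones, policies, pairs = set(), set(), {}
    iface_zone = {}   # interface name -> zone name, or None if not a member of any zone
    block = None      # ("zone-pair" | "interface", name) whose sub-commands we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):            # a top-level command closes any open block
            block = None
            if m := re.match(r"zone security (\S+)$", line):
                zones.add(m.group(1))
            elif m := re.match(r"policy-map type inspect (\S+)$", line):
                policies.add(m.group(1))
            elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
                pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
                block = ("zone-pair", m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                iface_zone[m.group(1)] = None
                block = ("interface", m.group(1))
            continue
        sub = line.strip()                       # indented sub-command of the open block
        if block and block[0] == "zone-pair":
            if m := re.match(r"service-policy type inspect (\S+)$", sub):
                pairs[block[1]]["policy"] = m.group(1)
        elif block and block[0] == "interface":
            if m := re.match(r"zone-member security (\S+)$", sub):
                iface_zone[block[1]] = m.group(1)
    return {"zones": zones, "policies": policies, "pairs": pairs, "iface_zone": iface_zone}


def audit_zbf(parsed):
    """Return (allowed, findings).

    allowed maps (source_zone, destination_zone) -> policy-map name for every
    zone-pair that is fully defined; findings lists the gaps that drop traffic.
    """
    zones, policies, pairs, iface_zone = (parsed[k] for k in ("zones", "policies", "pairs", "iface_zone"))
    allowed, findings = {}, []
    for name, p in pairs.items():
        for z in (p["src"], p["dst"]):
            if z != "self" and z not in zones:   # "self" is the router's built-in zone
                findings.append(f"zone-pair {name}: zone '{z}' is not defined")
        if p["policy"] is None:
            findings.append(f"zone-pair {name}: no service-policy, all traffic is dropped")
        elif p["policy"] not in policies:
            findings.append(f"zone-pair {name}: policy-map '{p['policy']}' is not defined")
        else:
            allowed[(p["src"], p["dst"])] = p["policy"]
    members = defaultdict(list)
    for iface, z in iface_zone.items():
        if z is None:
            findings.append(f"interface {iface}: not a member of any zone")
        else:
            members[z].append(iface)
    for z in sorted(zones):
        if not members[z]:
            findings.append(f"zone {z}: no member interface, its zone-pairs never match")
    return allowed, findings


if __name__ == "__main__":
    allowed, findings = audit_zbf(parse_zbf(SAMPLE_CONFIG))
    for (src, dst), policy in sorted(allowed.items()):
        print(f"{src} -> {dst} via policy-map {policy}")
    for f in findings:
        print("WARNING:", f)
```

Run against the sample, the audit lists the two permitted directions (inside to outside, vpn_users to inside; return traffic is handled by the stateful inspection) and warns that Loopback0 is not in any zone. In the post's configuration that loopback only lends its address to Virtual-Template1, so the warning is expected there, but on a real router the same warning against a transit interface means that interface cannot exchange traffic with any zoned interface.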
Frankie Says,

That sounds cool. I'm very glad to get directions for making a Zone-Based firewall. I'm following your provided example to create a Zone-Based firewall and I hope that I will be able to create one. Thanks :)

Thanks, that was a really cool read! private internet access review

It proved to be very helpful to me and I am sure to all the commentators here! American Netflix

Thanks for the post and great tips.. even I also think that hard work is the most important aspect of getting success.. Cheap VPN