2013/12/20

SSL VPN and Zone-Based firewall




Zone-Based firewall (ZBF) is Cisco's implementation of a stateful firewall on IOS. The name comes from zones, which are the central concept of the configuration: you create zones, assign router interfaces to them, and then configure firewall policy between pairs of zones. Class-maps and policy-maps build that policy: class-maps identify the traffic, and policy-maps define what is done with it (inspect, pass, or drop). Traffic between zones is denied by default, so to pass traffic you must create a policy for that zone-pair. Below is a basic ZBF configuration that permits all TCP and UDP traffic from the inside zone to the outside zone (and, because it is inspected, the return traffic of those sessions).

!
zone security inside
zone security outside
!
class-map type inspect match-any FW_TCP-UDP
 match protocol tcp
 match protocol udp
!
policy-map type inspect FW_IN-OUT
 class type inspect FW_TCP-UDP
  inspect
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect FW_IN-OUT
!
!
interface FastEthernet0/0
 description Inside
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
!
interface FastEthernet0/1
 description Outside
 ip address 192.0.0.1 255.255.255.0
 zone-member security outside
!
!

The Cisco SSL VPN solution provides remote access over an SSL/TLS connection to the secured environment. It is especially suitable for small business environments. A basic configuration follows below.
 
!
!
aaa new-model
aaa authentication login SSLVPN local
!
!
ip local pool VPN_POOL 192.168.100.10 192.168.100.50
!
!
crypto pki trustpoint VPN_TRUSTPOINT
 enrollment selfsigned
 usage ssl-server
 subject-name CN=sslvpn.example.com
 revocation-check crl
 rsakeypair keys.example.com
!
!
webvpn gateway SSLVPN_GATEWAY
 ip address 192.0.0.1 port 4443
 ssl trustpoint VPN_TRUSTPOINT
 inservice
!
webvpn context SSLVPN
 !
 policy group default
 !
 policy group SSLVPN_POLICY
   functions svc-enabled
   svc address-pool "VPN_POOL" netmask 255.255.255.0
   svc split include 192.168.1.0 255.255.255.0
 !
 default-group-policy SSLVPN_POLICY
 aaa authentication list SSLVPN
 gateway SSLVPN_GATEWAY
 !
 ssl authenticate verify all
 inservice
!

If you want your remote users to communicate with the inside zone, you have to include them in the ZBF configuration, because traffic between a zone member and a non-member interface is denied by default. You can place the remote users in the inside zone, or better, in a separate zone and then control which traffic may flow between those zones. The example configuration below shows how to permit only HTTP from the VPN users to the inside zone: the Virtual-Template interface used by the SSL VPN tunnels is made a member of a new zone, and a zone-pair from that zone to inside carries the HTTP-only policy.

!
!
zone security vpn_users
!
interface Loopback0
 ip address 192.168.100.1 255.255.255.0
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security vpn_users
!
webvpn context SSLVPN
 virtual-template 1
!
class-map type inspect match-any FW_HTTP
 match protocol http
!
policy-map type inspect FW_VPN-IN
 class type inspect FW_HTTP
  inspect
!
zone-pair security VPN-OUT source vpn_users destination inside
 service-policy type inspect FW_VPN-IN
!
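As an added example (not part of the original post), a small Python audit that parses the zone-related lines of an IOS configuration like the one above and reports the mistakes that silently turn into "everything is dropped": an interface or zone-pair referencing a zone that was never declared with `zone security`, a declared zone with no member interfaces, and a zone-pair with no `service-policy` attached. The sample configuration is constructed from the post's snippets; the built-in `self` zone is assumed to exist without a declaration.

```python
import re
from collections import defaultdict

# Constructed sample: the post's ZBF and VPN snippets merged, with the
# vpn_users zone declared so Virtual-Template1 can be a member of it.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone security vpn_users
interface FastEthernet0/0
 zone-member security inside
interface FastEthernet0/1
 zone-member security outside
interface Virtual-Template1
 zone-member security vpn_users
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect FW_IN-OUT
zone-pair security VPN-OUT source vpn_users destination inside
 service-policy type inspect FW_VPN-IN
"""

def audit_zbf(config):
    """Return a list of findings about zone / zone-pair consistency."""
    zones = {"self"}            # the router's own zone is predefined on IOS
    members = defaultdict(list) # zone name -> interfaces that joined it
    pairs = {}                  # zone-pair name -> source, dest, policy
    context = None              # ("interface", name) or ("pair", name)
    for line in config.splitlines():
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m.group(1))
        elif m := re.match(r"interface (\S+)", line):
            context = ("interface", m.group(1))
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            context = ("pair", m.group(1))
        elif (m := re.match(r"\s+zone-member security (\S+)", line)) and context and context[0] == "interface":
            members[m.group(1)].append(context[1])
        elif (m := re.match(r"\s+service-policy type inspect (\S+)", line)) and context and context[0] == "pair":
            pairs[context[1]]["policy"] = m.group(1)
    findings = []
    for zone, ifaces in members.items():
        if zone not in zones:
            findings.append(f"interface {', '.join(ifaces)} joins undefined zone {zone}")
    for zone in sorted(zones - set(members) - {"self"}):
        findings.append(f"zone {zone} has no member interfaces")
    for name, p in pairs.items():
        for z in (p["src"], p["dst"]):
            if z not in zones:
                findings.append(f"zone-pair {name} references undefined zone {z}")
        if p["policy"] is None:  # a zone-pair without a policy drops everything
            findings.append(f"zone-pair {name} has no service-policy; {p['src']}->{p['dst']} is dropped")
    return findings
```

Run it over `show running-config` output and an empty list means the zone plumbing is consistent; anything else is a reason traffic may be dropped before any class-map is consulted.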

Now you can control your remote VPN users with the Zone-Based firewall, just like traffic on any other interface.

4 comments:

  1. Frankie Says,

    That sounds cool. I'm very glad to get the directions to make a Zone-Based firewall. I'm following your provided example to create a Zone-Based firewall and I hope that I will be able to create one. Thanks :)

  2. It proved to be very helpful to me and I am sure to all the commentators here! American Netflix

  3. Thanks for the post and great tips.. even I also think that hard work is the most important aspect of getting success.. Cheap VPN
