VPN Connection through Zone based Firewall Router Configuration Example


Document ID: 112051

Contents

Introduction
Prerequisites
    Requirements
    Components Used
    Conventions
Background Information
Configure
    Network Diagram
    Configurations
Verify
Troubleshoot
Related Information

Introduction

This document provides a sample configuration that shows how to configure a router with a zone-based firewall that also serves as a remote access VPN gateway.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

- Cisco IOS Router 1721
- Cisco IOS Software Release 12.4T and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Zone-based policy firewalls implement a unidirectional firewall policy between groups of interfaces known as zones. The firewall examines the source and destination zones of the ingress and egress interfaces in order to select a firewall policy.

In this scenario, the zone-based firewall is configured on the VPN gateway router. It allows VPN traffic from the Internet (the outside zone) to the self zone. The virtual template interface is made a member of a security zone. The internal network has a server that users on the Internet can access once they are connected through the remote access VPN that terminates on the VPN gateway router.

- IP address of the internal server: 172.16.10.20
- IP address of the remote client PC: 192.168.100.10

All users on the internal network are allowed unrestricted access to the Internet. All traffic from the internal users is inspected as it passes through the router.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

Configurations

This document uses these configurations:

VPN Gateway

VPN-Gateway#show run
Building configuration...

Current configuration : 3493 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN-Gateway
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!--- Define local authentication.
aaa authentication login default local
aaa authorization network default local
!
!--- Output suppressed.
!
!--- Define the ISAKMP policy parameters.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!--- Define the group policy information.
crypto isakmp client configuration group cisco
 key cisco
 dns 6.0.0.2
 wins 7.0.0.1
 domain cisco.com
 pool dpool
 acl 101
!
!--- Define the ISAKMP profile.
crypto isakmp profile vi
   match identity group cisco
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
!--- Define the transform set parameters.
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
!--- Define the IPsec profile.
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
!--- Define the local username and password.
username cisco privilege 15 password 0 cisco
archive
 log config
  hidekeys
!
!--- Define the zone-based firewall class maps.
class-map type inspect match-any Internet-cmap
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol pop3s
 match protocol smtp
class-map type inspect match-all ICMP-cmap
 match access-group name ICMP
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all SSHaccess-cmap
 match access-group name SSHaccess
!
!--- Define the zone-based firewall policy maps.
policy-map type inspect inside-outside-pmap
 class type inspect Internet-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class class-default
  drop
policy-map type inspect outside-inside-pmap
 class type inspect ICMP-cmap
  inspect
 class class-default
  drop
policy-map type inspect Outside-Router-pmap
 class type inspect SSHaccess-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class type inspect IPSEC-cmap
  pass
 class class-default
  drop
!
!--- Define zones.
zone security inside
zone security outside
!
!--- Define zone pairs.
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-outside-pmap
zone-pair security outside-to-router source outside destination self
 service-policy type inspect Outside-Router-pmap
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-inside-pmap
!
interface Ethernet0
 ip address 172.16.10.20 255.255.255.0
!--- Define the interface as part of the inside zone.
 zone-member security inside
 half-duplex
!
interface FastEthernet0
 ip address 209.165.201.2 255.255.255.224
!--- Define the interface as part of the outside zone.
 zone-member security outside
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
!--- Define the interface as part of the outside zone.
 zone-member security outside
 tunnel source FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
!--- Define the local pool range.
ip local pool dpool 5.0.0.1 5.0.0.3
!
!--- Output suppressed.
!
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended SSHaccess
 permit tcp any any eq 22
!
access-list 101 permit ip 172.16.10.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
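As an added example (not part of the Cisco document), the following Python 3.8+ script parses the zone-based firewall statements of a running-config like the one above and reports each interface's zone and the action each class gets on each zone pair; the embedded CONFIG is a trimmed copy of the page's configuration plus a constructed Loopback0 that has no zone-member line.

```python
"""Added example (not Cisco's code): audit the zone-based firewall (ZBF) part of
an IOS running-config. CONFIG is a trimmed copy of the page's configuration plus
a constructed Loopback0 that has no zone-member line. Needs Python 3.8+."""
import re
CONFIG = """\
policy-map type inspect Outside-Router-pmap
 class type inspect IPSEC-cmap
  pass
 class class-default
  drop
zone-pair security outside-to-router source outside destination self
 service-policy type inspect Outside-Router-pmap
interface FastEthernet0
 zone-member security outside
interface Virtual-Template1 type tunnel
 zone-member security outside
interface Ethernet0
 zone-member security inside
interface Loopback0
"""

def parse_zbf(config):
    """Return (interface -> zone, policy -> {class: action}, zone-pair -> policy)."""
    ifaces, policies, pairs, ctx, cls = {}, {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # IOS indents sub-commands; this is a new block
            if m := re.match(r"interface (\S+)", line):
                ctx, ifaces[m[1]] = ("if", m[1]), ""
            elif m := re.match(r"policy-map type inspect (\S+)", line):
                ctx, policies[m[1]] = ("pm", m[1]), {}
            elif m := re.match(r"zone-pair security (\S+) ", line):
                ctx, pairs[m[1]] = ("zp", m[1]), None
            else:
                ctx = None  # some other block: ignore its sub-commands
        elif ctx and ctx[0] == "if" and words[:2] == ["zone-member", "security"]:
            ifaces[ctx[1]] = words[2]
        elif ctx and ctx[0] == "pm" and words[0] == "class":
            cls = words[-1]  # 'class type inspect NAME' or 'class class-default'
        elif ctx and ctx[0] == "pm" and words[0] in ("inspect", "pass", "drop"):
            policies[ctx[1]].setdefault(cls, words[0])
        elif ctx and ctx[0] == "zp" and words[:3] == ["service-policy", "type", "inspect"]:
            pairs[ctx[1]] = words[3]
    return ifaces, policies, pairs

def zone_pair_actions(config):
    """zone-pair -> {class: action}; a pair with no policy gives {} (IOS drops it all)."""
    _, policies, pairs = parse_zbf(config)
    return {name: policies.get(pol, {}) for name, pol in pairs.items()}

def zoneless_interfaces(config):
    """Interfaces in no zone; they cannot exchange traffic with any zone member."""
    return sorted(name for name, zone in parse_zbf(config)[0].items() if not zone)
```

Run against the full configuration above, zone_pair_actions shows that outside-to-inside inspects only ICMP-cmap and drops everything else, so decrypted VPN client traffic (which enters from Virtual-Template1 in the outside zone) reaches the internal server only with the ICMP used in the verification step.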

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

1. Use this command in order to verify the interface status.

VPN-Gateway#show ip interface brief
Interface          IP Address      OK? Method Status  Protocol
Ethernet0          172.16.10.20    YES NVRAM  up      up
FastEthernet0      209.165.201.2   YES NVRAM  up      up
Virtual-Access1    unassigned      YES unset  down    down
Virtual-Access2    209.165.201.2   YES TFTP   up      up
Virtual-Template1  209.165.201.2   YES TFTP   down    down

2. Use this command in order to verify the ISAKMP tunnel status.

VPN-Gateway#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state       conn-id slot status
209.165.201.2   192.168.100.10  QM_IDLE        1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

3. Use this command in order to verify the state of the crypto sockets.

VPN-Gateway#show crypto socket
Number of Crypto Socket connections 1
   Vi2 Peers (local/remote): 209.165.201.2/192.168.100.10
       Local Ident  (addr/mask/port/prot): (0.0.0.0/0.0.0.0/0/0)
       Remote Ident (addr/mask/port/prot): (5.0.0.1/255.255.255.255/0/0)
       IPSec Profile: "vi"
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "vi" Map-name: "Virtual-Template1-head-0"

4. Verify the active groups on the router.

VPN-Gateway#show crypto session summary detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Virtual-Access2
Profile: vi
Group: cisco
Assigned address: 5.0.0.1
Uptime: 00:13:52
Session status: UP-ACTIVE
Peer: 192.168.100.10 port 1069 fvrf: (none) ivrf: (none)
      Phase1_id: cisco
      Desc: (none)
  IKE SA: local 209.165.201.2/500 remote 192.168.100.10/1069 Active
          Capabilities:CD connid:1001 lifetime:23:46:05
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 5.0.0.1
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 10 drop 0 life (KB/Sec) 4520608/2767
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4520608/2767

5. Use this command in order to display the runtime inspect-type policy map statistics.

VPN-Gateway#show policy-map type inspect zone-pair
Zone-pair: inside-to-outside
 Service-policy inspect : inside-outside-pmap
  Class-map: Internet-cmap (match-any)
   Match: protocol icmp
   Match: protocol tcp
   Match: protocol udp
   Match: protocol http
   Match: protocol https
   Match: protocol pop3
   Match: protocol pop3s
   Match: protocol smtp
   Session creations since subsystem startup or last reset 0
   Maxever session counts (estab/half-open/terminating) [0:0:0]
   Last session created never
   Maxever session creation rate 0
  Class-map: ICMP-cmap (match-all)
   Match: access-group name ICMP
   Session creations since subsystem startup or last reset 0
   Maxever session counts (estab/half-open/terminating) [0:0:0]
   Last session created never
   Maxever session creation rate 0
  Class-map: class-default (match-any)
   Match: any
   Drop

Zone-pair: outside-to-router
 Service-policy inspect : Outside-Router-pmap
  Class-map: SSHaccess-cmap (match-all)
   Match: access-group name SSHaccess
   Session creations since subsystem startup or last reset 0
   Maxever session counts (estab/half-open/terminating) [0:0:0]
   Last session created never
   Maxever session creation rate 0
  Class-map: ICMP-cmap (match-all)
   Match: access-group name ICMP
   Packet inspection statistics [process switch:fast switch]
    icmp packets: [93:0]
   Session creations since subsystem startup or last reset 6
   Maxever session counts (estab/half-open/terminating) [0:2:0]
   Last session created 00:07:02
   Maxever session creation rate 2
  Class-map: IPSEC-cmap (match-all)
   Match: access-group name ISAKMP_IPSEC
   Pass
    57 packets, 7145 bytes
  Class-map: class-default (match-any)
   Match: any
   Drop
    2 packets, 44 bytes

Zone-pair: outside-to-inside
 Service-policy inspect : outside-inside-pmap
  Class-map: ICMP-cmap (match-all)
   Match: access-group name ICMP
   Packet inspection statistics [process switch:fast switch]
    icmp packets: [1:14]
   Session creations since subsystem startup or last reset 2
   Maxever session counts (estab/half-open/terminating) [1:1:0]
   Last session created 00:09:15
   Maxever session creation rate 1
  Class-map: class-default (match-any)
   Match: any
   Drop

6. Use ping in order to verify the connectivity to the internal server.

E:\Documents and Settings\Administrator>ping 172.16.10.20

Pinging 172.16.10.20 with 32 bytes of data:

Reply from 172.16.10.20: bytes=32 time=206ms TTL=254
Reply from 172.16.10.20: bytes=32 time=63ms TTL=254
Reply from 172.16.10.20: bytes=32 time=20ms TTL=254
Reply from 172.16.10.20: bytes=32 time=47ms TTL=254

Ping statistics for 172.16.10.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 206ms, Average = 84ms

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information

- Cisco IOS Firewall
- Technical Support & Documentation - Cisco Systems

Updated: Jul 06, 2010
Document ID: 112051