{"id":184,"date":"2015-06-23T06:52:32","date_gmt":"2015-06-23T06:52:32","guid":{"rendered":"http:\/\/www.balajibandi.com\/blog\/?p=184"},"modified":"2017-08-26T09:02:07","modified_gmt":"2017-08-26T08:02:07","slug":"anyconnect-vpn-and-cisco-ios-zone-based-policy-firewall-zbf","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=184","title":{"rendered":"AnyConnect VPN and Cisco IOS Zone Based Policy Firewall (ZBF)"},"content":{"rendered":"<p>In this article, we will consider a scenario where AnyConnect VPN will be configured on a Cisco IOS router on which the Zone Based Policy Firewall (ZBF) is also enabled. To find out more about the IOS Zone Based Policy Firewall,<\/p>\n<p>The default configuration of AnyConnect on Cisco IOS routers presents an interoperability problem with ZBF. Once ZBF is enabled on a router, an interface that is not a member of any security zone cannot exchange traffic with interfaces that are members of security zones. (Traffic to and from the router itself belongs to the self zone, which permits everything unless a policy is applied to a zone-pair that includes self; this is why the AnyConnect TLS session to the router\u2019s own address still comes up.) By default, however, AnyConnect sessions terminate on an automatically created virtual interface (Virtual-Access1 when one WebVPN context is defined) that cannot be configured and therefore cannot be assigned to a security zone. This presents a problem: traffic forwarded from AnyConnect VPN users into any zone is dropped by ZBF, so VPN users cannot connect to any device in a zone.<\/p>\n<p><strong>Note<\/strong>: In previous IOS versions, the virtual interface for AnyConnect VPN used to be SSLVPN-VIF0. The \u201c0\u201d increases as you add more WebVPN contexts.<\/p>\n<p>Let us try to replicate this problem using the lab setup below before we consider the solution to it.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV1.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>We will create two security zones on the AnyConnect router: inside and outside. 
We will allow only HTTP and HTTPS from the outside to the inside zone and inspect TCP, UDP and ICMP from the inside to the outside.<\/p>\n<p>The configuration on the router including ZBF and AnyConnect VPN is as follows:<\/p>\n<pre>aaa new-model\r\naaa authentication login webvpn local\r\n!\r\nusername cisco secret cisco\r\n!\r\nzone security inside\r\nzone security outside\r\n!\r\ninterface FastEthernet0\/0\r\nip address 41.1.1.2 255.255.255.0\r\nzone-member security outside\r\n!\r\ninterface FastEthernet0\/1\r\nip address 192.168.10.1 255.255.255.0\r\nzone-member security inside\r\n!\r\nip local pool ANYCONNECT_POOL 192.168.10.51 192.168.10.60\r\n!\r\nip http server\r\nip http secure-server\r\n!\r\nwebvpn gateway AnyConnect_RTR\r\nip address 41.1.1.2 port 443\r\nssl trustpoint TP-self-signed-4279256517\r\ninservice\r\n!\r\nwebvpn install svc disk0:\/webvpn\/anyconnect-linux-3.1.08009-k9.pkg sequence 1\r\n!\r\nwebvpn context Anyconnect\r\nssl authenticate verify all\r\n!\r\npolicy group AnyConnectPolicy\r\nfunctions svc-enabled\r\nsvc address-pool \"ANYCONNECT_POOL\" netmask 255.255.255.0\r\nsvc keep-client-installed\r\nsvc split include 192.168.10.0 255.255.255.0\r\n!\r\ndefault-group-policy AnyConnectPolicy\r\naaa authentication list webvpn\r\ngateway AnyConnect_RTR\r\ninservice\r\n!\r\nclass-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE\r\nmatch protocol tcp\r\nmatch protocol udp\r\nmatch protocol icmp\r\nclass-map type inspect match-any CMAP_OUTSIDE_TO_INSIDE\r\nmatch protocol http\r\nmatch protocol https\r\n!\r\npolicy-map type inspect PMAP_INSIDE_TO_OUTSIDE\r\nclass type inspect CMAP_INSIDE_TO_OUTSIDE\r\ninspect\r\nclass class-default\r\ndrop\r\npolicy-map type inspect PMAP_OUTSIDE_TO_INSIDE\r\nclass type inspect CMAP_OUTSIDE_TO_INSIDE\r\ninspect\r\nclass class-default\r\ndrop\r\n!\r\nzone-pair security ZP_INSIDE_TO_OUTSIDE source inside destination outside\r\nservice-policy type inspect PMAP_INSIDE_TO_OUTSIDE\r\nzone-pair security ZP_OUTSIDE_TO_INSIDE 
source outside destination inside\r\nservice-policy type inspect PMAP_OUTSIDE_TO_INSIDE\r\n<\/pre>\n<p>If we check the interfaces on the router, we will see the Virtual-Access1 interface mentioned above:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV2.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>As noted above, this virtual interface is not configurable, because it is not cloned from a Virtual-Template interface:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV3.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>To confirm that AnyConnect VPN users cannot reach the inside network (e.g. 192.168.10.100), I will connect using the AnyConnect VPN client.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV4.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>Now if I try to ping 192.168.10.100 from the VPN user, I get no reply, even though the router itself can ping that address (the router\u2019s own traffic originates in the self zone, so it is not affected by this problem):<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV5.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV6.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>If we turn on logging for firewall-dropped packets using the command <strong><em>ip inspect log drop-pkt<\/em><\/strong>, the log shows why the ICMP from the VPN user failed: \u201cOne of the interfaces not being cfged for zoning\u201d.<\/p>\n<p><img decoding=\"async\" 
src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV7.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>So how do we fix this problem? We create a Virtual-Template interface and reference it under the WebVPN context. Each AnyConnect session is then cloned from that template onto its own Virtual-Access interface. Since a Virtual-Template is a normal, configurable interface, it can carry interface-level features, including membership of a security zone, and the cloned Virtual-Access interfaces inherit them.<\/p>\n<p>The following configuration is what we need to make this work. The context is taken out of service while the template is attached, and <strong><em>ip unnumbered<\/em><\/strong> lets the template borrow the inside interface\u2019s address rather than consuming a subnet of its own:<\/p>\n<pre>interface Virtual-Template1\r\nip unnumbered FastEthernet0\/1\r\nzone-member security inside\r\n!\r\nwebvpn context Anyconnect\r\nno inservice\r\nvirtual-template 1\r\ninservice\r\n<\/pre>\n<p>One point to check: the address pool (192.168.10.51 to 192.168.10.60) is carved out of the inside subnet, so inside hosts will ARP for VPN client addresses on the LAN. The router answers those ARP requests on the clients\u2019 behalf through proxy ARP, which is enabled by default on FastEthernet0\/1, and forwards the traffic over the Virtual-Access interface. If proxy ARP has been disabled on the inside interface, either re-enable it or use a dedicated pool subnet that the inside network routes to the router.<\/p>\n<p>To test this configuration, I will disconnect from the VPN session and connect again.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV8.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>If I check the router\u2019s IP routing table, I can see that a new Virtual-Access interface (not Virtual-Access1) has been cloned from the virtual-template for this VPN session, with a static host route to the client\u2019s address through that interface:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV9.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>Finally, if we try to ping from the VPN user, the ping is now successful:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV10.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p>In this configuration, we put AnyConnect VPN users in the same security zone as the internal network. 
However, it is also possible to create a separate zone for VPN users and then configure policies between the VPN zone and the internal zone, which is the better choice when VPN users should get less access than hosts on the LAN.<\/p>\n<p>Below is an example configuration that allows only SSH from the VPN zone to the internal (inside) zone. An interface can belong to only one zone, so the <strong><em>zone-member security vpn<\/em><\/strong> line replaces the template\u2019s earlier inside membership. Return traffic for the SSH session is permitted by the stateful <strong><em>inspect<\/em><\/strong> action, so no inside-to-vpn zone-pair is needed; anything else between the two zones, including ICMP, is dropped. Note that no zone-pair is defined from vpn to outside. That is fine here because split tunnelling only sends 192.168.10.0\/24 through the tunnel, but a full-tunnel deployment would also need a vpn-to-outside zone-pair.<\/p>\n<pre>zone security vpn\r\n!\r\nclass-map type inspect match-all CMAP_VPN_TO_INSIDE\r\nmatch protocol ssh\r\n!\r\npolicy-map type inspect PMAP_VPN_TO_INSIDE\r\nclass type inspect CMAP_VPN_TO_INSIDE\r\ninspect\r\n!\r\nzone-pair security ZP_VPN_TO_INSIDE source vpn destination inside\r\nservice-policy type inspect PMAP_VPN_TO_INSIDE\r\n!\r\ninterface Virtual-Template1\r\nzone-member security vpn\r\n<\/pre>\n<p>I will disconnect and reconnect for the configuration to take effect. I will first try to ping 192.168.10.100, but since ICMP is not allowed in the policy, the ping fails. Next I will open an SSH connection to the same host; since SSH is allowed, I should be able to connect:<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/1rtdn21e2k8w27koup1eiasxspe.wpengine.netdna-cdn.com\/wp-content\/uploads\/062115_2254_AnyConnectV11.png\" alt=\"\" data-lazy-loaded=\"true\" \/><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>This brings us to the end of this article, where we have discussed the issue faced on routers that have both AnyConnect VPN and the IOS Zone Based Policy Firewall configured. 
To resolve this issue, we configured a Virtual-Template interface and attached it under the WebVPN context, so that VPN sessions are cloned onto an interface that can be placed in a security zone.<\/p>\n<p>I hope you have found this article insightful.<\/p>\n<p><strong>References and Further reading<\/strong><\/p>\n<ul>\n<li>AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example: http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/anyconnect-vpn-client\/111891-anyconnect-ios-zbpf-config.html<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this article, we will consider a scenario where AnyConnect VPN will be configured on a Cisco IOS router on which the Zone Based Policy Firewall (ZBF) is also enabled. To find out more about the IOS Zone Based Policy Firewall, The default configuration of AnyConnect on Cisco IOS routers presents interoperability problems between AnyConnect [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-184","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=184"}],"version-history":[{"count":3,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/184\/revisions"}],"predecessor-version":[{"id":468,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/
184\/revisions\/468"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
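The misconfiguration the post above walks through (an in-service WebVPN context with no Virtual-Template, or a Virtual-Template that is not a zone member) is easy to catch mechanically in a running-config before a user reports "VPN connects but nothing works". The following Python script is an added example, not part of the original post and not a Cisco tool: it parses the flat, unindented config style the post uses (indented `show running-config` output works too), checks every in-service WebVPN context, and also warns when the zone holding the VPN template has no zone-pair towards a zone that real interfaces belong to, which is the vpn-to-outside gap in the post's separate-zone variant. The three sample configs are constructed from the post's snippets, trimmed to the lines the checks look at; `parse_blocks`, `audit` and the severity labels are this example's own names.

```python
"""Audit a Cisco IOS running-config for the AnyConnect/ZBF problem described above.
Added example: the audit logic is this script's own; sample configs are constructed."""
import re
from collections import defaultdict

# Commands that open a block in the flat (unindented) style the post uses; '!' lines
# are skipped so a webvpn context that 'show run' splits with '!' stays one block.
TOP_LEVEL = re.compile(r"^(interface|webvpn|class-map|policy-map|zone security|"
                       r"zone-pair security|ip local pool|aaa|username|ip http)\b")
BASE_CONFIG = """\
zone security inside
zone security outside
interface FastEthernet0/0
zone-member security outside
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
zone-member security inside
zone-pair security ZP_INSIDE_TO_OUTSIDE source inside destination outside
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_INSIDE source outside destination inside
service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
webvpn gateway AnyConnect_RTR
inservice
webvpn context Anyconnect
policy group AnyConnectPolicy
!
default-group-policy AnyConnectPolicy
gateway AnyConnect_RTR
inservice
"""
BROKEN_CONFIG = BASE_CONFIG  # no virtual-template: the situation the post starts from
FIXED_INSIDE_CONFIG = BASE_CONFIG + """\
virtual-template 1
interface Virtual-Template1
ip unnumbered FastEthernet0/1
zone-member security inside
"""
FIXED_VPN_ZONE_CONFIG = BASE_CONFIG + """\
virtual-template 1
zone security vpn
interface Virtual-Template1
ip unnumbered FastEthernet0/1
zone-member security vpn
zone-pair security ZP_VPN_TO_INSIDE source vpn destination inside
service-policy type inspect PMAP_VPN_TO_INSIDE
"""


def parse_blocks(config):
    """Return [(header, [sub-commands])]; lines before the first header are dropped."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" ") and TOP_LEVEL.match(line):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def audit(config):
    """Return (severity, message) findings; an empty list means the config is clean."""
    zone_of, pairs, contexts = {}, defaultdict(set), []
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            for sub in body:
                if m := re.match(r"zone-member security (\S+)$", sub):
                    zone_of[header.split(None, 1)[1]] = m.group(1)
        elif header.startswith("zone-pair security "):
            if m := re.search(r"source (\S+) destination (\S+)$", header):
                pairs[m.group(1)].add(m.group(2))
        elif header.startswith("webvpn context "):
            tmpl = next((s.split()[1] for s in body if s.startswith("virtual-template ")), None)
            contexts.append((header.split(None, 2)[2], tmpl, "inservice" in body))
    findings = []
    # Zones holding real interfaces: VPN users need a zone-pair from their own zone to
    # each of them to reach hosts there (the inspect action handles return traffic).
    real_zones = {z for i, z in zone_of.items() if not i.startswith("Virtual-Template")}
    for name, tmpl, live in contexts:
        if not live:
            continue  # 'no inservice': nothing terminates on this context
        if tmpl is None:
            findings.append(("ERROR", f"webvpn context {name}: no virtual-template, sessions "
                             "land on an unzoned Virtual-Access interface and ZBF drops them"))
            continue
        vt = f"Virtual-Template{tmpl}"
        vz = zone_of.get(vt)
        if vz is None:
            findings.append(("ERROR", f"webvpn context {name}: {vt} is not a zone member"))
            continue
        for dest in sorted(real_zones - {vz}):
            if dest not in pairs.get(vz, set()):
                findings.append(("WARN", f"no zone-pair from {vz} to {dest}: VPN users in "
                                 f"zone {vz} cannot reach {dest}"))
    return findings


if __name__ == "__main__":
    for cfg in (BROKEN_CONFIG, FIXED_INSIDE_CONFIG, FIXED_VPN_ZONE_CONFIG):
        print(audit(cfg) or "OK: VPN template is zoned and paired")
```

Run against the three configs the script reports the post's original problem as an ERROR, a clean result for the template-in-inside-zone fix, and a WARN about the missing vpn-to-outside zone-pair for the separate-zone variant, which is harmless with the post's split-tunnel policy but would break a full-tunnel deployment. To audit a real device, feed it the output of `show running-config`; the checks ignore '!' separators and indentation, so the webvpn context stays one block even though IOS prints it in several '!'-separated parts.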