40.2 Security Sample Configurations Cisco Forum FAQ

40.2 Security Sample Configurations Cisco Forum FAQ
Links: home · search · speed test · login · more ·

	Search for: in all FAQs
All FAQs » Cisco Forum FAQ » 40.2 Security Sample Configurations
FAQ Revisions	Editors: skj, Covenant, aryoba, Phraxos Last modified on 2008-11-21 15:11:04

40.2 Security Sample Configurations ·Basic Internet Firewall ACL for Routers without IOS image Firewall feature ·Configure DMZ on routers ·Sample IOS Firewall (CBAC) router configuration ·Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router ·Zone-Based Firewall Sample Configuration ·Internet access restriction without a proxy server/websense solution? ·Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall ·How do I configure a Zywall/Pix ipsec VPN ·PAT/NAT Router/PIX passing through VPN tunnel ·Private Routing over VPN: GRE over IP Sec ·VPN: Static mappings with overloaded NAT and VPN ·Remote User VPN Connection To Office Network ·Configure router as both Internet router and VPN Concentrator ·Configure PIX/ASA as both Internet Firewall and VPN Concentrator
Basic Internet Firewall ACL for Routers without IOS image Firewall feature (#14453)
You probably have a router running basic IOS image without Firewall (FW) feature. You understand that you need a good firewall to protect your network from Internet intruders. There are choices to tackle the problem. 1. Setup a hardware firewall (i.e. PIX Firewall) in front of the router 2. Upgrade the router to run IOS image with FW feature 3. Apply basic Firewall ACL to Internet-facing router interface Option 1 Check out the following FAQ for sample configuration on setting a PIX in front of a router. »Cisco Forum FAQ »Internet - PIX - Router - LAN This setup should be the best approach to tackle the problem. However there are some constraints that might prevent you to choose this option, such as: 1. Financial burden 2. The router has integrated modem (i.e. DSL, cable modem, T1, ISDN) or the router Internet-facing (WAN) interface is not Ethernet interface 3. You do BGP peering with another AS, hence requires a router or layer-3 switch to be the public edge equipment When the WAN interface router is not Ethernet or your router is BGP peering, then you then have a choice to setup a hardware firewall behind the router, while the router run basic firewall ACL. Check out the following FAQ for sample configuration on setting a PIX behind a router. »Cisco Forum FAQ »Internet - Router - PIX - LAN When you have financial burden, then the only choice is to have the router run basic firewall ACL. Option 2 Upgrading the router is also a good approach. There are followings that might prevent you to do so. 1. You currently don't have proper Smartnet contract and upgrading the contract might be a hassle 2. The router might run too hot on memory and CPU when the router already run heavy routing 3. Activating any additional features on router (including FW feature) will take the router resources (memory and CPU) that might degrade the router robustness or performance 4. You don't have management control over the router, since there is another party doing so (i.e. your ISP or vendor) 5. You need to meet government agency regulations and using the router as a firewall might not meet such regulations When you have at least one of those situations, then your best option should be putting a hardware firewall in front of or behind the router. Option 3 This option is the most economical and might be a quick way to tackle the problem. Keep in mind that 1. This basic Firewall ACL only works on certain situations and certain protocol usages 2. Should you choose to implement this basic Firewall ACL on the router, it is suggested to have additional hardware firewall sitting behind the router for long-term solution Assumptions on the sample configuration: * There is Ethernet 0 interface as your LAN interface and Ethernet 1 interface as your WAN interface * You have a single static Public IP address within your network (the 1.1.1.2/30) * The Internet default gateway is 1.1.1.1/30 * Your LAN only has 10.0.0.0/24 as internal network and nothing else * You run public Web and Mail servers (the www and smtp) using the 1.1.1.2 as the public IP address * The internal Mail server IP address is 10.0.0.2 and the internal Web server IP address is 10.0.0.3 * You also use 1.1.1.2 for Internet browsing traffic from your LAN * You use your ISP DNS servers to browse the Internet (the TCP and UDP 53) * Your network daily usage is only browsing the Internet (that only use protocol TCP) and no other protocols used * You keep logs on potential illegitimate traffic attempts Following is the sample configuration interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip access-group 100 in ip access-group 101 out ip nat outside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ip route 10.0.0.0 255.0.0.0 Null0 ip route 172.16.0.0 255.240.0.0 Null0 ip route 192.168.0.0 255.255.0.0 Null0 ! ip nat inside source static tcp 10.0.0.2 25 1.1.1.2 25 ip nat inside source static tcp 10.0.0.3 80 1.1.1.2 80 ! ip nat inside source list 110 interface Ethernet1 overload ! access-list 100 remark Basic Firewall to protect from Internet intruders access-list 100 permit tcp any host 1.1.1.2 eq 25 access-list 100 permit tcp any host 1.1.1.2 eq 80 access-list 100 permit udp any eq 53 host 1.1.1.2 access-list 100 permit tcp any host 1.1.1.2 established access-list 100 deny ip any any log-input ! access-list 101 remark Deny Illegitimate Traffic go outbound access-list 101 deny tcp any any eq 135 log-input access-list 101 deny tcp any eq 135 any log-input access-list 101 deny udp any any eq 135 log-input access-list 101 deny udp any eq 135 any log-input access-list 101 deny tcp any any range 137 139 log-input access-list 101 deny tcp any range 137 139 any log-input access-list 101 deny udp any any range 137 139 log-input access-list 101 deny udp any range 137 139 any log-input access-list 101 deny tcp any any eq 445 log-input access-list 101 deny tcp any eq 445 any log-input access-list 101 deny udp any any eq 445 log-input access-list 101 deny udp any eq 445 any log-input access-list 101 deny tcp any any eq 593 log-input access-list 101 deny tcp any eq 593 any log-input access-list 101 deny tcp any any eq 707 log-input access-list 101 deny tcp any eq 707 any log-input access-list 101 deny tcp any any eq 4444 log-input access-list 101 deny tcp any eq 4444 any log-input access-list 101 deny ip host 0.0.0.0 any log-input access-list 101 deny ip host 255.255.255.255 any log-input access-list 101 deny ip 127.0.0.0 0.255.255.255 any log-input access-list 101 deny ip any 10.0.0.0 0.255.255.255 log-input access-list 101 deny ip any 172.16.0.0 0.15.255.255 log-input access-list 101 deny ip any 192.168.0.0 0.0.255.255 log-input access-list 101 permit ip 1.1.1.0 0.0.0.3 any access-list 101 deny ip any any log-input ! access-list 110 remark Deny NAT/PAT for Illegitimate Traffic access-list 110 deny ip 1.1.1.0 0.0.0.3 any log-input access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log-input access-list 110 deny ip 10.0.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log-input access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log-input access-list 110 permit ip 10.0.0.0 0.0.0.255 any access-list 110 deny ip any any log-input Notes: 1. The sample configuration is not intended as full router configuration. It only shows related commands. 2. ACL 100: Inbound Traffic Firewall * The key of the Firewall ACL (ACL 100) is the "established" keyword * Internet browsing mean outbound connections initiated from your LAN out to the Internet * Most common Internet browsing (i.e. open up websites, FTP sites, some Internet video or audio live streaming) only requires protocol TCP * With Internet browsing, only established TCP packets that are necessary to enter your network as reply packets * These established TCP packets are TCP ACK (acknowledge) during the three-way handshake or on ESTABLISHED mode (the actual data transfer); and RST (reset to close the connection) * With "established" keyword, only TCP packet ACK and RST will be permitted to enter your network * Note that there is no need to specify "access-list 100 permit tcp any eq 53 host 1.1.1.2" since the "access-list 100 permit tcp any host 1.1.1.2 established" would take care reply TCP port 53 (DNS) packets * This ACL assumes that you have static IP address assignment from ISP (the real static IP; not static by DHCP - read this FAQ for more info »Cisco Forum FAQ »Between DHCP, PPP, Dynamic, and Static IP Address ). If your router must receive ISP IP address from ISP DHCP server, then you need to permit incoming bootps traffic as well. Here is the ACL 100 looks like which incorporates ISP DHCP incoming bootps packets. access-list 100 remark Basic Firewall to protect from Internet intruders access-list 100 permit udp any eq any eq bootps any eq bootpc access-list 100 permit tcp any any eq 25 access-list 100 permit tcp any any eq 80 access-list 100 permit udp any eq 53 any access-list 100 permit tcp any any established access-list 100 deny ip any any log-input 3. ACL 101: Outbound Traffic Firewall * Those TCP and UDP ports are known used by virus/worm, therefore outbound connection to the Internet on such ports should be blocked * The host IP addresses are "invalid IP addresses" in Internet browsing perspective * Since only the 1.1.1.0/30 subnet is used as the Public IP subnet, any other IP addresses from different subnet try to go out to the Internet using the router should be illegitimate traffic; hence should be blocked 4. ACL 110: NAT/PAT Traffic Firewall * NAT/PAT sourcing from any IP address within your Public IP subnet or any IP address other than your internal subnet should be illegitimate traffic and known used by DOS (Denial of Service) attack; hence should be blocked * No private subnet on the Internet, hence NAT/PAT to those subnets should be blocked as well 5. Blackholing illegitimate traffic Since there are no other private subnets within your network than 10.0.0.0/24, traffic to other private subnets should go to Null interface (black hole) More Sample Configuration using ACL as Basic Firewall »Cisco Forum FAQ »Configure DMZ on routers feedback form by aryoba last modified: 2008-03-29 18:51:44
Configure DMZ on routers (#15913)
Suggested prerequisite reading: »Cisco Forum FAQ »Basic Internet Firewall ACL for Routers without IOS image Firewall feature On these sample configurations, it is assumed the following occur * There are at least three network segments; outside (i.e. WAN or The Internet), inside (LAN), DMZ * These segments are within their own subnet (Layer-3 separation) * Inside subnet is 10.0.0.0/24 and DMZ subnet is 10.0.1.0/24 Sample #1: Total Separation between Inside and DMZ This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside cannot access DMZ interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permitable Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any Sample #2: Restricted Access on DMZ specific services from Inside This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside can access DMZ only for web (TCP port 80) and email (TCP port 25) interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permitable Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 25 access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 80 access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 25 10.0.0.0 0.0.0.255 access-list 101 permit tcp 10.0.1.0 0.0.0.255 eq 80 10.0.0.0 0.0.0.255 access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any Sample #3: Restricted Access on DMZ most applications from Inside This sample assumes the following * Internet-only access for DMZ * DMZ cannot access inside * Inside can access DMZ on any TCP-based application and DNS (TCP and UDP port 53) * Note that most applications are TCP-based. Therefore this sample applies to most network interface Ethernet0 description LAN interface ip address 10.0.0.1 255.255.255.0 ip access-group 100 in ip nat inside ! interface Ethernet1 description WAN interface ip address 1.1.1.2 255.255.255.252 ip nat outside ! interface Ethernet2 description DMZ interface ip address 10.0.1.1 255.255.255.0 ip access-group 101 in ip nat inside ! ip route 0.0.0.0 0.0.0.0 1.1.1.1 ! ip nat inside source list 10 interface Ethernet1 overload ! access-list 10 remark Permitable Subnets to go out to the Internet access-list 10 permit 10.0.0.0 0.0.1.255 access-list 100 remark Restricted Inside network Access access-list 100 permit tcp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit udp 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 eq 53 access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255 access-list 100 permit ip 10.0.0.0 0.0.0.255 any access-list 101 remark Restricted DMZ network Access access-list 101 permit tcp 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 established access-list 101 permit udp 10.0.1.0 0.0.0.255 eq 53 10.0.0.0 0.0.0.255 access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255 access-list 101 permit ip 10.0.1.0 0.0.0.255 any feedback form by aryoba last modified: 2008-05-29 10:43:54
Sample IOS Firewall (CBAC) router configuration (#13435)
When your router is running IOS image with FW feature, you can implement CBAC as a Stateful Firewall IOS-based. With such inspection, the router can inspect inbound traffic from outside such as The Internet to inside the network. The router can also inspect outbound traffic from inside the network to outside. Note that the sample configurations implement outbound inspection on the WAN (Internet) interface that regulate outbound traffic from inside to the Internet. Typically no inspection is necessary or even needed to regulate traffic between inside or non-Internet interfaces. When there are no public servers hanging off the router and there are only outbound traffic such as Internet browsing (in addition of no inspection between inside interfaces), there should be no reason to implement inspection on inside interface. Therefore it is common practice to implement inspection on the WAN (Internet) interface to regulate outbound traffic when there are multiple non-Internet interfaces on the router and/or there are no inbound traffic. Inspecting Generic Traffic version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable secret 5 $1$uOpf$emfDhaV0/UALCYwjF.iHf/ ! no aaa new-model ip subnet-zero no ip source-route ! ip inspect name OUTBOUND cuseeme ip inspect name OUTBOUND ftp ip inspect name OUTBOUND h323 ip inspect name OUTBOUND netshow ip inspect name OUTBOUND rcmd ip inspect name OUTBOUND realaudio ip inspect name OUTBOUND rtsp ip inspect name OUTBOUND sqlnet ip inspect name OUTBOUND tcp ip inspect name OUTBOUND udp ip inspect name OUTBOUND vdolive ip inspect name OUTBOUND icmp ip ssh break-string isdn switch-type basic-net3 ! ! ! ! ! ! interface Ethernet0 description LAN ip address 192.168.0.16 255.255.255.0 no ip proxy-arp ip nat inside ! interface BRI0 no ip address encapsulation ppp dialer pool-member 1 isdn switch-type basic-net3 ppp authentication chap pap callin ! interface Dialer1 description ISP ip address negotiated ip access-group 121 in no ip redirects no ip unreachables no ip proxy-arp ip nat outside ip inspect OUTBOUND out encapsulation ppp no ip split-horizon dialer pool 1 dialer remote-name Cisco1 dialer idle-timeout 360 dialer string 08089916001 class DialClass dialer hold-queue 10 dialer load-threshold 20 either dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname host-username ppp chap password 7 ** ppp pap sent-username username-here password 7 ! ip nat inside source list 23 interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server no ip http secure-server ! ! map-class dialer DialClass access-list 23 permit 192.168.0.0 0.0.0.255 access-list 121 remark Permitted inbound packets access-list 121 deny udp any range 137 139 any access-list 121 deny tcp any range 137 139 any access-list 121 deny icmp any any echo access-list 121 permit icmp any any echo-reply access-list 121 permit icmp any any time-exceeded access-list 121 permit icmp any any unreachable access-list 121 deny icmp any any access-list 121 permit ip any any time-range TIME access-list 121 deny ip any any log-input dialer-list 1 protocol ip permit ! ! line con 0 exec-timeout 0 0 transport preferred all transport output all stopbits 1 line vty 0 4 access-class 23 in exec-timeout 0 0 login local transport preferred all transport input all transport output all ! no rcapi server ! ! time-range TIME periodic daily 0:00 to 23:59 ! ! end Inspecting Instant Messaging Traffic 1. Medium Security Policy on Application Traffic version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname Router ! boot-start-marker boot-end-marker ! logging buffered 51200 debugging logging console critical enable secret 5 ??????????????????????? ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local ! aaa session-id common ! resource policy ! clock timezone PCTime -5 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ip subnet-zero no ip source-route ! ! ip cef ip inspect log drop-pkt ip inspect name SDM_MEDIUM appfw SDM_MEDIUM ip inspect name SDM_MEDIUM cuseeme ip inspect name SDM_MEDIUM dns ip inspect name SDM_MEDIUM ftp ip inspect name SDM_MEDIUM h323 ip inspect name SDM_MEDIUM https ip inspect name SDM_MEDIUM icmp ip inspect name SDM_MEDIUM imap reset ip inspect name SDM_MEDIUM pop3 reset ip inspect name SDM_MEDIUM rcmd ip inspect name SDM_MEDIUM realaudio ip inspect name SDM_MEDIUM rtsp ip inspect name SDM_MEDIUM esmtp ip inspect name SDM_MEDIUM sqlnet ip inspect name SDM_MEDIUM streamworks ip inspect name SDM_MEDIUM tftp ip inspect name SDM_MEDIUM tcp ip inspect name SDM_MEDIUM udp ip inspect name SDM_MEDIUM vdolive ip inspect name SDM_MEDIUM sip ip inspect name SDM_MEDIUM sip-tls ip tcp synwait-time 10 no ip bootp server ip domain name wtbhome.net ip name-server 71.242.0.12 ip ssh time-out 60 ip ssh authentication-retries 2 ! appfw policy-name SDM_MEDIUM application im aol service default action allow alarm service text-chat action allow alarm server permit name login.oscar.aol.com server permit name toc.oscar.aol.com server permit name oam-d09a.blue.aol.com application im msn service default action allow alarm service text-chat action allow alarm server permit name messenger.hotmail.com server permit name gateway.messenger.hotmail.com server permit name webmessenger.msn.com application http strict-http action allow alarm port-misuse im action reset alarm port-misuse p2p action reset alarm port-misuse tunneling action allow alarm application im yahoo service default action allow alarm service text-chat action allow alarm server permit name scs.msg.yahoo.com server permit name scsa.msg.yahoo.com server permit name scsb.msg.yahoo.com server permit name scsc.msg.yahoo.com server permit name scsd.msg.yahoo.com server permit name cs16.msg.dcn.yahoo.com server permit name cs19.msg.dcn.yahoo.com server permit name cs42.msg.dcn.yahoo.com server permit name cs53.msg.dcn.yahoo.com server permit name cs54.msg.dcn.yahoo.com server permit name ads1.vip.scd.yahoo.com server permit name radio1.launch.vip.dal.yahoo.com server permit name in1.msg.vip.re2.yahoo.com server permit name data1.my.vip.sc5.yahoo.com server permit name address1.pim.vip.mud.yahoo.com server permit name edit.messenger.yahoo.com server permit name messenger.yahoo.com server permit name http.pager.yahoo.com server permit name privacy.yahoo.com server permit name csa.yahoo.com server permit name csb.yahoo.com server permit name csc.yahoo.com ! username tborland privilege 15 secret 5 ?????????????? ! ! ! bridge irb ! ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description $ES_WAN$$FW_OUTSIDE$ ip address dhcp ip access-group 101 in no ip redirects no ip unreachables no ip proxy-arp ip inspect SDM_MEDIUM out ip nat outside ip virtual-reassembly ip route-cache flow duplex auto speed auto no cdp enable ! interface Dot11Radio0 no ip address ! encryption mode ciphers tkip ! encryption vlan 1 mode ciphers tkip ! ssid wtbhome vlan 1 authentication open authentication key-management wpa wpa-psk ascii 7 ** ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no dot11 extension aironet no cdp enable bridge-group 1 ! interface Dot11Radio0.1 encapsulation dot1Q 1 native no snmp trap link-status no cdp enable bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description Internal Network no ip address ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452 bridge-group 1 bridge-group 1 spanning-disabled ! interface BVI1 description Bridge to Internal Network ip address 192.168.0.1 255.255.255.0 ip access-group 100 in no ip redirects no ip unreachables no ip proxy-arp ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1412 ! ip classless ! no ip http server no ip http secure-server ip nat inside source list 1 interface FastEthernet4 overload ! logging trap debugging access-list 1 remark INSIDE_IF=BVI1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 192.168.0.0 0.0.0.255 access-list 100 remark auto generated by Cisco SDM Express firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip any any access-list 101 remark auto generated by Cisco SDM Express firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 permit udp any eq bootps any eq bootpc access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any unreachable access-list 101 deny ip any any access-list 103 remark VTY Access-class list access-list 103 remark SDM_ACL Category=1 access-list 103 permit ip 192.168.0.0 0.0.0.255 any access-list 103 deny ip any any no cdp run ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 no modem enable transport output telnet line aux 0 transport output telnet line vty 0 4 access-class 103 in transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 end 2. High Security Policy on Application Traffic** version 12.4 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! logging buffered 51200 warnings enable secret 5 ??????????????????????? ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local ! aaa session-id common ! resource policy ! clock timezone PST -8 ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 10.10.10.1 10.10.10.10 ! ip dhcp pool sdm-pool import all network 10.10.10.0 255.255.255.0 default-router 10.10.10.1 dns-server 208.67.222.222 208.67.220.220 ! ! no ip domain lookup ip domain name yourdomain.com ip name-server 208.67.222.222 ip name-server 208.67.220.220 ip inspect log drop-pkt ip inspect name SDM_HIGH appfw SDM_HIGH ip inspect name SDM_HIGH icmp ip inspect name SDM_HIGH dns ip inspect name SDM_HIGH esmtp ip inspect name SDM_HIGH https ip inspect name SDM_HIGH imap reset ip inspect name SDM_HIGH pop3 reset ip inspect name SDM_HIGH tcp ip inspect name SDM_HIGH udp ! appfw policy-name SDM_HIGH application im aol service default action reset alarm service text-chat action reset alarm server deny name login.oscar.aol.com server deny name toc.oscar.aol.com server deny name oam-d09a.blue.aol.com audit-trail on application im msn service default action reset alarm service text-chat action reset alarm server deny name messenger.hotmail.com server deny name gateway.messenger.hotmail.com server deny name webmessenger.msn.com audit-trail on application http strict-http action reset alarm port-misuse im action port-misuse p2p action reset alarm port-misuse tunneling action reset alarm application im yahoo service default action reset alarm service text-chat action reset alarm server deny name scs.msg.yahoo.com server deny name scsa.msg.yahoo.com server deny name scsb.msg.yahoo.com server deny name scsc.msg.yahoo.com server deny name scsd.msg.yahoo.com server deny name cs16.msg.dcn.yahoo.com server deny name cs19.msg.dcn.yahoo.com server deny name cs42.msg.dcn.yahoo.com server deny name cs53.msg.dcn.yahoo.com server deny name cs54.msg.dcn.yahoo.com server deny name ads1.vip.scd.yahoo.com server deny name radio1.launch.vip.dal.yahoo.com server deny name in1.msg.vip.re2.yahoo.com server deny name data1.my.vip.sc5.yahoo.com server deny name address1.pim.vip.mud.yahoo.com server deny name edit.messenger.yahoo.com server deny name messenger.yahoo.com server deny name http.pager.yahoo.com server deny name privacy.yahoo.com server deny na server deny name csb.yahoo.com server deny name csc.yahoo.com audit-trail on ! ! crypto pki trustpoint TP-self-signed-2642721116 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-2642721116 revocation-check none rsakeypair TP-self-signed-2642721116 ! ! crypto pki certificate chain TP-self-signed-2642721116 certificate self-signed 01 3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 32363432 37323131 3136301E 170D3038 30313136 30353033 34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36343237 32313131 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100CB9E 16476447 E416F6C1 A994AB08 1525CF8E FA38C653 49ED2B44 34A66AC9 4D9C2677 71756644 0D54DBB1 11C224E5 4D17EC67 2148384A FE15B177 3C8D3710 4338044F 6672B697 9FEBC408 EA552F2A 6B2C7035 2E38B6F8 55E09757 0AC5A2 163FFA91 C26D8443 3EFBDFD1 CE078C9C 350AE5E5 EE866021 491C4362 8476AD3D 0E930203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603 551D1104 19301782 15526F75 7465722E 796F7572 646F6D61 696E2E63 6F6D301F 0603551D 23041830 16801444 9A67C06B 63BCAF40 5D467966 AA658D22 F6353430 1D060355 1D0E0416 0414449A 67C06B63 BCAF405D 467966AA 658D22F6 3534300D 06092A86 4886F70D 01010405 00038181 005D6986 D31370A4 A327EB4B FF7ED748 25C11602 76C2A0B7 A0A1D670 7DF73001 BFAEEFF9 E6C4BE6F EB9BF6DC 1FD7D8 9B571B6E C4A4307C B1A03F91 92EF08BF B249D567 1A46D51D 3405862C A88BFCC7 AD9B755A B2BB1298 271B6952 7A08CD61 F89A31B6 A2DB9C6F 62B00F6D 7089A7FB 44D7D866 D527960F 7A138B26 92252C4B D4 quit username tborland privilege 15 secret 5 ?????????????? ! ! ! bridge irb ! ! ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface FastEthernet4 description $ETH-WAN$ no ip address duplex auto speed auto pppoe enable pppoe-client dial-pool-number 1 ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ no ip address ip tcp adjust-mss 1452 bridge-group 1 ! interface Dialer0 description $FW_OUTSIDE$ ip address negotiated ip access-group 101 in ip mtu 1492 ip inspect SDM_HIGH out encapsulation ppp dialer pool 1 dialer-group 1 ppp authentication chap pap callin ppp chap hostname [my dsl account] ppp chap password 0 [password] ppp pap sent-username [my_dsl_account] password 0 [password] ppp ipcp dns request ppp ipcp route default ppp ipcp address accept ! interface BVI1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 10.10.10.1 255.255.255.0 ip access-group 100 in ip tcp adjust-mss 1452 ! ! ! no ip http server no ip http secure-server ip nat inside source list 1 interface Dialer0 overload ! access-list 1 permit 10.10.10.0 0.0.0.255 access-list 100 remark auto generated by SDM firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit ip any any access-list 101 remark auto generated by SDM firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any time-exceeded access-list 101 permit icmp any any unreachable access-list 101 deny ip any any log dialer-list 1 protocol ip permit ! ! ! ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 no modem enable line aux 0 line vty 0 4 access-class 1 in transport input ssh ! scheduler max-task-time 5000 end Some discussion /forum/remark,13205912?hilite=801+woes »801 ISDN access list woes feedback form by aryoba last modified: 2008-05-20 09:49:43
Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router (#14762)
Extracted from following thread: »[HELP] IOS IPS -- Is the performance hit worth it? Note: To run this configuration, your router needs to run IOS image that has IPSec/IDS feature and have the signature file on its flash memory. Check out the following FAQ for more info. »Cisco Forum FAQ »Protect my network! How do I do that using Cisco IOS? version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname Router ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 4096 debugging logging console critical enable secret 5 <removed> ! aaa new-model ! ! aaa authentication login default local aaa authentication ppp default group radius aaa authorization exec default local aaa authorization network default group radius aaa authorization network sdm_vpn_group_ml_1 group radius aaa accounting exec default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting resource default start-stop-failure group radius ! aaa session-id common ! resource policy ! clock timezone GMT 0 clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00 no ip source-route ip icmp rate-limit unreachable 100 ip icmp rate-limit unreachable DF 1 ip cef ! ! ! ! ip tcp ecn ip tcp selective-ack ip tcp window-size 65537 ip tcp synwait-time 10 no ip bootp server ip domain name Company.local ip name-server 192.168.<x>.<server> ip ssh time-out 60 ip ssh authentication-retries 2 ip inspect tcp reassembly queue length 64 ip inspect name DEFAULT100 appfw DEFAULT100 ip inspect name DEFAULT100 ftp ip inspect name DEFAULT100 h323 ip inspect name DEFAULT100 icmp ip inspect name DEFAULT100 rcmd ip inspect name DEFAULT100 realaudio ip inspect name DEFAULT100 rtsp ip inspect name DEFAULT100 esmtp ip inspect name DEFAULT100 tftp ip inspect name DEFAULT100 udp ip inspect name DEFAULT100 ntp ip inspect name DEFAULT100 http ip inspect name DEFAULT100 https ip inspect name DEFAULT100 fragment maximum 250 timeout 1 ip inspect name DEFAULT100 tcp ip inspect name DEFAULT100 isakmp ip inspect name DEFAULT100 ipsec-msft ip inspect name DEFAULT100 l2tp ip inspect name DEFAULT100 pptp ip ips sdf location flash://sdmips.sdf ip ips sdf location flash://128MB.sdf autosave ip ips notify SDEE ip ips name sdm_ips_rule ip dhcp-server 192.168.x.server vpdn enable ! vpdn-group L2TP ! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication l2tp tunnel receive-window 256 ! ! appfw policy-name DEFAULT100 application http strict-http action allow alarm port-misuse tunneling action allow alarm ! password encryption aes ! crypto pki trustpoint TP-self-signed-3534083426 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3534083426 revocation-check none rsakeypair TP-self-signed-3534083426 ! crypto pki trustpoint titan enrollment mode ra enrollment url http://192.168.x.server:80/certsrv/mscep/mscep.dll usage ike password <removed> subject-name CN=Me,O=Company revocation-check crl none ! ! crypto pki certificate chain TP-self-signed-3534083426 certificate self-signed 01 <removed> quit crypto pki certificate chain titan certificate <removed> quit certificate ca <removed> quit no crypto engine onboard 0 ! crypto key pubkey-chain rsa named-key realm-cisco.pub signature key-string 30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101 00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16 17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128 B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E 5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35 FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85 50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36 006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE 2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3 F3020301 0001 quit username xxx privilege 15 secret 5 <removed> ! ! ! crypto isakmp policy 1 encr 3des group 2 lifetime 900 ! crypto isakmp policy 2 encr 3des authentication pre-share group 2 lifetime 900 crypto isakmp key <removed> address 0.0.0.0 0.0.0.0 no-xauth ! crypto ipsec security-association idle-time 900 ! crypto ipsec transform-set ESP-3DES-SHA-transport esp-3des esp-sha-hmac mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto dynamic-map SDM_DYNMAP_1 1 description L2TP/IPSec set transform-set ESP-3DES-SHA-transport reverse-route ! ! crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto map SDM_CMAP_1 client configuration address respond crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! bridge irb ! ! ! interface Null0 no ip unreachables ! interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip accounting access-violations ip route-cache flow no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description Internet$ES_WAN$$FW_OUTSIDE$ bandwidth 18147 ip address <my ip address> 255.255.248.0 ip access-group 101 in ip verify unicast reverse-path 103 no ip redirects no ip proxy-arp ip accounting access-violations ip mtu 1500 ip nbar protocol-discovery ip flow ingress ip flow egress ip nat outside ip inspect DEFAULT100 out ip ips sdm_ips_rule in ip ips sdm_ips_rule out ip virtual-reassembly no snmp trap link-status atm route-bridged ip atm route-bridged ipv6 pvc BeUnlimited 0/101 oam-pvc manage encapsulation aal5snap ! ipv6 enable ipv6 nd ra suppress crypto map SDM_CMAP_1 ! interface FastEthernet0 ! interface FastEthernet1 ! interface FastEthernet2 ! interface FastEthernet3 ! interface Virtual-Template1 description L2TP ip unnumbered BVI1 no ip redirects no ip proxy-arp ip accounting access-violations ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1360 peer default ip address dhcp ppp mtu adaptive ppp authentication eap ms-chap-v2 ppp ipcp header-compression ack ppp ipcp username unique ppp timeout idle 600 either ! interface Dot11Radio0 description Wireless interface no ip address no ip redirects no ip unreachables ip accounting access-violations countermeasure tkip hold-time 5 ! encryption mode ciphers tkip ! ssid Wireless authentication open authentication key-management wpa guest-mode wpa-psk ascii <removed> ! world-mode dot11d country GB indoor speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable bridge-group 1 bridge-group 1 spanning-disabled ! interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$ no ip address no ip redirects no ip unreachables ip accounting access-violations ip tcp adjust-mss 1452 bridge-group 1 ! interface BVI1 description LAN$ES_LAN$$FW_INSIDE$ ip address 192.168.<x>.1 255.255.255.0 ip access-group 100 in no ip redirects no ip proxy-arp ip accounting access-violations ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip virtual-reassembly ip route-cache flow ip tcp adjust-mss 1412 ! ip route 0.0.0.0 0.0.0.0 <gateway> ! ip flow-top-talkers top 25 sort-by bytes cache-timeout 36000 ! ip http server ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source list 1 interface ATM0.1 overload ip nat inside source static udp 192.168.<x>.<server> 5005 interface ATM0.1 5005 ip nat inside source static udp 192.168.<x>.<server> 1755 interface ATM0.1 1755 ip nat inside source static tcp 192.168.<x>.<server> 1755 interface ATM0.1 1755 ip nat inside source static tcp 192.168.<x>.<server> 554 interface ATM0.1 554 ip nat inside source static tcp 192.168.<x>.<server> 3389 interface ATM0.1 3389 ip nat inside source static tcp 192.168.<x>.<server> 1723 interface ATM0.1 1723 ip nat inside source static tcp 192.168.<x>.<server> 4125 interface ATM0.1 4125 ip nat inside source static tcp 192.168.<x>.<server> 444 interface ATM0.1 444 ip nat inside source static tcp 192.168.<x>.<server> 443 interface ATM0.1 443 ip nat inside source static tcp 192.168.<x>.<server> 25 interface ATM0.1 25 ip nat inside source static tcp 192.168.<x>.<server> 80 interface ATM0.1 80 ! logging trap debugging logging 192.168.<x>.<server> access-list 1 remark INSIDE_IF=BVI1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit 192.168.<x>.0 0.0.0.255 access-list 100 remark auto generated by Cisco SDM Express firewall configuration access-list 100 remark SDM_ACL Category=1 access-list 100 permit udp host 192.168.<x>.<server> eq 1645 host 192.168.<x>.1 access-list 100 permit udp host 192.168.<x>.<server> eq 1646 host 192.168.<x>.1 access-list 100 deny ip 87.194.32.0 0.0.7.255 any access-list 100 deny ip host 255.255.255.255 any access-list 100 deny ip 127.0.0.0 0.255.255.255 any access-list 100 permit gre any any log access-list 100 permit ip any any access-list 101 remark auto generated by Cisco SDM Express firewall configuration access-list 101 remark SDM_ACL Category=1 access-list 101 deny ip host 0.0.0.0 any log access-list 101 deny ip 10.0.0.0 0.255.255.255 any log access-list 101 deny ip 172.16.0.0 0.15.255.255 any log access-list 101 deny ip 192.168.0.0 0.0.255.255 any log access-list 101 deny ip 127.0.0.0 0.255.255.255 any log access-list 101 deny ip host 255.255.255.255 any log access-list 101 deny ip 169.254.0.0 0.0.255.255 any log access-list 101 deny ip 0.0.0.0 0.255.255.255 any log access-list 101 permit tcp any host <my ip address> eq www access-list 101 permit esp any host <my ip address> access-list 101 permit udp any host <my ip address> eq isakmp access-list 101 permit udp any host <my ip address> eq non500-isakmp access-list 101 permit udp any host <my ip address> eq 5005 access-list 101 permit udp any host <my ip address> eq 1755 access-list 101 permit tcp any host <my ip address> eq 1755 access-list 101 permit tcp any host <my ip address> eq 554 access-list 101 permit tcp any host <my ip address> eq 3389 access-list 101 permit tcp any host <my ip address> eq 1723 access-list 101 permit gre any host <my ip address> log access-list 101 permit tcp any host <my ip address> eq 4125 access-list 101 permit tcp any host <my ip address> range 443 444 access-list 101 permit tcp any host <my ip address> eq smtp access-list 101 permit icmp any host <my ip address> echo-reply access-list 101 permit icmp any host <my ip address> time-exceeded access-list 101 permit icmp any host <my ip address> unreachable access-list 101 remark Auto generated by SDM for NTP (123) 0.uk.pool.ntp.org access-list 101 permit udp host 213.2.4.80 eq ntp host <my ip address> eq ntp access-list 101 remark Auto generated by SDM for NTP (123) 193.190.230.66 access-list 101 permit udp host 193.190.230.66 eq ntp host <my ip address> eq ntp access-list 101 deny icmp any any redirect log access-list 101 deny ip any any log access-list 102 remark VTY Access-class list access-list 102 remark SDM_ACL Category=1 access-list 102 permit ip 192.168.<x>.0 0.0.0.255 any access-list 102 deny ip any any access-list 103 remark Log any unicast reverse path packets access-list 103 remark SDM_ACL Category=1 access-list 103 remark Deny any packets that fail unicast reverse path access-list 103 deny ip any any log snmp-server community <removed> RW snmp-server community <removed> RO no cdp run ! ! ! radius-server host 192.168.<x>.<server> auth-port 1645 acct-port 1646 key 7 <removed> ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner exec ^C % Password expiration warning. ----------------------------------------------------------------------- Cisco Router and Security Device Manager (SDM) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session. It is strongly suggested that you create a new username with a privilege level of 15 using the following command. username <myuser> privilege 15 secret 0 <mypassword> Replace <myuser> and <mypassword> with the username and password you want to use. ----------------------------------------------------------------------- ^C banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C ! line con 0 no modem enable transport output telnet speed 115200 line aux 0 transport output telnet line vty 0 4 access-class 102 in transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 ntp logging ntp clock-period 17175097 ntp source BVI1 ntp server 193.190.230.66 source ATM0.1 ntp server 213.2.4.80 source ATM0.1 ! webvpn install svc flash:/webvpn/svc.pkg end feedback form by aryoba last modified: 2007-07-11 11:09:37
Zone-Based Firewall Sample Configuration (#15839)
Note: * Router needs to run 12.4 IOS image !version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname Router ! boot-start-marker boot-end-marker ! security authentication failure rate 3 log security passwords min-length 6 logging buffered 51200 logging console critical enable secret 5 <removed> ! aaa new-model ! ! aaa group server radius sdm-vpn-server-group-1 server <lan server ip> auth-port 1645 acct-port 1646 ! aaa authentication login local_authen local aaa authentication ppp default group radius aaa authorization exec local_author local aaa authorization network default group radius aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-1 aaa accounting exec default start-stop group radius aaa accounting connection default start-stop group radius aaa accounting resource default start-stop-failure group radius ! ! aaa session-id common clock timezone GMT 0 clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00 dot11 phone dot11 arp-cache no ip source-route ip icmp rate-limit unreachable 100 ip icmp rate-limit unreachable DF 1 ip cef ! ip nbar pdlm flash:/rtp-124.pdlm ! ! ! ip tcp ecn ip tcp selective-ack ip tcp window-size 169360 ip tcp synwait-time 10 no ip bootp server ip domain name johnpavel.local ip name-server <lan server ip> ip port-map user-terminal port tcp 3389 description Terminal Services ip port-map user-mmsu port udp 1755 description MMSU ip port-map user-sharepoint port tcp 444 description Windows Sharepoint Services ip port-map user-rtspu port udp 5005 description RTSPU ip port-map user-remote-web port tcp 4125 description Remote Web Workplace ip port-map user-nat-stun port udp 3478 description Simple Traversal of UDP through NAT ip ssh time-out 60 ip dhcp-server <lan server ip> login block-for 15 attempts 2 within 30 ! multilink bundle-name authenticated vpdn enable ! vpdn-group L2TP ! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication l2tp tunnel password 7 l2tp tunnel receive-window 256 ! parameter-map type inspect pmap-audit audit-trail on password encryption aes ! crypto pki trustpoint TP-self-signed-... ! crypto pki trustpoint <server> enrollment mode ra enrollment url http://<server>:80/certsrv/mscep/mscep.dll usage ike password 7 08781A1C2F495C4E422F545573087C7B10 revocation-check crl ! ! crypto pki certificate chain TP-self-signed-... quit crypto pki certificate chain ... quit no crypto engine onboard 0 ! ! username <user> privilege 15 secret 5 <removed> ! ! class-map type inspect match-all sdm-cls-http-1 match access-group name InternalServer match protocol http class-map type inspect match-any AllowedOut description Permitted Traffic to internet match protocol https match protocol dns match protocol imap match protocol icmp match protocol ftp match protocol smtp extended match protocol sip match protocol user-nat-stun match protocol ntp match protocol pop3 match protocol pptp match protocol rtsp match protocol realmedia match protocol netshow match protocol appleqtc match protocol streamworks match protocol vdolive match protocol telnet class-map type inspect match-all sdm-cls-http match protocol http class-map type inspect match-any SDM_GRE match access-group name SDM_GRE class-map type inspect match-any ExternallyVisibleProtocols description Externally-visible protocols match protocol http match protocol https match protocol smtp extended match protocol user-sharepoint match protocol user-remote-web match protocol pptp match class-map SDM_GRE match protocol user-terminal match protocol rtsp match protocol netshow match protocol user-mmsu match protocol user-rtspu class-map type inspect match-any returningGRE description Returning GRE for PPTP match class-map SDM_GRE class-map type inspect match-any SDM_ESP match access-group name SDM_ESP class-map type inspect match-all ICMPReply description Only certain pings permitted to router match access-group name ICMPReply class-map type inspect match-any RouterToOutside description Permit router-generated traffic out match protocol tcp match protocol udp match protocol icmp class-map type inspect match-all ExternallyVisibleServices description Externally-visible protocols headed to server match access-group name InternalServer match class-map ExternallyVisibleProtocols class-map type inspect match-any IPSec description For L2TP/IPSec match class-map SDM_ESP match protocol isakmp match protocol ipsec-msft class-map type inspect http match-any sdm-http-blockparam match request port-misuse any class-map type inspect match-any InvalidSource description Invalid source addresses for internally-generated outgoing traffic match access-group name InvalidSource class-map type inspect http match-any sdm-app-httpmethods match request method bcopy match request method bdelete match request method bmove match request method bpropfind match request method bproppatch match request method connect match request method copy match request method delete match request method edit match request method getattribute match request method getattributenames match request method getproperties match request method index match request method lock match request method mkcol match request method mkdir match request method move match request method notify match request method options match request method poll match request method propfind match request method proppatch match request method put match request method revadd match request method revlabel match request method revlog match request method revnum match request method save match request method search match request method setattribute match request method startrev match request method stoprev match request method subscribe match request method trace match request method unedit match request method unlock match request method unsubscribe class-map type inspect http match-any sdm-http-allowparam match req-resp protocol-violation ! ! policy-map type inspect RouterToInside description Router to LAN class class-default inspect policy-map type inspect InsideToRouter description LAN to router class class-default inspect policy-map type inspect http sdm-action-app-http class type inspect http sdm-http-blockparam log reset class type inspect http sdm-app-httpmethods log reset class type inspect http sdm-http-allowparam log allow class class-default policy-map type inspect InsideToOutside description LAN to Internet class type inspect returningGRE inspect pmap-audit class type inspect InvalidSource drop log class type inspect sdm-cls-http inspect service-policy http sdm-action-app-http class type inspect AllowedOut inspect class class-default drop log policy-map type inspect OutsideToInside description Internet to LAN (server) class type inspect ExternallyVisibleServices inspect pmap-audit class class-default drop log policy-map type inspect OutSideToRouter description Permitted traffic from internet to router class type inspect ICMPReply pass class type inspect IPSec pass class class-default drop log policy-map type inspect RouterToOutSide description Router to internet class type inspect RouterToOutside inspect pmap-audit class class-default pass ! zone security Inside zone security Outside zone-pair security InsideToOutside source Inside destination Outside service-policy type inspect InsideToOutside zone-pair security RouterToInside source self destination Inside service-policy type inspect RouterToInside zone-pair security InsideToRouter source Inside destination self service-policy type inspect InsideToRouter zone-pair security OutsideToRouter source Outside destination self service-policy type inspect OutSideToRouter zone-pair security RouterToOutside source self destination Outside service-policy type inspect RouterToOutSide zone-pair security OutsideToInside source Outside destination Inside service-policy type inspect OutsideToInside ! ! crypto isakmp policy 10 encr aes 256 group 2 ! crypto isakmp policy 20 encr aes 192 group 2 ! crypto isakmp policy 30 encr aes group 2 ! crypto isakmp policy 40 encr 3des group 2 ! crypto isakmp policy 50 encr aes 256 authentication pre-share group 2 ! crypto isakmp policy 60 encr aes 192 authentication pre-share group 2 ! crypto isakmp policy 70 encr aes authentication pre-share group 2 ! crypto isakmp policy 80 encr 3des authentication pre-share group 2 crypto isakmp key 6 <removed> address 0.0.0.0 0.0.0.0 no-xauth ! ! crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac mode transport crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac mode transport crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac mode transport crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac mode transport ! crypto dynamic-map Dynamic-CryptoMap 1 description IPSec set transform-set ESP-AES128-SHA ESP-3DES-SHA reverse-route ! ! crypto map IPSec-Policy 65535 ipsec-isakmp dynamic Dynamic-CryptoMap ! bridge irb ! ! ! interface Null0 no ip unreachables ! interface ATM0 no ip address no ip redirects no ip unreachables no ip proxy-arp ip accounting access-violations ip route-cache flow no atm ilmi-keepalive dsl operating-mode auto ! interface ATM0.1 point-to-point description Be* Unlimited$ES_WAN$$FW_OUTSIDE$ bandwidth receive 17800 ip address <my external ip address> <my external mask> ip verify unicast reverse-path no ip redirects no ip unreachables no ip proxy-arp ip accounting access-violations ip mtu 1500 ip nbar protocol-discovery ip flow ingress ip flow egress ip nat outside ip virtual-reassembly zone-member security Outside ip tcp adjust-mss 1460 no snmp trap link-status atm route-bridged ip pvc BeUnlimited 0/101 oam-pvc manage encapsulation aal5snap ! crypto map IPSec-Policy ! interface FastEthernet0 description Switch ! interface FastEthernet1 description titan ! interface FastEthernet2 description Yellow ! interface FastEthernet3 description phone ! interface Virtual-Template1 description L2TP$FW_OUTSIDE$ ip unnumbered BVI1 ip verify unicast reverse-path no ip redirects ip accounting access-violations ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip virtual-reassembly zone-member security Inside ip route-cache flow ip tcp adjust-mss 1360 peer default ip address dhcp no keepalive ppp mtu adaptive ppp authentication eap ms-chap-v2 ppp ipcp header-compression ack ppp ipcp username unique ! interface Dot11Radio0 description Wireless no ip address ip accounting access-violations ! encryption mode ciphers tkip ! ssid Wireless authentication open authentication key-management wpa accounting radius guest-mode wpa-psk ascii 7 <removed> ! world-mode dot11d country GB indoor speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 station-role root bridge-group 1 bridge-group 1 spanning-disabled ! interface Vlan1 description LAN$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ no ip address ip accounting access-violations ip tcp adjust-mss 1460 bridge-group 1 ! interface BVI1 description LAN Wireless bridge$ES_LAN$$FW_INSIDE$ ip address <router ip address> 255.255.255.0 no ip redirects no ip proxy-arp ip accounting access-violations ip nbar protocol-discovery ip flow ingress ip flow egress ip nat inside ip virtual-reassembly zone-member security Inside ip route-cache flow ! router bgp <removed> no synchronization bgp log-neighbor-changes neighbor 195.66.241.98 remote-as <removed> neighbor 195.66.241.98 description cymru neighbor 195.66.241.98 password 7 <removed> neighbor 195.66.241.98 ebgp-multihop 255 neighbor 195.66.241.98 prefix-list cymru-out out neighbor 195.66.241.98 route-map CYMRUBOGONS in neighbor 195.66.241.98 maximum-prefix 100 90 no auto-summary ! ip route 0.0.0.0 0.0.0.0 <remote gateway ip address> ip route 192.0.2.1 255.255.255.255 Null0 ip route <cymru ip address> 255.255.255.255 <remote gateway ip address> ! ip bgp-community new-format ip community-list 10 permit <removed> ip flow-cache timeout active 1 ip flow-export version 9 ip flow-export destination <netflow monitor ip> 9996 ip flow-top-talkers top 50 sort-by bytes cache-timeout 3600000 ! ip http server ip http access-class 2 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip nat inside source static tcp <lan server ip> 80 interface ATM0.1 80 ip nat inside source static tcp <lan server ip> 25 interface ATM0.1 25 ip nat inside source static tcp <lan server ip> 443 interface ATM0.1 443 ip nat inside source static tcp <lan server ip> 444 interface ATM0.1 444 ip nat inside source static tcp <lan server ip> 4125 interface ATM0.1 4125 ip nat inside source static tcp <lan server ip> 1723 interface ATM0.1 1723 ip nat inside source static tcp <lan server ip> 3389 interface ATM0.1 3389 ip nat inside source static tcp <lan server ip> 554 interface ATM0.1 554 ip nat inside source static tcp <lan server ip> 1755 interface ATM0.1 1755 ip nat inside source static udp <lan server ip> 1755 interface ATM0.1 1755 ip nat inside source static udp <lan server ip> 5005 interface ATM0.1 5005 ip nat inside source list 1 interface ATM0.1 overload ! ip access-list extended ICMPReply permit icmp any any host-unreachable permit icmp any any port-unreachable permit icmp any any ttl-exceeded permit icmp any any packet-too-big ip access-list extended InternalServer remark Traffic to server remark SDM_ACL Category=128 permit ip any host <lan server ip> ip access-list extended InvalidSource remark Invalid Source Address on LAN remark SDM_ACL Category=128 permit ip host 255.255.255.255 any permit ip <gateway network> <inverse gateway mask> any permit ip 127.0.0.0 0.255.255.255 any ip access-list extended SDM_ESP remark SDM_ACL Category=0 permit esp any any ip access-list extended SDM_GRE remark SDM_ACL Category=0 permit gre any any ! ! ip prefix-list cymru-out seq 5 deny 0.0.0.0/0 le 32 ip radius source-interface BVI1 logging trap debugging logging <lan server ip> access-list 1 remark INSIDE_IF=BVI1 access-list 1 remark SDM_ACL Category=2 access-list 1 permit <lan network> <lan network mask> access-list 2 remark HTTP Access-class list access-list 2 remark SDM_ACL Category=1 access-list 2 permit <lan network> <lan network mask> access-list 2 deny any access-list 112 remark VTY Access-class list access-list 112 remark SDM_ACL Category=1 access-list 112 permit ip <lan network> <lan network mask> any access-list 112 deny ip any any snmp-server community <removed> RW snmp-server community <removed> RO snmp-server ifindex persist no cdp run ! ! ! route-map CYMRUBOGONS permit 10 description Filter bogons learned from cymru.com bogon route-servers match community 10 set ip next-hop 192.0.2.1 ! radius-server host <lan server ip> auth-port 1645 acct-port 1646 key 7 <removed> ! control-plane ! bridge 1 protocol ieee bridge 1 route ip banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user! ^C alias exec ru sh run alias exec ri sh run \| i alias exec rb sh run \| b ! line con 0 login authentication local_authen no modem enable transport output telnet speed 115200 line aux 0 login authentication local_authen transport output telnet line vty 0 4 access-class 112 in authorization exec local_author login authentication local_authen transport input telnet ssh ! scheduler max-task-time 5000 scheduler allocate 4000 1000 scheduler interval 500 ntp clock-period 17175104 ntp server 193.190.230.66 source ATM0.1 ntp server 213.2.4.80 source ATM0.1 end feedback form by aryoba last modified: 2008-02-10 08:12:51
Internet access restriction without a proxy server/websense solution? (#14018)
A solution which uses the router to filter Internet access (web traffic), allowing what is defined to go through and deny all others. Option 1: Using CBAC feature This "work around" is the use of Cisco's Web Filtering functionality which goes hand in hand with the Websense products. This FAQ will utilise the current functionality of the Websense solution without a server by deviating from the original design of this suite of technologies by Cisco. Note that this is only supported in IOS that have the CBAC functionality. First off, create an ACL which will be used in the Java filter statement that allows everything through which will not trigger the Java applet scanner which can be CPU intensive. If not, degraded performance can occur. access-list 10 permit any Define the IP INSPECT statements as below and then add what URLs are allowed to be accessed such as www.google.com and www.froogle.com in the example below: ip inspect name inspect-out http urlfilter audit-trail off ip inspect name inspect-out http java-list 10 ip urlfilter exclusive-domain permit www.google.com ip urlfilter exclusive-domain permit www.froogle.com The statement "ip urlfilter exclusive-domain www.xxxx.com" adds a domain name to or from the exclusive domain list so that the firewall does not have to send look-up requests to the Websense server. So, regardless of the Websense server being available or not, which in this case does not exist, the router will allow all HTTP requests to the above domains through. There is a setting which is defined by the statement "ip urlfilter allow-mode on/off" where if the router can't talk to the Websense server, it will allow web traffic through or deny it depending on this setting. There is no Websense server defined at all but what we will do is turn off the allow-mode so all traffic will be denied bar the ones defined in the exclusive-domain statement. ip urlfilter allow-mode off Now the configuration has been setup, it then has to be applied to the interface like a normal ip inspect statement, for example: interface Dialer1 description PPPoX dialer to ISP ip inspect inspect-out out or interface FastEthernet4 description Interface to Cable modem ip inspect inspect-out out Option 2: Using QoS CBWFQ feature Using the same previous situation, the permitted web sites are only www.google.com and www.froogle.com; while traffic to other sites are blocked. This time the filtering technique is utilising CBWFQ which is also applied to the WAN interface. access-list 100 remark DNS traffic access-list 100 permit tcp any any eq 53 access-list 100 permit udp any any eq 53 ! class-map match-any Internet_Sites match protocol http host "www.google.com" match protocol http host "www.froogle.com" match access-group 100 ! policy-map Restricted_Internet_Access class Internet_Sites bandwidth percent 20 class class-default police cir 8000 conform-action drop exceed-action drop ! interface Dialer1 description PPPoX dialer to ISP service-policy output Restricted_Internet_Access CBWFQ (Class Based Weighted Fair Queue) is Cisco QoS (Quality of Service) feature that can be used to shape or to drop certain traffic. In this sample configuration, outbound traffic to www.google.com, to www.froogle.com, and to ISP DNS servers are set to guarantee 20% bandwidth during congestion. Other traffic will be dropped even when there is no congestion. Let's review another illustration. Some organizations prevent their employee to access public social sites such as www.myspace.com and adult (porn) sites such as www.playboy.com; while still permit access to other Internet sites. Using the CBWFQ, following is blocked-access sample configuration. class-map match-any Internet_Sites match protocol http host ".myspace.com" match protocol http host ".playboy.com" ! policy-map Restricted_Internet_Access class Internet_Sites drop ! interface Dialer1 description PPPoX dialer to ISP service-policy output Restricted_Internet_Access More illustration on CBWFQ technique to restrict/maintain website access »[Config] QoS with CBWFQ to prioritize a website Option 3: Using ACL IP Address-Based The downside of the two previous sample configurations is that your router may not support such feature. A good side is that most router support access block by IP addresses or subnets. Following is illustration on how to block access by the site's IP addresses, which the filter is applied to the LAN interface. Let's revisit the www.myspace.com access block. Using DNS A record and WHOIS checks, it is revealed that currently myspace.com subnet is 216.178.32.0/20 (from 216.178.32.0 to 216.178.47.255). Following is the sample configuration of block access to myspace.com based on its IP addresses. access-list 100 remark Restricted Internet Access access-list 100 deny ip any 216.178.32.0 0.0.15.255 access-list 100 permit ip any any ! interface FastEthernet1 description Interface to LAN ip access-group 100 in Side Note: You can use following site for public DNS A record and WHOIS checking http://www.iptools.com/ Note that this block access method only works when myspace.com still occupies the 216.178.32.0/20 subnet. It was known that originally myspace.com did not occupy this subnet. When the blocked site IP addresses are moved to different subnet, then there will be a need to adjust the blocked IP subnet to the new one. This adjustment is not needed when one of the two previous options is deployed. This FAQ was inspired by the following post: »How to Configure Internet Access restrictions ? feedback form by Covenant edited by aryoba last modified: 2007-12-26 13:05:27
Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall (#14243)
Suggested prerequisite reading »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections Introduction Setting up site-to-site IPSec VPN connection in general involves two phases. Phase 1 is called ISAKMP SA (Security Association) establishment and Phase 2 is called IPSec SA establishment. Phase 1 In general, Phase 1 deals with confirmation among sites that are about to establish secure connection across unsecure network. This process is to verify that each site is authorized to establish such connection. Following is further description. Phase 1 is to establish the ISAKMP key matching with remote site. One popular technique of this ISAKMP key matching is to use preshared key. This key is basically a string (combination of alphabets, numbers, and characters) that both sites agree to use. The key is then stored (and encrypted) within each VPN device configuration. Phase 1 in IPSec VPN connection establishment is also involving the remote VPN device IP address (peer). A popular technique is to specifically set the remote peer IP address (for security purposes); known as static configuration. With this specific static configuration, both preshared key and remote IP address are statically configured into the VPN device. During the Phase 1 VPN tunnel establishment using the static configuration of both preshared key and remote IP address, the two VPN peer IP addresses (the local and the remote) must match. If the two VPN peer IP addresses match, then the next step is to match the preshared key between the two VPN devices. This preshared key matching process is done within an encapsulated secure (encrypted) tunnel. The encapsulation type and method used is the encryption specified for the Phase 1. In other word, Phase 1 VPN tunnel establishment in this case involves matching process of three factors where all the three are statically configured into both VPN devices. If there is a change needed to the either one of the three, manual adjustment is needed. The three factors are VPN peer IP addresses, preshared key, and encryption type and method. In this specific example, those three factors are the key of how Phase 1 process take place to verify security association establishment between sites that are about to setup secure connection over untrusted network. Phase 2 Once Phase 1 is passed successfully, then the setup process moves to the Phase 2. In general, Phase 2 deals with traffic management of the actual data communication between sites. There will be mechanism to determine which data goes where, encrypted or not. In Cisco security device, one mechanism factor is to use access list. An access list is used to specify or regulate which data (source and destination IP addresses or subnets) need to be encrypted or decrypted (going through the VPN tunnel). Similar to the Phase 1, there is also specific remote VPN peer IP addresses and IPSec VPN tunnel type and method only for the Phase 2. All the access list, remote VPN peer IP addresses, and the Phase 2 IPSec VPN tunnel type and method are statically configured into both VPN devices. The actual data passing (that are encrypted before leaving local VPN device to go to the remote VPN device; and are decrypted when arriving at local VPN device from the remote VPN device) are encapsulated within the Phase 2 IPSec VPN tunnel. In other word, the access list, VPN peer IP addresses, and IPSec VPN tunnel type and method are the key to establish the Phase 2. Once Phase 2 is established, the actual data between sites will be passing. Between Phase 1 and Phase 2 Note that only the Phase 2 involves the IPSec protocol, either ESP (Protocol 50) or AH (Protocol 51). Both Phase 1 (ISAKMP) and Phase 2 (IPSec) use specific encryption type (i.e. AES, 3DES, DES) and hash (MD5 or SHA). Specifically for Phase 1, there is the Diffie-Hellman group type (Group 1, 2, or 5) and the ISAKMP SA (Security Association) timeout or lifetime. Cisco Configuration Guide An Introduction to IP Security (IPSec) Encryption Virtual Private Networks with the Cisco PIX Firewall - Introduction and Implementation Illustration Let's review the following PIX IPSec VPN tunnel configuration PIX Version 6.1(2) interface ethernet0 auto interface ethernet1 auto nameif ethernet0 outside security0 nameif ethernet1 inside security100 enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname pix_1 fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 1720 fixup protocol rsh 514 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 names ! !--- These are the access list that regulate the actual data passing within Phase 2 IPSec VPN tunnel ! !--- The IPSec VPN tunnel between PIX 1 and PIX 2: !--- The 10.1.1.0/24 is local subnet to this PIX 1 VPN device as the source subnet !--- The 10.2.2.0/24 is remote subnet reside at the PIX 2 remote VPN device as the destination subnet access-list 120 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 ! !--- The IPSec VPN tunnel between PIX 1 and PIX 3: !--- The 10.1.1.0/24 is local subnet to this PIX 1 VPN device as the source subnet !--- The 10.3.3.0/24 is remote subnet reside at the PIX 3 remote VPN device as the destination subnet access-list 130 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 ! !--- No NAT in place for traffic to other PIX Firewall private networks !--- This access list associates with the nat 0 (inside) command access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 access-list 100 permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 ! pager lines 24 logging on logging facility 20 logging queue 512 mtu outside 1500 mtu inside 1500 ! !--- The outside interface IP address will be used as the local VPN peer IP address ip address outside 172.18.124.153 255.255.255.0 ! ip address inside 10.1.1.1 255.255.255.0 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 arp timeout 14400 ! !--- Do not perform NAT for traffic to other PIX Firewalls !--- This assumes that there is no overlapping subnet within your network nat (inside) 0 access-list 100 ! !--- Note that the following static route also cover IP reachability to the remote subnets route outside 0.0.0.0 0.0.0.0 172.18.124.1 1 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius no snmp-server location no snmp-server contact snmp-server community public snmp-server enable traps floodguard enable ! !--- This is to permit data passing (regulated by the Phase 2 access list) between sites !--- without applying specific inbound access list into the local IPSec VPN tunnel interface sysopt connection permit-ipsec ! no sysopt route dnat ! !--- The Phase 2 IPSec VPN type and method used !--- In this illustration, Protocol 50 (ESP) with DES encryption and MD5 hash is used crypto ipsec transform-set myset esp-des esp-md5-hmac ! !--- The "crypto map" command specify the access list that regulate data passing between !--- local and remote VPN devices; !--- specify the remote VPN peer IP address; !--- and specify the Phase 2 IPSec VPN tunnel type and method used ! !--- IPsec configuration for the Phase 2 IPSec VPN tunnel to PIX 2: ! crypto map newmap 20 ipsec-isakmp crypto map newmap 20 match address 120 crypto map newmap 20 set peer 172.18.124.154 crypto map newmap 20 set transform-set myset ! !--- IPsec configuration for the Phase 2 IPSec VPN tunnel to PIX 3: ! crypto map newmap 30 ipsec-isakmp crypto map newmap 30 match address 130 crypto map newmap 30 set peer 172.18.124.157 crypto map newmap 30 set transform-set myset ! !--- This is to specify that outside interface is to be used as the local VPN peer interface crypto map newmap interface outside ! !--- This is to enable ISAKMP key exchanging on the outside interface as the local VPN peer interface isakmp enable outside ! !--- The "isakmp key" command specify the preshared key and remote VPN peer IP addresses !--- of each Phase 1 VPN tunnel isakmp key ****** address 172.18.124.154 netmask 255.255.255.255 no-xauth no-config-mode isakmp key ****** address 172.18.124.157 netmask 255.255.255.255 no-xauth no-config-mode ! !--- This is to use the local VPN peer IP address for Phase 1 VPN peer IP address matching process isakmp identity address ! !--- The Phase 1 VPN tunnel type and method used ! !--- The lowest number of ISAKMP policy will be used to see if it is working. !--- If the policy number does not work, then !--- proceed to the next bigger policy number to see if that works isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 1 isakmp policy 10 lifetime 1000 ! isakmp policy 20 authentication pre-share isakmp policy 20 encryption des isakmp policy 20 hash md5 isakmp policy 20 group 1 isakmp policy 20 lifetime 1000 ! telnet timeout 5 ssh timeout 5 terminal width 80 Cryptochecksum:436c96500052d0276324b9ef33221b2d : end To understand the complete picture, please review the PIX-to-PIX IPSec Fully Meshed Sample Configuration. Side Note: Further understanding regarding each PIX command and technology behind it, check out the following Cisco link: Cisco PIX Firewall Command Reference Version 6.3 Note that from VPN connection perspective, the actual data can only be passing between two sites when followings are met (in addition of other basic interconnectivity requirement) * Phase 1 is established: matching VPN peer IP address, preshared key, Phase 1 encryption type and method * Phase 2 is established: matching VPN peer IP address, access list, Phase 2 IPSec type and method * Proper IP Routing is in place: either by static routes or by dynamic routing protocol In other words, configuration between two VPN devices must match. Sample Configurations Following is sample configuration of site-to-site IPSec VPN tunnel between two sites. As to full mesh (or partially mesh) site-to-site VPN involving three or more sites, it is basically similar setup as the single site-to-site VPN between two sites. You just need to setup the tunnel one by one; between 1st and 2nd sites, between 1st and 3rd sites, between 2nd and 3rd sites, and so on. Specifically in setting up IPSec tunnel on Cisco router, PIX, or ASA in hub and spoke, partially mesh, or fully mesh setup that involve three or more sites; you need to use different sequence number of "crypto map" command for each remote VPN IP address and specific access list that regulate the encrypted traffic. The PIX-to-PIX sample configuration illustrates that. PIX to PIX Configuring PIX to PIX to PIX IPSec Fully Meshed Router to Router 1. Basic Configuration Configuring Router-to-Router IPSec Using AES Encryption Configuring IPSec Between Three Routers Using Split Tunneling Configuring IPSec Router-to-Router Hub and Spoke Configuring IPSec Router-to-Router Hub and Spoke with Communication Between the Spokes Configuring IPSec Router-to-Router Fully Meshed 2. Extended Configuration Configuring an IPSec Tunnel through a Firewall with NAT Configuring a Router IPsec Tunnel Private-to-Private Network with NAT and a Static Configuring an IPSec Tunnel Between Routers with Duplicate LAN Subnets Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between a Private and a Public Network Configuring a Router-to-Router LAN-to-LAN Tunnel with a Router Initiating IKE Aggressive Mode Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients Router to VPN 3000 Concentrator Configuring the Cisco VPN 3000 Concentrator to a Cisco Router EZ VPN PIX to Router http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml PIX to VPN 3000 Concentrator http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949d2.shtml PIX to Checkpoint 4.1 Firewall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml PIX to Checkpoint NG Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml PIX to Juniper Netscreen Firewall http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml PIX to Sonicwall http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml PIX to Zywall »Cisco Forum FAQ »How do I configure a Zywall/Pix ipsec VPN Various Cisco Devices to Microsoft Windows server http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml Some discussions »[Config] Configuring More Than 1 VPN Tunnel (871w) Basic Troubleshooting 1. Phase 2 (IPSec - the actual data passing) * Make sure the data source and destination IP addresses or subnets match the regulating access list * Check the data passing process between the two sites. In Cisco equipment, you can issue the show crypto ipsec sa command or feature which will show the SA (Security Association) between encrypted traffic (outgoing data) and decrypted traffic (incoming data) 2. Phase 1 (ISAKMP - the key) * Assuming you use preshared key, make sure the remote VPN peer IP address and key match between two VPN device configuration * Check the Phase 1 VPN tunnel up/down status between two sites. In Cisco equipment, you can issue the show crypto isakmp sa command or feature which will show the up/down tunnel status between local VPN peer IP address and remote VPN peer IP address. * Issue simple connection test to the remote site (the remote VPN peer IP address) such as ICMP ping and traceroute (whenever possible) * Reboot one or both VPN devices sometime might solve VPN connectivity issue Further Reading: VPN Tunnel To Support Non-IP traffic and/or Dynamic Routing Protocols: GRE over IPSec »Cisco Forum FAQ »Private Routing over VPN: GRE over IP Sec feedback form by aryoba last modified: 2008-07-07 13:58:15
How do I configure a Zywall/Pix ipsec VPN (#8377)
The network layout that this configuration works for is 192.168.0.0 /24 -> Zywall 2x -> Speedstream 5100(PPOE)->internet ->Cisco 1720 -> x.x.x.192 /26 public ip pool -> Pix 501 -> 192.168.1.0 /24 The outside interface of the Pix is x.x.x.194 Pix config MYCOFW# write t PIX Version 6.1(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 hostname MYCOFW domain-name MYCOMPANY.com access-list To-Internet permit ip 192.168.1.0 255.255.255.0 any access-list To-Internet permit ip 192.168.2.0 255.255.255.0 any access-list To-Internet permit icmp any any access-list From-Internet permit tcp any host x.x.x.196 eq smtp access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 echo-reply access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 unreachable access-list From-Internet permit icmp any x.x.x.192 255.255.255.192 time-exceeded access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list NoNAT permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list to-internet permit icmp any any interface ethernet0 10baset interface ethernet1 10full mtu outside 1500 mtu inside 1500 ip address outside x.x.x.194 255.255.255.192 ip address inside 192.168.1.25 255.255.255.0 ip local pool MYCOippool 192.168.2.1-192.168.2.254 global (outside) 1 x.x.x.200-x.x.x.250 netmask 255.255.255.192 global (outside) 1 x.x.x.251 nat (inside) 0 access-list NoNAT nat (inside) 1 192.168.1.0 255.255.255.0 0 0 access-group From-Internet in interface outside access-group To-Internet in interface inside route outside 0.0.0.0 0.0.0.0 x.x.x.193 1 http 192.168.1.0 255.255.255.0 inside sysopt connection permit-ipsec sysopt connection permit-pptp no sysopt route dnat crypto ipsec transform-set MyCOTransf esp-3des esp-md5-hmac crypto dynamic-map MYCOdynmap 10 set transform-set MYCOTransf crypto map MYCOmap 10 ipsec-isakmp dynamic MYCOdynmap crypto map MYCOmap client configuration address initiate crypto map MYCOmap client configuration address respond crypto map MYCOmap interface outside isakmp enable outside isakmp key ****** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode isakmp identity address isakmp client configuration address-pool local MYCOippool outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 28800 vpngroup MYCOvpn address-pool NONATippool vpngroup MYCOvpn dns-server 205.171.3.65 vpngroup MYCOvpn wins-server 192.168.1.1 vpngroup MYCOvpn default-domain MYCOMPANY.com vpngroup MYCOvpn idle-time 1800 vpngroup MYCOvpn password **** vpngroup MYCO address-pool NONATippool vpngroup MYCO dns-server 192.168.1.1 205.171.3.65 vpngroup MYCO wins-server 192.168.1.1 vpngroup MYCO default-domain MYCO.com vpngroup MYCO idle-time 1800 vpngroup MYCO password **** vpdn group 1 accept dialin pptp vpdn group 1 ppp authentication pap vpdn group 1 ppp authentication chap vpdn group 1 ppp authentication mschap vpdn group 1 client configuration address local NONATippool vpdn group 1 pptp echo 60 vpdn group 1 client authentication local vpdn username xxxx password xxxx vpdn username yyyy password yyyyy vpdn username zzzz password zzzzz vpdn enable outside Zywall Config: Menu 27.1.1 - IPSec Setup Index #= 1 Name= Work Active= Yes Keep Alive= Yes Nat Traversal= No Local ID type= IP Content= My IP Addr= 0.0.0.0 Peer ID type= IP Content= x.x.x.194 Secure Gateway Address= x.x.x.194 Protocol= 17 Local: Addr Type= SUBNET IP Addr Start= 192.168.0.0 End/Subnet Mask= 255.255.255.0 Port Start= 0 End= N/A Remote: Addr Type= SUBNET IP Addr Start= 192.168.1.0 End/Subnet Mask= 255.255.255.0 Port Start= 0 End= N/A Enable Replay Detection= Yes Key Management= IKE Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main PSK= ****** Encryption Algorithm= 3DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Key Group= DH2 Phase 2 Active Protocol= ESP Encryption Algorithm= 3DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None In addition I had to enable 2 firewall rules on the Zywall Wan/WanZywall interface. 1) Source address (x.x.x.192 255.255.255.192) Destination (Any) forward Any Tcp Any Udp 2) source address (Any) Destination (Any) forward (ike,gre,ah,esp) I also include icmp & auth, though I don't think these are necessary for the vpn, they help with dslr line monitoring & my mail server. feedback form by TerryMiller edited by aryoba last modified: 2006-09-12 05:57:47
PAT/NAT Router/PIX passing through VPN tunnel (#14239)
PIX passing IPSec tunnel Configuring an IPSec Tunnel through a PIX Firewall with NAT GRE passing over PIX-to-PIX IPSec tunnel to support OSPF Configuring a GRE Tunnel over IPSec with OSPF IPSec tunnel passthrough on NAT/PAT Device and Utilize Single Public IP Address For Both Internet and IPSec Tunnel 1. Router as the NAT/PAT Device IOS Router to Pass a LAN-to-LAN IPSec Tunnel via PAT 2. PIX Firewall as the NAT/PAT Device »www.cisco.com/en/US/tech/tk583/t···6e.shtml feedback form by aryoba last modified: 2008-01-23 16:09:19
Private Routing over VPN: GRE over IP Sec (#14240)
Suggested prerequisite reading: »Cisco Forum FAQ »Setting Up Private Site-To-Site Connections »Cisco Forum FAQ »Between GRE/IPSEC and IPSEC VPN tunnels When you need to broadcast private routing (dynamic routing protocols) over VPN, then in general you need to run GRE over IP Sec. Followings are the sample configurations. Running OSPF Configuring a GRE Tunnel over IPSec with OSPF Running EIGRP GRE over IPSec with EIGRP to Route Through a Hub and Multiple Remote Sites IPX Routing over GRE/IPSec Configuring GRE and IPSec with IPX Routing Configuring IPSec with EIGRP and IPX Using GRE Tunneling Note: The previous sample configurations assume both the GRE and IPSec VPN terminate at a router. When somehow the router IOS image feature only supports GRE tunnel and there will be a PIX Firewall in front of the router to establish the IPSec tunnel, then you can check out the following FAQ for illustrations. »Cisco Forum FAQ »PAT/NAT Router/PIX passing through VPN tunnel For full mesh site-to-site VPN with the above GRE over IPSec approach involving three sites or more, it is basically similar setup as the single site-to-site VPN between two sites. You just need to setup the tunnel one by one; between 1st and 2nd sites, between 1st and 3rd sites, between 2nd and 3rd sites, and so on. DMVPN When Cisco routers act as the VPN device at all sites, it is simpler and scalable to run DMVPN between routers instead the previous GRE over IPSec approach. With DMVPN, there will be no need to manually setup each tunnel for each connection between two sites. DMVPN will be "dynamically" setting up necessary tunnels. Should you decide to run DMVPN, verify your router IOS image version support it. IOS image version with Advanced Enterprise (or probably Advanced IP Services) feature should support DMVPN. Check out following links for more info on DMVPN. Dynamic Multipoint IPsec VPNs (Using Multipoint GRE/NHRP to Scale IPsec VPNs) Configuring DMVPN Spoke Router in Full Mesh IPsec VPN Using SDM Configuring Dynamic Multipoint VPN Using GRE Over IPsec With OSPF, NAT, and Cisco IOS Firewall New Feature on ASA or PIX Firewall running OS version 7.x or later With new OS version, it is no longer requirement to encapsulate OSPF into GRE tunnel in order to pass it through IPSec VPN tunnel. By running OS version 7.x or later, ASA or PIX Firewall is now able to pass OSPF through IPSec VPN tunnel just like pass through GRE or any IP traffic. Check out the following link for sample configuration. PIX/ASA 7.x and later: VPN/IPsec with OSPF Configuration Example feedback form by aryoba last modified: 2008-07-14 11:11:33
VPN: Static mappings with overloaded NAT and VPN (#10380)

All FAQs » Cisco Forum FAQ » 40.2 Security Sample Configurations

40.2 Security Sample Configurations

Basic Internet Firewall ACL for Routers without IOS image Firewall feature (#14453)

Configure DMZ on routers (#15913)

Sample IOS Firewall (CBAC) router configuration (#13435)

Sample Configuration of ACL-CBAC-IDS/IPS-IPSec VPN on router (#14762)

Zone-Based Firewall Sample Configuration (#15839)

Internet access restriction without a proxy server/websense solution? (#14018)

Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall (#14243)

How do I configure a Zywall/Pix ipsec VPN (#8377)

PAT/NAT Router/PIX passing through VPN tunnel (#14239)

Private Routing over VPN: GRE over IP Sec (#14240)

VPN: Static mappings with overloaded NAT and VPN (#10380)