Getting SSL VPN and ZBF to Play Nice on a Cisco 2811 Router
A few weeks ago, I started a project at work that I'm really enjoying working on. That project is setting up a Cisco 2811 router for our network, replacing a SonicWall 4060 Pro firewall that no longer serves our purposes as well as we'd like. While working late nights, with very particular windows of time in which to do the testing and configuring while the designers and developers aren't working, isn't always easy, I'm really having fun setting a router up from scratch. Come to think of it, I've never actually configured a Cisco router from a blank config to fully functional in a production environment before; everything I've done up to this point has been either on lab equipment as part of my studies or on existing networks with routers that just need a little tweak here and there.
Now, for the problem. My coworker in the IT department had previously been working on this project on and off for a while, attempting to set us up with a router that does all the basic functions of an internet router, (NAT, proper 802.1Q VLAN tagging, etc.,) as well as setting up the Zone-Based Firewall (ZBF) and SSL VPN using SDM for almost the entire process. Suffice it to say, he wasn't able to finish up the project and now it's my turn to take a crack at it. I've just gotten to the point where he hit a wall and wasn't able to continue, so I thought I'd get some advice as to what I need to do next.
I've got NAT working properly, I've got ZBF doing its voodoo without any problems whatsoever, but I'm unsure of how to get SSL VPN to play nice with the firewall. From my understanding, I need to configure VPN Routing and Forwarding (VRF) in order for ZBF to properly handle VPN traffic. However, I keep searching through Cisco's documentation and I don't really get any documentation discussing VRF outside the context of MPLS and BGP.
Before I really dig in and attempt to set up SSL VPN on the router, (this'll be my first dance with SDM as well,) I just wanted to get some advice from people who know better than I do as to how I proceed from here. I don't necessarily need hand-holding (yet), but if anyone can point me to howto docs, articles, or just give me a breakdown of what I'm doing next, I'd be eternally grateful.
It's an odd feeling, looking at ZBF and SSL VPN like such a noob. At the same time, I can't help feeling all giddy and excited because it's brand-new to me and I honestly get to ask "what now" type of questions.
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
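As an added illustration (this is not configuration from the original poster or from the thread), the sketch below shows the piece that usually trips people up when combining ZBF with IOS SSL VPN: the full-tunnel clients land on virtual-access interfaces cloned from a Virtual-Template, and ZBF only forwards traffic between interfaces that are both in zones, so the template itself must be a zone member and the traffic to the SSL VPN gateway on the router (the built-in self zone) must be allowed. Zone names, addresses, the address pool, interface numbers, the trustpoint name and the AAA list name are all assumptions chosen for the example.

```ios
! Added example, not from the thread. All names, subnets and interface
! numbers are assumptions for illustration.
!
! Three zones: INSIDE (LAN), OUTSIDE (Internet), SSLVPN (tunnelled clients).
! The router itself is the implicit "self" zone; the SSL VPN gateway lives there.
zone security INSIDE
zone security OUTSIDE
zone security SSLVPN
!
! Addresses handed to SSL VPN full-tunnel (AnyConnect/SVC) clients.
ip local pool SSLVPN-POOL 10.99.0.10 10.99.0.200
!
! What VPN clients may reach on the LAN: stateful inspection, everything else dropped and logged.
class-map type inspect match-any CM-SSLVPN-TO-INSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-SSLVPN-TO-INSIDE
 class type inspect CM-SSLVPN-TO-INSIDE
  inspect
 class class-default
  drop log
zone-pair security ZP-SSLVPN-INSIDE source SSLVPN destination INSIDE
 service-policy type inspect PM-SSLVPN-TO-INSIDE
!
! Once any zone-pair involving "self" exists, traffic to the router is no longer
! implicitly permitted, so the HTTPS listener of the SSL VPN gateway must be allowed.
! (Assumption: the image supports "inspect" toward the self zone; otherwise use "pass"
! with a mirrored self -> OUTSIDE policy.)
ip access-list extended ACL-SSLVPN-GATEWAY
 permit tcp any host 203.0.113.1 eq 443
class-map type inspect match-all CM-SSLVPN-GATEWAY
 match access-group name ACL-SSLVPN-GATEWAY
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-SSLVPN-GATEWAY
  inspect
 class class-default
  drop log
zone-pair security ZP-OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
interface FastEthernet0/0
 description Internet (assumed public address)
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
!
! Each Virtual-Access interface cloned from this template inherits the zone membership.
! A template left out of every zone means client traffic is silently dropped by ZBF.
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 zone-member security SSLVPN
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint TP-SSLVPN-ASSUMED
 inservice
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 aaa authentication list SSLVPN-AUTH
 virtual-template 1
 policy group DEFAULT
  functions svc-enabled
  svc address-pool "SSLVPN-POOL"
  svc split include 192.168.1.0 255.255.255.0
 default-group-policy DEFAULT
 inservice
```

The point of the sketch is the zone-pair from SSLVPN to INSIDE plus the `zone-member security` line on the Virtual-Template; with those in place the VPN clients are just another zone for ZBF to police, with no VRF involved. Inspecting the self zone is optional, but once you add a self zone-pair for anything else, remember to keep port 443 to the gateway address open or the SSL VPN stops accepting connections.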
Comments
Turgon Banned Posts: 6,308
Cisco IOS hints and tricks: Deploying Zone-Based Firewalls
Ivan might help you on his blog if you get stuck.
Slowhand Mod Posts: 5,161
Cisco IOS hints and tricks: Deploying Zone-Based Firewalls
Ivan might help you on his blog if you get stuck.
Turgon Banned Posts: 6,308
No worries. Ivan's experience and knowledge are immense. One of the first 150 CCIEs.
Cisco IOS hints and tricks: Why I'm no longer an active CCIE
NIL - NIL CCIE Experts