Zone-Based Firewall with NAT and VPN
cisco_trooper
Member Posts: 1,441
So has anyone deployed a full implementation of the zone-based firewall with inside, dmz, and outside zones complete with NAT and VPN? The thing is a piece of cake without NAT and VPN. Once I introduce NAT things go downhill REAL quick. I will admit I've got this labbed up in GNS3 at the moment, a first. I really want to start using this for some of my customers but I haven't gotten it to the point where I'm willing to say it is ready for primetime. If I can't get this thing working COMPLETELY soon I'm just going to have to stick with ASAs. I want to be able to use the ISRs due to their ability to terminate GRE and also for some nice VPN functionality such as DMVPN and GETVPN.
Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Comments
-
phoeneous (Member Posts: 2,333)
Which VPN? IPsec? AnyConnect? I just set up a 2801 with ZBF, IPsec remote VPN, and NAT. I'll post the config tomorrow.
-
cisco_trooper (Member Posts: 1,441)
IPsec, but I'm not even that far, because my traffic flows with NAT alone aren't right. I've gone through several major configurations, trying to keep an open mind and see if I just don't understand, but I'm not getting anywhere solid with it. I know how I think it should be, but no luck.
-
cisco_trooper (Member Posts: 1,441)
Been a while since I tried to conquer this. Guess I'm going to try a different platform to see how I fare. It's starting to look like I'm going to have to fix my broken physical lab to try it out there as well. Ahh well. Such is life.
-
kalebksp (Member Posts: 1,033)
Here's a simple working config. Obviously this site uses DHCP externally.

class-map type inspect match-all SELF_OUT
 match protocol icmp
class-map type inspect match-all DHCP
 match access-group name DHCP
class-map type inspect match-any ZBF_ALLOW_ALL
 match protocol dns
 match protocol icmp
 match protocol ftp
 match protocol telnet
 match protocol ssh
 match protocol tcp
 match protocol udp
class-map type inspect match-all SSH
 match protocol ssh
 match access-group name SSH
class-map type inspect match-all IPSEC
 match access-group name IPSEC
!
policy-map type inspect INSIDE-OUTSIDE
 class type inspect ZBF_ALLOW_ALL
  inspect
 class class-default
  pass
policy-map type inspect SELF-OUTSIDE
 class type inspect SELF_OUT
  inspect
 class class-default
  pass
policy-map type inspect OUTSIDE-SELF
 class type inspect IPSEC
  pass
 class type inspect DHCP
  pass
 class type inspect SSH
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect SELF-OUTSIDE
!
interface GigabitEthernet0/0
 description INTERNET
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN
 ip address 172.30.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list extended DHCP
 permit udp any any eq bootpc
ip access-list extended IPSEC
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended NAT
 permit ip 172.30.10.0 0.0.0.255 any
ip access-list extended SSH
 permit tcp host X.X.X.X any eq 22
!
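The posted config has no OUTSIDE-to-INSIDE zone-pair, which is exactly the direction that breaks once NAT and a site-to-site IPsec tunnel are added; the fragment below is an added example (not from kalebksp or the original thread) that extends it with a static port forward and decrypted VPN traffic, both classified on the inside (private) addresses because IOS translates outside-to-inside packets before ZBF inspects them. The inside web server 172.30.10.10, the remote VPN subnet 10.20.0.0/24 and the zone-pair names are assumed; the crypto map is omitted, and ISAKMP/ESP to the router itself is already passed by the existing OUTSIDE-SELF policy.

```cisco
! --- NAT: exempt traffic bound for the remote VPN subnet (assumed 10.20.0.0/24)
!     before the overload rule; the ACL is evaluated top-down, so deny comes first
ip access-list extended NAT
 deny   ip 172.30.10.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip 172.30.10.0 0.0.0.255 any
!
! --- Static port forward of HTTPS to an inside server (assumed 172.30.10.10)
ip nat inside source static tcp 172.30.10.10 443 interface GigabitEthernet0/0 443
!
! --- Match lists for the OUTSIDE->INSIDE direction. The destination is the
!     post-NAT private address, never the public address on Gi0/0.
ip access-list extended WEB_IN
 permit tcp any host 172.30.10.10 eq 443
ip access-list extended VPN_IN
 permit ip 10.20.0.0 0.0.0.255 172.30.10.0 0.0.0.255
!
class-map type inspect match-all WEB_IN
 match access-group name WEB_IN
 match protocol tcp
class-map type inspect match-all VPN_IN
 match access-group name VPN_IN
!
! --- Only the forwarded service and decrypted tunnel traffic get in; everything
!     else from OUTSIDE toward INSIDE is dropped (class-default).
policy-map type inspect OUTSIDE-INSIDE
 class type inspect WEB_IN
  inspect
 class type inspect VPN_IN
  inspect
 class class-default
  drop
!
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-INSIDE
```

Confirm the behaviour with `show policy-map type inspect zone-pair sessions` (the inspected flows should show the 172.30.10.x address, not the public one) and `show ip nat translations` (traffic to 10.20.0.0/24 should produce no entries).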
-
cisco_trooper (Member Posts: 1,441)
You rock, brother. Sometimes all you need is a solid example!