Zone-Based Firewall with NAT and VPN

So has anyone deployed a full implementation of the zone-based firewall with inside, dmz, and outside zones complete with NAT and VPN? The thing is a piece of cake without NAT and VPN. Once I introduce NAT things go downhill REAL quick. I will admit I've got this labbed up in GNS3 at the moment, a first. I really want to start using this for some of my customers but I haven't gotten it to the point where I'm willing to say it is ready for primetime. If I can't get this thing working COMPLETELY soon I'm just going to have to stick with ASAs. I want to be able to use the ISRs due to their ability to terminate GRE and also for some nice VPN functionality such as DMVPN and GETVPN.

Cisco IOS Software, 3700 Software (C3745-ADVIPSERVICESK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)


    Which vpn? ipsec? anyconnect? I just setup a 2801 with zbf, ipsec remote vpn, and nat. I'll post the config tomorrow.

    IPSec, but I'm not even that far because my traffic flows with NAT alone aren't right. I've gone through several major configurations trying to keep an open mind and see if I just don't understand, but I'm not getting anywhere solid with it. I know how I think it should be, but no luck.

    Been a while since I tried to conquer this. Guess I'm going to try a different platform to see how I fare. It's starting to look like I'm going to have to fix my broken physical lab to try it out there as well. Ahh well. Such is life.

    Here's a simple working config. Obviously this site uses DHCP externally.
    class-map type inspect match-all SELF_OUT
     match protocol icmp
    class-map type inspect match-all DHCP
     match access-group name DHCP
    class-map type inspect match-any ZBF_ALLOW_ALL
     match protocol dns
     match protocol icmp
     match protocol ftp
     match protocol telnet
     match protocol ssh
     match protocol tcp
     match protocol udp
    class-map type inspect match-all SSH
     match protocol ssh
     match access-group name SSH
    class-map type inspect match-all IPSEC
     match access-group name IPSEC
    !
    ! Every class in an inspect policy-map needs an explicit action
    ! (inspect / pass / drop); class-default drops unless told otherwise.
    policy-map type inspect INSIDE-OUTSIDE
     class type inspect ZBF_ALLOW_ALL
      inspect
     class class-default
      drop
    policy-map type inspect SELF-OUTSIDE
     class type inspect SELF_OUT
      inspect
     class class-default
      drop
    policy-map type inspect OUTSIDE-SELF
     ! ESP and ISAKMP terminate on the router itself and cannot be
     ! stateful-inspected, so they are passed rather than inspected
     class type inspect IPSEC
      pass
     ! DHCP offers/acks arriving at the WAN interface's client port
     class type inspect DHCP
      pass
     class type inspect SSH
      inspect
     class class-default
      drop
    zone security INSIDE
    zone security OUTSIDE
    zone-pair security OUTSIDE-SELF source OUTSIDE destination self
     service-policy type inspect OUTSIDE-SELF
    zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
     service-policy type inspect INSIDE-OUTSIDE
    zone-pair security SELF-OUTSIDE source self destination OUTSIDE
     service-policy type inspect SELF-OUTSIDE
    interface GigabitEthernet0/0
     description INTERNET
     ip address dhcp
     ip nat outside
     ip virtual-reassembly in
     zone-member security OUTSIDE
    interface GigabitEthernet0/1
     description LAN
     ! (LAN address and mask were left out of the original post)
     ip address
     ip nat inside
     ip virtual-reassembly in
     zone-member security INSIDE
    ip nat inside source list NAT interface GigabitEthernet0/0 overload
    ip access-list extended DHCP
     permit udp any any eq bootpc
    ip access-list extended IPSEC
     permit esp any any
     permit udp any any eq isakmp
     permit udp any any eq non500-isakmp
    ip access-list extended NAT
     permit ip any any
    ip access-list extended SSH
     permit tcp host X.X.X.X any eq 22
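The config above has only INSIDE and OUTSIDE zones, while the original question was about INSIDE, DMZ and OUTSIDE with NAT. The following is an added example, not a config from anyone in this thread, extending the same ZBF pattern to a third zone with PAT for the LAN and a static NAT for a DMZ web server. All addresses (10.0.0.0/24, 10.0.1.0/24, 203.0.113.0/30, the server at 10.0.1.10/203.0.113.10), interface GigabitEthernet0/2 and the ACL/class/policy names are constructed for illustration. The point it demonstrates is the one that usually makes NAT "go downhill" with ZBF: for OUTSIDE to DMZ traffic the NAT un-translation happens before the zone-pair policy is evaluated, so the class-map ACL has to match the server's private (inside local) address, not its public one.

```cisco
! Added example: three-zone ZBF with NAT (constructed addresses, not from the thread)
!   LAN 10.0.0.0/24  on Gi0/1 -> zone INSIDE
!   DMZ 10.0.1.0/24  on Gi0/2 -> zone DMZ, web server 10.0.1.10
!   WAN 203.0.113.2/30 on Gi0/0 -> zone OUTSIDE, server's public address 203.0.113.10
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
! PAT for LAN and DMZ hosts behind the WAN address
ip nat inside source list NAT interface GigabitEthernet0/0 overload
! Static NAT for the DMZ server (inside local -> inside global);
! assumes the ISP routes 203.0.113.10 to this router
ip nat inside source static 10.0.1.10 203.0.113.10
!
! OUTSIDE -> DMZ is un-NATed before the zone-pair policy runs,
! so match the PRIVATE address here, not 203.0.113.10
ip access-list extended DMZ-WEB-IN
 permit tcp any host 10.0.1.10 eq www
 permit tcp any host 10.0.1.10 eq 443
!
class-map type inspect match-all DMZ-WEB-IN
 match access-group name DMZ-WEB-IN
class-map type inspect match-any INSIDE-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
! Only what the DMZ server itself needs to start (DNS, NTP, web updates)
class-map type inspect match-any DMZ-EGRESS
 match protocol dns
 match protocol ntp
 match protocol http
 match protocol https
!
policy-map type inspect OUTSIDE-DMZ
 class type inspect DMZ-WEB-IN
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-DMZ
 class type inspect INSIDE-ANY
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-OUTSIDE
 class type inspect INSIDE-ANY
  inspect
 class class-default
  drop
policy-map type inspect DMZ-OUTSIDE
 class type inspect DMZ-EGRESS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security DMZ
zone security OUTSIDE
! No DMZ->INSIDE or OUTSIDE->INSIDE zone-pair is defined: traffic between
! zones without a pair is dropped, and inspect handles the return traffic
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-OUTSIDE
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-DMZ
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-DMZ
zone-pair security DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect DMZ-OUTSIDE
!
interface GigabitEthernet0/0
 description INTERNET
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
interface GigabitEthernet0/2
 description DMZ
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
```

Two checks are worth running in the lab after applying something like this: `show ip nat translations` confirms the static entry for 10.0.1.10 and the PAT entries for LAN hosts, and `show policy-map type inspect zone-pair sessions` shows which zone-pair and class a given flow landed in. If an inbound web connection shows up in `show ip nat translations` but never appears as a session on the OUTSIDE-DMZ pair, the ACL is almost certainly matching the public address instead of the private one.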

    You rock brother. Sometimes all you need is a solid example!
