Cisco VPN :: 2800 Zone-Based FW And L2L IPSec VPN

Jul 24, 2012

I have a 2800 router connecting a small office to the Internet.  I am using zone-based firewall to provide protection.  The small office also needs to connect to another office.  The 2800 is at the small office and an ASA at HQ.   I successfully established the VPN connection and have allowed Internet access for the small office.  The purpose of this post is my zone-base fw policy doesn't appear to be as secure as it could be.
 
2800 - I have defined two zones (inside and outside).  Traffic from the inside to the outside is inspected expect for the traffic to the other office.  I allow traffic to the other office to "pass" zbfw.  Because the traffic "passes" zbfw, I have to "pass" the same traffic for the outside to in policy.  The ASA has "sysopt" to allow VPN traffic to bypass the outside_acl.  Do routers and zone-based firewall have a similar feature?

View 1 Replies


ADVERTISEMENT

Cisco :: Zone Based Firewall Really Needed

Sep 18, 2012

I'm having a few problems at the moment with a zone based firewall setup. The more I looked into the problems the more I question whether I need the ZBF or not.My network is pretty simple. 1 Internet connection and 1 LAN interface and a few site to site vpns to the router.So what do people think to having this kind of set up and not using a ZBF?

View 11 Replies View Related

Cisco :: 3845 - Traditional ACL Vs Zone Based FW

Sep 28, 2011

I have a 3845 ISR that I have been managing for a couple years that has a traditional ACL based config.  We just purchased a new 3845 for redundancy and it arrived with the zone based config from Cisco.  Any opinions on whether I should take the existing router to a zone based config or should I configure the new router with traditional ACL config that I am more comforatable with? 

View 1 Replies View Related

Cisco :: 2900 - Implement Zone-Based Firewall?

Dec 25, 2012

I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.)  Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need.  Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?

View 2 Replies View Related

Cisco Switching/Routing :: 881 - Zone Based Firewall (Can't Access Router With CCP)

Mar 3, 2013

I'm having an issue accessing a clients router on the WAN interface with Cisco config pro. I can get CLI access with SSH without any issue.  I have port 22 and 443 allowed as management access from my public IP - SSH working fine but config pro being refused connection, Possibly a certificate issue?

View 1 Replies View Related

Cisco WAN :: Zone Based Firewall On ASR1002 With Xconnect Encapsulation Mpls

Apr 3, 2013

we have an ASR1002 running zone-based-firewall with 2 zones:

zone_ouside
zone_ph
 
I have a common ZFW-configuration on that interfaces, e.g.
 
<code>
class-map type inspect match-any pass_cmap_in
match access-group name pass-ipv4-in
!
class-map type inspect match-any ph_cmap_in
match access-group name ph-ipv4-in

[code]....
 
There is some basic stuff in the Access-Lists; direction ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else. The pass-ipv4-in/out ACL contains particularly the udp-500/4500-stuff as well as gre/esp/ah.
 
Here are the zone-pairs:

<code>
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
service-policy type inspect ph_pmap_in
!
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
service-policy type inspect ph_pmap_out
!
</code>

[code]...
 
The xconnect is only built up correctly when I configure the interface in the zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN-Interface, only arp-packet are allowed to tgo through the tunnel.
 
The L2VPN connects a branch office to the network of "PH". Now the trouble starts: when they are putting a host in the branch office, DHCP via the L2VPn works fine, they can ping anything from the branch office-PC in their local network and reach all internal servers etc.
 
BUT if they want to go to a destination outside their network, it will not work properly. For example, the branch-office-PC can ping 8.8.8.8 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout. Netstat says, that the http-syn is sent, but no ack is received.

On the router, I see:

Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
 
whereas x.y.225.250 is the PC connected via L2VPN in the branch office to their local lan. When they put the same machine in their local lan directly behind the router (without l2vpn) everything works fine. When I switch off the firewall on the Gi0/0/0-Interface, the PC from the branch office also reaches its destination, so for me it looks like the firewall inspects the traffic going via Gi0/0/1 and L2VPN, what in my opinion, it should not do....

View 1 Replies View Related

Cisco Firewall :: 1811 / Zone Based FW With Non-standard HTTP Port

Apr 4, 2011

We are testing a Zone Based FW config since 1month, everything run smooth but we're having problem ( big slow speed access ) when a user try to reach a website on a non-standard port ( 8080 in that case ). All the trafic stay in our LAN, using a IPSEC/EZVPN connection between the 2 sites.As soon as I have disabled the Zone Based FW, the speed was much better.
 
I'm sure I'm missing a parameter to fix that problem but I tried many different options and I didn't find anything yet. All the routers are Cisco 1811 running adv IP Services 15.1.2.T1 IOS.A port-map has been created to map the port 8080 to the HTTP protocol for the inspection.The PC will have an IP address in the 10.2.2.x/24 and will access a server on 10.2.3.x/24, both devices are part of the zone private in each site/LAN.All the access between sites are managed by an ASA; the IPSEC/EZVPN peer.Little summary, it's gonna be something like : SiteA with a PC on private zone then on public zone for the EZVPN to SiteB on public zone and then private zone to access the server in the LAN.

View 6 Replies View Related

Cisco Routers :: SR520 Not Criterion In Zone-based Policy Firewall Class-maps

Jan 16, 2012

I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress): Class- maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match.where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall. There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.

View 0 Replies View Related

Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemtion works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
 
This is a single point of failure and what I need is a way to mitigate that. Under:

redundancy
application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibilty of a backup control link, for example the internal LAN interface or a dedicated backup link.
 
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?

View 1 Replies View Related

Cisco Firewall :: 1921-SEC / Terminate Each IPSec Connection In Separated Zone

Apr 26, 2011

We are using a CISCO1921-SEC Router. On the "WAN" side we have 1 public IP Adress assigned by DHCP. At the moment we are using the WAN Interface with a crypto-map as endpoint of some IPSec connections. We set up a zone-based-firewall with "WAN" and "LAN" zone. In this setup all IPSec Endpoints are on one Interface - connections to the "LAN" zone can be managed by rulesets. What about connections between IPSec connections and the zone "self".We like to terminate each IPSec connection in a separated zone. How can this be configured ?Each one on a "tunnel inetface" with "tunnel source ..." binding ?

View 4 Replies View Related

Cisco Firewall :: 2901 - How To Avoid SMTP Inspection On Zone Based Firewall

Aug 2, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0). The original configuration.

View 2 Replies View Related

Cisco Firewall :: 2901 To Avoid SMTP Inspection On Zone Based Firewall

Jun 21, 2011

We had a problem with SMTP inspection dropping some regular emails (Cisco 2901 IOS 15.0).Incoming mails are going thru Spam and Virus Blocker so that bypassing SMTP inspection is not security issue in this case.

View 1 Replies View Related

Cisco Firewall :: IOS Zone Based Firewall Websense URL Filtering Feature On 881G

Jul 27, 2011

I've been trying to configured Websense urlfiltering using ZFW feature on my Cisco 881G router. The router is running on IOS 15.0(1)M with Advanced IP Services. And I have confirmed it supports urlfilter feature.
 
This is what I tried to accomplish but IOS version 15.0x seems to have different command set.
-----------------------
class-map type inspect httptraffic
match protocol http
parameter-map type urlfilter param
server vendor websense 10.20.30.40
[Code]...

View 2 Replies View Related

Cisco Firewall :: 1811 / Zone-Based Policy Firewall Configuration

May 16, 2011

I have two 1811's connected in a lab using a ipsec vpn tunnel (using a switch to simulate an internet connection between them).I am trying to configure one of the routers as a ZBPF just to allow a remote windows login (DC on the firewalled side, workstations on the other side).I'm trying to verify that the zbpf is working, but it doesn't seem to stop anything.  I had match icmp added to the class-map, but took it out to test if icmp would fail.  It didn't.  Basically, I don't think the firewall is working at all.  Any thoughts on how I can configure this so that the policies will work between zone-pairs?

Here's an quick drawing:

Here are the configurations:

 Local router:
 hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy

[code]....

View 11 Replies View Related

Cisco Firewall :: 3945 / Zone Based Firewall And WAN Interface ACL?

Mar 16, 2011

I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site.  I will be terminating a site-to-site VPN tunnel on it and also configuring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets).  My question is about how to approach securing the WAN interface with the Zone based FW in place?what kind of ACL do I need beyond those allowing and restricting remote access to the outside ip? 

View 3 Replies View Related

Cisco Firewall :: 1841 - Which IOS Support Zone Based Firewall

Jan 3, 2013

I have a cisco 1841 router  , and i want to configure zone based firewall on it. But the document of zone based firewall only said that "after 12.4(6)T" can support zone based firewall. I use the ios  " c1841-ipbasek9-mz.124-15.T9.bin ", but it can't support ZFW. What kind of ios support ZFW. for example: ipbase, ent base, ip service ,advent etc.

View 2 Replies View Related

Cisco VPN :: 1841 / VPN Site-to-site With Zone Based Firewall

Jan 28, 2013

The problem I am having is very strange and I have tried to upgrade the IOS on the 1841 to solve the problem but no luck.  The issue is when I enable Zone Based firewall security on of the 1841 routers two VPN site-to-site tunnels stops working.  If I turn off CEF (no ip cef) then the traffic for both tunnels works.  Someone told me that the Zone Based firewall must have a match for the VPN traffic and I created that with ACL 160 and 161 but it did not solve the problem.
 
Current IOS is below.
 
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.0(1)M9, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Sep-12 23:58 by prod_rel_team

[code]....

View 2 Replies View Related

Cisco Firewall :: Zone Based Firewall Performance On ASR 1004

Sep 11, 2011

we are experiencing performance issues on ASR 1004 with ZBF as our campus edge router.Symptoms:

- sending small packets from inside zone to outside zone, for example UDP packets without payload
- this way I can generate up to 150.000 pps traffic (testing with packeth software, but we have had a real example with some kind of worm/virus)
- CPU load is about 1% (yes one!) to 2% all time !! (weird)
- ASR response to pings rises very quickly up to 5 seconds which makes box unusable dropping everything what goes through ZBF (so internet connection is gone)
- if I do the ping directly from box, it seems to work fine (no rules from self to outside zone in ZBF)
- if I remove interfaces from inside and outside zone (so disabling ZBF) and do the test again, ASR response goes from normal (0.2ms) up to 2ms (still sending 150.000 pps) and everything seems to work fine)
 
According to Cisco Datasheets: routing, Qos, Zbf ... on ASR 1000 with RP1, ESP10 should be done in hardware with up to 17.000.000 pps performance.

View 5 Replies View Related

Cisco Firewall :: 2951 Zone Based Firewall

Feb 16, 2011

I am confiuring ZFW on a Cisco 2951 Router. The router has the following interfaces: [code]Port Channel 1, 1.5, 1.10, 1.15, 1.20 have been added to the zone called IN-OUT. All the subinterfaces correspond to an internal VLAN.The router is connected to a MPLS network and has a BGP peer on interface MPPP. Over the MPLS network, an ecrypted DMVPN tunnel to HQ has been built (tunnel 0). EIGRP is the routing protocol running over the tunnel.Traffic coming in from HQ has to be firewalled on this router (don't ask me why!!). As a result, I am configuring ZFW on this router.
 
1-The router itself does not need to be protected, only the servers in the remote offices. That being said, I am not planning to create any self zone on this router. I don't want to break BGP, therefore the MPPP interface will NOT belong to any zone. Is this the correct way to do it?
 
2-The tunnel 0 interface will belong to OUT-IN zone that will protect all incoming traffic into this site from HQ. So when writing class-maps for the traffic coming INTO this site, do I need to write any class-maps for EIGRP or ESP? My guess is no, since that traffic will not be coming into the site, but rather just terminating on the router.

View 5 Replies View Related

Cisco WAN :: 2800 Implement IPSec VPN Between Two Routers

Aug 20, 2009

We want to implement an IPSec VPN between two routers cisco 2800 IOS version of what we need.

View 4 Replies View Related

Cisco VPN :: HSRP IPSec Stateful Failover On 2800 Platform

Mar 26, 2012

I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) Module.is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)

View 5 Replies View Related

Cisco Firewall :: 2901 / ZBFW - DMZ-Zone To In-Zone Access

Jun 9, 2012

I have a Cisco 2901 which terminates a Class C address pool. I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
 
dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
 
I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
 
Within the:
 
dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
 
I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
 
I have Policy:

POLICY-DMZ-IN (dmz-zone to in-zone) which has:
any any udp/tcp inspect
any any icmp inspect
unmatched traffic DROP/LOG
 
But I still cannot get anything from dmz-zone to in-zone...Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?

NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.

View 4 Replies View Related

Cisco VPN :: ASA 5520 / Domain Based IPSEC VPN

May 28, 2012

Currently we are having a 2 ISP for Internet. Need to achieve redundancy for IPSEC VPN using the domain.

Requirement :Will configure a domain and assign two public IP address from 2 service providers. Will set the priority for the public ip address and do the manual change during the ISP failure.We will provide the domain name to the clients to setup the IPSEC VPN.So incase of failure by one ISP, we will change the priority in the domain to point to the availble address.So that we can reduce the downtime and no need of configuring new IPSEC VPN tunnels.

Question :Whether we can achieve this in Cisco ASA 5520.Or do we have an alternate solution to overceome this solution.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

View 3 Replies View Related

Cisco WAN :: 2800 How Many Site-to-site Ipsec Tunnel Without Vpn Module

Sep 20, 2011

Can i know cisco 2800 router can support how many site-to-site ipsec tunnel without vpn module?

View 2 Replies View Related

Add A Dos Based Computer To A Windows Based Network?

Jan 18, 2012

How do I...add a dos based computer to a network running windows 2003

View 1 Replies View Related

Cisco Routers :: Can RV042G IPSec VPN Support Apple IOS IPSec VPN

Apr 29, 2013

I tried any type of combination and just couldn't make it works.  Only PPTP works well. Whether Apple iOS IPSec VPN is supported or not?

View 11 Replies View Related

D-Link DIR-655 :: Guest Zone Keeps On And Off

Nov 25, 2012

im having a problem on my DIR-655, i just recently updated my DIR 655 2.03NA(which is no problem at all) to 2.10NA, & im having problem on my GUEST ZONE wireless network everytime i connect my Iphone 4 to it every second 10 seconds it goes on & off & i try to connect to the main wireless network it was working fine any causes to this?

View 14 Replies View Related

Cisco :: IOS Zone - Firewall Stateful Failover?

Aug 3, 2011

I've seen you can configure stateful failover between two routers running ip inspect classic firewall: url...Can the same be done yet for zone-firewall? I cannot find any documentation on it.

View 1 Replies View Related

Cisco :: Can't Ping WebServer Of DMZ Zone Using Public IP

Feb 28, 2013

I have my webserver (30.30.30.50) located at DMZ zone. The public IP of my webserver is (119.2.116.191). From outside i can ping my webserver using public IP thats fine.The issue out here is, if i want to ping my webserver using public IP from Internal LAN then i cannot ping but i can ping my webserver using private IP.I am using ASA5520. [code]

View 2 Replies View Related

Cisco :: 3750 Switch Time Zone Off

Apr 28, 2013

some of my switches (3750s) are on the right time and some are not. i have them all pointed to the same DC for NTP and they all say they are synchronized. is it possible to have the switches pole the DC for the right time and update?

View 4 Replies View Related

Cisco WAN :: 2901 ISR - How To Do Zone Firewall Config

Sep 12, 2012

I'm sure this is simple to resolve.  I just bought a new Cisco 2901 ISR Router.  How do I configure the Cisco 2901 ISR Router for Zone Firewall?  The "zone" command is not recognized and does not show up in the "?" list in config or user modes -

View 4 Replies View Related

Cisco Firewall :: ASA5520 And Public IP Zone

Apr 5, 2011

I'm trying to setup a zone behind my firewall with complete publicly routeable IP addresses for 3 servers. The reason I'm doing this is I am in the network setup stage of an OCS implementation, and OCS connections don't behave well with NAT.
 
My device is a ASA5520. I have an internal zone, and a dmz zone. These are done via standard NAT configurations.
 
My question is this:
 
Is it possible to setup connectivity to the outside with internal servers that have Public IP's directly on their NIC's? Another little detail of interest is that this ip space is seperate than the one that's on current Outside interface facing our ISP. However we own both address space.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved