Now that most connectivity has been configured the next step will be creating access rules to restrict access as needed, as well as grant access where needed. This is going to primarily apply to the branch routers, but the HQ routers can (and should) be configured similarly.
Before we get into what that means let’s cover how this is going to work.
Much to my chagrin, gone are the days of the “permit any any established” rules. Those have been replaced by stateful packet inspection. What this means is that inbound packets are inspected to see if they match an existing outbound flow. If the traffic is part of an established flow then it is allowed. If not, then it’s dropped.
This gets a bit more complicated with the addition of the Zone-based Firewall (ZBF) in the ISR. Instead of applying rules to the interface they are applied to the zone pairs.
Here’s the high level flow.
- Class maps are created (and specify ACLs as needed)
- Policy maps are created (and specify class maps as needed)
- Security zones are created
- Zone pairs are created, with source and destination specified, then the policy map is applied
- Interfaces are assigned to security zones
- ACLs are created for traffic definitions
Maybe a diagram will help. This diagram shows the commands needed to allow traffic to flow from the inside IP range of 10.0.0.0/8 from the inside interface Gi0/0/0 to any IP on the outside interface Gi0/0/1. Lines in red are the commands.
[Diagram: Access Control]
For the ISR deployment there are a number of rules that we need to allow for the creation of VPN tunnels on the external interfaces. Now, let’s get to what the basic config will look like.
These are all CLI commands, so you will need to be at a config prompt. The first command simply logs packets that are dropped by the policies.
parameter-map type inspect global
 log dropped-packets
The next step will be class maps. There are five maps: one for inside to outside, and then a pass class and an inspect class for each direction between the outside and the router.
class-map type inspect match-any Inside-Outside-Class
 match protocol ftp
 match protocol icmp
 match protocol udp
 match protocol tcp
class-map type inspect match-any Inspect-ACL-Out-Class
 match access-group name ACL-RTR-Out
class-map type inspect match-any PASS-ACL-In-Class
 match access-group name ESP-In
 match access-group name GRE-In
class-map type inspect match-any PASS-ACL-Out-Class
 match access-group name ESP-Out
class-map type inspect match-any Inspect-ACL-In-Class
 match access-group name ACL-RTR-In
Next come the policy maps. These are the policies that reference the classes that were just created.
policy-map type inspect Inside-Outside-Policy
 class type inspect Inside-Outside-Class
  inspect
 class class-default
  drop
policy-map type inspect ACL-In-Policy
 class type inspect Inspect-ACL-In-Class
  inspect
 class type inspect PASS-ACL-In-Class
  pass
 class class-default
  drop
policy-map type inspect ACL-Out-Policy
 class type inspect Inspect-ACL-Out-Class
  inspect
 class type inspect PASS-ACL-Out-Class
  pass
 class class-default
  drop
By looking at the policies it’s easy to see that we will be passing inbound ESP and GRE traffic (the ACLs will follow), as well as outbound ESP traffic. Everything else that is allowed through the ACLs will be inspected.
The next step will be to create the security zones for the ZBF.
zone security Internet
zone security MPLS
zone security default
For now we are just creating a zone for each connection type. More zones will be added later as the config is built out.
Now that the zones are created we create zone pairs, which link a source and destination zone and apply one of the policies that were created to the traffic between those zones. One thing to be aware of is that the router itself uses the “self” zone. That means that traffic to the router is matched by the “self” zone, so we can use that in the zone pairs.
zone-pair security Router-Internet source self destination Internet
 service-policy type inspect ACL-Out-Policy
zone-pair security Router-MPLS source self destination MPLS
 service-policy type inspect ACL-Out-Policy
zone-pair security Inside-Internet source default destination Internet
 service-policy type inspect Inside-Outside-Policy
zone-pair security Inside-MPLS source default destination MPLS
 service-policy type inspect Inside-Outside-Policy
zone-pair security Internet-Router source Internet destination self
 service-policy type inspect ACL-In-Policy
zone-pair security MPLS-Router source MPLS destination self
 service-policy type inspect ACL-In-Policy
The next step is to associate the interfaces with the corresponding security zones. Since there are only two actual zones (Internet and MPLS) this is pretty straightforward. All the other interfaces are using the default zone for now. Replace the interface names below with the correct interfaces for your deployment.
int gi0/0/1
 zone-member security Internet
int gi0/0/2
 zone-member security MPLS
Now the only thing left to do is to create the ACLs. The ACLs here are based on a Cisco IWAN document. There are a number of areas where they can be tweaked. The obvious change would be disabling ICMP if that is a requirement for your environment. Another change would be to put in specific addresses instead of “any” for the VPN related rules. I would strongly recommend making at least the inbound rules more restrictive.
ip access-list extended ACL-RTR-In
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit udp any any gt 1023 ttl eq 1
ip access-list extended ACL-RTR-Out
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit icmp any any
 permit tcp any any eq 8080
 permit udp any any eq domain
ip access-list extended ESP-In
 permit esp any any
ip access-list extended ESP-Out
 permit esp any any
ip access-list extended GRE-In
 permit gre any any
Now that these rules are in place the routers should still establish the VPN tunnels, and traffic from the outside world should be restricted.
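As an added example (my own Python, not from the post or from Cisco), here is a small audit of the ZBF configuration built above: it parses the class maps, policy maps, zone pairs and ACLs, reports any reference to an object that was never defined, and, for zone pairs whose destination is self, flags inbound ACL entries that still permit any source, which is the tightening recommended above. The config excerpt is constructed and trimmed for the example, with GRE-In deliberately left undefined so the check has something to find.

```python
import re
# Constructed, trimmed excerpt of the post's Internet -> self rules; GRE-In is deliberately left undefined.
ZBF_CONFIG = """\
class-map type inspect match-any Inspect-ACL-In-Class
 match access-group name ACL-RTR-In
class-map type inspect match-any PASS-ACL-In-Class
 match access-group name ESP-In
 match access-group name GRE-In
policy-map type inspect ACL-In-Policy
 class type inspect Inspect-ACL-In-Class
 class type inspect PASS-ACL-In-Class
zone-pair security Internet-Router source Internet destination self
 service-policy type inspect ACL-In-Policy
ip access-list extended ACL-RTR-In
 permit udp any any eq isakmp
 permit icmp host 192.0.2.1 any echo
ip access-list extended ESP-In
 permit esp any any
"""
# Section openers (kind, name, optional zone-pair destination) and child lines that reference an object or are an ACE.
OPENER = re.compile(r"(class-map|policy-map|ip access-list|zone-pair) (?:type inspect (?:match-any |match-all )?|extended |security )(\S+)(?: source \S+ destination (\S+))?")
CHILD = re.compile(r"(?:match access-group name|class type inspect|service-policy type inspect) (\S+)|(?=permit |deny )")

def parse_zbf(text):
    """Return {kind: {name: [referenced names or ACEs]}} and {zone-pair name: destination zone}."""
    tables, dest, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := OPENER.match(line):
            cur = tables.setdefault(m.group(1), {}).setdefault(m.group(2), [])
            if m.group(3):
                dest[m.group(2)] = m.group(3)
        elif cur is not None and (m := CHILD.match(line)):
            cur.append(m.group(1) or line)  # a referenced object name, or a whole ACE
    return tables, dest

def audit(text):
    """Flag dangling references, then inbound (destination self) ACEs that permit any source."""
    t, dest = parse_zbf(text)
    cmaps, pmaps, acls, pairs = (t.get(k, {}) for k in ("class-map", "policy-map", "ip access-list", "zone-pair"))
    out = []
    for name, refs in cmaps.items():
        out += [f"class-map {name}: undefined ACL {a}" for a in refs if a not in acls]
    for name, refs in pmaps.items():
        out += [f"policy-map {name}: undefined class-map {c}" for c in refs if c not in cmaps]
    for pair, policies in pairs.items():
        out += [f"zone-pair {pair}: undefined policy-map {p}" for p in policies if p not in pmaps]
        if dest.get(pair) == "self":  # traffic aimed at the router itself: the post says to tighten these
            for acl in sorted({a for p in policies for c in pmaps.get(p, []) for a in cmaps.get(c, [])}):
                out += [f"inbound {acl}: '{e}' allows any source" for e in acls.get(acl, []) if e.startswith("permit") and len(e.split()) > 2 and e.split()[2] == "any"]
    return out
```

Running `audit(ZBF_CONFIG)` reports the undefined GRE-In ACL and the two any-source entries, while the host-restricted ICMP entry passes.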