ZBFW and IPSEC VPN

Security problems (VPN, firewall, IDS/IPS etc.)
DOOM
member
Posts: 22
Joined: 24 Nov 2015, 10:03
Location: Legionowo

#1 Post by DOOM »

Hello,

I have a problem getting traffic through to one of the remote sites. Yesterday I replaced the main router with an ISR4321 and configured ZBFW and all the GRE+IPSEC tunnels. I assigned them to the Inside zone and everything is fine with them. The problem is with the policy-based tunnel. There is no interface, so I have nowhere to assign a zone. The issue is that from the LAN side of the ISR4321 everything is OK: ICMP to the other side goes through and comes back. But from the other side, ping only reaches the ISR4321, and there is a problem with the other hosts. So the remote site sees only the gateway on the other side of the tunnel.

zet69
wannabe
Posts: 138
Joined: 20 Jun 2007, 08:53

#2 Post by zet69 »

Hi,
can you show a piece of the config with the interfaces, zones, GRE and IPsec?

DOOM
member
Posts: 22
Joined: 24 Nov 2015, 10:03
Location: Legionowo

#3 Post by DOOM »

Code:

class-map type inspect match-all all-private
 match access-group 90
class-map type inspect match-all private-ftp
 match protocol ftp
 match access-group 90
class-map type inspect match-all private-ssh
 match protocol ssh
 match access-group 90
class-map type inspect match-any ipsec-class
 match access-group name IPSECtraffic
class-map type inspect match-all private-http
 match protocol http
 match protocol https
 match access-group 90
class-map type inspect match-any netbios
 match protocol msrpc
 match protocol netbios-dgm
 match protocol netbios-ns
 match protocol netbios-ssn
class-map type inspect match-all private-netbios
 match class-map netbios
 match access-group 90
!
policy-map type inspect priv-pub-pmap
 class type inspect private-http
  inspect
 class type inspect private-ftp
  inspect
 class type inspect private-ssh
  inspect
 class type inspect private-netbios
  inspect
 class type inspect all-private
  inspect
 class type inspect ipsec-class
  pass
 class class-default
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
!
crypto logging session
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key IPSecPSK address 123.456.789.013  no-xauth
crypto isakmp key IPSecPSK address 123.456.789.012  no-xauth
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set transformset-01 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map DynMap 10
 set transform-set TransformSet
crypto dynamic-map DynMap 15
 set transform-set myset
 reverse-route
!
!
crypto map nolan03 client authentication list userauthen
crypto map nolan03 isakmp authorization list groupauthor
crypto map nolan03 client configuration address respond
crypto map nolan03 170 ipsec-isakmp
 set peer 123.123.123.013
 set peer 123.123.123.012
 set transform-set transformset-01
 match address 109
crypto map nolan03 65535 ipsec-isakmp dynamic DynMap
!
interface Loopback0
 no ip address
!
interface GigabitEthernet0/0/0
 description Link to LAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip flow monitor LAN input
 ip flow monitor LAN output
 ip access-group ToInternet in
 zone-member security private
 ip route-cache policy
 ip policy route-map serwer
 load-interval 30
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 negotiation auto
!
interface GigabitEthernet0/0/1.99
 description *** VLAN 99 WAN ***
 encapsulation dot1Q 99
 ip address 123.123.123.014 255.255.255.224 secondary
 ip address 123.123.123.015 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 ip flow monitor Flowmon1 input
 ip flow monitor Flowmon input
 ip flow monitor Flowmon1 output
 ip flow monitor Flowmon output
 ip access-group FromInternet in
 zone-member security public
 ip tcp adjust-mss 1400
 ip policy route-map serwer
 crypto map nolan03
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 10.0.2.0 0.0.0.255
 network 10.0.11.0 0.0.0.255
 network 10.0.12.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
 network 172.16.1.4 0.0.0.3
 redistribute static route-map RedStatic
 passive-interface GigabitEthernet0/0/1
 passive-interface GigabitEthernet0/0/1.99
!
ip nat inside source list natACL interface GigabitEthernet0/0/1.99 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 123.123.123.016
ip ssh logging events
!
!
!
ip access-list extended FromInternet
 permit ip any any
ip access-list extended IPSEC
 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended IPSECtraffic
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit udp any any eq non500-isakmp
 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
 permit ip 192.168.150.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended ToInternet
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.103.0 0.0.0.255 any
 permit ip 10.0.11.0 0.0.0.255 any
 permit ip 10.0.12.0 0.0.0.255 any
 permit ip 10.0.13.0 0.0.0.255 any
 permit ip 192.168.150.0 0.0.0.255 any
 deny   ip any any
ip access-list extended natACL
 deny   ip 192.168.103.0 0.0.0.255 192.168.97.0 0.0.0.255
 deny   ip 192.168.103.0 0.0.0.255 192.168.99.0 0.0.0.255
 deny   ip 192.168.103.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.103.0 0.0.0.255 any
 permit ip 10.0.13.0 0.0.0.255 any
 deny   ip 10.0.12.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.12.0 0.0.0.255 172.0.0.0 0.240.255.255
 deny   ip 10.0.12.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.12.0 0.0.0.255 any
 permit ip 10.0.11.0 0.0.0.255 any
 deny   ip 10.250.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.250.0.0 0.0.255.255 172.0.0.0 0.240.255.255
 deny   ip 10.250.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.250.0.0 0.0.255.255 any
 permit ip 10.0.2.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.70.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 172.18.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.0.0.255 host 172.168.1.1
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip 10.0.201.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.0.201.0 0.0.0.255 172.0.0.0 0.240.255.255
 deny   ip 10.0.201.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 10.0.201.0 0.0.0.255 any
 permit ip 192.168.70.0 0.0.0.255 any
!
access-list 109 permit ip 10.0.0.0 0.0.0.255 192.168.150.0 0.0.0.255
!
!
route-map nonat permit 10
 match ip address nonat
!
The GRE+IPSEC tunnels work fine. I didn't paste them here; the problem is only with the policy-based one. Traffic from this site to the other one works, i.e. from 10.0.0.0/24 to 192.168.150.0/24. The problem is in the other direction: from the 192.168.150.0/24 subnet I can only reach 10.0.0.1, nothing else. For now I have worked around the problem by sending the traffic through the GRE tunnel to a site where I still have an ISR 2921, on which I have no problem with IPsec tunnels. So traffic between these sites goes: ISR4321 --> GRE + IPSEC ---> ISR 2921 ---> IPSEC ---> destination network. But this is a temporary solution that I would prefer to change.

zet69
wannabe
Posts: 138
Joined: 20 Jun 2007, 08:53

#4 Post by zet69 »

Hi,
then show the PBR as well, because it isn't in the config here (serwer; is it needed on both interfaces?).
As for the ZBFW, add

Code:

 class class-default
  drop log

then you'll see in the logs what is being dropped by the ZBFW. I think you should also add traffic from the public zone to self, something like:

Code:

policy-map type inspect OutsideToRouter
 class type inspect ipsec-class
  pass
 class class-default
  drop
zone-pair security OutsideToRouter source public destination self
 service-policy type inspect OutsideToRouter
but I'm not sure, it's been a long time since I played with this.
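As an added example (not DOOM's or zet69's config) the fragment below writes out the public-to-self pair sketched above in full and adds the piece the thread's symptom points to: on a crypto-map interface the decrypted packets enter ZBFW in the zone of that physical interface (public here), so with no public-to-private zone-pair only the router's own self zone (10.0.0.1) stays reachable from 192.168.150.0/24. Zone names, the IPSEC ACL and priv-pub-pmap come from the posted config; SELF-IN, self-in-class, PUB-SELF-PMAP, vpn-decrypted and PUB-PRIV-PMAP are names chosen here.

```cisco
! Added example, not from the thread. Names SELF-IN, self-in-class,
! PUB-SELF-PMAP, vpn-decrypted and PUB-PRIV-PMAP are chosen here;
! zones public/private and ACL IPSEC are from DOOM's posted config.
!
! 1) public -> self: what the Internet may send to the router itself.
!    GRE is included because the decrypted GRE of the working GRE+IPsec
!    tunnels also enters here and would otherwise be dropped.
ip access-list extended SELF-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
 permit gre any any
!
class-map type inspect match-any self-in-class
 match access-group name SELF-IN
!
policy-map type inspect PUB-SELF-PMAP
 class type inspect self-in-class
  pass
 class class-default
  drop log
!
zone-pair security pub-self source public destination self
 service-policy type inspect PUB-SELF-PMAP
!
! 2) public -> private: the policy-based tunnel's traffic after
!    decryption still counts as entering the public zone, so with no
!    public -> private pair only the self zone (10.0.0.1) is reachable
!    from 192.168.150.0/24. The existing IPSEC ACL covers both directions.
class-map type inspect match-all vpn-decrypted
 match access-group name IPSEC
!
policy-map type inspect PUB-PRIV-PMAP
 class type inspect vpn-decrypted
  inspect
 class class-default
  drop log
!
zone-pair security pub-priv source public destination private
 service-policy type inspect PUB-PRIV-PMAP
!
! 3) Log what the existing private -> public policy already drops.
policy-map type inspect priv-pub-pmap
 class class-default
  drop log
```

After applying it, `show policy-map type inspect zone-pair pub-priv` and the `drop log` messages show whether the return traffic from 192.168.150.0/24 is now matched by vpn-decrypted or still lands in class-default.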
