Cisco IOS vpn-filter

In the previous article I talked about Cisco ASA vpn-filter functionality. I said that the ASA's implementation of vpn-filter is weird, and I tried to explain why and how to cope with it. Then I came up with a new way of showing just how weird it is: IOS vpn-filter.

Since IOS version 12.3(something), the router no longer checks traffic coming out of the VPN tunnel against the interface ACL. It did prior to that version. Nowadays, we do that by writing a separate ACL for each tunnel we want to filter traffic for. Pretty much like the ASA's vpn-filter, with some differences.

Let's modify our ASA example this way: we will use the same topology, but build the VPN tunnel between two IOS routers, R1 and R2. The ASAs are only going to pass traffic and do basic NAT. We are going to add a loopback on each router so we have networks to build the tunnel for. So, it looks like this:

Now, if you remember the requirements from the ASA vpn-filter article, we will stick to them:
– allow telnet traffic from 1.1.1.0/24 to 2.2.2.0/24
– allow web traffic from 2.2.2.0/24 to 1.1.1.0/24
– allow ICMP both ways
– drop and log anything else

In IOS it's pretty easy and logical. We look at the VPN tunnel as an ordinary interface. We create one ACL for controlling the traffic going out through the tunnel and one ACL for the traffic coming in from the tunnel. So we have "in" and "out" directions on the "interface". The only difference is that there is no "interface"! We apply these ACLs under the appropriate crypto map entry. For the sake of this demo, we are in charge of R1.

R1
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$9H3Q$5X7UplPohadNhLTYg1Xj10
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key spop123 address 10.0.2.2
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map F0-0 100 ipsec-isakmp
 set peer 10.0.2.2
 set ip access-group VPNFILTER21 in
 set ip access-group VPNFILTER12 out
 set transform-set TS1
 match address CRYPTO12
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map F0-0
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.1.254
!
!
ip http server
no ip http secure-server
!
ip access-list extended CRYPTO12
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
ip access-list extended VPNFILTER12
 permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq telnet
 permit tcp 1.1.1.0 0.0.0.255 eq www 2.2.2.0 0.0.0.255
 permit icmp any any
 deny ip any any log
!
ip access-list extended VPNFILTER21
 permit tcp 2.2.2.0 0.0.0.255 eq telnet 1.1.1.0 0.0.0.255
 permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq www
 permit icmp any any
 deny ip any any log
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password spop123
 login
!
!
end

The two "set ip access-group" lines under the crypto map entry are where we apply the ACLs. You can treat the crypto map entry for this peer almost as an ordinary interface: we have one ACL for each direction.

The "out" ACL is VPNFILTER12 (12 stands for "router one to router two"), applied with "set ip access-group VPNFILTER12 out". The "in" ACL is VPNFILTER21 (21 stands for "router two to router one"), applied with "set ip access-group VPNFILTER21 in".

I feel some clarification is needed on these ACLs. In VPNFILTER12 we need to meet our first requirement, which is passing telnet traffic from 1.1.1.0/24 to 2.2.2.0/24, hence the line:

permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq telnet

Then let's think about the second requirement, which is allowing web traffic from 2.2.2.0/24 to 1.1.1.0/24. In the "out" direction this means we need to allow the returning web traffic, which has 1.1.1.0/24 as its source and www as its source port:

permit tcp 1.1.1.0 0.0.0.255 eq www 2.2.2.0 0.0.0.255

The remaining lines:

permit icmp any any
deny ip any any log

just satisfy requirements three and four.

Almost the same thing is going on with the traffic coming in from the tunnel (VPNFILTER21): we need to allow web traffic to meet requirement two, but we also need to allow the returning telnet traffic for sessions originated from the 1.1.1.0/24 network, because these ACLs are not stateful and will not track the session for us.
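To see why each ACL needs its "returning traffic" line, here is an added example that is not part of the original post: a small Python model of IOS first-match extended ACL evaluation, fed with the VPNFILTER12 and VPNFILTER21 lines from the R1 config above. The parser assumes contiguous wildcard masks and only the "eq" port operator, which is all these ACLs use.

```python
import ipaddress
# ACL text copied from the R1 config on this page; parser and evaluator are added here.
VPNFILTER12 = """permit tcp 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 eq telnet
permit tcp 1.1.1.0 0.0.0.255 eq www 2.2.2.0 0.0.0.255
permit icmp any any
deny ip any any log"""
VPNFILTER21 = """permit tcp 2.2.2.0 0.0.0.255 eq telnet 1.1.1.0 0.0.0.255
permit tcp 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255 eq www
permit icmp any any
deny ip any any log"""
PORTS = {"telnet": 23, "www": 80}

def _endpoint(tokens):
    """Consume 'any' or 'A.B.C.D wildcard', then an optional 'eq <port>'."""
    if tokens[0] == "any":
        net, tokens = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    else:  # IOS wildcard mask is an inverted netmask; contiguous masks assumed
        wild = int(ipaddress.ip_address(tokens[1]))
        net = ipaddress.ip_network(f"{tokens[0]}/{32 - wild.bit_length()}", strict=False)
        tokens = tokens[2:]
    port = None
    if tokens and tokens[0] == "eq":
        port = PORTS[tokens[1]] if tokens[1] in PORTS else int(tokens[1])
        tokens = tokens[2:]
    return net, port, tokens

def parse(text):
    """Turn ACL lines into (action, proto, src_net, sport, dst_net, dport) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        src, sport, rest = _endpoint(t[2:])
        dst, dport, _ = _endpoint(rest)  # a trailing 'log' keyword is ignored
        rules.append((t[0], t[1], src, sport, dst, dport))
    return rules

def evaluate(acl, proto, src, sport, dst, dport):
    """First match wins, as in IOS; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in acl:
        if (rproto in ("ip", proto) and src in rsrc and dst in rdst
                and rsport in (None, sport) and rdport in (None, dport)):
            return action
    return "deny"

def session_allowed(src, sport, dst, dport, proto="tcp"):
    """Both legs must pass: crypto map ACLs are stateless, so replies need their own permit."""
    out_acl, in_acl = parse(VPNFILTER12), parse(VPNFILTER21)
    from_r1 = ipaddress.ip_address(src) in ipaddress.ip_network("1.1.1.0/24")
    first, reply = (out_acl, in_acl) if from_r1 else (in_acl, out_acl)
    return (evaluate(first, proto, src, sport, dst, dport) == "permit"
            and evaluate(reply, proto, dst, dport, src, sport) == "permit")
```

Telnet from 1.1.1.0/24, web from 2.2.2.0/24 and ICMP both ways pass both legs; telnet the other way or web from 1.1.1.0/24 fails, which is exactly the four requirements.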

So it’s very easy to meet stated requirements! Cool 🙂

For the sake of being able to copy and paste the configs into your own lab, I provide the R2 config as well. The ASAs don't do much: just basic routing and NATing. Don't forget to allow UDP/500 and ESP on both ASAs so the IPsec tunnel can come up.

R2
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wA5W$npAYlixZZIq3aQ3X.oaCe0
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
no ip domain lookup
ip domain name popravak.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
archive
 log config
  hidekeys
!
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key spop123 address 10.0.1.1
!
!
crypto ipsec transform-set TS1 esp-aes 256 esp-sha-hmac
!
crypto map F0-0 100 ipsec-isakmp
 set peer 10.0.1.1
 set transform-set TS1
 match address CRYPTO21
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map F0-0
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.2.254
!
!
ip http server
no ip http secure-server
!
ip access-list extended CRYPTO21
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 password spop123
 login
!
!
end

Ok, guys, this is it for now. Hope to see you soon!

This entry was posted in Cisco, IOS, VPN.

8 Responses to Cisco IOS vpn-filter

  1. Hans says:

    Excellent explanation! Thanks!
    One more question… Isn't it necessary to allow UDP/500 and ESP traffic in the vpn-filter ACL as well?
    Regards,

  2. Pascal says:

    Excellent article. Thanks for sharing this info.
    I was looking for filtering traffic for VPN clients, do you have any experience?

  3. Wilson says:

    Worked great on Cisco ASA 9.1. The backwards part was tough to see, but thanks to this great article it worked great for a site to site that we had to create. THANKS a million!!!!

  4. Pingback: IKEv2 between IOS routers (SVTI – Static Virtual Tunnel Interface) | popravak
