使用ZBF配置Cisco IOS路由器上的AnyConnect VPN客戶端
簡介
在Cisco IOS® 軟體版本12.4(20)T和更新版本中,為AnyConnect VPN使用者端連線引入了虛擬介面SSLVPN-VIF0。但是,此SSLVPN-VIF0介面是內部介面,不支援使用者配置。這導致AnyConnect VPN和基於區域的策略防火牆出現問題,因為對於防火牆,當兩個介面都屬於安全區域時,流量只能在兩個介面之間流動。由於使用者無法將SSLVPN-VIF0介面配置為區域成員,因此,解密後在Cisco IOS WebVPN網關上終止的VPN客戶端流量無法轉發到屬於安全區域的任何其他介面。通過防火牆報告的以下日誌消息可以看到此問題的症狀:
*Mar 4 16:43:18.251: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.12:0 192.168.10.1:0 due to One of the interfaces not being cfged for zoning with ip ident 0
此問題後來在較新版本的Cisco IOS中解決。使用新代碼,使用者可以將安全區域分配給虛擬模板介面(在WebVPN上下文中引用),以便將安全區域與WebVPN上下文相關聯。
必要條件
需求
為了利用Cisco IOS中的新功能,您需要確保Cisco IOS WebVPN網關裝置運行的是Cisco IOS軟體版本12.4(20)T3、Cisco IOS軟體版本12.4(22)T2或Cisco IOS軟體版本12.4(24)T1及更高版本。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
-
運行15.0(1)M1高級安全功能集的Cisco IOS 3845系列路由器
-
適用於Windows 2.4.1012的Cisco AnyConnect SSL VPN客戶端版本
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
慣例
設定
本節提供用於設定本文件中所述功能的資訊。
註:使用Command Lookup Tool(僅供已註冊客戶使用)可獲取本節中使用的命令的詳細資訊。
網路圖表
本檔案會使用以下網路設定:
配置Cisco IOS AnyConnect伺服器
以下是在Cisco IOS AnyConnect伺服器上需要執行的高級配置步驟,以使其與基於區域的策略防火牆進行互操作。本文檔後面介紹的兩個典型部署方案的最終配置。
-
配置虛擬模板介面,並將其分配到安全區域中,用於通過AnyConnect連線解密的流量。
-
將之前配置的虛擬模板新增到AnyConnect配置的WebVPN上下文中。
-
完成其餘的WebVPN和基於區域的策略防火牆配置。
AnyConnect和ZBF有兩種典型方案,下面是每個方案的最終路由器配置。
部署方案1
VPN流量與內部網路屬於同一安全區域。
AnyConnect流量進入內部LAN介面所屬的安全區域進行解密。
注意:還定義了一個自區域,僅允許到路由器本身的http/https流量進行訪問限制。
| 路由器配置 |
|---|
Router#show run
Building configuration...
Current configuration : 5225 bytes
!
! Last configuration change at 16:25:30 UTC Thu Mar 4 2010 by cisco
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication login webvpn local
!
aaa session-id common
!
!
ip cef
!
!
ip inspect log drop-pkt
no ip domain lookup
!
!
parameter-map type inspect audit-map
audit-trail on
tcp idle-time 20
!
parameter-map type inspect global
!
!
crypto pki trustpoint TP-self-signed-2692466680
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2692466680
revocation-check none
rsakeypair TP-self-signed-2692466680
!
!
crypto pki certificate chain TP-self-signed-2692466680
certificate self-signed 01
<actual certificate deleted here for brevity>
quit
!
!
username cisco password 0 cisco
!
!
class-map type inspect match-any test
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
!
!
policy-map type inspect firewall-policy
class type inspect test
inspect audit-map
class class-default
drop
policy-map type inspect out-to-self-policy
class type inspect router-access
inspect
class class-default
drop
policy-map type inspect self-to-out-policy
class type inspect test
inspect
class class-default
drop
!
zone security inside
zone security outside
zone-pair security in-out source inside destination outside
service-policy type inspect firewall-policy
zone-pair security out-self source outside destination self
service-policy type inspect out-to-self-policy
zone-pair security self-out source self destination outside
service-policy type inspect self-to-out-policy
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
!
interface GigabitEthernet0/1
ip address 209.165.200.230 255.255.255.224
ip nat outside
ip virtual-reassembly
zone-member security outside
!
interface Virtual-Template1
ip unnumbered Loopback0
zone-member security inside
!
!
ip local pool test 192.168.1.1 192.168.1.100
ip forward-protocol nd
!
ip http server
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 209.165.200.225
!
ip access-list extended router-access
permit tcp any host 209.165.200.230 eq www
permit tcp any host 209.165.200.230 eq 443
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
transport input all
line vty 0 4
transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
!
webvpn gateway webvpn_gateway
ip address 209.165.200.230 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2692466680
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context test
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "test"
svc keep-client-installed
svc split include 192.168.10.0 255.255.255.0
virtual-template 1
default-group-policy policy_1
aaa authentication list webvpn
gateway webvpn_gateway
inservice
!
end
|
部署方案2
VPN流量屬於與內部網路不同的安全區域。
AnyConnect流量屬於單獨的VPN區域,並且存在控制哪些vpn流量可以流向內部區域的安全策略。在此特定範例中,允許從AnyConnect使用者端到內部LAN網路的telnet和http流量。
| 路由器配置 |
|---|
Router#show run
Building configuration...
Current configuration : 6029 bytes
!
! Last configuration change at 20:57:32 UTC Fri Mar 5 2010 by cisco
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login webvpn local
!
!
aaa session-id common
!
ip cef
!
!
ip inspect log drop-pkt
no ip domain lookup
!
multilink bundle-name authenticated
parameter-map type inspect global
parameter-map type inspect audit-map
audit-trail on
tcp idle-time 20
!
!
crypto pki trustpoint TP-self-signed-2692466680
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2692466680
revocation-check none
rsakeypair TP-self-signed-2692466680
!
!
crypto pki certificate chain TP-self-signed-2692466680
certificate self-signed 01
<actual certificate deleted for brevity>
quit
!
!
license udi pid CISCO3845-MB sn FOC09483Y8J
archive
log config
hidekeys
username cisco password 0 cisco
!
!
class-map type inspect match-any test
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-all router-access
match access-group name router-access
class-map type inspect match-any http-telnet-ftp
match protocol http
match protocol telnet
match protocol ftp
class-map type inspect match-all vpn-to-inside-cmap
match class-map http-telnet-ftp
match access-group name tunnel-traffic
!
!
policy-map type inspect firewall-policy
class type inspect test
inspect audit-map
class class-default
drop
policy-map type inspect out-to-self-policy
class type inspect router-access
inspect
class class-default
drop
policy-map type inspect self-to-out-policy
class type inspect test
inspect
class class-default
pass
policy-map type inspect vpn-to-in-policy
class type inspect vpn-to-inside-cmap
inspect
class class-default
drop
!
zone security inside
zone security outside
zone security vpn
zone-pair security in-out source inside destination outside
service-policy type inspect firewall-policy
zone-pair security out-self source outside destination self
service-policy type inspect out-to-self-policy
zone-pair security self-out source self destination outside
service-policy type inspect self-to-out-policy
zone-pair security in-vpn source inside destination vpn
service-policy type inspect firewall-policy
zone-pair security vpn-in source vpn destination inside
service-policy type inspect vpn-to-in-policy
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
!
interface GigabitEthernet0/0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security inside
!
!
interface GigabitEthernet0/1
ip address 209.165.200.230 255.255.255.224
ip nat outside
ip virtual-reassembly
zone-member security outside
!
!
interface Virtual-Template1
ip unnumbered Loopback0
zone-member security vpn
!
!
ip local pool test 192.168.1.1 192.168.1.100
ip forward-protocol nd
!
!
ip http server
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 209.165.200.225
!
ip access-list extended broadcast
permit ip any host 255.255.255.255
ip access-list extended router-access
permit tcp any host 209.165.200.230 eq www
permit tcp any host 209.165.200.230 eq 443
ip access-list extended tunnel-traffic
permit ip any 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
modem InOut
transport input all
line vty 0 4
transport input all
!
exception data-corruption buffer truncate
scheduler allocate 20000 1000
!
webvpn gateway webvpn_gateway
ip address 209.165.200.230 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-2692466680
inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context test
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
!
!
policy group policy_1
functions svc-enabled
svc address-pool "test"
svc keep-client-installed
svc split include 192.168.10.0 255.255.255.0
virtual-template 1
default-group-policy policy_1
aaa authentication list webvpn
gateway webvpn_gateway
inservice
!
end
|
驗證
使用本節內容,確認您的組態是否正常運作。
輸出直譯器工具(僅供已註冊客戶使用)(OIT)支援某些show命令。使用OIT檢視show命令輸出的分析。
有幾個show命令與WebVPN關聯。您可以在命令列介面(CLI)上執行這些命令,以顯示statistics和其他資訊。有關show命令的詳細資訊,請參閱驗證WebVPN配置。有關用於驗證基於區域的策略防火牆配置的命令的詳細資訊,請參閱基於區域的策略防火牆配置指南。
疑難排解
本節提供的資訊可用於對組態進行疑難排解。
疑難排解指令
附註:使用 debug 指令之前,請先參閱有關 Debug 指令的重要資訊。
有幾個debug命令與WebVPN關聯。有關這些命令的詳細資訊,請參閱使用WebVPN Debug命令。有關基於區域的策略防火牆調試命令的詳細資訊,請參閱命令。
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
07-Apr-2010 |
初始版本 |
意見