Sunday, 18 August 2013

Zone Based Firewall Advanced Configuration

This post will take you through some advanced configuration scenarios of Cisco IOS Zone Based Firewall. This is a continuation of my previous blog entry Cisco IOS Zone-Based Firewall Step-by-step Configuration Guide.

Following are the features and scenarios we are going to see in this post.

1.)  Zone Based Firewall Layer 7 Application Inspection and Control

2.)  Traffic Policing in Zone-Based Policy Firewall

3.)  Session Control in Zone Based Firewall

4.)  Out-of-Order Packet Processing Support in the Zone-Based Firewall Application

5.)  Tuning Zone-Based Policy Firewall Denial-of-Service Protection

6.)  Content Filtering with IOS Zone Based Firewall

7.)  Self-Zone Configuration in Zone Based Firewall

8.)  Allow SSL WebVPN through Zone Based Firewall

9.)  Allow Cisco Configuration Professional through Zone Based Firewall

10.) Using IPSec VPN with Zone-Based Policy Firewall

1. Zone Based Firewall Layer 7 Application Inspection and Control

ZBFW is capable of performing layer 7 application inspection for the protocols listed below:
Here we are going to discuss the IM layer 7 inspection capability of a Zone Based Firewall.

IM application inspection and control

This feature is currently applicable for the following IM Services:
  • AOL Instant Messenger
  • MSN Messenger
  • Yahoo! Messenger
IM inspection and control offers both Layer 4 Stateful Inspection and Layer 7 Application Control.

Layer 4 inspection is configured similarly to other application services:

 class-map type inspect match-any IM-CLASS
   match protocol [aol | msnmsgr | ymsgr ]

 policy-map type inspect IN-TO-OUT-POLICY
   class type inspect IM-CLASS
      [drop | inspect | pass]

IM applications have a port-hopping capability and contact their servers on multiple ports. To allow an IM service you simply apply a layer 4 inspect action, but if you want to deny a particular IM service you need to define a server list so that ZBFW can identify the traffic associated with that IM application.

First configure the server-list parameter-map:

    parameter-map type protocol-info
      server name
      server ip a.b.c.d
      server ip range a.b.c.d a.b.c.d

Parameter Map

For example, the AOL and Yahoo! IM server list is defined as such:

    parameter-map type protocol-info AOL-SERVERS
     server name
     server name
     server name
     server ip x.x.x.x
     server ip range x.x.x.x y.y.y.y

  parameter-map type protocol-info YAHOO-SERVERS
    server name
    server name
    server name

Class Map

You need to apply the server-list to the protocol definition:

    class-map type inspect match-any IM-BLOCK-CLASS
     match protocol aol AOL-SERVERS
     match protocol ymsgr YAHOO-SERVERS

    class-map type inspect match-all IM-PROTOCOL-CLASS
      match class-map IM-BLOCK-CLASS

Policy Map

    policy-map type inspect IN-TO-OUT-POLICY
     class type inspect IM-PROTOCOL-CLASS
      drop log

You must configure the 'ip domain lookup' and 'ip name-server x.x.x.x' commands in order to enable name resolution.

IM server names are fairly dynamic, so you will need to periodically check that your configured IM server lists are complete and correct. IM application inspection can also differentiate text-chat activity from the other services an IM application offers, so you can, for example, allow text chat while denying the other service capabilities.

2. Traffic Policing in Zone-Based Policy Firewall

Using ZBFW we can limit the transmission rate of specific traffic, which helps keep lower-priority traffic from crowding out business-essential traffic. ZBFW policing can only specify bandwidth use in bytes/second; packet/second and bandwidth-percentage policing are not offered.

Configuring ZBFW Policing

ZBFW policing limits traffic in a policy-map’s class-map to a user-defined rate value between 8,000 and 2,000,000,000 bits per second, with a configurable burst value in the range of 1,000 to 512,000,000 bytes.

In this example I am policing HTTP traffic. ZFW policing is configured in the policy-map, and the police statement is applied after the policy action:

    class-map type inspect match-all HTTP-TRAFFIC
      match protocol http

    policy-map type inspect IN-TO-OUT-POLICY
     class type inspect HTTP-TRAFFIC
      inspect
      police rate [bps rate value {8000-2000000000}] burst [value in bytes {1000-512000000}]

3. Session Control in Zone Based Firewall

ZBFW adds session limiting, which gives granular control over the number of sessions matching any given class-map that cross a zone-pair.

To configure session control you define a parameter-map that contains the session limit and attach it to the inspect action of the class in the policy-map.

parameter-map type inspect HTTP-SESSION-CONTROL
 sessions maximum [1-2147483647]

policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-TRAFFIC
  inspect HTTP-SESSION-CONTROL

4. Out-of-Order Packet Processing Support in the Zone-Based Firewall Application

Out-of-Order (OoO) packet processing support for Common Classification Engine (CCE) firewall application and CCE adoptions of the Intrusion Prevention System (IPS) allows packets that arrive out of order to be copied and reassembled in the correct order. The OoO packet processing reduces the need to retransmit dropped packets and reduces the bandwidth needed for the transmission of traffic on a network. To configure OoO support, use the parameter-map type ooo global command.

 parameter-map type ooo global
   tcp reassembly timeout 5
   tcp reassembly queue length 16
   tcp reassembly memory limit 1024
   tcp reassembly alarm off

5.  Tuning Zone-Based Policy Firewall Denial-of-Service Protection

Refer to Tuning Zone-Based Policy Firewall Denial-of-Service Protection.

6. Content Filtering with IOS Zone Based Firewall

Refer to Cisco IOS Local Content Filtering.

7. Self-Zone Configuration in Zone Based Firewall

For self-zone configuration refer to ZBFW Self-Zone Integration.

8. Allow SSL WebVPN through Zone Based Firewall

[ Refer to: Cisco IOS SSL VPN Configuration Guide ]

ip access-list extended SSL_WEBVPN_ACL
 permit tcp any any eq 443 *

access-list 104 permit ip any host

Class Map

class-map type inspect match-any SSL_CLASS
 match access-group name SSL_WEBVPN_ACL
class-map type inspect match-all SSL_WEBVPN_TRAFFIC
 match class-map SSL_CLASS
 match access-group 104

Policy Map

policy-map type inspect OUT-TO-SELF
 class type inspect SSL_WEBVPN_TRAFFIC
  no drop

Zone Pair

zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF

* By default, Cisco SSL VPN uses port 443.

9. Allow Cisco Configuration Professional through Zone Based Firewall

ip access-list extended CCP_SSH
 permit tcp any any eq 22

ip access-list extended CCP_HTTPS
 permit tcp any any eq 443

ip access-list extended CCP_SHELL
 permit tcp any any eq cmd

access-list 102 permit ip any any

Class Map

class-map type inspect match-any CCP_SSH_CLASS
 match access-group name CCP_SSH

class-map type inspect match-any CCP_HTTPS_CLASS
 match access-group name CCP_HTTPS

class-map type inspect match-any CCP_SHELL_CLASS
 match access-group name CCP_SHELL

class-map type inspect match-any CCP-ACCESS_CLASS
 match class-map CCP_SSH_CLASS
 match class-map CCP_HTTPS_CLASS
 match class-map CCP_SHELL_CLASS

class-map type inspect match-all CCP-ACCESS
 match class-map CCP-ACCESS_CLASS
 match access-group 102

Policy Map

policy-map type inspect OUTSIDE-TO-SELF
 class type inspect CCP-ACCESS
  no drop

Zone Pair

zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
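The fragments in sections 1, 2, 8 and 9 chain class-maps into policy-maps and zone-pairs purely by name, and a mistyped name in any of those references is easy to overlook when reviewing a long configuration. The Python script below is an added example, not part of this post or of Cisco's tooling: it scans a ZBFW configuration fragment for references to zones, class-maps, policy-maps and parameter-maps that are never defined, and for policy-maps that no zone-pair applies. It only understands the top-level keywords used in this post, and the sample configuration inside it is constructed for the demonstration.

```python
import re
from typing import Dict, List, Set

# Constructed sample config (not from the post): IM-PROTOCOL-CLASS references
# IM-BLOCK-CLASS, but the class-map that was actually defined is AOL-BLOCK-CLASS.
SAMPLE_CONFIG = """\
zone security INSIDE
zone security OUTSIDE
parameter-map type protocol-info AOL-SERVERS
 server ip 192.0.2.10
parameter-map type inspect HTTP-SESSION-CONTROL
 sessions maximum 500
class-map type inspect match-any AOL-BLOCK-CLASS
 match protocol aol AOL-SERVERS
class-map type inspect match-all IM-PROTOCOL-CLASS
 match class-map IM-BLOCK-CLASS
class-map type inspect match-all HTTP-TRAFFIC
 match protocol http
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IM-PROTOCOL-CLASS
  drop log
 class type inspect HTTP-TRAFFIC
  inspect HTTP-SESSION-CONTROL
  police rate 64000 burst 8000
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
"""

# Lines that define an object (keyed by object kind) ...
DEFS = {
    "zone": re.compile(r"^zone security (\S+)$"),
    "class-map": re.compile(r"^class-map type inspect (?:\S+ )?(?:match-(?:any|all) )?(\S+)$"),
    "policy-map": re.compile(r"^policy-map type inspect (?:\S+ )?(\S+)$"),
    "parameter-map": re.compile(r"^parameter-map type inspect (\S+)$"),
    "protocol-info": re.compile(r"^parameter-map type protocol-info (\S+)$"),
}
# ... and lines that reference one by name. Indentation is stripped before matching,
# so the inconsistent indentation of hand-pasted fragments does not matter.
REFS = {
    "zone": re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)$"),
    "class-map": re.compile(r"^(?:match class-map|class type inspect) (\S+)$"),
    "policy-map": re.compile(r"^service-policy type inspect (\S+)$"),
    "parameter-map": re.compile(r"^inspect (\S+)$"),
    "protocol-info": re.compile(r"^match protocol \S+ (\S+)$"),
}


def check_zbfw(config: str) -> List[str]:
    """Return human-readable problems found in a ZBFW configuration fragment."""
    defined: Dict[str, Set[str]] = {kind: set() for kind in DEFS}
    defined["zone"].add("self")               # the router's own zone always exists
    defined["class-map"].add("class-default")  # implicit catch-all class
    referenced: Dict[str, Set[str]] = {kind: set() for kind in REFS}
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pattern in DEFS.items():
            if m := pattern.match(line):
                defined[kind].add(m.group(1))
        for kind, pattern in REFS.items():
            if m := pattern.match(line):
                referenced[kind].update(m.groups())
    problems: List[str] = []
    for kind in REFS:
        for name in sorted(referenced[kind] - defined[kind]):
            problems.append(f"{kind} '{name}' is referenced but never defined")
    # A policy-map that no zone-pair applies inspects nothing.
    for name in sorted(defined["policy-map"] - referenced["policy-map"]):
        problems.append(f"policy-map '{name}' is defined but not applied to any zone-pair")
    return problems


if __name__ == "__main__":
    for problem in check_zbfw(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

Paste the output of 'show running-config' (or the relevant fragment) into SAMPLE_CONFIG, or read it from a file, to check a real configuration.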

10. Using IPSec VPN with Zone-Based Policy Firewall

Refer to Using VPN with Zone-Based Policy Firewall.


Friday, 7 June 2013

Cisco IOS SSL VPN Configuration Guide

The Cisco SSL VPN (also known as WebVPN) is a remote access solution which enables a remote user to access his corporate network from anywhere on the Internet. Remote access is provided through a Secure Socket Layer (SSL) enabled SSL VPN gateway. The SSL VPN gateway allows remote users to establish a secure Virtual Private Network (VPN) tunnel using a web browser.

SSL VPN provides the following three modes of access:

1. Clientless  - Clientless mode provides secure access to private web resources. You can access all the resources in your company that use a web interface.

2. Thin-client - Thin-client mode extends this capability by enabling access to TCP-based applications such as POP3, SMTP, IMAP and SSH.

3. Full-tunnel - Full-tunnel mode provides access to virtually any application inside your company. Here the remote user downloads the Cisco AnyConnect VPN client (next-generation VPN client) from the IOS router to use SSL.

Clientless SSL VPN Vs Easy VPN

Clientless SSL VPN | Easy VPN
Doesn't require any client software on the end user's machine, only a web browser. | Requires VPN client software to be installed on the client machine.
Users don't have access to all network resources. | Full access to all network resources.
Supports mostly web-based services. | Supports virtually all services.
Can traverse firewall and NAT configurations. | Requires changes to firewall and NAT configuration.
Doesn't support low-latency applications. | Supports low-latency applications.

SSL VPN Session Establishment

Step-by-step IOS SSL VPN Configuration

This document will show you how to configure an SSL VPN in full tunnel and clientless mode on an IOS device. The configuration is based on a Cisco 2900 Integrated Services Router running 15.0(1)M3 code.

Network Diagram

Configuration Tasks

1. Enable and configure AAA.

2. Generate RSA Keypair and Configure Trustpoint.

3. Configure SSL VPN IP pool.

4. Setup SSL VPN Gateway.

5. Upload & Install AnyConnect VPN Software (SVC) on Router.

6. Setup SSL VPN Context and Configure Group policy

1. Configuring AAA for SSL VPN authentication

Enable AAA on the router for client authentication. VPN users have to be authenticated against either the local database or an authentication server such as RADIUS or TACACS+. In this example I used the local database to authenticate VPN users.

CORPORATE(config)#aaa new-model
CORPORATE(config)#aaa authentication login SSL_AUTHEN local

Create a username and password in the local database:

CORPORATE(config)#username administrator privilege 15 password mypassword
CORPORATE(config)#username tony  password cisco123

2. Generating RSA Keypair and Configuring Trustpoint.

We have to create an RSA keypair using the crypto key generate rsa command. Before that, make sure you have set a host name and domain name on your router.

CORPORATE(config)#crypto key generate rsa general-keys label RSA-KEY mod 4096
The name for the keys will be: RSA-KEY

% The key modulus size is 4096 bits
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 71 seconds)

Configuring the Trustpoint:

Now we have to declare the trustpoint that the router should use. To do so, type the commands below in global configuration mode.

CORPORATE(config)#crypto pki trustpoint MY-TRUSTPOINT
CORPORATE(ca-trustpoint)#enrollment selfsigned
CORPORATE(ca-trustpoint)#subject-name CN=my-certificate
CORPORATE(ca-trustpoint)#rsakeypair RSA-KEY

Enrolling Certificate:

The next step is to enroll the self-signed certificate that you have just created. If you have already created a certificate you can either use that or overwrite it by typing yes.

CORPORATE(config)#crypto pki enroll MY-TRUSTPOINT
% Include the router serial number in the subject name? [yes/no]: y
% Include an IP address in the subject name? [no]: n
Generate Self Signed Router Certificate? [yes/no]: y

Router Self Signed Certificate successfully created

3. Configuring SSL VPN pool IP address

CORPORATE(config)#ip local pool SSL-POOL

4. Setting up SSL VPN Gateway

The WebVPN Gateway is used to terminate the SSL connection from the user. The basic configuration requires an IP address on the same subnet as one of the public network interfaces; this could be the same address used on the public network interface, or another address in the same subnet. Alternately, you can define a loopback interface, and use an address in that subnet, just as long as the address is reachable on the public network.

CORPORATE(config)#webvpn gateway SSLVPNGW
Activation  of the  software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? [yes/no]: yes
CORPORATE(config-webvpn-gateway)#ip address port 443
CORPORATE(config-webvpn-gateway)#ssl trustpoint MY-TRUSTPOINT

5. Upload & Install AnyConnect VPN Software (SVC) on Router

Now upload the Cisco AnyConnect VPN client to the router's flash memory. You can use a TFTP server to do this. In this example we are uploading 'anyconnect-win-3.1.00495-k9.pkg' to the router's flash using a TFTP server.

CORPORATE(config)#copy tftp flash:
Address or name of remote host []?
Source filename []? anyconnect-win-3.1.00495-k9.pkg
Destination filename [anyconnect-win-3.1.00495-k9.pkg]?
Accessing tftp://
Loading anyconnect-win-3.1.00495-k9.pkg from (via GigabitEthernet0/0): !!!!!!!!!!!!!!!!!!!!!

[OK - 29806775 bytes]

29806775 bytes copied in 50.70 secs (587858 bytes/sec)

Verify the upload using the 'show flash' command.

Installing SVC (AnyConnect) package:

Install the SSL VPN Client (SVC) on your router. To do so, type the command below in global configuration mode.

CORPORATE(config)#webvpn install svc flash://anyconnect-win-3.1.00495-k9.pkg
SSLVPN Package SSL-VPN-Client (seq:1): installed successfully

6. Setup SSL VPN Context and Configure Group policy

The WebVPN context is where the SSL VPN is terminated, and the user's VPN session is established. The context also contains all of the policies that can be applied to a user, including authentication, authorization, and accounting (AAA), virtual routing and forwarding instances (VRFs), and group policies. This is where the user authentication takes place, and group policies are applied to the user session.

Furthermore, the context can define the way the SSL VPN Web portal will appear to the user by specifying the colors and the images. The context is basically a container for user sessions. The WebVPN context uses a WebVPN gateway for the SSL session termination endpoint IP address. Multiple contexts can use one WebVPN gateway by using the domain keyword, and specifying a label.

Type the commands below to set up a context named 'VPN1' and a group policy called 'MYPOLICY'.

CORPORATE(config)#webvpn context VPN1
CORPORATE(config-webvpn-context)#ssl authenticate verify all
CORPORATE(config-webvpn-context)#url-list "WebServers"
CORPORATE(config-webvpn-url)#heading "Intranet Websites"
CORPORATE(config-webvpn-url)#url-text "FTPServer" url-value ""
CORPORATE(config-webvpn-url)#url-text "AbcServer" url-value ""
CORPORATE(config-webvpn-context)#policy group MYPOLICY
CORPORATE(config-webvpn-group)#banner "Welcome to Tony's SSL VPN Services"
CORPORATE(config-webvpn-group)#functions svc-enabled
CORPORATE(config-webvpn-group)#url-list "WebServers"
CORPORATE(config-webvpn-group)#svc address-pool "SSL-POOL" netmask
CORPORATE(config-webvpn-group)#svc keep-client-installed
CORPORATE(config-webvpn-group)#svc dns-server primary
CORPORATE(config-webvpn-context)#default-group-policy MYPOLICY
CORPORATE(config-webvpn-context)#aaa authentication list SSL_AUTHEN
CORPORATE(config-webvpn-context)#gateway SSLVPNGW
CORPORATE(config-webvpn-context)#max-users 20

There we finish the configuration of Cisco SSL VPN on an IOS Router.

Now enter the address of your WebVPN gateway '' in an SSL-enabled web browser and you will be presented with the SSL VPN login page.

Login with your credentials that you have created in the local database.

Now you will be presented with your home page. This is the SSL VPN clientless mode, from which the user can launch any web service from the WebVPN portal.

SSL VPN Full Tunnel Mode

Click the 'Start' tab, which you find on the right pane of your home page, to start downloading the AnyConnect Secure Mobility Client to your PC. The screenshot below shows the AnyConnect client installation process.

After the installation you will get the Cisco AnyConnect Secure Mobility Client on your PC and you can click 'Connect' to establish the secure VPN connection using full tunnel. In full tunnel mode you can access virtually any application in your corporate network.

IOS SSL VPN Portal Customization (Optional)

You can customize the SSL VPN portal by changing the colors and banner, adding your company logo, etc.

Example of Portal customization :

webvpn context VPN1
title "The Diary of a Networker SSL VPN Services"
logo file flash:/networker.gif
title-color 255,0,255
secondary-color 222,184,135
title-color 205,41,144
ssl authenticate verify all

 policy group MYPOLICY
 banner "Welcome to Tony's SSL VPN Services"

The screenshot below shows a customized portal of the SSL clientless VPN.

For more info about customization visit SSL VPN Portal Customization.

Allow SSL VPN through Zone Based Firewall

Refer to Allow SSL WebVPN through Zone Based Firewall for more information and configuration.

Verification and Troubleshooting

Verification Command List :
  • show webvpn gateway 
  • show webvpn context
  • show webvpn install package svc
  • show webvpn install status svc
  • show webvpn policy group MYPOLICY context
  • show webvpn session context all
  • show webvpn stats detail context all
Troubleshooting Command List :
      SSL VPN Clear Commands :
  • clear webvpn nbns - Clears the NBNS cache on an SSL VPN gateway.
  • clear webvpn session - Clears SSL VPN remote user sessions.
  • clear webvpn stats - Clears SSL VPN application and access counters.
      SSL VPN Debug Commands :
  •  debug webvpn [verbose] [aaa | acl | cifs | citrix [verbose] | cookie [verbose] | count | csd | data | dns | emweb [state] | entry context-name [source ip [network-mask] | user username] | http [authentication | trace | verbose] | package | sdps [level number] | sock [flow] | sso | timer | trie | tunnel [traffic acl-number | verbose] | url-disp | webservice [verbose]]
         Example : debug webvpn


Friday, 19 April 2013

How to Publish Application in Citrix XenApp 6

In the previous post we saw the installation and configuration of XenApp Fundamentals 6. This step-by-step guide will show you how to publish an application in XenApp 6.

In this example we are publishing Adobe Reader 10.0.

1. Go to Start > All programs > Citrix > Management Consoles > Citrix Delivery Services Console.

On the left pane expand XenApp and click Applications.

2. In the right action pane click Publish application.

3. The Welcome screen will appear; click Next.

4. Enter a Display name for your application and click Next.

5. Choose the type of application to publish as Application and Application type as Accessed from a server and click Next.

6. Now browse to the application location. You have to choose the exact '.exe' file of the installed application.

7. Now choose the server by clicking Add, select the server (XENAPPSERVER) from the Servers list and click Add.

8. Below you can see that the server got added. Click Next.

9. Here you configure the users who may access the application. Click Add and select users from Active Directory.

10. Click Next.

11. Click Finish to publish the application immediately.

12. Now go to a client computer (Windows 7) and install Citrix Receiver. You can download it from . After the installation open a web browser (e.g. Firefox) and type the IP address of your Citrix XenApp Server.

Log on with your domain credentials and you will see the published applications as below.

Installation and configuration of XenApp Fundamentals 6

Citrix XenApp Fundamentals is a remote access solution that enables small to medium-sized business users to securely access their corporate Windows applications and files from anywhere, either on the LAN or at home, with an internet connection. The applications are stored on a central server and delivered to users, which keeps sensitive business data centralized and reduces management costs. The seamless user experience and fast access make this product a complete app virtualization solution for business. For more info visit

This guide is divided into two parts:
  • Step-by-step installation of XenApp Fundamentals 6 on Server 2008R2.
  • Basic configuration of Citrix XenApp Fundamentals.
System Requirements

1. XenApp 6 Fundamentals Edition must be installed on Windows Server 2008 R2 SP1. (Update your server with the latest patches.)

2. Enable Microsoft .NET 3.5 SP1 on Server 2008 R2.

3. Install Remote Desktop Services (Remote Desktop Session Host and Remote Desktop Licensing components) on Server 2008R2.

[ Note: Do not install XenApp Fundamentals on a Domain Controller ]

Step-by-step installation of XenApp Fundamentals 6 on Server 2008R2

Note: If you are using Active Directory, add the computer running XenApp Fundamentals to the directory before installation. XenApp Fundamentals can be part of a Windows workgroup or domain. [In this example the computer running XenApp Fundamentals is a part of domain]

1. Log on to the server as a domain administrator.

2. Insert the installation media and click 'Install or run program from your media'

3. On the welcome screen click 'Install'

4. Accept the license agreement and click Next.

5. On the Installation type page select "Application Server" and click Next.

6. If you want to view and interact with XenApp user sessions, do not select 'Disable shadowing'; click Next.

7. Provide the domain administrator username and password for the SQL database installation and later management.

8. Now wait for the Citrix components to be installed.

9. The setup will prompt you to restart the computer to continue with the installation. Click 'Yes'

10. After the restart you will get the 'XenApp Server Role Manager' console, which says XenApp and Web Interface were successfully installed on your server. That completes the installation of XenApp Fundamentals 6 on Server 2008 R2.

Basic Configuration of XenApp Fundamentals 6

1. Go to Start > All Programs > Citrix > Management Consoles > Citrix Delivery Services Console.

Click 'Disable authenticode signature checking'

2. On the 'Select product and component' page select 'XenApp' and click Next.

3. Select the server by clicking 'Add Local Computer' and click Next.

4. Now check the summary and click Next.

5. Once the discovery has completed  click 'Finish'.

6. As soon as you click Finish you will get the Citrix Delivery Services Console as below. This is the management console for Hotfixes, XenApp Fundamentals etc.

Configuring Quick Start Options

7. Now go to Start > All Programs > Citrix > Quick Start. You will get a welcome page; click Next.

8. On the server configuration wizard select 'New Single Server' and click Next.

9. Now click 'Finish'.

10. As soon as you click Finish you will get a console like the one below. Here we need to configure the Citrix license. Follow the link below to configure Citrix licensing:
Here you can also activate the Remote Desktop License Server by clicking the Remote Desktop License Server option at the bottom of the console.

From the same page we can add XenApp administrators and also configure email alerting by clicking the Administrators option on the Setup pane.

To learn how to publish an application and server desktop in XenApp, read How to Publish Application and Server Desktop in Citrix XenApp 6.

Monday, 11 February 2013

Configuring Cisco Router with ADSL Modem (PPPoA / PPPoE) and NAT

This quick guide will show you how to configure a Cisco router with an external ADSL modem using PPPoA or PPPoE.

Following is a sample configuration using a Cisco 2900 with IOS image version 15.0(1r). Even though the example uses a 2900 router, the configuration also applies to the 800, 1900 and 3900 routers.

Network Diagram

LAN interface:

Configure your LAN interface with a static IP address.

int gi0/0
 description ADSL-LAN Interface
 ip address
 ip nat inside
 no shutdown

WAN interface:

Configure the PPPoE client on your WAN interface:

int gi0/1
 description ADSL-WAN Interface
 pppoe-client dial-pool-number 1
 no shutdown

Dialer interface:

Configure a dialer interface as follows:

int Dialer0
 encapsulation ppp
 dialer pool 1
 ip address negotiated
 ppp chap hostname YOUR_CHAP_LOGIN
 ppp chap password YOUR_CHAP_PASSWORD
 ip mtu 1492
 ip tcp adjust-mss 1452
 ip nat outside

NAT Configuration:

access-list 10 permit
ip nat inside source list 10 int dialer0 overload

Routing Configuration:

Add a static default route for the internet:

ip route dialer0