FAQ- How to manage a remote Firewall through the IPSec tunnel

Publication Date:  2015-12-01 Views:  282 Downloads:  0
Issue Description

Scenario : IPSec tunnel between two sites ( Headquarters and branch ) where the branch firewall ( NGFW_B in the above topology) needs to be managed from the HQ through the IPSec tunnel.

To accomplish the above scenario we need to fulfill the following conditions on a traditional firewall:
- The management traffic should match the security ACL of the firewall which means that the firewall would need to be managed on the IP address configured on the LAN interface and not on the public IP address configured on the wan interface .As an example for the above topology, in the case where one user would have wanted to access the web interface of the firewall through the IPSec tunnel from the Branch, he would need to access the 10.1.1.1 IP address.
- The security policies between the local zone and the security zone to which the wan interface belongs should allow traffic forwarding


The NGFW also brings the new service management function which allows an administrator to manage a NGFW through a specified interface even if no security policy is enforced for traffic between the Local zone and the security zone to which the interface belong.
This function can be enabled by running the service-manage enable command under the interface .
After the management function is enabled, the firewall can be configured to allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access on the firewall on that specific interface with the service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny } command.

What is interesting with this function is that the management packets can access a target local IP address only when the access management function is enabled on the inbound interface. For example, if the HQ users want to access the GigabitEthernet 1/0/1  interface of the branch site through the IPSec tunnel , and their packets enter the device through GigabitEthernet 1/0/2. The access management function must be enabled on GigabitEthernet 1/0/2. Otherwise, the access to GigabitEthernet 1/0/1 will be disabled.

This can be confusing in different scenarios as the IPSec one because we tend to enable the management function under the interface we want to manage. For instance if we want to manage the firewall on the IP address configured on the g1/0/1 interface of the branch firewall, so that the management traffic that comes through the tunel match the security ACL of the firewall, we can incorrectly assume that the function needs to be enabled under the g1/0/1 interface. However, this operation won’t help in this case.

Given this situation, the management function would need to actually be applied on the g1/0/2, the interface on which the packets are received by the device, which is also the WAN interface.

This configuration brings a major disadvantage because once the management configuration is enabled under the wan interface, the local IP address of the WAN interface will be reachable from every source, no matter the configured security policies.

Solution
To solve this problem and to permit the firewall management through the VPN tunnel without allowing other users from the internet to access it, we need the following configuraiton:

1.Disable the service management function under the wan interface :
Example :
Interface g1/0/2
undo service-manage enable

2.Configure security polcies to permit the management of the firewall just from the remote site.

Example :
#                                                                                                                                  
rule name ping_external_ip
  source-zone untrust                                                                                                                
  destination-zone local       
source-address xx.xx.xx.xx     //ip address of the admin                                                                                               
  destination-address xx.xx.xx.xx // ip address of the wan interface
action permit                                                                                                                    
#                  

END