Question About Zone Based Firewall on IOS

jonathanw84 — Tue, 12 Mar 2019 08:40:48 GMT

Hello, I've been working on implementing a Zone Based Firewall for our offsite users that utilize an 881 router with DMVPN tunnels to connect. Right now I have an outsize zone (WAN facing), inside zone (LAN) and the self zone. I have zone pairs for Inside to Outside and Outside to Self. The Outside to Self zone-pair has a policy that includes an ACL with the following:

remark Permits DHCP from ISP
permit udp any any eq bootpc
permit udp any any eq bootps
remark Permits DMVPN Tunnel Traffic
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit gre any any
remark Permits Management Access
permit tcp X.X.X.X 0.0.3.255 any eq 22
permit tcp X.X.X.X 0.0.3.255 any eq 443
permit tcp X.X.X.X 0.0.0.255 any eq 22
permit tcp X.X.X.X 0.0.0.255 any eq 443
permit tcp X.X.X.X 0.0.0.255 any eq cmd
permit tcp X.X.X.X 0.0.3.255 any eq cmd
permit icmp X.X.X.X 0.0.3.255 any
remark Permits Selected ICMP Traffic
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
remark Deny Traffic Sourced From Loopback Addresses
deny   ip 127.0.0.0 0.255.255.255 any
remark Deny Traffic Sourced From Broadcast Address
deny   ip host 255.255.255.255 any
remark Deny Traffic Sourced From Default
deny   ip host 0.0.0.0 any
deny   ip any any

And this is my zone policy configuration:

class-map type inspect match-any OUTSIDE-SELF
match access-group name INET_PROTECT
!
policy-map type inspect OUTSIDE-SELF
class type inspect OUTSIDE-SELF
pass
class class-default
drop
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE-SELF

My question is, when I have the policy map OUTSIDE-SELF set to "pass" traffic from the OUTSIDE-SELF class map, everything works fine and the tunnels come up and form EIGRP adjacencies. If I change this to "inspect", the tunnels are no longer able to form neighborships and I see blocks on the "deny ip 10.0.0.0 0.255.255.255 any" part of the ACL. Can someone help me understand why this happening?

Thanks!

If you want to "inspect" then

Deepak Kumar — Tue, 20 Dec 2016 07:41:13 GMT

If you want to "inspect" then you should configure this acl and allow VPN protocols and port numbers also.

Regards,

Deepak Kumar

can you try this ....

MANI .P — Tue, 20 Dec 2016 11:27:47 GMT

can you try this ....

1. Define ACL and to allow udp port any any 500

2. Define the ACL into the Class-map

3.Define Class map with inspection of ipsec inside the policy-map

4.bring policy-map into the service-policy applied on outside and in .

----------------------------------------------------------------------------

or try below .

class-map match-any ISAKMP-IPSec-TRAFFIC
match protocol ipsec
match protocol isakmp

policy-map type inspect OUTSIDE-SELF
class type inspect ISAKMP-IPSec-TRAFFIC
inspect
class class-default
drop

service-policy OUTSIDE-SELF interface outside

Please rate my comments if this helps you .

thanks ,

Mani

topic If you want to "inspect" then in Network Security

Question About Zone Based Firewall on IOS

If you want to "inspect" then

can you try this ....