ZBF VPN Good Config

markieparkie — Tue, 12 Mar 2019 03:44:04 GMT

After reading some info on Julio's website, I have come to think my VPN configs are a bit too fat and not very streamline. My configs are starting to hammer CPU on the routers now, especially as the remote offices are now starting to use VDSL speeds. What are you thoughts?

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

 match access-group 104

class-map type inspect match-any SDM_AH

 match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

 match protocol skinny

class-map type inspect match-any ccp-h323nxg-inspect

 match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

 match protocol icmp

 match protocol tcp

 match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

 match protocol h225ras

class-map type inspect match-any SDM_ESP

 match access-group name SDM_ESP

class-map type inspect match-any ccp-h323annexe-inspect

 match protocol h323-annexe

class-map type inspect match-any ccp-cls-insp-traffic

 match protocol dns

 match protocol ftp

 match protocol https

 match protocol icmp

 match protocol imap

 match protocol pop3

 match protocol netshow

 match protocol shell

 match protocol realmedia

 match protocol rtsp

 match protocol smtp

 match protocol sql-net

 match protocol streamworks

 match protocol tftp

 match protocol vdolive

 match protocol tcp

 match protocol udp

class-map type inspect match-any PING_ACCESS

 match access-group name PING_ACCESS

class-map type inspect match-any SDM_SSH

 match access-group name SDM_SSH

class-map type inspect match-any SDM_HTTPS

 match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SHELL

 match access-group name SDM_SHELL

class-map type inspect match-any SNMP_ACCESS

 match access-group name SNMP_ACCESS

class-map type inspect match-any ccp-h323-inspect

 match protocol h323

class-map type inspect match-all ccp-invalid-src

 match access-group 100

class-map type inspect match-any ccp-sip-inspect

 match protocol sip

class-map type inspect match-all ccp-protocol-http

 match protocol http

class-map type inspect match-any sdm-cls-access

 match class-map SDM_HTTPS

 match class-map SDM_SSH

 match class-map SDM_SHELL

 match class-map SNMP_ACCESS

 match class-map PING_ACCESS

class-map type inspect match-all ccp-insp-traffic

 match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_VPN_TRAFFIC

 match protocol isakmp

 match protocol ipsec-msft

 match class-map SDM_AH

 match class-map SDM_ESP

class-map type inspect match-all ccp-icmp-access

 match class-map ccp-cls-icmp-access

class-map type inspect match-all SDM_VPN_PT

 match access-group 103

 match class-map SDM_VPN_TRAFFIC

class-map type inspect match-all sdm-access

 match class-map sdm-cls-access

 match access-group 102

policy-map type inspect sdm-pol-VPNOutsideToInside-1

 class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

 class class-default

  drop

policy-map type inspect ccp-inspect

 class type inspect ccp-invalid-src

  drop log

 class type inspect ccp-protocol-http

  inspect

 class type inspect ccp-insp-traffic

  inspect

 class type inspect ccp-sip-inspect

  inspect

 class type inspect ccp-h323-inspect

  inspect

 class type inspect ccp-h323annexe-inspect

  inspect

 class type inspect ccp-h225ras-inspect

  inspect

 class type inspect ccp-h323nxg-inspect

  inspect

 class type inspect ccp-skinny-inspect

  inspect

 class class-default

  drop

policy-map type inspect ccp-permit

 class type inspect SDM_VPN_PT

  pass

 class type inspect sdm-access

  inspect

 class class-default

  drop

policy-map type inspect ccp-permit-icmpreply

 class type inspect ccp-icmp-access

  inspect

 class class-default

  pass

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

 service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

 service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

 service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

 service-policy type inspect sdm-pol-VPNOutsideToInside-1

crypto isakmp policy 15

 encr 3des

 authentication pre-share

 group 2

 lifetime 28800

crypto isakmp key m0n5t3r address ***.***.***.***

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac

 mode tunnel

crypto map ipsec-TEST 10 ipsec-isakmp

 set peer ***.***.***.***

 set transform-set aes-sha

 set pfs group2

 match address 101

ZBF VPN Good Config

Marius Gunnerud — Tue, 18 Feb 2014 14:02:22 GMT

What routers are you using?

--
Please remember to rate and select a correct answer

Hi Marius, The routers we are

markieparkie — Fri, 21 Mar 2014 17:22:58 GMT

Hi Marius,

The routers we are using are CISCO 887VA

Thanks.

Sorry for the late reply. I

Marius Gunnerud — Tue, 25 Mar 2014 15:02:11 GMT

Sorry for the late reply. I have not been getting any email notifications since the new support website was launched.

If that is all the ZBF config you have it is not much configured...relitively speaking. So that leads me to beleive that if you are experiencing performance issues it could be related to the amount of traffic that is traversing the 887 router, and its ability to handle that traffic.

You do have some redundant config in there but that should not affect performance in any significant way...just to point out an example:

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

inspect

class class-default

pass

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

This could have been done using just the ccp-cls-icmp-access class map. But as I said it should not affect performance.

Have you checked memory usage on the router and not just the CPU?

How many users are connecting through the router on a daily basis?

It could very well be that the amount of traffic passing through the router is becoming more than it can handle, and an upgrade to a more robust router is needed.

Please remember to rate and select a correct answer

topic ZBF VPN Good Config in Network Security

ZBF VPN Good Config

ZBF VPN Good Config

Hi Marius, The routers we are

Sorry for the late reply. I