topic IOS ZONE based FW with gre in Network Security

IOS ZONE based FW with gre

Namal Suranga — Mon, 11 Mar 2019 23:38:40 GMT

I have configured a cisco 2911 router with security bundle, as a zone based firewall.

Configurations,

Gi0/1 - Internet connection - (outside-zone)

Gi0/0 - Internal users -(inside-zone)

Gi0/2 - ISA server - (ISA-zone) this is use for just connct to VPN from outside for just one user

I got an issue , when connection establish From outsid zone to ISA-zone , configurations given bellow ,

ip access-list extenderd Outside-to-ISA

permit tcp any host 202.124.161.5 eq 1723

permit gre any host 202.124.161.5

class-map type inspect match-any Outside-to-ISA

match access-group name Outside-to-ISA

policy-map type inspect Outside-to-ISA

class type inspect Outside-to-ISA

inspect

then i have configurd zone-pair configs as perspective, But VPN connection has not established... 😞

then i have create another access-list, class-map , and policy-map as well as zone-pair to ISA-zone to outside-zone and

ip access-list extenderd ISA-to-Outside

permit tcp host 202.124.161.5 any

permit gre host 202.124.161.5 any

class-map type inspect match-any ISA-to-Outside

match access-group name ISA-to-Outside

policy-map type inspect ISA-to-Outside

class type inspect ISA-to-Outside

inspect

Result is same But VPN connection has not established... 😞 . 😞

Then i have configured traffic to pass instead of inspect to both directions

eg.

policy-map type inspect ISA-to-Outside

class type inspect ISA-to-Outside

no inspect

pass

Then it worked, but this is no secure it's like trditional access-control, so please help me someone sortout this problem,

thanx,

namal.

IOS ZONE based FW with gre

Jennifer Halim — Mon, 06 Aug 2012 11:32:40 GMT

You would need to configure action as "pass" for the GRE traffic on both direction because GRE is a stateless protocol.

For TCP/1723 you can configure just in one direction, ie: outside to ISA zone, and with the action "inspect" because TCP is stateful protocol.

IOS ZONE based FW with gre

Namal Suranga — Mon, 06 Aug 2012 11:40:31 GMT

Thats very clear...

Thank you very much !!!

IOS ZONE based FW with gre

Jennifer Halim — Mon, 06 Aug 2012 11:50:46 GMT

Great to hear it's clear. Pls kindly mark the post answered so others can learn from your question. Thank you.

IOS ZONE based FW with gre

Namal Suranga — Tue, 07 Aug 2012 15:01:34 GMT

Hi,

I have configured as above, but it's no working properly, i can initiate tcp connection with port 1723 but i can't connect vpn .....

is there any more ...

Configs

ip access-list extended ISA-SERVER-TO-OUTSIDE-ANY

permit ip host 202.124.160.2 any

ip access-list extended ISA-SERVER-TO-OUTSIDE-GRE

permit gre host 202.124.160.2 any

class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-GRE-CM

match access-group name ISA-SERVER-TO-OUTSIDE-GRE

class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-ANY-CM

match access-group name ISA-SERVER-TO-OUTSIDE-ANY

policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM

class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM

inspect

class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM

pass

class class-default

drop

zone-pair security ISA-SERVER-TO-OUTSIDE source ISA-SERVER-ZONE destination OUTSIDE-ZONE

service-policy type inspect ISA-SERVER-TO-OUTSIDE-PM

***************************************************************************

ip access-list extended OUTSIDE-TO-ISA-SERVER-GRE

permit gre any host 220.247.219.38
ip access-list extended OUTSIDE-TO-ISA-SERVER-TCP

permit tcp any host 220.247.219.38 eq 1723

class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-GRE-CM

match access-group name OUTSIDE-TO-ISA-SERVER-GRE

class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-TCP-CM

match access-group name OUTSIDE-TO-ISA-SERVER-TCP

policy-map type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM

class type inspect OUTSIDE-TO-ISA-SERVER-TCP-CM

inspect

class type inspect OUTSIDE-TO-ISA-SERVER-GRE-CM

pass

class class-default

drop

zone-pair security OUTSIDE-TO-ISA-SERVER source OUTSIDE-ZONE destination ISA-SERVER-ZONE

service-policy type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM

IOS ZONE based FW with gre

Jennifer Halim — Tue, 07 Aug 2012 15:45:31 GMT

You don't need the following as it also covers the GRE traffic which needs "pass" instead of "inspect":

policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM

class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM

inspect

All you need is the second class-map if the ISA server does not need to initiate any traffic outbound. If it does need to initiate traffic outbound then you should have the GRE class map on top and the ANY class map as the second class map as follows:

policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM

class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM

pass

class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM

inspect

IOS ZONE based FW with gre

Namal Suranga — Tue, 07 Aug 2012 17:00:24 GMT

thanks your update... i have change as above .. .but still not working ....

IOS ZONE based FW with gre

Jennifer Halim — Wed, 08 Aug 2012 08:40:57 GMT

Can you share the whole policy again after the changes?

Also, if you just have the GRE class map with action "pass", does it work?

IOS ZONE based FW with gre

Namal Suranga — Thu, 09 Aug 2012 04:15:50 GMT

Hi Jennifer,

Thanks for comment, It's working now , not the issue with router config , we found some problem with a smartphone, becoz we used a smart phone for checking VPN connection that the issue. as you told, GRE class-map must be top of the table and it's must be " PASS " thats all. so thank you very much for ur support.

IOS ZONE based FW with gre

Jennifer Halim — Thu, 09 Aug 2012 12:55:11 GMT

Great to hear, and thanks for the update and ratings.