topic Zone-Based Firewall on a site to site VPN in Network Security

Zone-Based Firewall on a site to site VPN

mpanganiban — Mon, 11 Mar 2019 17:45:19 GMT

We have a site to site VPN between an 800 series router and a VPN concentrator. I want to implement the Zone-based firewall on on the router.

On the 800 series router, once I apply the Zone on the outside interface which is the "Dialer 1" VPN connection is terminated. Based on the configuration below, what am I missing?

ip access-list extended county-out
permit ip any 192.168.60.0 0.0.0.255

ip access-list extended county-in
permit ip 192.168.60.0 0.0.0.255 any

ip access-list extended ICMPReply
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big

ip access-list extended esp-traffic
permit esp any any

class-map type inspect match-any IPSec
match protocol isakmp
match protocol ipsec-msft
match access-group name esp-traffic

class-map type inspect match-all ICMPReply
match access-group name ICMPReply

class-map type inspect match-any in-out
match access-group name county-in
match protocol icmp
match protocol dns
match protocol http
match protocol https
match protocol ftp

class-map type inspect match-any out-in
match access-group name county-out

policy-map type inspect OutToSelf
description Permitted traffic from Internet to Router
class type inspect ICMPReply
   pass
class type inspect IPSec
   pass
class class-default
   drop log
policy-map type inspect access-county
class type inspect in-out
inspect
class class-default
drop
policy-map type inspect county-out
class type inspect out-in
inspect
zone security in-zone
zone security out-zone

zone-pair security OutToSelf source out-zone destination self
service-policy type inspect OutToSelf

zone-pair security in-out source in-zone destination out-zone
service-policy type inspect access-county

zone-pair security county-in source out-zone destination in-zone
service-policy type inspect county-out

Re: Zone-Based Firewall on a site to site VPN

Diego Armando Cambronero Arias — Thu, 13 May 2010 19:21:23 GMT

I would try to configure a zone from the self to the out zone. permit all IP... If not just get the ... IP INSPECT LOG DROP-PKT

this will tell us why the traffic is being dropped. If you attach a diagram of the topology that will help us to understand why is't not working. Are you using NAT for any of the endpoints.?

Re: Zone-Based Firewall on a site to site VPN

mpanganiban — Thu, 13 May 2010 20:01:58 GMT

Thanks for the reply! It does work when I modify the self outzone with IP any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite, I have the configuration unsaved and I am having the router reload automatically to go back to it's original configuration. I will try the "ip inspect log drop-pkt"

I'll try to illustrate a quick topology:

192.168.60.x/24------871 router<-------Internet------->VPN Concentator------172.16.16.0/20

Re: Zone-Based Firewall on a site to site VPN

Diego Armando Cambronero Arias — Thu, 13 May 2010 20:15:48 GMT

Ok But you are not NATing the endpoint. they are using the public IPs right?

Re: Zone-Based Firewall on a site to site VPN

mpanganiban — Thu, 13 May 2010 20:31:55 GMT

Yes, they are using public IP's