2951 problem with WAAS Module, IOS Firewall and L3VPNoMGRE

klauritzen
Level 1

First of all by “L3VPNoMGRE” I mean  “Dynamic Layer-3 VPNs (L3VPNs) (RFC 2547 based) with Multipoint GRE (mGRE) Tunnel Support”

I have a 2951 router with an SM-SRE-900 module running WAAS. I'm running ip inspection on my LAN interface because L3VPNoMGRE does not have a dedicated WAN interface for the VRF. I found this thread
https://supportforums.cisco.com/thread/20497063945 "Router Issue between WAAS Module and IOS Firewall" that had almost the same issue, but that solution is not working for me because of the L3VPNoMGRE.

Now I'm wondering if anybody has the same problem or knows of any workaround.
Here is a summary of my configuration:

ip vrf BLUE
 rd 10:10
!
ip inspect name INSPECT_VRF-BLUE tcp
ip inspect name INSPECT_VRF-BLUE udp
ip inspect name INSPECT_VRF-BLUE cifs
ip wccp check services all
ip wccp vrf BLUE 61 redirect-list ACL-WAAS-EXCL-REDIRECT password xxx
ip wccp vrf BLUE 62 redirect-list ACL-WAAS-EXCL-REDIRECT password xxx
!
interface Loopback1
 ip address 192.168.255.4 255.255.255.255
!
interface GigabitEthernet0/0 (WAN interface)
 ip address 192.168.0.30 255.255.255.252
!
interface SM1/0
 ip vrf forwarding BLUE
 ip address 10.0.50.49 255.255.255.248
 ip wccp redirect exclude in
 service-module fail-open
 service-module ip address 10.0.50.54 255.255.255.248
 service-module ip default-gateway 182.23.50.49
!
interface GigabitEthernet2/0.1401
 encapsulation dot1Q 1401
 ip vrf forwarding BLUE
 ip address 10.0.22.33 255.255.255.224
 ip access-group IN-LAN in
 ip access-group OUT-WAN out
 ip wccp vrf BLUE 61 redirect in
 ip wccp vrf BLUE 62 redirect out
 ip inspect INSPECT_VRF-BLUE in
 ip inspect INSPECT_VRF-BLUE out
!
l3vpn encapsulation ip ENCAP-VPNv4
 transport ipv4 source Loopback1
!

Thanks for any tips and help.

3 Replies

pevaneyn
Cisco Employee

Hi,

I fear that WCCP and ZBFW integration is rather version specific. Which version are you running?

Peter

Hi,

I'm not running ZBFW but CBAC.
We tried running ZBFW but got into problems because of the L3VPNoMGRE.

It is WCCP v2 on IOS c2951-universalk9-mz.SPA.151-3.T.bin

Regards
Kristian

Hello Kristian,

I think I have seen the problem: with more recent versions of IOS (like the one you are using) you do not need to put the WAAS in the 'internal' zone, but in a separate waas zone.

For an example with WAAS see the ZBFW documentation, in summary you need to have something like:

ip wccp 61
ip wccp 62
ip inspect waas enable   ! on by default
ip wccp notify
zone security zone-inside
zone security zone-outside
zone security zone-waas
!
zone-pair security inside-outside source zone-inside destination zone-outside
 service-policy type inspect ...
zone-pair security outside-inside source zone-outside destination zone-inside
 service-policy type inspect ...
!
interface GigabitEthernet0/0
 description Trusted interface
 ip wccp 61 redirect in
 zone-member security zone-inside
 ...
interface GigabitEthernet0/1
 description Untrusted interface
 ip wccp 62 redirect in
 zone-member security zone-outside
 ...
interface Integrated-Service-Engine1/0
 ip wccp redirect exclude in
 zone-member security zone-waas
 ...


Could you try this?

Best regards, Peter
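The layout Peter describes (every WCCP redirect interface in a zone, the module-facing interface excluding redirection and sitting in its own WAAS zone, and 'ip inspect waas enable' present) is easy to get subtly wrong when an existing CBAC config is converted. Below is a small lint script, added here as an illustration and not code from either poster or from Cisco, that parses an IOS running-config excerpt and reports which of those conditions it does not meet. The two sample configs embedded in it are constructed: one is modelled on Kristian's CBAC-style interface stanzas, the other on Peter's zone-based sketch. The parser only understands the flat "global line / indented interface stanza" shape used in this thread; it is not a general IOS parser.

```python
"""Lint an IOS running-config excerpt for the WCCP/WAAS + zone-based firewall
layout discussed in the thread.  Findings are returned as plain strings so
the checks can be asserted on or printed.  (Illustrative script, not Cisco code.)"""
import re
from typing import Dict, List, Optional

REDIRECT_RE = re.compile(r"ip wccp( vrf \S+)? 6[12] redirect (in|out)$")
CBAC_RE = re.compile(r"ip inspect (\S+) (in|out)$")
MODULE_EXCLUDE = "ip wccp redirect exclude in"


def parse_ios(config: str) -> Dict[str, List[str]]:
    """Split a config into 'global' lines and one list of lines per interface
    stanza.  A '!' line or any unindented line closes the current stanza."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = "global"
            continue
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
            sections.setdefault(current, [])
        elif raw.startswith(" ") and current != "global":
            sections[current].append(line)
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def zone_of(lines: List[str]) -> Optional[str]:
    """Return the zone an interface stanza is a member of, if any."""
    for line in lines:
        m = re.match(r"zone-member security (\S+)$", line)
        if m:
            return m.group(1)
    return None


def check_waas_zbfw(config: str) -> List[str]:
    """Return a list of findings; an empty list means the layout matches."""
    sections = parse_ios(config)
    findings: List[str] = []
    if "ip inspect waas enable" not in sections["global"]:
        findings.append("global: 'ip inspect waas enable' not present")

    # Zones used by interfaces that redirect client/server traffic to WAAS.
    redirect_zones = set()
    for name, lines in sections.items():
        if name == "global" or not any(REDIRECT_RE.match(l) for l in lines):
            continue
        zone = zone_of(lines)
        if zone is None:
            findings.append(f"{name}: WCCP redirect interface is not a zone member")
        else:
            redirect_zones.add(zone)
        if any(CBAC_RE.match(l) for l in lines):
            findings.append(f"{name}: CBAC 'ip inspect' on a WCCP redirect interface; "
                            "thread suggests ZBFW with a dedicated WAAS zone")

    # The module-facing interface must exclude redirection and sit in its own zone.
    module_ifaces = [n for n, ls in sections.items()
                     if n != "global" and MODULE_EXCLUDE in ls]
    if not module_ifaces:
        findings.append(f"no interface carries '{MODULE_EXCLUDE}' (module-facing interface)")
    for name in module_ifaces:
        zone = zone_of(sections[name])
        if zone is None:
            findings.append(f"{name}: module-facing interface is not a zone member")
        elif zone in redirect_zones:
            findings.append(f"{name}: module-facing interface shares zone '{zone}' "
                            "with a redirect interface; use a separate WAAS zone")
    return findings


# Constructed sample modelled on the CBAC-style stanzas in the original post.
CBAC_STYLE = """\
ip inspect name INSPECT_VRF-BLUE tcp
ip wccp vrf BLUE 61 redirect-list ACL-WAAS-EXCL-REDIRECT password xxx
ip wccp vrf BLUE 62 redirect-list ACL-WAAS-EXCL-REDIRECT password xxx
!
interface SM1/0
 ip vrf forwarding BLUE
 ip wccp redirect exclude in
!
interface GigabitEthernet2/0.1401
 ip vrf forwarding BLUE
 ip wccp vrf BLUE 61 redirect in
 ip wccp vrf BLUE 62 redirect out
 ip inspect INSPECT_VRF-BLUE in
 ip inspect INSPECT_VRF-BLUE out
!
"""

# Constructed sample modelled on the zone-based sketch in the reply.
ZBFW_STYLE = """\
ip wccp 61
ip wccp 62
ip inspect waas enable
zone security zone-inside
zone security zone-outside
zone security zone-waas
!
interface GigabitEthernet0/0
 ip wccp 61 redirect in
 zone-member security zone-inside
!
interface GigabitEthernet0/1
 ip wccp 62 redirect in
 zone-member security zone-outside
!
interface Integrated-Service-Engine1/0
 ip wccp redirect exclude in
 zone-member security zone-waas
!
"""

if __name__ == "__main__":
    for label, cfg in (("CBAC-style", CBAC_STYLE), ("ZBFW-style", ZBFW_STYLE)):
        print(f"{label}: {check_waas_zbfw(cfg) or ['ok']}")
```

Run it against `show running-config` output saved to a file by reading the file into `check_waas_zbfw`; the CBAC-style sample produces four findings (missing global enable, redirect interface without a zone, CBAC inspection on that interface, and an unzoned module interface), while the zone-based sample produces none.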
