Cisco 2911 - VPN Passthrough help

Chris Gabel
Beginner

Hi All,

A few employees within our network require access to an external network using a Nortel VPN client. I am fairly new to firewalls and have configured a simple zone-based firewall using the Cisco CCP firewall wizard, basic - low security.

The Nortel VPN connects successfully but fails at producing a popup that the user has to acknowledge in order for the connection to succeed.

I know the Nortel VPN uses UDP 500 (ISAKMP) and the AH and ESP protocols.

I have been able to connect successfully if I change:

class class-default - drop

to

class class-default - allow

However, this is not ideal; how can I allow this traffic without using an allow on unmatched traffic?

Hope that makes sense.

Thanks,

Chris

policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.1

5 Replies

Julio Carvajal
Advisor

Hello Chris,

We need more information on this.

We need to know the zone-pairs you have set up and their respective policies.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, thanks for looking at this. The information requested is below. I also have a Cisco IPsec VPN client-server setup running that works perfectly, using ezvpn-zone.

class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
interface GigabitEthernet0/1
 description OUTSIDE WAN$FW_OUTSIDE$
 ip address 184.X.X.X 255.255.255.252
 no ip redirects
 no ip unreachables
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description INSIDE LAN$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 ip flow ingress
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!

Hello Chris,

Okay. You have not provided any information related to which IP is the external VPN server's, or whether the connection is from the inside zone to the outside zone.

I am going to assume that VPN connections are going to be initiated from both sides of the tunnel.

So you should create the following:

ip access-list ext VPN_Outbound
 permit ip internal_subnet host vpn_server_ip
class-map type inspect match-any ccp-protocol-http
 match protocol http
 match access-group VPN_Outbound

Then work from outside to inside:

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip access-list ext vpn_inbound
 permit ip vpn_server_ip internal_subnet
class-map type inspect match-any sdm-nat-http-1
 match access-group name vpn_inbound

Let me know how it goes.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi, thanks for your help again. I added the above lines and it's still not working. I had issues adding the extended access-lists; your example did not work in that order, so I tried to make it work.

P.S. VPN will be initiated only internally.

ip access-list extended VPN_Inbound_Nortel
 permit ip 198.161.2.0 0.0.0.255 any
ip access-list extended VPN_Outbound_Nortel
 permit ip any host 198.161.2.XXX
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
class-map type inspect match-any ccp-protocol-http
 match protocol http
 match access-group name VPN_Outbound_Nortel
class-map type inspect match-any sdm-nat-http-1
 match access-group 102
 match protocol http
 match access-group name VPN_Inbound_Nortel
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.1

Bump!
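As an added example (not code from the thread, from Cisco's CCP wizard, or from the Nortel client documentation), here is one way to scope the passthrough Julio describes to a single VPN server while leaving class-default at drop on the out-zone to in-zone policy; 198.51.100.10 is a placeholder for the real VPN server address, and the policy-map, class-map and zone-pair names are taken from Chris's posted config.

```cisco
! Added example, not from the thread. Passes the Nortel client's AH/ESP to and
! from one VPN server so class-default stays at drop on the out-zone -> in-zone
! policy. Assumptions: 198.51.100.10 is a placeholder for the real VPN server;
! policy-map, class-map and zone-pair names come from Chris's posted config.
!
! AH (IP proto 51) and ESP (IP proto 50) have no ports, so 'inspect' cannot
! track them as sessions the way it tracks IKE on UDP 500 (already covered by
! 'match protocol udp' in ccp-cls-insp-traffic). They must be passed in both
! directions; the return direction is what the drop on class-default blocks.
ip access-list extended NORTEL_ESP_AH_OUT
 remark source left as 'any': the class-map may see the NAT-translated address
 permit esp any host 198.51.100.10
 permit ahp any host 198.51.100.10
ip access-list extended NORTEL_ESP_AH_IN
 remark ESP/AH returning from the VPN server only
 permit esp host 198.51.100.10 any
 permit ahp host 198.51.100.10 any
!
class-map type inspect match-all NORTEL_IPSEC_OUT
 match access-group name NORTEL_ESP_AH_OUT
class-map type inspect match-all NORTEL_IPSEC_IN
 match access-group name NORTEL_ESP_AH_IN
!
! in-zone -> out-zone: explicit pass, so it no longer relies on class-default
policy-map type inspect ccp-inspect
 class type inspect NORTEL_IPSEC_OUT
  pass
!
! out-zone -> in-zone: pass only the return AH/ESP; class-default is always
! evaluated last, so the drop still applies to everything else
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect NORTEL_IPSEC_IN
  pass
 class class-default
  drop
!
! Verify the counters land on the new classes rather than on class-default:
! show policy-map type inspect zone-pair sdm-zp-NATOutsideToInside-1
! show policy-map type inspect zone-pair ccp-zp-in-out
```

Because the router performs NAT, raw ESP from more than one client behind the same public address generally needs the client to use NAT-T (UDP 4500), which the existing generic UDP inspection in ccp-cls-insp-traffic already tracks statefully.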
