10-01-2012 11:08 AM - edited 03-11-2019 05:02 PM
Hi All,
A few employees within our network require access to an external network using a Nortel VPN client. I am fairly new to firewalls and have configured a simple zone-based firewall using the Cisco CCP firewall wizard, basic - low security.
The Nortel VPN connects successfully but fails at producing a popup that the user has to acknowledge in order for the connection to succeed.
I know the Nortel VPN uses UDP 500 (isakmp) and the protocols AH and ESP.
I have been able to connect successfully if I change:
class class-default - drop to
class class-default - allow
However, this is not ideal. How can I allow this traffic without using an allow on unmatched traffic?
Hope that makes sense.
Thanks,
Chris
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.1
10-01-2012 02:52 PM
Hello Chris,
We need more information on this.
We need to know the zone-pairs you have set up and their respective policies.
Regards,
Julio
10-02-2012 09:16 AM
Hi Julio, thanks for looking at this. The information requested is below. I also have a Cisco IPsec VPN client-server setup running that works perfectly, using ezvpn-zone.
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
interface GigabitEthernet0/1
 description OUTSIDE WAN$FW_OUTSIDE$
 ip address 184.X.X.X 255.255.255.252
 no ip redirects
 no ip unreachables
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description INSIDE LAN$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered GigabitEthernet0/1
 no ip redirects
 no ip unreachables
 ip flow ingress
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!
10-02-2012 09:37 AM
Hello Chris,
Okay. You have not provided any information about which IP the external VPN server has, or whether the connection is from the inside zone to the outside zone.
I am going to assume that VPN connections are going to be initiated from both sides of the tunnel.
So you should create the following:
ip access-list extended VPN_Outbound
 permit ip internal_subnet host vpn_server_ip
class-map type inspect match-any ccp-protocol-http
 match protocol http
 match access-group name VPN_Outbound
Then work from outside to inside
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip access-list extended vpn_inbound
 permit ip host vpn_server_ip internal_subnet
class-map type inspect match-any sdm-nat-http-1
 match access-group name vpn_inbound
Let me know how it goes.
Regards
10-05-2012 02:26 PM
Hi, thanks for your help again. I added the above lines and it's still not working. I had issues adding the extended access-lists; your example did not work in that order, so I tried to make it work.
P.S. VPN will be initiated only internally.
ip access-list extended VPN_Inbound_Nortel
 permit ip 198.161.2.0 0.0.0.255 any
ip access-list extended VPN_Outbound_Nortel
 permit ip any host 198.161.2.XXX
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
class-map type inspect match-any ccp-protocol-http
 match protocol http
 match access-group name VPN_Outbound_Nortel
class-map type inspect match-any sdm-nat-http-1
 match access-group 102
 match protocol http
 match access-group name VPN_Inbound_Nortel
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.1
10-23-2012 01:58 PM
Bump!
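The narrow alternative the thread is asking for, as an added example that is not from either poster: pass only the Nortel gateway's ESP/AH through the two zone-pairs and leave class-default on drop. It assumes a placeholder <VPN_SERVER_IP> for the external gateway and the posted 192.168.0.0/24 inside LAN, and it relies on the posted ccp-inspect policy already inspecting UDP (class ccp-cls-insp-traffic matches protocol udp), which gives ISAKMP on UDP 500 (and UDP 4500 if the client negotiates NAT-T) a stateful session; ESP and AH cannot be inspected statefully, so they need an explicit pass in each direction.

```ios
! Added example, not from the thread. <VPN_SERVER_IP> is a placeholder for the
! external Nortel gateway; 192.168.0.0/24 is the inside LAN from the posted config.
!
! ISAKMP (UDP 500 / 4500) already gets a session from ccp-inspect's udp inspect.
! ESP (50) and AH (51) have no session tracking, so today the return packets from
! the gateway hit "class class-default / drop" in sdm-pol-NATOutsideToInside-1.
ip access-list extended NORTEL_VPN_OUT
 permit esp 192.168.0.0 0.0.0.255 host <VPN_SERVER_IP>
 permit ahp 192.168.0.0 0.0.0.255 host <VPN_SERVER_IP>
ip access-list extended NORTEL_VPN_IN
 permit esp host <VPN_SERVER_IP> any
 permit ahp host <VPN_SERVER_IP> any
!
class-map type inspect match-any NORTEL_VPN_OUT_CLASS
 match access-group name NORTEL_VPN_OUT
class-map type inspect match-any NORTEL_VPN_IN_CLASS
 match access-group name NORTEL_VPN_IN
!
! in-zone -> out-zone: the new class is evaluated before class-default; ESP/AH
! never match the tcp/udp classes above it, so nothing else changes.
policy-map type inspect ccp-inspect
 class type inspect NORTEL_VPN_OUT_CLASS
  pass
!
! out-zone -> in-zone: only ESP/AH sourced from the gateway is passed; all other
! unsolicited inbound traffic still falls through to "class class-default / drop".
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect NORTEL_VPN_IN_CLASS
  pass
```

Confirm the new classes are the ones taking the hits with "show policy-map type inspect zone-pair" while a client connects, so class-default's drop counter stays flat.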