08-06-2012 04:04 AM - edited 03-11-2019 04:38 PM
I have configured a Cisco 2911 router with the security bundle as a zone-based firewall.
Configuration:
Gi0/1 - Internet connection - (outside-zone)
Gi0/0 - Internal users - (inside-zone)
Gi0/2 - ISA server - (ISA-zone); this is used just to connect to the VPN from outside, for just one user
I got an issue when a connection is established from the outside zone to the ISA zone; the configuration is given below:
ip access-list extended Outside-to-ISA
 permit tcp any host 202.124.161.5 eq 1723
 permit gre any host 202.124.161.5
class-map type inspect match-any Outside-to-ISA
 match access-group name Outside-to-ISA
policy-map type inspect Outside-to-ISA
 class type inspect Outside-to-ISA
  inspect
Then I configured the zone-pair accordingly, but the VPN connection was not established... :-(
Then I created another access-list, class-map and policy-map, as well as a zone-pair from ISA-zone to outside-zone:
ip access-list extended ISA-to-Outside
 permit tcp host 202.124.161.5 any
 permit gre host 202.124.161.5 any
class-map type inspect match-any ISA-to-Outside
 match access-group name ISA-to-Outside
policy-map type inspect ISA-to-Outside
 class type inspect ISA-to-Outside
  inspect
The result is the same; the VPN connection was still not established... :-( :-(
Then I configured the traffic to pass instead of inspect in both directions,
e.g.
policy-map type inspect ISA-to-Outside
 class type inspect ISA-to-Outside
  no inspect
  pass
Then it worked, but this is not secure; it's like traditional access control, so could someone please help me sort out this problem.
Thanks,
namal.
08-06-2012 04:32 AM
You would need to configure the action as "pass" for the GRE traffic in both directions because GRE is a stateless protocol.
For TCP/1723 you can configure it in just one direction, i.e. outside to ISA zone, with the action "inspect", because TCP is a stateful protocol.
08-06-2012 04:40 AM
That's very clear...
Thank you very much !!!
08-06-2012 04:50 AM
Great to hear it's clear. Please kindly mark the post as answered so others can learn from your question. Thank you.
08-07-2012 08:01 AM
Hi,
I have configured as above, but it's not working properly. I can initiate a TCP connection on port 1723 but I can't connect the VPN...
Is there anything more...
Configs:
ip access-list extended ISA-SERVER-TO-OUTSIDE-ANY
 permit ip host 202.124.160.2 any
ip access-list extended ISA-SERVER-TO-OUTSIDE-GRE
 permit gre host 202.124.160.2 any
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-GRE-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-GRE
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-ANY-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-ANY
policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect
 class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM
  pass
 class class-default
  drop
zone-pair security ISA-SERVER-TO-OUTSIDE source ISA-SERVER-ZONE destination OUTSIDE-ZONE
 service-policy type inspect ISA-SERVER-TO-OUTSIDE-PM
***************************************************************************
ip access-list extended OUTSIDE-TO-ISA-SERVER-GRE
 permit gre any host 220.247.219.38
ip access-list extended OUTSIDE-TO-ISA-SERVER-TCP
 permit tcp any host 220.247.219.38 eq 1723
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-GRE-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-GRE
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-TCP-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-TCP
policy-map type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM
 class type inspect OUTSIDE-TO-ISA-SERVER-TCP-CM
  inspect
 class type inspect OUTSIDE-TO-ISA-SERVER-GRE-CM
  pass
 class class-default
  drop
zone-pair security OUTSIDE-TO-ISA-SERVER source OUTSIDE-ZONE destination ISA-SERVER-ZONE
 service-policy type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM
08-07-2012 08:45 AM
You don't need the following as it also covers the GRE traffic which needs "pass" instead of "inspect":
policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect
All you need is the second class-map if the ISA server does not need to initiate any traffic outbound. If it does need to initiate traffic outbound then you should have the GRE class map on top and the ANY class map as the second class map as follows:
policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM
  pass
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect
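Pulling together the advice given in this thread (GRE gets "pass" in both directions because it is stateless, TCP/1723 gets "inspect" from outside only, and the narrow GRE class sits above any broader class so it is matched first), the complete two-zone-pair configuration would look as follows. This is an added example assembled from the thread's own object names and addresses, not a configuration posted by anyone in the thread; the zone definitions and the interface membership of Gi0/1 and Gi0/2 are assumed from the original description (Gi0/0 and the inside zone are left out), and the two different host addresses are kept exactly as the poster used them.

```cisco
! Zones and interface membership (assumed from the thread; inside zone omitted)
zone security OUTSIDE-ZONE
zone security ISA-SERVER-ZONE
interface GigabitEthernet0/1
 zone-member security OUTSIDE-ZONE
interface GigabitEthernet0/2
 zone-member security ISA-SERVER-ZONE
!
! Outside -> ISA server: GRE is passed (stateless), the PPTP control
! channel on TCP/1723 is inspected (stateful, so only this direction needs it)
ip access-list extended OUTSIDE-TO-ISA-SERVER-GRE
 permit gre any host 220.247.219.38
ip access-list extended OUTSIDE-TO-ISA-SERVER-TCP
 permit tcp any host 220.247.219.38 eq 1723
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-GRE-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-GRE
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-TCP-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-TCP
policy-map type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM
 class type inspect OUTSIDE-TO-ISA-SERVER-GRE-CM
  pass
 class type inspect OUTSIDE-TO-ISA-SERVER-TCP-CM
  inspect
 class class-default
  drop
zone-pair security OUTSIDE-TO-ISA-SERVER source OUTSIDE-ZONE destination ISA-SERVER-ZONE
 service-policy type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM
!
! ISA server -> outside: GRE class first with "pass"; the broad ANY class
! below it is only needed if the ISA server must initiate outbound traffic
ip access-list extended ISA-SERVER-TO-OUTSIDE-GRE
 permit gre host 202.124.160.2 any
ip access-list extended ISA-SERVER-TO-OUTSIDE-ANY
 permit ip host 202.124.160.2 any
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-GRE-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-GRE
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-ANY-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-ANY
policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM
  pass
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect
 class class-default
  drop
zone-pair security ISA-SERVER-TO-OUTSIDE source ISA-SERVER-ZONE destination OUTSIDE-ZONE
 service-policy type inspect ISA-SERVER-TO-OUTSIDE-PM
```

The ordering matters because classes in an inspect policy-map are evaluated top down and the first match wins: with the ANY class on top, GRE from the ISA server would be swallowed by the "inspect" action and never reach the "pass" class. To check the result after a client connects, `show policy-map type inspect zone-pair sessions` should list the TCP/1723 control session under the outside-to-ISA zone-pair, while the GRE tunnel traffic creates no session entry at all, since "pass" does not track state; the class-default "drop" counters on both zone-pairs are the place to look if anything is still being blocked.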
08-07-2012 10:00 AM
Thanks for your update... I have changed it as above... but it's still not working...
08-08-2012 01:40 AM
Can you share the whole policy again after the changes?
Also, if you just have the GRE class map with action "pass", does it work?
08-08-2012 09:15 PM
Hi Jennifer,
Thanks for the comment. It's working now; it was not an issue with the router config, we found some problem with a smartphone, because we used a smartphone for checking the VPN connection and that was the issue. As you said, the GRE class-map must be at the top of the table and it must be "PASS", that's all. So thank you very much for your support.
08-09-2012 05:55 AM
Great to hear, and thanks for the update and ratings.