IOS ZONE based FW with gre

Namal Suranga
Level 1

I have configured a Cisco 2911 router with the security bundle as a zone-based firewall.

Configurations:

Gi0/1 - Internet connection - (outside-zone)

Gi0/0 - Internal users - (inside-zone)

Gi0/2 - ISA server - (ISA-zone); this is used just to connect to the VPN from outside, for just one user

I have an issue when a connection is established from the outside zone to the ISA zone. The configuration is given below:

ip access-list extended Outside-to-ISA
 permit tcp any host 202.124.161.5 eq 1723
 permit gre any host 202.124.161.5
class-map type inspect match-any Outside-to-ISA
 match access-group name Outside-to-ISA
policy-map type inspect Outside-to-ISA
 class type inspect Outside-to-ISA
  inspect

Then I configured the zone-pair accordingly, but the VPN connection was not established... :-(

Then I created another access-list, class-map and policy-map, as well as a zone-pair from ISA-zone to outside-zone:

ip access-list extended ISA-to-Outside
 permit tcp host 202.124.161.5 any
 permit gre host 202.124.161.5 any
class-map type inspect match-any ISA-to-Outside
 match access-group name ISA-to-Outside
policy-map type inspect ISA-to-Outside
 class type inspect ISA-to-Outside
  inspect

The result is the same, but the VPN connection was not established... :-( :-(

Then I configured the traffic to pass instead of inspect in both directions, e.g.:

policy-map type inspect ISA-to-Outside
 class type inspect ISA-to-Outside
  no inspect
  pass

Then it worked, but this is not secure; it's like traditional access control. So please, could someone help me sort out this problem?

thanx,

namal.


9 Replies

Jennifer Halim
Cisco Employee

You would need to configure the action as "pass" for the GRE traffic in both directions, because GRE is a stateless protocol.

For TCP/1723 you can configure it in just one direction, i.e. outside to ISA zone, with the action "inspect", because TCP is a stateful protocol.

That's very clear...

Thank you very much!!!

Great to hear it's clear. Please kindly mark the post answered so others can learn from your question. Thank you.

Hi,

I have configured as above, but it's not working properly. I can initiate a TCP connection on port 1723, but I can't connect the VPN.....

Is there anything more...

Configs:

ip access-list extended ISA-SERVER-TO-OUTSIDE-ANY
 permit ip host 202.124.160.2 any
ip access-list extended ISA-SERVER-TO-OUTSIDE-GRE
 permit gre host 202.124.160.2 any
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-GRE-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-GRE
class-map type inspect match-all ISA-SERVER-TO-OUTSIDE-ANY-CM
 match access-group name ISA-SERVER-TO-OUTSIDE-ANY
policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect
 class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM
  pass
 class class-default
  drop
zone-pair security ISA-SERVER-TO-OUTSIDE source ISA-SERVER-ZONE destination OUTSIDE-ZONE
 service-policy type inspect ISA-SERVER-TO-OUTSIDE-PM

***************************************************************************

ip access-list extended OUTSIDE-TO-ISA-SERVER-GRE
 permit gre any host 220.247.219.38
ip access-list extended OUTSIDE-TO-ISA-SERVER-TCP
 permit tcp any host 220.247.219.38 eq 1723
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-GRE-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-GRE
class-map type inspect match-any OUTSIDE-TO-ISA-SERVER-TCP-CM
 match access-group name OUTSIDE-TO-ISA-SERVER-TCP
policy-map type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM
 class type inspect OUTSIDE-TO-ISA-SERVER-TCP-CM
  inspect
 class type inspect OUTSIDE-TO-ISA-SERVER-GRE-CM
  pass
 class class-default
  drop
zone-pair security OUTSIDE-TO-ISA-SERVER source OUTSIDE-ZONE destination ISA-SERVER-ZONE
 service-policy type inspect OUTSIDE-TO-ISA-SERVER-TCP-PM

You don't need the following as it also covers the GRE traffic which needs "pass" instead of "inspect":

policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect

All you need is the second class-map if the ISA server does not need to initiate any traffic outbound. If it does need to initiate traffic outbound then you should have the GRE class map on top and the ANY class map as the second class map as follows:

policy-map type inspect ISA-SERVER-TO-OUTSIDE-PM
 class type inspect ISA-SERVER-TO-OUTSIDE-GRE-CM
  pass
 class type inspect ISA-SERVER-TO-OUTSIDE-ANY-CM
  inspect

Thanks for your update... I have changed it as above... but it is still not working....

Can you share the whole policy again after the changes?

Also, if you just have the GRE class map with action "pass", does it work?

Hi Jennifer,

Thanks for the comment. It's working now; it was not an issue with the router config. We found a problem with a smartphone, because we used a smartphone for checking the VPN connection, and that was the issue. As you told me, the GRE class-map must be at the top of the table and it must be "PASS", that's all. So thank you very much for your support.

Great to hear, and thanks for the update and ratings.
