12-19-2016 02:26 PM - edited 03-12-2019 01:40 AM
Hello, I've been working on implementing a Zone Based Firewall for our offsite users that utilize an 881 router with DMVPN tunnels to connect. Right now I have an outside zone (WAN facing), an inside zone (LAN) and the self zone. I have zone pairs for Inside to Outside and Outside to Self. The Outside to Self zone-pair has a policy that includes an ACL with the following:
ip access-list extended INET_PROTECT
 remark Permits DHCP from ISP
 permit udp any any eq bootpc
 permit udp any any eq bootps
 remark Permits DMVPN Tunnel Traffic
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit gre any any
 remark Permits Management Access
 permit tcp X.X.X.X 0.0.3.255 any eq 22
 permit tcp X.X.X.X 0.0.3.255 any eq 443
 permit tcp X.X.X.X 0.0.0.255 any eq 22
 permit tcp X.X.X.X 0.0.0.255 any eq 443
 permit tcp X.X.X.X 0.0.0.255 any eq cmd
 permit tcp X.X.X.X 0.0.3.255 any eq cmd
 permit icmp X.X.X.X 0.0.3.255 any
 remark Permits Selected ICMP Traffic
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 remark Deny Traffic Sourced From Loopback Addresses
 deny ip 127.0.0.0 0.255.255.255 any
 remark Deny Traffic Sourced From Broadcast Address
 deny ip host 255.255.255.255 any
 remark Deny Traffic Sourced From Default
 deny ip host 0.0.0.0 any
 deny ip any any
And this is my zone policy configuration:
class-map type inspect match-any OUTSIDE-SELF
 match access-group name INET_PROTECT
!
policy-map type inspect OUTSIDE-SELF
 class type inspect OUTSIDE-SELF
  pass
 class class-default
  drop
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
My question is, when I have the policy map OUTSIDE-SELF set to "pass" traffic from the OUTSIDE-SELF class map, everything works fine and the tunnels come up and form EIGRP adjacencies. If I change this to "inspect", the tunnels are no longer able to form neighborships and I see blocks on the "deny ip 10.0.0.0 0.255.255.255 any" part of the ACL. Can someone help me understand why this is happening?
Thanks!
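As an added illustration (not from the original post or any reply), here is a small first-match evaluator over the ACL above: given a packet's protocol, addresses and destination port or ICMP type, it reports which ACE the packet hits, so you can check what a particular DMVPN, DHCP or EIGRP packet would do against this list. The sample packets, addresses and the protocol/port lookup tables are constructed; the redacted X.X.X.X management entries are omitted because they cannot be evaluated.

```python
import ipaddress
def ip(s): return int(ipaddress.IPv4Address(s))  # dotted quad -> int
# Constructed sample: the poster's INET_PROTECT ACL in the order given, remarks dropped and
# the redacted X.X.X.X management entries omitted (they cannot be evaluated here).
INET_PROTECT = """permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit gre any any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any""".splitlines()
PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50, "ahp": 51, "eigrp": 88}
PORT = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500, "cmd": 514}
ICMP = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

def parse_addr(tok):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); return ((net, wildcard), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip(tok[1]), 0), tok[2:]
    return (ip(tok[0]), ip(tok[1])), tok[2:]

def addr_matches(spec, addr):
    net, wild = spec  # wildcard bit 0 = must match, 1 = don't care
    return (ip(addr) ^ net) & ~wild & 0xFFFFFFFF == 0

def first_match(acl, proto, src, dst, dport=None, icmp_type=None):
    """Return (ACE number, action, text) of the first entry the packet hits, as IOS evaluates it."""
    for n, line in enumerate(acl, 1):
        action, aproto, *tok = line.split()
        sspec, tok = parse_addr(tok)
        dspec, tok = parse_addr(tok)
        proto_ok = PROTO[aproto] in (None, PROTO[proto])  # 'ip' matches any protocol
        addr_ok = addr_matches(sspec, src) and addr_matches(dspec, dst)
        port_ok = tok[:1] != ["eq"] or PORT[tok[1]] == dport  # 'eq <port>' qualifier
        icmp_ok = aproto != "icmp" or not tok or ICMP[tok[0]] == icmp_type  # ICMP type qualifier
        if proto_ok and addr_ok and port_ok and icmp_ok:
            return n, action, line
    return None, "deny", "implicit deny"
```

With this list, an EIGRP hello (IP protocol 88) sourced from a 10.x tunnel address is covered by no permit entry and lands on the 10.0.0.0/8 deny (ACE 11), whereas GRE or ISAKMP from a public peer address hits ACE 7 or ACE 4.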
12-19-2016 11:41 PM
If you want to "inspect" then you should configure this
Regards,
Deepak Kumar
12-20-2016 03:27 AM
Can you try this...
1. Define an ACL to allow udp port any any 500
2. Define the ACL into the class-map
3. Define the class map with inspection of ipsec inside the policy-map
4. Bring the policy-map into the service-policy applied on outside and in.
----------------------------------------------------------------------------
or try below.
class-map type inspect match-any ISAKMP-IPSec-TRAFFIC
 match protocol ipsec
 match protocol isakmp
!
policy-map type inspect OUTSIDE-SELF
 class type inspect ISAKMP-IPSec-TRAFFIC
  inspect
 class class-default
  drop
!
! ZBF inspect policies are attached to a zone-pair, not applied directly to an interface
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
Please rate my comments if this helps you.
Thanks,
Mani