Question About Zone Based Firewall on IOS

jonathanw84
Level 1

Hello, I've been working on implementing a Zone Based Firewall for our offsite users that utilize an 881 router with DMVPN tunnels to connect. Right now I have an outside zone (WAN facing), inside zone (LAN) and the self zone. I have zone pairs for Inside to Outside and Outside to Self. The Outside to Self zone-pair has a policy that includes an ACL with the following:

 remark Permits DHCP from ISP
 permit udp any any eq bootpc
 permit udp any any eq bootps
 remark Permits DMVPN Tunnel Traffic
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit gre any any
 remark Permits Management Access
 permit tcp X.X.X.X 0.0.3.255 any eq 22
 permit tcp X.X.X.X 0.0.3.255 any eq 443
 permit tcp X.X.X.X 0.0.0.255 any eq 22
 permit tcp X.X.X.X 0.0.0.255 any eq 443
 permit tcp X.X.X.X 0.0.0.255 any eq cmd
 permit tcp X.X.X.X 0.0.3.255 any eq cmd
 permit icmp X.X.X.X 0.0.3.255 any
 remark Permits Selected ICMP Traffic
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 remark Deny Traffic Sourced From Loopback Addresses
 deny   ip 127.0.0.0 0.255.255.255 any
 remark Deny Traffic Sourced From Broadcast Address
 deny   ip host 255.255.255.255 any
 remark Deny Traffic Sourced From Default
 deny   ip host 0.0.0.0 any
 deny   ip any any

And this is my zone policy configuration:

class-map type inspect match-any OUTSIDE-SELF
 match access-group name INET_PROTECT
!
policy-map type inspect OUTSIDE-SELF
 class type inspect OUTSIDE-SELF
  pass
 class class-default
  drop
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF

My question is, when I have the policy map OUTSIDE-SELF set to "pass" traffic from the OUTSIDE-SELF class map, everything works fine and the tunnels come up and form EIGRP adjacencies. If I change this to "inspect", the tunnels are no longer able to form neighborships and I see blocks on the "deny ip 10.0.0.0 0.255.255.255 any" part of the ACL. Can someone help me understand why this is happening?

Thanks!

2 Replies

Deepak Kumar
VIP Alumni

If you want to "inspect", then you should configure this ACL to allow the VPN protocols and port numbers as well.

Regards,

Deepak Kumar


MANI .P
Level 1

Can you try this:

1. Define an ACL to allow UDP port 500 (any any).

2. Define the ACL in the class-map.

3. Define the class map with inspection of IPsec inside the policy-map.

4. Bring the policy-map into the service-policy applied on outside and in.

----------------------------------------------------------------------------

Or try the below:

! Class maps referenced from a "policy-map type inspect" must themselves be "type inspect"
class-map type inspect match-any ISAKMP-IPSec-TRAFFIC
 match protocol ipsec
 match protocol isakmp
!
policy-map type inspect OUTSIDE-SELF
 class type inspect ISAKMP-IPSec-TRAFFIC
  inspect
 class class-default
  drop
!
! An inspect policy is attached to the zone-pair, not to an interface
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF

Please rate my comments if this helps you.

Thanks,

Mani
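One way to lay the OUTSIDE-to-self policy out so that the tunnel protocols are passed while the UDP, TCP and ICMP flows are inspected, added here as an example and not taken from any of the posts above. ESP, AH and GRE carry no Layer 4 session state for the firewall to track, so they go in a class with the pass action; the ACL and class-map names are my own, and X.X.X.X stands in for the management range exactly as in the question.

```cisco
! Added example, not the poster's configuration.
! Protocols without L4 ports cannot be inspected statefully: pass them.
ip access-list extended SELF-PASS
 remark DMVPN transport: IPsec ESP/AH and the GRE tunnel itself
 permit esp any any
 permit ahp any any
 permit gre any any
!
! UDP/TCP/ICMP flows have state the firewall can follow: inspect them.
ip access-list extended SELF-INSPECT
 remark DHCP from ISP, IKE and NAT-T
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark Management access (X.X.X.X is a placeholder range)
 permit tcp X.X.X.X 0.0.3.255 any eq 22
 permit tcp X.X.X.X 0.0.3.255 any eq 443
 remark Selected ICMP replies/errors
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark Bogon and private sources are denied and fall to class-default drop
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
!
class-map type inspect match-any OUTSIDE-SELF-PASS
 match access-group name SELF-PASS
class-map type inspect match-any OUTSIDE-SELF-INSPECT
 match access-group name SELF-INSPECT
!
policy-map type inspect OUTSIDE-SELF
 class type inspect OUTSIDE-SELF-PASS
  pass
 class type inspect OUTSIDE-SELF-INSPECT
  inspect
 class class-default
  drop
!
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-SELF
```

Traffic denied by an ACL does not match its class-map, so anything the two ACLs deny or omit ends up in class-default and is dropped.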
