07-21-2011 03:06 AM - edited 03-11-2019 02:01 PM
Hi,
After applying ZBF on an 891, users cannot connect to internal resources after a successful VPN establishment. For testing purposes I've created only two zone-pairs without using the self-zone, only LAN-to-WAN and WAN-to-LAN. In the last one I've permitted everything in the corresponding class-map. From the point of view of the router, traffic of VPN clients comes in the WAN interface to LAN, right?
Below is the current configuration.
VPN clients get address from the 172.16.73.0/24 pool and internal resources are in the 172.16.72.0/24. Ping from 172.16.73.x to 172.16.7.2 fails.
! ZBF classes and policies (as posted)
class-map type inspect match-any CM_LAN_TO_WAN
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any CM_WAN_TO_LAN
 match access-group 102
access-list 102 permit ip 172.16.73.0 0.0.0.255 any
policy-map type inspect PM_LAN_TO_WAN
 class type inspect CM_LAN_TO_WAN
  inspect
 class class-default
  drop
policy-map type inspect PM_WAN_TO_LAN
 class type inspect CM_WAN_TO_LAN
  pass
 class class-default
  pass
zone-pair security ZP_LAN_TO_WAN source LAN destination WAN
 service-policy type inspect PM_LAN_TO_WAN
zone-pair security ZP_WAN_TO_LAN source WAN destination LAN
 service-policy type inspect PM_WAN_TO_LAN
!
! WAN side: the crypto map that terminates the VPN clients sits on the dialer
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp ipcp address accept
 no cdp enable
 crypto map mymap
!
! LAN side
interface Vlan72
 ip address 172.16.72.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip policy route-map PBR_WAN2
Thanks!
07-21-2011 10:18 AM
Hi Antonio,
Here is a document that discusses using ZBF with VPN on the same router:
See "Easy VPN with IPsec VTI" if you want to be able to put the decrypted traffic into its own zone.
See "Zone-Based Policy Firewall with non-interface-based IPsec VPN" for traditional VPN with ZBF.
The trend is to move towards DVTI so you might want to move in that direction.
Let me know if you have any questions.
Thanks,
Loren
07-21-2011 10:26 AM
Hi Loren,
If I'm right, the technote you provided is only for site-to-site VPNs not for remote user access via Cisco VPN Client as I need. The router is an endpoint for mobile users.
Thanks.
Antonio.
07-21-2011 10:50 AM
Hi Antonio,
The example for Easy VPN VTI also applies to the VPN Client as it is an Easy VPN client.
Here is some additional information regarding DVTI (Dynamic Virtual Tunnel Interfaces):
15.1M&T - IPsec Virtual Tunnel Interface
Dynamic Virtual Tunnel Interface Easy VPN Server: Example
Let me know if you have any questions.
Thanks,
Loren
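To illustrate the DVTI approach Loren points to, here is an added example configuration (not from the original thread or from Cisco's technotes) that terminates Easy VPN clients on a Virtual-Template so the decrypted traffic lands in a dedicated VPN zone and is inspected into LAN. Zone names, the VPN zone, the pool range, the group and profile names, the ACL/policy numbers and the use of local AAA lists are all assumptions; the PSK is a placeholder.

```cisco
! Added example, not the poster's config: names, pool and policy numbers are assumptions.
aaa new-model
aaa authentication login EZVPN_AUTH local
aaa authorization network EZVPN_AUTHOR local
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group EZVPN_GROUP
 key GROUP-PSK-PLACEHOLDER
 pool EZVPN_POOL
crypto isakmp profile EZVPN_PROF
 match identity group EZVPN_GROUP
 client authentication list EZVPN_AUTH
 isakmp authorization list EZVPN_AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS_AES esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC_PROF
 set transform-set TS_AES
 set isakmp-profile EZVPN_PROF
ip local pool EZVPN_POOL 172.16.73.10 172.16.73.250
!
! Decrypted client traffic gets its own zone: the Virtual-Template carries the
! zone membership and every Virtual-Access interface cloned from it inherits it.
zone security VPN
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan72
 zone-member security VPN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
! Inspect VPN-to-LAN so replies return by state; no blanket "pass" is needed.
class-map type inspect match-any CM_VPN_TO_LAN
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect PM_VPN_TO_LAN
 class type inspect CM_VPN_TO_LAN
  inspect
 class class-default
  drop
zone-pair security ZP_VPN_TO_LAN source VPN destination LAN
 service-policy type inspect PM_VPN_TO_LAN
```

With this model the crypto map on Dialer1 is replaced by the tunnel protection on the Virtual-Template, and the IKE/ESP packets arriving on the WAN interface are addressed to the router's self zone, which stays open as long as no self-zone zone-pair is defined. Traffic initiated from LAN towards the clients is dropped until a LAN-to-VPN zone-pair with its own policy is added.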