ZBF - Return traffic categorized in wrong zone pair !

sylvain.munaut · ‎01-05-2012

Hi

I have a router serving as a PPTP server, assigning remote user a ip in the local lan range. From the lan zone (zone_A), I can access another zone directly attached to the router (zone_B). The PPTP server runs on the external wan interface (zone_C). I have a zone pair allowing all traffic from zone_A to zone_B. and it work fine for the local clients really on the lan. However for the clients in PPTP, I have to add another zone pair B to C allowing GRE traffic ... which doesn't make sense (the pptp client should be considered as part of zone A ! the gre encapsulation is from self to C and shouldn't matter).

Example config:

Router 1 (main PPTP server):

hostname r1

no ip domain-lookup

username user@TEST password 0 testpassword

vpdn enable

vpdn-group vpnin

accept-dialin

protocol pptp

virtual-template 1

zone security zone_A

zone security zone_B

zone security zone_C

ip local pool vpn_pool 10.1.0.64 10.1.0.95

interface Loopback 0

ip address 10.1.0.1 255.255.255.0

zone-member security zone_A

interface Virtual-Template1

ip unnumbered Loopback0

no ip route-cache

peer default ip address pool vpn_pool

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2

zone-member security zone_A

interface FastEthernet 0/0

ip address 80.80.80.1 255.255.255.0

zone-member security zone_C

no shut

interface FastEthernet 0/1

ip address 10.2.0.1 255.255.255.0

zone-member security zone_B

no shut

ip access-list extended acl_gre

permit gre any any

class-map type inspect cm_gre

match access-group name acl_gre

class-map type inspect match-any cm_all

match protocol icmp

match protocol udp

match protocol tcp

policy-map type inspect pm_gre

class cm_gre

pass

policy-map type inspect pm_all

class cm_all

inspect

zone-pair security zp_A_to_B source zone_A destination zone_B

service-policy type inspect pm_all

zone-pair security zp_B_to_C source zone_B destination zone_C

service-policy type inspect pm_gre

Router 2 (PPTP client):

hostname r2

no ip domain-lookup

interface FastEthernet 0/0

ip address 80.80.80.2 255.255.255.0

no shut

vpdn enable

vpdn-group vpnout

request-dialin

protocol pptp

rotary-group 0

initiate-to ip 80.80.80.1

interface Dialer0

mtu 1450

ip address negotiated

encapsulation ppp

dialer in-band

dialer idle-timeout 0

dialer string 123

dialer vpdn

dialer-group 1

ppp pfc local request

ppp pfc remote apply

ppp encrypt mppe auto

ppp chap hostname user@TEST

ppp chap password 0 testpassword

dialer-list 1 protocol ip permit

Router 3 (Random machine in the zone_B to test ping):

hostname r3

no ip domain-lookup

interface FastEthernet 0/0

ip address 10.2.0.2 255.255.255.0

no shut

ip route 10.1.0.0 255.255.255.0 10.2.0.1

So ... why the hell do I need this B_to_C zone pair for it to work ????

Julio Carvajal · ‎01-06-2012

Hello,

As simple as the ZBFW will see that the connection is being innitiated from a host on zone B eventough he looks like a host from the A zone.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

sylvain.munaut · ‎01-06-2012

But why would ZBF see that ?

I'm trying to ping a host in zone B (10.2.0.2 = R3) from the PPTP client (R2) which has its Virtual Access in zone A.

(I'm typing 'ping 10.2.0.2' on a shell on R2)

When I do a "show policy-firewall sessions", I can see that the session is created under the right zone-pair ( A_to_B ).

And the forward packet (echo request from A to B) passes without problem. But the return packet (icmp reply from B to A), is actually somehow put into the B to C zone-pair as a GRE packet, which doesn't make sense to me since:

1) 'C' is the zone of neither the source or destination of that packet

2) The 'GRE' packet encapsulating the response is generated in the router itself and not coming from B and so should be classed as a "self to C" zone-pair packet.