11-05-2014 05:09 AM - edited 03-11-2019 10:01 PM
Hi, I’m having some difficulty in understanding the behaviour of zone-based firewalls on an 887VA router; I do not understand the implications of including the self zone in a zone-pair. It seems that if you include the self zone in a pair with any other zone, the self zone becomes restrictive between all zones, whether paired or not. For example, if I include the self zone in a pair with the OUTSIDE zone, pinging the router from a host in the INSIDE zone no longer works.
Secondly, we operate a DMVPN (this is a spoke router) and the tunnel will successfully establish with the following traffic configured to PASS:
TCP 4500
TCP 500
ESP
GRE
However, traffic through the tunnel will fail (including RIP).
If, however, I modify the firewall policy to permit all traffic to and from the self and OUTSIDE zones, tunnel traffic seems to work successfully between the self and VPN zones and the VPN and internal zones.
However, given that all traffic destined for the tunnel would be encapsulated in a GRE header and GRE is permitted between the self and OUTSIDE zones, I cannot see what other ports would need opening?
I’ve included some config below, any help would be greatly appreciated.
Access Lists
Extended IP access list OUTSIDE>INSIDE
10 permit ip any any
Extended IP access list OUTSIDE>SELF
(if this entry is included, tunnel traffic works: permit ip object-group DMVPNIPGROUP object-group SELF (818 matches))
10 permit gre object-group DMVPNIPGROUP object-group SELF
20 permit tcp object-group DMVPNIPGROUP object-group SELF eq 4500
30 permit tcp host HO host SELF eq 22 (18589 matches)
40 permit tcp object-group DMVPNIPGROUP object-group SELF eq 500
50 permit esp object-group DMVPNIPGROUP object-group SELF (424 matches)
70 deny ip any any (7570 matches)
Extended IP access list SELF>OUTSIDE
(if this entry is included, tunnel traffic works: 8 permit ip object-group SELF object-group DMVPNIPGROUP (1013 matches))
10 permit gre object-group SELF any
20 permit tcp object-group SELF any eq 4500
30 permit tcp object-group SELF eq 22 host HO (12899 matches)
40 permit tcp object-group SELF any eq 500
50 permit esp object-group SELF any
Extended IP access list SELF>OUTSIDE_Insp
10 permit tcp any any eq domain
20 permit udp any any eq domain (86 matches)
Extended IP access list SELF>VPN
10 permit ip any any (31 matches)
Extended IP access list SSH_Allow
20 permit tcp network_obj HO any eq 22 log (22 matches)
70 permit tcp LocalSubnet any eq 22
80 deny ip any any log (8 matches)
Extended IP access list VPN>INSIDE
10 permit ip any any (568 matches)
Extended IP access list VPN>SELF
10 permit ip any any (15 matches)
Zone: self
Description: System defined zone
Zone: OUTSIDE
Member Interfaces:
Dialer1
Zone: INSIDE
Member Interfaces:
Vlan1
Zone: VPN
Member Interfaces:
Tunnel0
Zone-pair : OUTSIDE>SELF
Source Zone : OUTSIDE
Destination Zone : self
Service-policy inspect : PM-OUTSIDE>SELF
Class-map : CM-OUTSIDE>SELF(match-any)
Action : pass log
Class-map : class-default(match-any)
Action : drop log
Zone-pair : INSIDE>OUTSIDE
Source Zone : INSIDE
Destination Zone : OUTSIDE
Service-policy inspect : PM-INSIDE>OUTSIDE
Class-map : CM-INSIDE>OUTSIDE(match-any)
Action : inspect
Service Policy: http PM-DPI_HTTP_OUT
Class-map : CM-INSIDE>OUTSIDE2(match-any)
Action : inspect
Class-map : class-default(match-any)
Action : drop log
Zone-pair : SELF>OUTSIDE
Source Zone : self
Destination Zone : OUTSIDE
Service-policy inspect : PM-SELF>OUTSIDE
Class-map : CM-SELF>OUTSIDE(match-any)
Action : pass log
Class-map : CM-SELF>OUTSIDE_Insp(match-any)
Action : inspect
Class-map : class-default(match-any)
Action : drop log
Zone-pair : VPN>INSIDE
Source Zone : VPN
Destination Zone : INSIDE
Service-policy inspect : PM-VPN>INSIDE
Class-map : CM-VPN>INSIDE(match-any)
Action : pass log
Class-map : class-default(match-any)
Action : drop log
Zone-pair : INSIDE>VPN
Source Zone : INSIDE
Destination Zone : VPN
Service-policy inspect : PM-INSIDE>VPN
Class-map : CM-INSIDE>VPN(match-any)
Action : pass log
Class-map : class-default(match-any)
Action : drop log
Zone-pair : SELF>VPN
Source Zone : self
Destination Zone : VPN
Service-policy inspect : PM-SELF>VPN
Class-map : CM-SELF>VPN(match-any)
Action : pass log
Class-map : class-default(match-any)
Action : drop log
Zone-pair : VPN>SELF
Source Zone : VPN
Destination Zone : self
Service-policy inspect : PM-VPN>SELF
Class-map : CM-VPN>SELF(match-any)
Action : pass log
Class-map : class-default(match-any)
Action : drop log
Class Map type inspect match-any CM-SELF>OUTSIDE_Insp (id 33)
Match access-group name SELF>OUTSIDE_Insp
Class Map type inspect match-any CM-VPN>INSIDE (id 29)
Match access-group name VPN>INSIDE
Class Map type inspect match-any CM-INSIDE>VPN (id 30)
Match access-group name INSIDE>VPN
Class Map type inspect match-any CM-SELF>VPN (id 47)
Match access-group name SELF>VPN
Class Map type inspect match-any CM-VPN>SELF (id 48)
Match access-group name VPN>SELF
Class Map type inspect match-any CM-OUTSIDE>SELF (id 4)
Match access-group name OUTSIDE>SELF
Class Map type inspect match-any CM-OUTSIDE>INSIDE (id 5)
Match access-group name OUTSIDE>INSIDE
Class Map type inspect match-any CM-INSIDE>OUTSIDE (id 6)
Match protocol http
Class Map type inspect match-any CM-SELF>OUTSIDE (id 7)
Match access-group name SELF>OUTSIDE
Class Map type inspect match-any CM-INSIDE>OUTSIDE2 (id 10)
Match protocol https
Match protocol smtp
11-05-2014 02:33 PM
Hi
Sounds like you are having some problems :)
It would be easier to see what has been done if you posted your running-config instead of show commands; they are harder to follow than the running-config.
And it's UDP ports 500 and 4500 you want to open, not TCP.
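The following is an added example of what the self-zone ACLs from the question look like with the reply's correction applied (IKE and NAT-T on UDP 500/4500 rather than TCP); it is not the poster's final configuration. It reuses the object-group and class-map names shown in the thread (DMVPNIPGROUP, SELF, CM-OUTSIDE>SELF, CM-SELF>OUTSIDE, CM-SELF>OUTSIDE_Insp); the IP addresses inside the object groups and the HO host are placeholders, since the thread does not show them. Note that in the posted `show access-list` output the `tcp eq 500` and `tcp eq 4500` entries carry no match counters while the trailing `deny ip any any` has thousands, which is consistent with ISAKMP arriving on UDP and being dropped.

```cisco
! Added example, not the original poster's config.
! Object-group members are placeholders (RFC 5737 documentation addresses).
object-group network DMVPNIPGROUP
 host 203.0.113.10          ! DMVPN hub public address (assumed)
object-group network SELF
 host 198.51.100.5          ! this spoke's Dialer1 address (assumed)
!
! Hub -> this router. IKE is UDP 500, NAT-T is UDP 4500; ESP and GRE are IP protocols.
ip access-list extended OUTSIDE>SELF
 permit gre object-group DMVPNIPGROUP object-group SELF
 permit udp object-group DMVPNIPGROUP object-group SELF eq 500
 permit udp object-group DMVPNIPGROUP object-group SELF eq 4500
 permit esp object-group DMVPNIPGROUP object-group SELF
 permit tcp host 192.0.2.20 object-group SELF eq 22    ! HO management host (placeholder)
 deny ip any any
!
! This router -> hub. "pass" is stateless and one-directional, so the
! reverse zone-pair needs its own matching entries.
ip access-list extended SELF>OUTSIDE
 permit gre object-group SELF any
 permit udp object-group SELF any eq 500
 permit udp object-group SELF any eq 4500
 permit esp object-group SELF any
 permit tcp object-group SELF eq 22 host 192.0.2.20
!
class-map type inspect match-any CM-OUTSIDE>SELF
 match access-group name OUTSIDE>SELF
class-map type inspect match-any CM-SELF>OUTSIDE
 match access-group name SELF>OUTSIDE
!
policy-map type inspect PM-OUTSIDE>SELF
 class type inspect CM-OUTSIDE>SELF
  pass log
 class class-default
  drop log
policy-map type inspect PM-SELF>OUTSIDE
 class type inspect CM-SELF>OUTSIDE
  pass log
 class type inspect CM-SELF>OUTSIDE_Insp
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE>SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE>SELF
zone-pair security SELF>OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF>OUTSIDE
```

To confirm the change took effect, clear the counters (`clear ip access-list counters OUTSIDE>SELF`), let the tunnel re-establish, and check that the UDP 500/4500 entries now accumulate matches while the final deny stops growing; `show crypto isakmp sa`, `show crypto ipsec sa` and `show dmvpn` should then show the IKE SA, the IPsec SAs and an UP NHRP registration with the hub. Because `pass` keeps no session state, any further router-originated protocol (NTP, syslog, SNMP traps) needs either an explicit entry in SELF>OUTSIDE or, for TCP/UDP, an `inspect` class like the existing DNS one.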
11-06-2014 08:17 AM
Cannot believe I didn't see that. I'm gonna test a little more, but I think that's it.
Thanks for your help.