Hello!!!!

NIIICEEEEEEEEE, its been a while since I dont see a Beautiful Zone based not letting people to create the GRE over IPsec , whe need to know which Encapsulation protocol is he dropping.

Would you please put the command ip inspect log drop-pkt and do term mon on the global configuration mode and try to bring the tunnel up?

Let me know please !!!

Mike

I was also pinging the unit from the remote side when I brought it up.

rt-p196(config)#ip inspect log drop-pkt
rt-p196(config)#
*Oct 29 17:21:55.639: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141
:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP
action found in policy-map with ip ident 0
*Oct 29 17:22:14.187: %FW-6-LOG_SUMMARY: 19 packets were dropped from XXX.remoteWAN
.141:0 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:22:14.187: %FW-6-LOG_SUMMARY: 19 packets were dropped from XXX.remoteWAN
.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:22:25.647: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141
:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP
action found in policy-map with ip ident 0
*Oct 29 17:22:55.655: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141
:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP
action found in policy-map with ip ident 0
*Oct 29 17:23:14.187: %FW-6-LOG_SUMMARY: 59 packets were dropped from XXX.remoteWAN
.141:0 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:23:14.187: %FW-6-LOG_SUMMARY: 60 packets were dropped from XXX.remoteWAN
.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)

THANKS FOR HELPING!

Here it is agian without pinging the unit.

rt-p196(config)#ip inspect log drop-pkt
rt-p196(config)#
*Oct 29 17:37:56.519: %FW-6-DROP_PKT: Dropping icmp session XXX.remoteWAN.141:0
XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP actio
n found in policy-map with ip ident 0
*Oct 29 17:38:14.187: %FW-6-LOG_SUMMARY: 5 packets were dropped from XXX.remoteWAN
141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:38:28.491: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141
:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP
action found in policy-map with ip ident 0
*Oct 29 17:38:59.207: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141
:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP
action found in policy-map with ip ident 0
*Oct 29 17:39:14.187: %FW-6-LOG_SUMMARY: 23 packets were dropped from XXX.remoteWAN
.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)

Hello,

The one that you mention on ACL 104, is that your Endpoint for the GRE? Can you show me the configuration for the Tunnel Interface?

Let me know.

Mike

!

!

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 104

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 103

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 102

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect sdm-permit-gre

class type inspect SDM_GRE

  pass

class class-default

  drop log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  pass

class type inspect sdm-access

  inspect

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security gre-zone

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-gre source out-zone destination gre-zone

service-policy type inspect sdm-permit-gre

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security ccp-zp-gre-out source gre-zone destination out-zone

service-policy type inspect sdm-permit-gre

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key **KEY** address XXX.remoteWAN.141

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel toXXX.remoteWAN.141

set peer XXX.remoteWAN.141

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

!

interface Tunnel0

ip address 10.254.254.196 255.255.255.0

ip mtu 1420

zone-member security gre-zone

tunnel source GigabitEthernet0/0

tunnel destination XXX.remoteWAN.141

tunnel path-mtu-discovery

crypto map SDM_CMAP_1

!

!

interface GigabitEthernet0/0

description WAN$FW_OUTSIDE$

ip address XXX.LocalWAN.196 255.255.255.192

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

!

interface FastEthernet0/0/0

description 50 - Vlan50

switchport access vlan 50

!

!

interface FastEthernet0/0/1

description 50 - Vlan50

switchport access vlan 50

!

!

interface FastEthernet0/0/2

description 25 - Vlan25

switchport access vlan 25

!

!

interface FastEthernet0/0/3

description 25 - Vlan25

switchport access vlan 25

!

!

interface Vlan25

description Vlan25-Vlan$FW_INSIDE$

ip address 10.1.25.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

no mop enabled

!

!

interface Vlan50

description Vlan50-Vlan$FW_INSIDE$

ip address 10.1.50.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

!

ip forward-protocol nd

!

ip http server

ip http secure-server

!

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 XXX.NEXTHOP.193

ip route 10.0.25.0 255.255.255.0 Tunnel0

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_IP

remark CCP_ACL Category=0

permit ip any any

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.1.25.0 0.0.0.255

access-list 1 permit 10.1.50.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 permit gre host XXX.LocalWAN.196 host XXX.remoteWAN.141

access-list 101 remark CCP_ACL Category=2

access-list 101 deny   gre host XXX.LocalWAN.196 host XXX.remoteWAN.141

access-list 101 permit ip 10.1.50.0 0.0.0.255 any

access-list 101 permit ip 10.1.25.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip host 255.255.255.255 any

access-list 102 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip XXX.LocalWAN.192 0.0.0.63 any

access-list 103 remark CCP_ACL Category=128

access-list 103 permit ip host XXX.remoteWAN.141 any

access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host XXX.remoteWAN.141 any

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

Are you able to see the IPsec Tunnel coming up?

Cheers

Mike

No not once the firewall is in place.

Hello,

Is the host on the ACL 104 the endpoint on the other side? Can you change this class map class-map type inspect match-all SDM_VPN_PT instead of match all to match any?

It would be like this

class-map type inspect match-any SDM_VPN_PT

Thanks!

Mike

Host on ACL 104 and endpoint are the same.

class-map type inspect match-any SDM_VPN_PT

yeilded nothing..

Hello,

Thanks. Would you please take out the new logs?

Let me know.

*Oct 29 22:44:44.226: %FW-6-DROP_PKT: Dropping icmp session XXX.LocalWAN.196:0

XXX.RemoteWAN.141:0 on zone-pair ccp-zp-self-out class ccp-icmp-access   with ip ident 0

Hi,

If your shift is not over please try this and let me know.

policy-map type inspect ccp-permit
  class class-default
    pass

policy-map type inspect ccp-icmp-access
  class ccp-permit-icmpreply
    no inspect
      pass

Cheers

Mike.

I get

% class map ccp-permit-icmpreply not configured