Hello,

we are trying to migrate from CBAC to ZBF to ease our firewall management. We translated all the ACLs to ZBF and it was a breeze. Everything went fine except one thing (the VPNs stopped working) which I'm hoping someone with more experience will help us figure out.

The network topology to illustrate the problem is as follows:

(the IPs slightly changed to protect the innocent)

[Internet]

.5 ^

|

192.168.0.4/30

|

| .6 F0/1

[ Cisco 2801] .17 Vlan 1<--- 192.168.63.16/29 --> [DMZ]

F0/0 ^ .1

|

192.168.1.0/24

|

v

[LAN]

(yes I know my ASCII drawing is bad)

We have three zones: Internet, DMZ and Lan. The VPNs terminate on the LNS at 192.168.63.17 (public IPs) and the VirtualTemplate2 is a member of the LAN zone to allow trusted traffic to flow between the LAN and the VPN clients. Unfortunately this doesn't seem to work... removing both i/faces F0/0 and VirtualTemplate2 from the LAN zone and the traffic flows as expected so this is clearly a ZBF problem. From the VPN client we can ping the LAN i/face of the router (192.168.1.1) but no other hosts (such as 192.168.1.2) unless we remove both interfaces from the LAN zone. Any ideas on how to solve this?

Bellow are the relevant parts of the configuration on 2801:

vpdn enable

!

vpdn-group PPTP

! Default PPTP VPDN group

accept-dialin

protocol pptp

virtual-template 2

!

class-map type inspect match-any allow-cmap

match protocol tcp

match protocol udp

match protocol icmp

policy-map type inspect allow-pmap

class type inspect allow-cmap

inspect

class class-default

drop

zone security internet

description 'Internet zone'

zone security lan

description 'LAN zone'

zone security dmz

description 'DMZ zone'

zone-pair security lan-internet source lan destination internet

service-policy type inspect allow-pmap

zone-pair security lan-dmz source lan destination dmz

service-policy type inspect allow-pmap

zone-pair security dmz-lan source dmz destination lan

service-policy type inspect allow-pmap

zone-pair security dmz-internet source dmz destination internet

service-policy type inspect allow-pmap

zone-pair security internet-dmz source internet destination dmz

service-policy type inspect internet-dmz-pmap

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

no ip redirects

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

no mop enabled

zone-member security lan

interface FastEthernet0/1

ip address 192.168.0.6 255.255.255.252

no ip redirects

ip mtu 1492

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

no mop enabled

zone-member security internet

interface Virtual-Template2

ip unnumbered FastEthernet0/0

no ip route-cache

no ip mroute-cache

peer default ip address pool VPN_POOL

no keepalive

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2

zone-member security lan

interface Vlan1

ip address 192.168.63.17 255.255.255.248

no ip redirects

ip virtual-reassembly

no mop enabled

zone-member security dmz

ip local pool VPN_POOL 192.168.1.235 192.168.1.254

no ip cef

We 've already read "Using VPN with Zone-Based Policy Firewall" but didn't help us figure it out. We were expecting this "Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone" to hold out.

Thanks in advance!

-fotos