09-02-2009 11:23 PM - edited 03-11-2019 09:12 AM
Hello,
we are trying to migrate from CBAC to ZBF to ease our firewall management. We translated all the ACLs to ZBF and it was a breeze. Everything went fine except one thing (the VPNs stopped working) which I'm hoping someone with more experience will help us figure out.
The network topology to illustrate the problem is as follows:
(the IPs slightly changed to protect the innocent)
      [Internet]
       .5 ^
          |
    192.168.0.4/30
          |
          | .6 F0/1
    [ Cisco 2801 ] .17 Vlan1 <--- 192.168.63.16/29 ---> [DMZ]
          | .1 F0/0
          |
    192.168.1.0/24
          |
          v
        [LAN]
(yes I know my ASCII drawing is bad)
We have three zones: Internet, DMZ and Lan. The VPNs terminate on the LNS at 192.168.63.17 (public IPs) and VirtualTemplate2 is a member of the LAN zone to allow trusted traffic to flow between the LAN and the VPN clients. Unfortunately this doesn't seem to work... if we remove both i/faces F0/0 and VirtualTemplate2 from the LAN zone, the traffic flows as expected, so this is clearly a ZBF problem. From the VPN client we can ping the LAN i/face of the router (192.168.1.1) but no other hosts (such as 192.168.1.2) unless we remove both interfaces from the LAN zone. Any ideas on how to solve this?
Below are the relevant parts of the configuration on the 2801:
vpdn enable
!
vpdn-group PPTP
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
! Inspect TCP/UDP/ICMP; anything else falls through to class-default and is dropped
class-map type inspect match-any allow-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect allow-pmap
 class type inspect allow-cmap
  inspect
 class class-default
  drop
!
zone security internet
 description 'Internet zone'
zone security lan
 description 'LAN zone'
zone security dmz
 description 'DMZ zone'
!
zone-pair security lan-internet source lan destination internet
 service-policy type inspect allow-pmap
zone-pair security lan-dmz source lan destination dmz
 service-policy type inspect allow-pmap
zone-pair security dmz-lan source dmz destination lan
 service-policy type inspect allow-pmap
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect allow-pmap
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-pmap
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 zone-member security lan
!
interface FastEthernet0/1
 ip address 192.168.0.6 255.255.255.252
 no ip redirects
 ip mtu 1492
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 zone-member security internet
!
! PPTP sessions land on this template, placed in the same zone as the LAN
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 no ip route-cache
 no ip mroute-cache
 peer default ip address pool VPN_POOL
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 zone-member security lan
!
interface Vlan1
 ip address 192.168.63.17 255.255.255.248
 no ip redirects
 ip virtual-reassembly
 no mop enabled
 zone-member security dmz
!
ip local pool VPN_POOL 192.168.1.235 192.168.1.254
no ip cef
We've already read "Using VPN with Zone-Based Policy Firewall" but it didn't help us figure it out. We were expecting "Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone" to hold.
Thanks in advance!
-fotos
09-04-2009 08:33 AM
OK, we figured this out. For some reason the above policy has been blocking GRE replies from Vlan1 going out to the peer through F0/1 (consumed by the firewall, as we noticed in the debug logs).
We did a couple of changes in the policy-maps and everything works as expected.
07-11-2010 09:18 AM
Can you post your changes? I'm having a similar issue... Thanks
07-11-2010 03:16 PM
Well it's been some time (almost a year) and I don't remember the specific changes.
But something like this should do the trick:
ip access-list extended PPTP
 permit tcp any host XXX.XXX.XXX.XXX eq 1723
 ! same host as above
 permit gre any host XXX.XXX.XXX.XXX
ip access-list extended GRE
 permit gre any any
!
zone security internet
 description 'Internet zone'
zone security dmz
 description 'DMZ zone'
!
! GRE is matched through the ACL rather than 'match protocol'
class-map type inspect match-any other-services-cmap
 match protocol icmp
 match access-group name GRE
class-map type inspect match-all dmz-other-services-cmap
 match class-map other-services-cmap
!
policy-map type inspect internet-dmz-pmap
 class type inspect dmz-other-services-cmap
  inspect
 class class-default
  drop log
!
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-pmap
Hope this helps and sorry I can't give more specific info,
-fotos
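As an added illustration that is not part of this thread or of Cisco IOS, here is a small Python model of the ZBF rules the thread turns on (same-zone traffic passes, an inspected flow lets its return traffic back, class-default drops the rest). It assumes that the original internet-dmz-pmap, which the first post does not show, inspected only tcp/udp/icmp like allow-pmap, and it reduces inspection to a per-protocol session table.

```python
# Constructed Python model of Cisco IOS Zone-Based Firewall (ZBF) semantics, added
# to illustrate the thread above; not IOS code, and inspection is simplified.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str        # "tcp", "udp", "icmp" or "gre"
    dport: int = 0

def proto(name):  # stands in for 'match protocol <name>' in a match-any class-map
    return lambda f: f.proto == name

def acl_pptp(f):  # stands in for ACL PPTP from the fix: tcp/1723 and GRE to the LNS
    return (f.proto == "tcp" and f.dport == 1723) or f.proto == "gre"

@dataclass
class ZBF:
    pairs: dict = field(default_factory=dict)   # (src, dst) -> list of inspected matches
    sessions: set = field(default_factory=set)  # (src, dst, proto) already inspected

    def verdict(self, f):
        if f.src_zone == f.dst_zone:
            return "pass"     # same-zone traffic passes by default
        if (f.dst_zone, f.src_zone, f.proto) in self.sessions:
            return "pass"     # return traffic of an inspected session
        inspected = self.pairs.get((f.src_zone, f.dst_zone))
        if inspected is None:
            return "drop"     # no zone-pair: ZBF default deny
        if any(m(f) for m in inspected):
            self.sessions.add((f.src_zone, f.dst_zone, f.proto))
            return "inspect"
        return "drop"         # class-default drop

ALLOW = [proto("tcp"), proto("udp"), proto("icmp")]   # allow-cmap from the first post
def build(internet_dmz):
    # Zone-pairs from the first post; internet->dmz policy is a parameter (not shown there)
    fw = ZBF()
    for pair in [("lan", "internet"), ("lan", "dmz"), ("dmz", "lan"), ("dmz", "internet")]:
        fw.pairs[pair] = ALLOW
    fw.pairs[("internet", "dmz")] = internet_dmz
    return fw

def pptp_verdicts(fw):
    # One PPTP setup from an Internet client to the LNS in the DMZ, in packet order
    steps = [Flow("internet", "dmz", "tcp", 1723),   # control channel
             Flow("internet", "dmz", "gre"),         # client's GRE tunnel packet
             Flow("dmz", "internet", "gre"),         # LNS GRE reply out F0/1
             Flow("lan", "lan", "icmp")]             # VPN client <-> LAN, same zone
    return [fw.verdict(s) for s in steps]
```

With the assumed original policy the GRE leg is dropped in both directions; with the ACL-based match from the fix the client's GRE is inspected and the LNS reply passes as return traffic.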