HELP with 887VA Zone based firewall with site to site VPN

rakeshlalwani
Level 1

Hi All

I have a 998VA router and I need to access the internet from the inside network as well as provide a site to site tunnel to the office.

LAN side subnet is 192.168.1.0/24

Remote office subnet is 192.168.2.0/24

I need a site to site vpn to flow between these 2 sites allowing all traffic.

Has anyone got an example of a Zone based firewall config for this?

Do you apply a zone to the crypto map of inside?

cheers

4 Replies

Hello,

basically, you create a VPN zone and apply that to the tunnel interface. Below is a sample config:


class-map type inspect match-any INSIDE_OUT_CLASS
 match protocol https
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
!
class-map type inspect match-any OUTSIDE_SELF_CLASS
 match access-group name ICMP_REPLY_ACL
 match access-group name ISAKMP_ACL
!
class-map type inspect match-any VPN_INSIDE_CLASS
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol ssh
 match protocol https
 match protocol sip
!
class-map type inspect match-any INSIDE_VPN_CLASS
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol ssh
 match protocol sip
!
policy-map type inspect INSIDE_OUTSIDE_POLICY
 class type inspect INSIDE_OUT_CLASS
  inspect
 class class-default
!
policy-map type inspect VPN_INSIDE_POLICY
 class type inspect VPN_INSIDE_CLASS
  inspect
 class class-default
!
policy-map type inspect INSIDE_VPN_POLICY
 class type inspect INSIDE_VPN_CLASS
  inspect
 class class-default
!
policy-map type inspect OUTSIDE_SELF_POLICY
 class type inspect OUTSIDE_SELF_CLASS
  pass
 class class-default
!
zone security INSIDE_ZONE
zone security OUTSIDE_ZONE
zone security VPN_ZONE
!
zone-pair security in-out source INSIDE_ZONE destination OUTSIDE_ZONE
 service-policy type inspect INSIDE_OUTSIDE_POLICY
zone-pair security VPN-In source VPN_ZONE destination INSIDE_ZONE
 service-policy type inspect VPN_INSIDE_POLICY
zone-pair security In-VPN source INSIDE_ZONE destination VPN_ZONE
 service-policy type inspect INSIDE_VPN_POLICY
zone-pair security Out-Self source OUTSIDE_ZONE destination self
 service-policy type inspect OUTSIDE_SELF_POLICY
!
interface Tunnel1
 zone-member security VPN_ZONE
 tunnel source Dialer0
!
interface Dialer0
 zone-member security OUTSIDE_ZONE
!
interface Vlan1
 zone-member security INSIDE_ZONE
!
ip access-list extended ISAKMP_ACL
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
!
ip access-list extended ICMP_REPLY_ACL
 permit icmp any any host-unreachable
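As an added illustration (my own Python, not part of the reply above and not a Cisco tool), here is a small model of how IOS chooses a zone-pair policy for a new flow between two interfaces under the sample config: same zone passes, a matching zone-pair is inspected, the self zone passes unless a zone-pair exists for that direction, and traffic between a zoned and an unzoned interface is dropped. Vlan2 is an assumed extra interface that belongs to no zone.

```python
import re
# Constructed excerpt of the ZBFW config posted above (same zone, zone-pair and
# interface names); Vlan2 is an assumed extra interface that is in no zone.
ZBFW_CONFIG = """
zone-pair security in-out source INSIDE_ZONE destination OUTSIDE_ZONE
 service-policy type inspect INSIDE_OUTSIDE_POLICY
zone-pair security VPN-In source VPN_ZONE destination INSIDE_ZONE
 service-policy type inspect VPN_INSIDE_POLICY
zone-pair security In-VPN source INSIDE_ZONE destination VPN_ZONE
 service-policy type inspect INSIDE_VPN_POLICY
zone-pair security Out-Self source OUTSIDE_ZONE destination self
 service-policy type inspect OUTSIDE_SELF_POLICY
interface Tunnel1
 zone-member security VPN_ZONE
interface Dialer0
 zone-member security OUTSIDE_ZONE
interface Vlan1
 zone-member security INSIDE_ZONE
interface Vlan2
"""

def parse_zbfw(config):
    """Return (interface -> zone or None, (src_zone, dst_zone) -> policy name)."""
    zones, pairs, iface, pair = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            iface, pair = m.group(1), None
            zones[iface] = None                      # seen, not (yet) in any zone
        elif iface and (m := re.match(r"zone-member security (\S+)", line)):
            zones[iface] = m.group(1)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            iface, pair = None, (m.group(1), m.group(2))
        elif pair and (m := re.match(r"service-policy type inspect (\S+)", line)):
            pairs[pair] = m.group(1)
    return zones, pairs

def zbfw_verdict(zones, pairs, src, dst):
    """IOS zone-pair rule for a new flow entering on src, leaving on dst ('self' = the router)."""
    sz = "self" if src == "self" else zones.get(src)
    dz = "self" if dst == "self" else zones.get(dst)
    if sz == dz:
        return "pass: same zone"                     # intra-zone traffic is never policed
    policy = pairs.get((sz, dz))
    if policy:
        return f"inspect by {policy}"
    if "self" in (sz, dz):
        return "pass: self zone, no zone-pair for this direction"
    if sz is None or dz is None:
        return "drop: zoned <-> unzoned interface"
    return "drop: no zone-pair policy"
```

The model only classifies new flows; return traffic for an inspected flow is admitted by the stateful inspect entry, not by a reverse zone-pair, which is why the sample defines in-out but no out-in pair.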

Hi

We do not have a tunnel on this router; it's a crypto map tied to the dialer interface.

How do we do this?

cheers

Hello,

I don't think it is possible without a tunnel interface, since you need an interface terminating on the router that is part of the self zone, and you cannot 'split' the dialer interface. That said, why not set your VPN up with VTIs?

Hi

Our 887VA router has a VPN back to our ASA, hence we cannot do VTI.

So is there no way to support ZBFW over a VPN using crypto maps only?
