IPSec VPN Inbound - Zone-Based Firewall Issues

satnikn0036
Level 1

Hello guys / gals,

I have been struggling with this issue for a few weeks now. I have a single 3845 router at the internet edge, with clients directly behind it. The goal is that I have a working L2TP (IPSec) VPN concentrator on the LAN (inside security zone). Because I have to use PAT on the outside interface, technically the traffic flows from the OUTSIDE to the SELF zone, instead of outside-inside (I have to point the clients at my public IP address).

With this, I had been using pass to allow UDP 500, 4500, and ESP traffic. This was not allowing return traffic, so I have edited it to inspect from outside to self. The problem is that the return traffic is going over the Inside-Outside table.

I have already created static NAT entries and I have verified that they work by temporarily removing the firewall. In that case, I noticed that the VPN works. Filtered NAT Table is below (not during removal of firewall).

Family-Router#sh ip nat translations
esp 66.188.238.17:0    10.0.1.254:0      ---   ---
udp 66.188.238.17:500  10.0.1.254:500    ---   ---
udp 66.188.238.17:500  10.0.1.254:500    ---   ---
udp 66.188.238.17:4500 10.0.1.254:4500   ---   ---

Is anyone able to point me in the right direction regarding allowing the UDP 500, 4500 and ESP traffic inside and back out?

The whole topology is below, showing the router and the Z1 VPN Concentrator behind it on the INSIDE.

When I first created this, I had set it up with CCP. Since then, I have made changes via the CLI since I have learned this feature. Hence the weird naming scheme.

I almost think it is time to scrap the entire firewall config from CCP and rebuild it. I would like to see if we can fix it. I think understanding what needs to be done here might help me understand the concept I am missing here.

I have already researched this with this link (ZBF Link), but I am still missing something here. Any help is greatly appreciated.

Zone-pair setup:

Family-Router#sh zone-pair security
Zone-pair name ccp-zp-self-out
 Source-Zone self Destination-Zone out-zone
 service-policy ccp-permit-icmpreply
Zone-pair name ccp-zp-in-out
 Source-Zone in-zone Destination-Zone out-zone
 service-policy ccp-inspect
Zone-pair name ccp-zp-out-self
 Source-Zone out-zone Destination-Zone self
 service-policy ccp-permit

Firewall config:

!
class-map type inspect match-any SDM_DHCP_CLIENT_PT
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all VPNInbound
 description allow VPN traffic from inet inbound
 match access-group name VPNAllow
class-map type inspect match-any DHCP
 match protocol bootps
 match protocol bootpc
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any LOGIN
 match protocol radius
 match protocol ssh
 match protocol telnet
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any VPN
 description VPN
 match access-group name VPNAllow
class-map type inspect match-any NTP
 match protocol ntp
class-map type inspect match-all ccp-cls-ccp-permit-2
 match class-map NTP
 match access-group name NTP
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map DHCP
 match access-group name DHCP
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any https
 match protocol https
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-any dns
 match protocol dns
 match protocol dnsix
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
  pass
 class type inspect ccp-icmp-access
  inspect
 class type inspect VPN
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect dns
  inspect
 class type inspect VPN
  pass
 class type inspect LOGIN
  inspect
 class type inspect ccp-protocol-http
  inspect
 class type inspect https
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect VPNInbound
  pass
 class class-default
  drop
policy-map type inspect VPN
policy-map type inspect ccp-permit
 description WAN to self-router
 class type inspect ccp-cls-ccp-permit-1
  pass
 class type inspect ccp-cls-ccp-permit-2
  pass
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class type inspect VPNInbound
  inspect
 class class-default
  drop
!
Family-Router#sh ip access-lists
Standard IP access list LOGIN
    10 permit 10.0.0.0, wildcard bits 0.255.255.255 (2431120 matches)
    20 permit 172.16.0.0, wildcard bits 0.0.0.255 (76 matches)
Extended IP access list 101
    10 permit udp any eq bootps any eq bootpc
Extended IP access list DHCP
    10 permit ip any any (47697 matches)
Extended IP access list Guest-Lockdown
    10 permit ip any host 10.0.2.3
    20 permit ip any host 10.0.1.4
    30 permit ip any host 10.0.3.2
    40 deny tcp any host 10.0.4.1 eq 22
    50 deny ip any 10.0.1.0 0.0.0.255 (13 matches)
    60 deny ip any 10.0.2.0 0.0.0.255
    70 deny ip any 10.0.3.0 0.0.0.255
    80 permit ip any any (11922 matches)
Extended IP access list NTP
    10 permit ip any any (593 matches)
Extended IP access list VPNAllow
    10 permit udp any any eq isakmp non500-isakmp
    20 permit esp any any
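The configuration a practitioner would try against the post above, written out here as an added example (it is not part of the original post and not something the poster ran). Two facts about classic IOS zone-based firewall drive it. First, a packet that arrives on the outside interface for 66.188.238.17 udp/500 is rewritten by the static NAT entry to 10.0.1.254 before the inspect policy is evaluated and is then routed out the inside interface, so it is classified as out-zone to in-zone, not out-zone to self; the `sh zone-pair security` output in the post has no out-zone to in-zone pair at all, and inter-zone traffic without a zone-pair is dropped, which is consistent with the VPN working as soon as the firewall is removed. Second, `pass` is stateless and one-directional, while `inspect` creates a session that admits the replies on the reverse zone-pair; ZBF has no ESP inspection, so ESP is passed and only the UDP 500/4500 exchange is inspected. The zone names, the 10.0.1.254 address and the existing policy names come from the post; the ACL, class-map, policy-map and zone-pair names prefixed VPNSRV- and out-in are invented for this example.

```cisco
! Added example: out-zone -> in-zone policy for the L2TP/IPsec server at
! 10.0.1.254, reached from the Internet through the static NAT entries
! already shown in the post. Names prefixed VPNSRV- and the zone-pair
! name out-in are hypothetical; in-zone and out-zone are the post's zones.
!
! The ACLs match the inside local address: outside-to-inside NAT runs
! before inspection, so the firewall sees 10.0.1.254, not 66.188.238.17.
ip access-list extended VPNSRV-IKE-IN
 permit udp any host 10.0.1.254 eq isakmp
 permit udp any host 10.0.1.254 eq non500-isakmp
ip access-list extended VPNSRV-ESP-IN
 permit esp any host 10.0.1.254
!
class-map type inspect match-all VPNSRV-IKE-IN
 match access-group name VPNSRV-IKE-IN
class-map type inspect match-all VPNSRV-ESP-IN
 match access-group name VPNSRV-ESP-IN
!
! Outside -> inside: inspect IKE/NAT-T (stateful, the server's replies are
! admitted by the session), pass ESP (no ESP inspection in ZBF), drop
! everything else so the new zone-pair does not widen the edge.
policy-map type inspect VPNSRV-OUT-IN
 class type inspect VPNSRV-IKE-IN
  inspect
 class type inspect VPNSRV-ESP-IN
  pass
 class class-default
  drop
!
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect VPNSRV-OUT-IN
!
! Verification after a client connects: the udp/500 or udp/4500 session
! should show on the out-in pair, not on ccp-zp-out-self, and the static
! NAT entries should accumulate hits.
! show policy-map type inspect zone-pair out-in sessions
! show ip nat translations | include 10.0.1.254
```

Because `pass` is one-way, the server's outbound ESP still needs its own pass on the in-zone to out-zone pair; in the posted config that is already provided by `class type inspect VPN` (pass, matching VPNAllow) near the top of ccp-inspect, so that side needs no change. The `inspect` on ccp-zp-out-self for class VPNInbound only matters for traffic terminated on the router itself and can be removed once the out-in pair is in place. If the sessions counter on out-in stays at zero while the NAT hits climb, the ACL is matching the wrong address for the order of operations on that IOS release; swapping the host entries to the public address is the quick test.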