Router 4331 with ZBF zone based firewall - VPN tunnel not working

Mina Tawfik
Level 1

Hi,

Kindly, we need your help.

We are testing on a router R2 some security ideas to secure the environment.

I hit a wall and need a second opinion on the configuration.

First, here are the design ideas:

  • R2 is connected to an internet connection with a static public IP.
  • I use zone-based firewall (ZBF) and created the following:
    • Private zone, which will be the Melbourne office local network.
      • This is vlan10 with 10.10.10.0 255.255.255.0.
    • Internet zone, which is the internet connection.
    • Paired the 2 zones together with a policy.
      • Allowed http, https, dns, icmp, and ssh.
  • A switch connected to R2; a laptop connected to the switch.
    • Laptop is on port 1 on the switch.
    • Router is on port 26 on the switch.
    • The switch port is configured as a trunk. No other configuration. The switch is working fine without any issues.
  • DHCP is on the router.
  • R2 uses ISAKMP to create a site-to-site VPN tunnel with Dom's internal home network.
    • This is where the problem is right now.

The internal laptop is getting a correct IP from DHCP on the router. We can browse the internet without any issues.

Now, the issue here is that the tunnel is up, but Dom's home computer cannot communicate with the laptop here. No ping, shared folders cannot be opened, and so on.

It looks like the traffic from the VPN is not routed to the internal network. I tried to configure it as in the config file below. The configuration should allow the traffic from the VPN tunnel to the internal network. Somehow, I failed to do that.

Can you take a look at the attached config file? I removed all the passwords from the file for security reasons.

Let me know your thoughts and recommendations.

Config file on R2:

---------------------------------------------------------------------------

service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ci_secondary
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 -----------------
enable password -----------------
!
no aaa new-model
!
!
!
ip name-server ----------------- ----------------- ----------------- ----------------- ----------------- -----------------

ip domain name ci.local
!
ip dhcp pool vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server -----------------
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
!
!
!
spanning-tree extend system-id
!
username mina privilege 15 password 0 -----------------
username dominic privilege 0 secret 5 -----------------
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any priv-internet-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ssh
!
policy-map type inspect priv-internet-policy
 class type inspect priv-internet-class
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone-pair security priv-internet-zone source private destination internet
 service-policy type inspect priv-internet-policy
!
!
!
class-map type inspect match-any DHCP-ALLOW
 match protocol udp
 match access-group name ALLOW-DHCP

policy-map type inspect priv-internet-policy
 class type inspect DHCP-ALLOW
  pass
 class type inspect priv-internet-class
  inspect
 class class-default
  drop

ip access-list extended ALLOW-DHCP
 permit udp any any eq 67
 permit udp any any eq 68


!

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp key ----------------- address -----------------
crypto isakmp keepalive 180 periodic
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
crypto map CMAP 70 ipsec-isakmp
 set peer -----------------
 set transform-set TS
 match address DOM-VPN-TRAFFIC

!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Internet SecondaryWAN
 ip address ----------------- 255.255.255.254
 ip nat outside
 no shutdown
 zone-member security internet
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map CMAP

!
interface GigabitEthernet0/0/1
 description SecondaryLAN
 no ip address
 ip nat inside
 zone-member security private
 no shutdown
 negotiation auto

!
interface GigabitEthernet0/0/1.10
 description vlan10 Melbourne office LAN network for internet
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security private
 ip nat inside
 no shutdown

!
!
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
!
!
ip forward-protocol nd
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 -----------------
ip ssh version 2
!
!
ip access-list extended DOM-VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.71.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
ip nat inside source list DOM-VPN-TRAFFIC interface GigabitEthernet0/0/0 overload


route-map NONAT permit 10
 match ip address DOM-VPN-TRAFFIC
!
!
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list DOM-VPN-TRAFFIC permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SWITCHVOX permit 10
 match ip address 110
!
!
!
control-plane
!
!
! To enable ssh access locally to the router.
crypto key generate rsa general-keys modulus 2048
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 login local
 transport input ssh
line vty 5 15
 access-class 1 in
 login local
!
!
end

---------------------------------------------------------------------------


Giuseppe Larosa
Hall of Fame

Hello @Mina Tawfik ,

the VPN traffic is likely NATted with the current config.

You need to change the route-map NONAT in the following manner:

route-map NONAT deny 10
 match ip address DOM-VPN-TRAFFIC

route-map NONAT permit 20
 match ip address 1
!

You also need to remove the line:

no ip nat inside source list DOM-VPN-TRAFFIC interface GigabitEthernet0/0/0 overload

in global config

Edit:

I assume that the correct config of the named ACL is

ip access-list extended DOM-VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.71.0 0.0.0.255
!

Hope to help

Giuseppe

Hi Giuseppe,

I did that and it is still not working. Here is the config file:

---------------------------------------------------------------------------

service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname -----------------
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
!
no aaa new-model
!
!
!
ip name-server ----------------- ----------------- ----------------- -----------------
ip domain name -----------------
!
ip dhcp pool vlan10
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server -----------------
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
vpdn-group pppoe
!
!
!
license udi pid ISR4331/K9 sn FDO22381VB1
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any priv-internet-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
 match protocol ssh
!
policy-map type inspect priv-internet-policy
 class type inspect priv-internet-class
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone-pair security priv-internet-zone source private destination internet
 service-policy type inspect priv-internet-policy
!
!
!
class-map type inspect match-any DHCP-ALLOW
 match protocol udp
 match access-group name ALLOW-DHCP
!
policy-map type inspect priv-internet-policy
 class type inspect DHCP-ALLOW
  pass
 class type inspect priv-internet-class
  inspect
 class class-default
  drop
!
ip access-list extended ALLOW-DHCP
 permit udp any any eq 67
 permit udp any any eq 68
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ----------------- address -----------------
crypto isakmp keepalive 180 periodic
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
crypto map CMAP 70 ipsec-isakmp
 set peer -----------------
 set transform-set TS
 match address DOM-VPN-TRAFFIC
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description Internet SecondaryWAN
 ip address ----------------- -----------------
 ip nat outside
 no shutdown
 zone-member security internet
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map CMAP
!
interface GigabitEthernet0/0/1
 description SecondaryLAN
 no ip address
 ip nat inside
 zone-member security private
 no shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1.10
 description vlan10 -----------------t
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security private
 ip nat inside
 no shutdown
!
!
!
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
!
!
ip forward-protocol nd
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 -----------------
ip ssh version 2
!
!
ip access-list extended DOM-VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.71.0 0.0.0.255
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
!
route-map NONAT deny 10
 match ip address DOM-VPN-TRAFFIC
!
route-map NONAT permit 20
 match ip address 1
!
!
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map SWITCHVOX permit 10
 match ip address 110
!
!
!
control-plane
!
!
! To enable ssh access locally to the router.
crypto key generate rsa general-keys modulus 2048
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 1 in
 exec-timeout 60 0
 login local
 transport input ssh
line vty 5 15
 access-class 1 in
 login local
!
!
end

---------------------------------------------------------------------------

And here are the logs from the router once we tried the VPN connection:

*Mar 8 00:03:51.691: ISAKMP: (1001):set new node 3787667595 to QM_IDLE
*Mar 8 00:03:51.691: ISAKMP-PAK: (1001):sending packet to ----------------- my_port 500 peer_port 500 (R) QM_IDLE
*Mar 8 00:03:51.691: ISAKMP: (1001):Sending an IKE IPv4 Packet.
*Mar 8 00:03:51.691: ISAKMP: (1001):purging node 3787667595
*Mar 8 00:03:51.691: ISAKMP: (1001):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
*Mar 8 00:03:51.691: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 8 00:03:51.704: ISAKMP-PAK: (1001):received packet from ----------------- dport 500 sport 500 Global (R) QM_IDLE
*Mar 8 00:03:51.704: ISAKMP: (1001):set new node 464899042 to QM_IDLE
*Mar 8 00:03:51.704: ISAKMP: (1001):processing HASH payload. message ID = 464899042
*Mar 8 00:03:51.704: ISAKMP: (1001):deleting node 464899042 error FALSE reason "Informational (in) state 1"
*Mar 8 00:03:51.704: ISAKMP: (1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 8 00:03:51.704: ISAKMP: (1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

*Mar 8 00:04:41.704: ISAKMP: (1001):purging node 464899042

So, the VPN connection is up. Still, I cannot get traffic between the two local subnets 192.168.70.x and 10.10.10.x.

Hello @Mina Tawfik ,

remove the line

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

using:

conf t

no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

because this is causing the NAT issue with VPN traffic. It is the route-map NONAT that uses ACL 1 in the second block.

Hope to help

Giuseppe

Hi Giuseppe,

Looks like your trick solved the issue. I could ping the external router. Also, on the other side of the vpn tunnel, the user can ping the internet router here.
We could not ping the computers on both sides for some reason. But at least for now, the traffic is coming through the tunnel and exempted from NAT.

I will do more testing to troubleshoot why the computers cannot see the shared folders on each other yet.

Thank you so much mate for all the help.

You need to add a new zone pair:
self zone to internet zone (and the reverse) that allows (not inspects) the UDP 500 and 4500 traffic.

MHM
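The pieces from Giuseppe's two replies (NAT exemption through the NONAT route-map, one inside-source NAT statement) and MHM's last post (a self-to-internet zone pair for IKE) assembled in one fragment, as an added example that is not part of any post in this thread. DOM-VPN-TRAFFIC, ACL 1 and GigabitEthernet0/0/0 are the names from the original config; IKE-ESP, SELF-VPN-CLASS, SELF-VPN-POLICY and the zone-pair names are assumed, and the ESP entry and the note on other router-originated traffic are my additions, not something any reply states.

```cisco
! Added example, not from any post in this thread.
!
! 1. Interesting traffic: used by the crypto map AND by the NAT exemption.
ip access-list extended DOM-VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 192.168.70.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.71.0 0.0.0.255
!
access-list 1 permit 10.10.10.0 0.0.0.255
!
! 2. Deny the tunnel traffic first (exempt from NAT), then PAT the rest of vlan10.
route-map NONAT deny 10
 match ip address DOM-VPN-TRAFFIC
route-map NONAT permit 20
 match ip address 1
!
! 3. Exactly one inside-source statement. A parallel "list 1" statement, as in the
!    original config, matches the same sources and still translates the tunnel
!    traffic, so the route-map's deny clause never gets a chance to exempt it.
no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
no ip nat inside source list DOM-VPN-TRAFFIC interface GigabitEthernet0/0/0 overload
ip nat inside source route-map NONAT interface GigabitEthernet0/0/0 overload
!
! 4. Self <-> internet zone pair for IKE (UDP 500), NAT-T (UDP 4500) and, as my
!    assumption for peers without NAT-T, ESP (IP protocol 50). IPsec control
!    traffic is passed, not inspected. Names below are hypothetical.
ip access-list extended IKE-ESP
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-any SELF-VPN-CLASS
 match access-group name IKE-ESP
!
policy-map type inspect SELF-VPN-POLICY
 class type inspect SELF-VPN-CLASS
  pass
 class class-default
  drop
!
! Caveat: once a zone pair involving self exists, everything else the router itself
! sends or receives on that pair (its own DNS lookups, ping from the CLI) hits
! class-default; add classes for that traffic before applying these.
zone-pair security self-to-internet source self destination internet
 service-policy type inspect SELF-VPN-POLICY
zone-pair security internet-to-self source internet destination self
 service-policy type inspect SELF-VPN-POLICY
```

After applying, `show ip nat translations` should show no entries for 10.10.10.x to 192.168.70.x, and `show crypto ipsec sa` should show encaps/decaps counters climbing for the DOM-VPN-TRAFFIC selectors.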