04-04-2013 05:55 AM - edited 03-04-2019 07:29 PM
Hi there,
we have an ASR1002 running zone-based firewall with 2 zones:
zone_outside
zone_ph
I have a common ZFW configuration on those interfaces, e.g.
<code>
class-map type inspect match-any pass_cmap_in
 match access-group name pass-ipv4-in
!
class-map type inspect match-any ph_cmap_in
 match access-group name ph-ipv4-in
!
class-map type inspect match-any pass_cmap_out
 match access-group name pass-ipv4-out
!
class-map type inspect match-any ph_cmap_out
 match access-group name ph-ipv4-out
!
</code>
and these policy-maps
<code>
!
policy-map type inspect ph_pmap_in
 class type inspect pass_cmap_in
  pass
 class type inspect ph_cmap_in
  inspect
 class class-default
  drop
!
policy-map type inspect ph_pmap_out
 class type inspect pass_cmap_out
  pass
 class type inspect ph_cmap_out
  inspect
 class class-default
  drop
!
</code>
There is some basic stuff in the access lists: ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else.
The pass-ipv4-in/out ACLs contain in particular the UDP 500/4500 stuff as well as GRE/ESP/AH.
Here are the zone-pairs:
<code>
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
 service-policy type inspect ph_pmap_in
!
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
 service-policy type inspect ph_pmap_out
!
</code>
So I have the zones activated on these interfaces:
<code>
!
interface GigabitEthernet0/0/0
 description PH
 ip address x.x.x.x 255.255.255.252
 zone-member security zone_ph
!
interface TenGigabitEthernet0/2/0
 description UPLINK
 mtu 9180
 ip address x.x.x.y 255.255.255.252
 zone-member security zone_outside
!
!
</code>
So far, so good. Everything in this configuration works as it is meant to.
Now we made an L2VPN interface on the same router:
<code>
interface GigabitEthernet0/0/1
 description L2VPN FOR PH
 no ip address
 zone-member security zone_outside
 load-interval 30
 negotiation auto
 xconnect x.x.y.y 12345 encapsulation mpls
!
</code>
The xconnect only comes up correctly when I configure the interface in zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN interface, only ARP packets are allowed to go through the tunnel.
The L2VPN connects a branch office to the network of "PH".
Now the trouble starts: when they put a host in the branch office, DHCP via the L2VPN works fine; they can ping anything from the branch-office PC in their local network and reach all internal servers etc.
BUT if they want to go to a destination outside their network, it does not work properly. For example, the branch-office PC can ping 8.8.8.8 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout.
Netstat says that the HTTP SYN is sent but no ACK is received.
On the router, I see:
Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
where x.y.225.250 is the PC in the branch office, connected via L2VPN to their local LAN.
When they put the same machine in their local LAN directly behind the router (without L2VPN), everything works fine.
When I switch off the firewall on the Gi0/0/0 interface, the PC from the branch office also reaches its destination, so to me it looks like the firewall inspects the traffic going via Gi0/0/1 and the L2VPN, which, in my opinion, it should not do...
Thanks for any suggestions!
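As an added example (not part of the original post, and not a Cisco tool), here is a small Python parser that reads the zone-pairs and zone memberships from an IOS-style configuration like the one above, lists which zone-pair policies apply to an interface, and flags any xconnect attachment circuit that is also a zone member. The embedded configuration is a constructed excerpt of the post's own lines, with the placeholder addresses kept as written.

```python
import re

# Constructed sample: the zone-pairs and interfaces from the post above (addresses as written there).
SAMPLE_CONFIG = """\
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
 service-policy type inspect ph_pmap_in
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
 service-policy type inspect ph_pmap_out
interface GigabitEthernet0/0/0
 zone-member security zone_ph
interface TenGigabitEthernet0/2/0
 zone-member security zone_outside
interface GigabitEthernet0/0/1
 no ip address
 zone-member security zone_outside
 xconnect x.x.y.y 12345 encapsulation mpls
"""

def parse_zbf(config):
    """Return (interfaces, zone_pairs): interface -> {'zone', 'xconnect'} and
    (source zone, destination zone) -> inspect policy-map name."""
    interfaces, zone_pairs, current = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ("if", m.group(1))
            interfaces[m.group(1)] = {"zone": None, "xconnect": False}
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            current = ("zp", (m.group(1), m.group(2)))
        elif current and line.startswith(" "):        # sub-command of the open block
            words = line.split()
            if current[0] == "if" and words[:2] == ["zone-member", "security"]:
                interfaces[current[1]]["zone"] = words[2]
            elif current[0] == "if" and words[0] == "xconnect":
                interfaces[current[1]]["xconnect"] = True
            elif current[0] == "zp" and words[:3] == ["service-policy", "type", "inspect"]:
                zone_pairs[current[1]] = words[3]
        else:
            current = None                             # '!' or another top-level line
    return interfaces, zone_pairs

def policies_touching(interfaces, zone_pairs, ifname):
    """Zone-pair policies that apply to traffic entering or leaving ifname:
    every zone-pair whose source or destination zone is the interface's zone."""
    zone = interfaces[ifname]["zone"]
    return {pair: pmap for pair, pmap in zone_pairs.items() if zone in pair}

def zoned_xconnect_interfaces(interfaces):
    """Interfaces that are both a zone member and an xconnect attachment circuit,
    i.e. L2VPN circuits whose traffic the zone-based firewall treats as zone traffic."""
    return sorted(n for n, v in interfaces.items() if v["xconnect"] and v["zone"])
```

Running `parse_zbf` on the sample and then `zoned_xconnect_interfaces` reports GigabitEthernet0/0/1, and `policies_touching` shows that both zone-pair policies apply to it because it sits in zone_outside.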
04-08-2013 12:51 AM
Is there no other person having this problem too?