Zone based Firewall on ASR1002 with xconnect encapsulation mpls

Stefan Giera
Level 1

Hi there,

we have an ASR1002 running a zone-based firewall with 2 zones:

zone_outside

zone_ph

I have a common ZFW configuration on those interfaces, e.g.

<code>
class-map type inspect match-any pass_cmap_in
 match access-group name pass-ipv4-in
!
class-map type inspect match-any ph_cmap_in
 match access-group name ph-ipv4-in
!
class-map type inspect match-any pass_cmap_out
 match access-group name pass-ipv4-out
!
class-map type inspect match-any ph_cmap_out
 match access-group name ph-ipv4-out
!
</code>

and these policy-maps:

<code>
!
policy-map type inspect ph_pmap_in
 class type inspect pass_cmap_in
  pass
 class type inspect ph_cmap_in
  inspect
 class class-default
  drop
!
policy-map type inspect ph_pmap_out
 class type inspect pass_cmap_out
  pass
 class type inspect ph_cmap_out
  inspect
 class class-default
  drop
!
</code>

There is some basic stuff in the access lists; in direction ph-ipv4-in it is basically "permit ip any any", and ph-ipv4-out contains some permits for certain services, but nothing else.

The pass-ipv4-in/out ACLs contain in particular the UDP 500/4500 stuff as well as GRE/ESP/AH.

Here are the zone-pairs:

<code>
zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
 service-policy type inspect ph_pmap_in
!
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
 service-policy type inspect ph_pmap_out
!
</code>

So I have the zones activated on these interfaces:

<code>
!
interface GigabitEthernet0/0/0
 description PH
 ip address x.x.x.x 255.255.255.252
 zone-member security zone_ph
!
interface TenGigabitEthernet0/2/0
 description UPLINK
 mtu 9180
 ip address x.x.x.y 255.255.255.252
 zone-member security zone_outside
!
</code>

So far, so good. Everything in this configuration works as it is meant to.

Now we created an L2VPN interface on the same router:

<code>
interface GigabitEthernet0/0/1
 description L2VPN FOR PH
 no ip address
 zone-member security zone_outside
 load-interval 30
 negotiation auto
 xconnect x.x.y.y 12345 encapsulation mpls
!
</code>

The xconnect is only built up correctly when I configure the interface in zone_outside. The destination of the xconnect is an ASR9k. If I do not configure the zone on the L2VPN interface, only ARP packets are allowed to go through the tunnel.

The L2VPN connects a branch office to the network of "PH".

Now the trouble starts: when they put a host in the branch office, DHCP via the L2VPN works fine, they can ping anything from the branch-office PC in their local network, reach all internal servers, etc.

BUT if they want to go to a destination outside their network, it does not work properly. For example, the branch-office PC can ping 8.8.8.8 fine, but when they try to connect to a website, e.g. www.google.com, they run into a timeout.

Netstat says that the HTTP SYN is sent, but no ACK is received.

On the router, I see:

<code>
Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
</code>

where x.y.225.250 is the PC connected via L2VPN in the branch office to their local LAN.

When they put the same machine in their local LAN directly behind the router (without L2VPN), everything works fine.

When I switch off the firewall on the Gi0/0/0 interface, the PC from the branch office also reaches its destination, so to me it looks like the firewall inspects the traffic going via Gi0/0/1 and the L2VPN, which, in my opinion, it should not do...

Thanks for any suggestions!

1 Reply

Stefan Giera
Level 1

Is there nobody else having this problem too?
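As an added troubleshooting aid (this is not code from the original post or from Cisco), the following script parses session lines in the format quoted in the post ("Session <id> (src:port)=>(dst:port) <proto> <state>", as printed by `show policy-map type inspect zone-pair sessions`) and lists the TCP flows that sit in SIS_OPENING, i.e. the firewall inspected the client's SYN but never saw the SYN-ACK come back through the same zone-pair. Filtering the half-open flows by the branch-office prefix makes it easy to check whether only hosts behind the L2VPN are affected, which is the asymmetry described above. The sample output, addresses and session IDs below are constructed for illustration; the branch and LAN prefixes are assumptions.

```python
"""Triage ZBFW inspect sessions for half-open TCP flows (added example, not from the post)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One session line as shown in the post:
#   Session 1178BAE8 (x.y.225.250:2370)=>(173.194.35.151:80) http SIS_OPENING
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[^:\s]+):(?P<sport>\d+)\)=>\((?P<dst>[^:\s]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)

# Constructed sample of `show policy-map type inspect zone-pair sessions` output.
# 192.0.2.0/24 stands in for the branch office behind the L2VPN,
# 198.51.100.0/24 for the local LAN directly behind Gi0/0/0 (both assumed).
SAMPLE_OUTPUT = """\
Zone-pair: zone_ph-zone_outside
Service-policy inspect : ph_pmap_in
  Class-map: ph_cmap_in (match-any)
     Session 1178BAE8 (192.0.2.250:2370)=>(203.0.113.10:80) http SIS_OPENING
     Session 1178BB10 (192.0.2.250:2371)=>(203.0.113.10:443) https SIS_OPENING
     Session 1178BC20 (198.51.100.20:51000)=>(203.0.113.10:80) http SIS_OPEN
     Session 1178BD30 (198.51.100.21:40000)=>(203.0.113.53:53) dns SIS_OPEN
"""


def parse_sessions(text):
    """Return one dict per recognised session line; header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = m.groupdict()
        s["sport"] = int(s["sport"])
        s["dport"] = int(s["dport"])
        sessions.append(s)
    return sessions


def state_summary(sessions):
    """Count sessions per ZBFW state, e.g. {'SIS_OPENING': 2, 'SIS_OPEN': 2}."""
    return dict(Counter(s["state"] for s in sessions))


def half_open(sessions):
    """Sessions whose three-way handshake never completed from the firewall's view."""
    return [s for s in sessions if s["state"] == "SIS_OPENING"]


def half_open_from(sessions, prefix):
    """Half-open sessions whose source lies in `prefix` (e.g. the branch-office subnet)."""
    net = ip_network(prefix)
    return [s for s in half_open(sessions) if ip_address(s["src"]) in net]


def report(text, branch_prefix, lan_prefix):
    """Human-readable comparison of half-open flows from the branch vs. the local LAN."""
    sessions = parse_sessions(text)
    lines = [f"states: {state_summary(sessions)}"]
    for label, prefix in (("branch", branch_prefix), ("lan", lan_prefix)):
        stuck = half_open_from(sessions, prefix)
        lines.append(f"{label} ({prefix}): {len(stuck)} half-open")
        for s in stuck:
            lines.append(f"  {s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} {s['proto']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT, "192.0.2.0/24", "198.51.100.0/24"))
```

Run it against the pasted output of `show policy-map type inspect zone-pair sessions` with the real branch and LAN prefixes; if every SIS_OPENING entry comes from the branch prefix while flows from the local LAN reach SIS_OPEN, the return packets for the branch hosts are not traversing the zone-pair that created the session.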
