03-14-2011 05:59 PM - edited 02-21-2020 05:13 PM
I am having some problems running a zone-based FW on my 3945 ISR. I have a site-to-site VPN tunnel built from the router to an ASA. Without the zone-based firewall everything comes up fine and I can ping to/from hosts on both sides of the tunnel. When I apply the zone-based firewall I can still bring the tunnel up, but then I can only ping the ISR router interfaces from the other side of the tunnel, and nothing else on the internal networks. I am assuming I can still reach them because the ISR interfaces are in the "self" zone and the tunnel is terminating on my physical WAN interface. Config is below. Any help would be appreciated.
class-map type inspect match-all inside-outside-vpn-cmap
match protocol tcp
match protocol icmp
match protocol udp
match access-group 111
class-map type inspect match-any inside-outside-cmap
match protocol dns
match protocol http
match protocol https
match protocol ftp
match protocol icmp
!
!
policy-map type inspect inside-outside-vpn-pmap
class type inspect inside-outside-vpn-cmap
pass
class class-default
drop
policy-map type inspect inside-outside-pmap
class type inspect inside-outside-cmap
inspect
class class-default
drop
03-15-2011 03:03 AM
That's because your "inside-outside-vpn-cmap" policy map says "match-all", which means the traffic needs to match TCP, ICMP, UDP as well as ACL 111, which is practically impossible; it can't be TCP and ICMP and UDP at the same time.
Just remove the TCP, ICMP, UDP, and you should be fine:
class-map type inspect match-all inside-outside-vpn-cmap
no match protocol tcp
no match protocol icmp
no match protocol udp
So you will only have the following configured in that policy map:
class-map type inspect match-all inside-outside-vpn-cmap
match access-group 111
This is assuming that your internal network is 192.168.212.0 (0.0.3.255).
If it's otherwise, you will need to flip the source and destination of ACL 111.
Hope that helps.
03-15-2011 10:25 AM
Thanks for the help but it didn't work. New config:
class-map type inspect match-all inside-outside-vpn-cmap
match access-group 111
03-15-2011 05:07 PM
And the action should be "inspect" instead of "pass":
policy-map type inspect inside-outside-vpn-pmap
class type inspect inside-outside-vpn-cmap
pass
should be:
policy-map type inspect inside-outside-vpn-pmap
class type inspect inside-outside-vpn-cmap
inspect
Hope that resolves the issue.
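To illustrate the two answers above (match-all class-map semantics, and inspect rather than pass as the action), here is an added Python model of how a ZBF class-map evaluates a flow; it is not code from the thread or from Cisco IOS. ACL 111's contents, the 10.0.0.x remote hosts and the sample flows are constructed, and the 192.168.212.0/22 internal network is the responder's assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for ACL 111 (its contents are not in the thread); the
# responder assumed the internal network 192.168.212.0/22 is the source side.
ACL_111 = [("permit", ip_network("192.168.212.0/22"), ip_network("0.0.0.0/0"))]

@dataclass
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str

def acl_permits(acl, flow):
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

@dataclass
class ClassMap:
    mode: str                                      # "match-all" or "match-any"
    protocols: list = field(default_factory=list)  # "match protocol X" lines
    acls: list = field(default_factory=list)       # "match access-group" lines

    def matches(self, flow):
        # One boolean per match line; match-all ANDs them, match-any ORs them
        conds = [flow.proto == p for p in self.protocols]
        conds += [acl_permits(acl, flow) for acl in self.acls]
        if not conds:
            return False
        return all(conds) if self.mode == "match-all" else any(conds)

def policy_action(classes, flow):
    """First matching class wins; class-default is 'drop' as in the thread."""
    for cmap, action in classes:
        if cmap.matches(flow):
            return action
    return "drop"

# Question's class-map: match-all over tcp, icmp AND udp, so nothing can match
ORIGINAL = ClassMap("match-all", ["tcp", "icmp", "udp"], [ACL_111])
# Accepted answer's class-map: ACL only; its action is inspect (stateful), so
# return traffic is allowed by session state rather than a second policy
FIXED = ClassMap("match-all", [], [ACL_111])
# Constructed sample flows from the assumed internal network to remote hosts
SAMPLE_FLOWS = [Flow("tcp", "192.168.212.10", "10.0.0.5"),
                Flow("icmp", "192.168.213.7", "10.0.0.5"),
                Flow("udp", "192.168.212.10", "10.0.0.53")]

def compare():
    """Action each sample flow gets under the original vs the fixed policy."""
    return {f.proto: (policy_action([(ORIGINAL, "pass")], f),
                      policy_action([(FIXED, "inspect")], f))
            for f in SAMPLE_FLOWS}
```

Running compare() shows every VPN flow falling through to class-default (drop) under the original policy and being inspected under the fixed one.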
03-15-2011 05:33 PM
Awesome. That did it. Thanks for your help.