IPSEC VPN & Zone based FW

James Walsh
Level 1

I am having some problems running a zone based FW on my 3945 ISR.  I have a site-to-site VPN tunnel built from the router to an ASA.  Without the zone based firewall everything comes up fine and I can ping to/from hosts on both sides of the tunnel.  When I apply the zone based firewall I can still bring the tunnel up, but then I can only ping the ISR router interfaces from the other side of the tunnel, and nothing else on the internal networks.  I am assuming I can still reach them because the ISR interfaces are in the "self" zone and the tunnel is terminating on my physical WAN interface.  Config is below.  Any help would be appreciated.

class-map type inspect match-all inside-outside-vpn-cmap
 match protocol tcp
 match protocol icmp
 match protocol udp
 match access-group 111
class-map type inspect match-any inside-outside-cmap
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match protocol icmp
!
!
policy-map type inspect inside-outside-vpn-pmap
 class type inspect inside-outside-vpn-cmap
  pass
 class class-default
  drop
policy-map type inspect inside-outside-pmap
 class type inspect inside-outside-cmap
  inspect
 class class-default
  drop
!
zone security outside
zone security inside
zone-pair security inside-outside source inside destination outside
 service-policy type inspect inside-outside-pmap
zone-pair security outside-inside source outside destination inside
 service-policy type inspect inside-outside-vpn-pmap
!
interface GigabitEthernet0/1
 description Internet
 ip address 10.10.10.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map YYY-XXX
 zone-member security outside
!
access-list 111 permit ip 192.168.208.0 0.0.3.255 192.168.212.0 0.0.3.255
access-list 111 permit ip 10.250.4.0 0.0.3.255 192.168.212.0 0.0.3.255
access-list 111 permit ip 10.250.8.0 0.0.3.255 192.168.212.0 0.0.3.255
!
interface Vlan212
 description DATA
 ip address 192.168.212.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
!
interface Vlan1
 description SRE-V
 ip address 192.168.214.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside

4 Replies

Jennifer Halim
Cisco Employee

That's because your "inside-outside-vpn-cmap" policy map says "match-all", which means the traffic needs to match TCP, ICMP, UDP as well as ACL 111, which is practically impossible: it can't be TCP and ICMP and UDP at the same time.

Just remove the TCP, ICMP, UDP, and you should be fine:

class-map type inspect match-all inside-outside-vpn-cmap
 no match protocol tcp
 no match protocol icmp
 no match protocol udp

So you will only have the following configured in that policy map:

class-map type inspect match-all inside-outside-vpn-cmap
 match access-group 111

This is assuming that your internal network is 192.168.212.0 (0.0.3.255).

If it's otherwise, you will need to flip the source and destination of ACL 111.

Hope that helps.

Thanks for the help, but it didn't work.  New config:

class-map type inspect match-all inside-outside-vpn-cmap
 match access-group 111
!
zone-pair security outside-inside source outside destination inside
 service-policy type inspect inside-outside-vpn-pmap
Once I add the interfaces to the correct zones I get the same results.  The VPN tunnel stays up and I can only ping the router interfaces, nothing behind them.  However, I am getting hits on the policy and ACL.  I am just not getting a reply.

Before the config is applied (from the remote end):
CORE1#ping vrf XXX ip 192.168.214.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.214.2, timeout is 2 seconds:
!!!!!

After it is applied:

CORE1#ping vrf XXX ip 192.168.214.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.214.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Service-policy inspect : inside-outside-vpn-pmap

    Class-map: inside-outside-vpn-cmap (match-all)
      Match: access-group 111
      Pass
        20 packets, 1600 bytes
    Class-map: class-default (match-any)
      Match: any
      Drop
        121 packets, 9896 bytes

Extended IP access list 111
    10 permit ip 192.168.208.0 0.0.3.255 192.168.212.0 0.0.3.255
    20 permit ip 10.250.4.0 0.0.3.255 192.168.212.0 0.0.3.255 (20 matches)
    30 permit ip 10.250.8.0 0.0.3.255 192.168.212.0 0.0.3.255

And the action should be "inspect" instead of "pass":

policy-map type inspect inside-outside-vpn-pmap
 class type inspect inside-outside-vpn-cmap
  pass

should be:

policy-map type inspect inside-outside-vpn-pmap
 class type inspect inside-outside-vpn-cmap
  inspect

Hope that resolves the issue.
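The two fixes from this thread (the match-all class reduced to the ACL only, and "inspect" in place of "pass" on the outside-to-inside zone-pair) assembled into one outside-inside policy, as an added example rather than anyone's posted config; the show commands at the end are the standard IOS ZBF verification commands and are an assumption about how one would confirm the result:

```cisco
! Added example assembled from the fixes in this thread, not the poster's
! running config.  The class is match-all, so it carries only the ACL:
! with "match protocol tcp/icmp/udp" also present, a single packet would
! have to be TCP and ICMP and UDP at once and the class could never match.
class-map type inspect match-all inside-outside-vpn-cmap
 match access-group 111
!
! "pass" is stateless and one-directional: the ACL 111 traffic entering
! from the tunnel is let through, but nothing remembers the flow, so the
! replies leaving inside->outside have to be permitted on their own by
! inside-outside-pmap.  "inspect" creates a session for the inbound flow
! and the matching return traffic is allowed back out automatically.
policy-map type inspect inside-outside-vpn-pmap
 class type inspect inside-outside-vpn-cmap
  inspect
 class class-default
  drop
!
zone-pair security outside-inside source outside destination inside
 service-policy type inspect inside-outside-vpn-pmap
!
! Verification (assumed standard IOS commands): the counters under the
! class should now show "Inspect" instead of "Pass", and while the remote
! ping to 192.168.214.2 is running a session for it should be listed.
! show policy-map type inspect zone-pair outside-inside
! show policy-map type inspect zone-pair outside-inside sessions
```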

Awesome.  That did it.  Thanks for your help.
