Management Access over VPN to 887 after config pro setup

paul.adam
Level 1

Hi All,

I've just deployed three 887w's for a customer at a few branch offices, and as it's the first time I have deployed these devices I decided to go with the GUI (downloaded Config Pro 2.3) to get the config done as I had a few time pressures to get them in place (sometimes I do go with the GUI first off, then look back at the CLI to see what it's done and then pick it apart in Notepad, to get a better understanding of any new features that the CLI has maybe gone and enabled).

One thing I knew I was going to be facing was my first experience of the IOS Zone Based Firewall type of config...

At this stage, I'm still quite fuzzy on the config (hence why I'm posting here I guess!) - but the main issue I have at the moment is with management access to the devices.

Particularly in regards to management access from the head office to the inside IP address of the branch routers.

I should mention that the branch routers are connected to the head office by IPSec site to site VPN connections, and these connections are all fine, all connectivity (PC to server, PC to printer, etc...) is fine....I can also send ping packets (using the inside interface as the source) from the branch routers to servers on the head office LAN.

I have configured management access using config pro to allow access from the head office subnet to the router (on its inside interface) as well as the local subnet and also SSH access for a specific internet host - The local subnet and the single internet based host can access the router fine.

I'm not sure if the problem is with the ZBF config or if it's something really obvious I'm missing! - I've done branch routers many times before, so with this being the first ZBF config I have done, I have come to the conclusion that it must be something in the lack of my understanding.

Any help greatly appreciated....sanitized config below!

Thanks in advance

Paul

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Dummy-Name
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
memory-size iomem 10
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-2874941309
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2874941309
revocation-check none
rsakeypair TP-self-signed-2874941309
!
!
crypto pki certificate chain TP-self-signed-2874941309
certificate self-signed 01
<Certificate removed>

no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.63
ip dhcp excluded-address 10.0.0.193 10.0.0.254
!
ip dhcp pool ccp-pool
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   domain-name xxxxxxxxx.com
   dns-server 192.168.xx.20 194.74.xx.68
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name xxxxxxx.com
ip name-server 192.168.xx.20
ip name-server 194.74.xx.68
no ipv6 cef
!
!
multilink bundle-name authenticated

parameter-map type urlfpolicy websense cpwebpara0
server 192.168.xx.25
source-interface Vlan1
allow-mode on
parameter-map type urlf-glob cpaddbnwlocparapermit0
pattern citrix.xxxxxxxxxxxx.com

license udi pid CISCO887MW-GN-E-K9 sn xxxxxxxxxxx
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
username xxxxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 106
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type urlfilter match-any cpaddbnwlocclasspermit0
match  server-domain urlf-glob cpaddbnwlocparapermit0
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type urlfilter websense match-any cpwebclass0
match  server-response any
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 103
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class class-default
  drop
policy-map type inspect urlfilter cppolicymap-1
parameter type urlfpolicy websense cpwebpara0
class type urlfilter cpaddbnwlocclasspermit0
  allow
  log
class type urlfilter websense cpwebclass0
  server-specified-action
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy urlfilter cppolicymap-1
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address 194.105.xxx.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.105.xxx.xxx
set peer 194.105.xxx.xxx
set transform-set ESP-3DES-SHA
match address VPN-ACL
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 81.142.xxx.xxx 255.255.xxx.xxx
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SNMP
remark CCP_ACL Category=0
permit udp any any eq snmp
ip access-list extended SDM_SSH
remark CCP_ACL Category=0
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended VPN-ACL
remark ACL to Indentify interesting traffic to bring up VPN tunnel
remark CCP_ACL Category=4
permit ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 10.128.xx.0 0.0.255.255
permit ip 10.0.0.0 0.0.0.255 160.69.xx.0 0.0.255.255
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 23 permit 193.195.xxx.xxx
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 192.168.xx.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 81.142.xxx.xxx 0.0.0.7 any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq 22
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq 443
access-list 101 permit tcp host 193.195.xxx.xxx host 81.142.xxx.xxx eq cmd
access-list 101 deny   tcp any host 81.142.xxx.xxx eq telnet
access-list 101 deny   tcp any host 81.142.xxx.xxx eq 22
access-list 101 deny   tcp any host 81.142.xxx.xxx eq www
access-list 101 deny   tcp any host 81.142.xxx.xxx eq 443
access-list 101 deny   tcp any host 81.142.xxx.xxx eq cmd
access-list 101 deny   udp any host 81.142.xxx.xxx eq snmp
access-list 101 permit ip 160.69.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.128.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit udp host 194.105.xxx.xxx host 81.142.xxx.xxx eq non500-isakmp
access-list 101 permit udp host 194.105.xxx.xxx host 81.142.xxx.xxx eq isakmp
access-list 101 permit esp host 194.105.xxx.xxx host 81.142.xxx.xxx
access-list 101 permit ahp host 194.105.xxx.xxx host 81.142.xxx.xxx
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 192.168.xx.0 0.0.0.255 any
access-list 102 permit ip host 193.195.xxx.xxx any
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit ip host 193.195.xxx.xxx host 81.142.xxx.xxx
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 22
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq www
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq www
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq 443
access-list 104 permit tcp 192.168.xx.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 104 permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq cmd
access-list 104 deny   tcp any host 10.0.0.1 eq telnet
access-list 104 deny   tcp any host 10.0.0.1 eq 22
access-list 104 deny   tcp any host 10.0.0.1 eq www
access-list 104 deny   tcp any host 10.0.0.1 eq 443
access-list 104 deny   tcp any host 10.0.0.1 eq cmd
access-list 104 deny   udp any host 10.0.0.1 eq snmp
access-list 104 permit ip any any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 194.105.xxx.xxx any
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip 192.168.xx.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 10.128.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 106 permit ip 160.69.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 107 remark CCP_ACL Category=2
access-list 107 deny   ip 10.0.0.0 0.0.0.255 160.69.0.0 0.0.255.255
access-list 107 deny   ip 10.0.0.0 0.0.0.255 10.128.0.0 0.0.255.255
access-list 107 deny   ip 10.0.0.0 0.0.0.255 192.168.xx.0 0.0.0.255
access-list 107 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 107
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 102 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 130.159.196.118 prefer source Dialer0
end
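
The question above turns on which zone-pair a management flow lands in once it has come through the tunnel. The script below is an added example, not code from Paul's post or from any reply: it parses an excerpt of the posted config (ACLs, inspect class-maps, the ccp-permit policy-map and the out-zone to self zone-pair) and reports the action ZBF applies to three SSH flows. Assumptions that are not on the page: the sanitized "xx" octets are filled with constructed values (192.168.16.0/24 for the head-office LAN, 193.195.0.1 for the Internet admin host, 81.142.0.1 for the Dialer0 address); decrypted IPsec traffic is classified by the zone of the interface it arrived on (Dialer0, so out-zone), which is how ZBF treats crypto-map tunnels; and traffic to or from the self zone with no zone-pair configured is allowed, which is the ZBF default.

```python
"""Model of IOS Zone-Based Firewall classification over an excerpt of the posted config.

Added example; the excerpt and the filled-in addresses are constructed, not the thread's own data.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt of the posted config, limited to the management path to the self zone.
CONFIG_EXCERPT = """\
ip access-list extended SDM_SSH
 permit tcp any any eq 22
ip access-list extended SDM_HTTPS
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 permit tcp any any eq cmd
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 permit ip host 193.195.0.1 host 81.142.0.1
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-mgmt-cls-0
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
 match class-map sdm-mgmt-cls-0
 match access-group 103
policy-map type inspect ccp-permit
 class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
 class class-default
  drop
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""

PORTS = {"telnet": 23, "www": 80, "cmd": 514, "snmp": 161}  # IOS port keywords used in the config


@dataclass
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass
class Ruleset:
    acls: dict = field(default_factory=dict)        # name -> [(action, proto, src_net, dst_net, dport)]
    classes: dict = field(default_factory=dict)     # name -> (match-any|match-all, [(kind, arg)])
    policies: dict = field(default_factory=dict)    # name -> [[class_name, action], ...] in order
    zone_pairs: dict = field(default_factory=dict)  # (src_zone, dst_zone) -> policy-map name


def _net(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = (~int(ipaddress.ip_address(tokens[1]))) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.ip_network((tokens[0], str(ipaddress.ip_address(mask))), strict=False), tokens[2:]


def _ace(t):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into a tuple."""
    src, rest = _net(t[2:])
    dst, rest = _net(rest)
    dport = (PORTS.get(rest[1]) or int(rest[1])) if rest and rest[0] == "eq" else None
    return (t[0], t[1], src, dst, dport)


def parse(text):
    rs, ctx = Ruleset(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "remark" or (t[0] == "access-list" and t[2] == "remark"):
            continue
        if raw[0] != " ":  # top-level statement opens a new context
            if t[0] == "ip" and t[1] == "access-list":
                ctx = ("acl", t[3]); rs.acls.setdefault(t[3], [])
            elif t[0] == "access-list":
                rs.acls.setdefault(t[1], []).append(_ace(t[2:]))
            elif t[0] == "class-map":
                ctx = ("class", t[4]); rs.classes[t[4]] = (t[3], [])
            elif t[0] == "policy-map":
                ctx = ("policy", t[3]); rs.policies[t[3]] = []
            elif t[0] == "zone-pair":
                ctx = ("zp", (t[4], t[6]))
            continue
        kind, name = ctx
        if kind == "acl":
            rs.acls[name].append(_ace(t))
        elif kind == "class" and t[0] == "match":
            rs.classes[name][1].append(("acl", t[-1]) if t[1] == "access-group" else ("class", t[2]))
        elif kind == "policy":
            rs.policies[name].append([t[-1], None]) if t[0] == "class" else rs.policies[name][-1].__setitem__(1, t[0])
        elif kind == "zp" and t[0] == "service-policy":
            rs.zone_pairs[name] = t[-1]
    return rs


def acl_permits(rs, name, f):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, proto, src, dst, dport in rs.acls[name]:
        if proto not in ("ip", f.proto) or ipaddress.ip_address(f.src) not in src \
                or ipaddress.ip_address(f.dst) not in dst or (dport is not None and dport != f.dport):
            continue
        return action == "permit"
    return False


def class_matches(rs, name, f):
    mode, criteria = rs.classes[name]
    hits = [acl_permits(rs, a, f) if k == "acl" else class_matches(rs, a, f) for k, a in criteria]
    return any(hits) if mode == "match-any" else all(hits)


def zbf_action(rs, src_zone, dst_zone, f):
    """Action for a flow between two zones: first matching class wins; ZBF defaults if no zone-pair."""
    policy = rs.zone_pairs.get((src_zone, dst_zone))
    if policy is None:  # assumption stated in the lead-in: self-zone traffic passes without a zone-pair
        return "pass (no zone-pair)" if "self" in (src_zone, dst_zone) else "drop (no zone-pair)"
    for cls, action in rs.policies[policy]:
        if cls == "class-default" or class_matches(rs, cls, f):
            return f"{action} ({cls})"
    return "drop (class-default)"


RULES = parse(CONFIG_EXCERPT)


def ssh_from_head_office():
    # Head-office PC to the branch router's inside address: decrypted on Dialer0, so out-zone -> self.
    return zbf_action(RULES, "out-zone", "self", Flow("192.168.16.22", "10.0.0.1", "tcp", 22))


def ssh_from_internet_admin():
    # The single Internet host the Management Access wizard was given, hitting the Dialer0 address.
    return zbf_action(RULES, "out-zone", "self", Flow("193.195.0.1", "81.142.0.1", "tcp", 22))


def ssh_from_local_lan():
    # Branch LAN host: in-zone -> self, for which the posted config has no zone-pair.
    return zbf_action(RULES, "in-zone", "self", Flow("10.0.0.5", "10.0.0.1", "tcp", 22))


if __name__ == "__main__":
    for fn in (ssh_from_head_office, ssh_from_internet_admin, ssh_from_local_lan):
        print(f"{fn.__name__}: {fn()}")
```

The model shows why the three access paths behave differently: sdm-mgmt-cls-ccp-permit-0 is match-all, so a flow must satisfy both the SSH/HTTPS/shell class and access-list 103, and 103 names only the Internet admin host and the Dialer0 address. Interface ACLs 101 (Dialer0) and 104 (Vlan1) are evaluated separately and are not modelled here; in the posted config both permit the head-office subnet to 10.0.0.1, so the zone-pair policy is the place to check first.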

16 Replies

Great Paul!

Cheers,

Prapanch

I should mention that was an output whilst trying to SSH from 192.168.16.22

I can of course telnet and SSH from local PCs on the inside subnet

Thanks

Paul