Site-to-site VPN with ZB firewall

stephenkm
Level 1

Hi,

I've been trying to get this site-to-site VPN working for a few days with no joy. The tunnel comes up, and when I do an extended ping, I can get to the internal interfaces on both routers. However, I cannot ping any devices on both ends. I'm not sure if it's my NATing that's wrong or it's something in my firewall. The router on SiteB has another tunnel (Crypto map mymap 10) to another router that works just fine. I have attached the configs for both routers.

Any assistance appreciated.

Cheers!

1 Reply

Michal Dulovic
Level 1

Hi, I think your problem is this service policy on the site A router:

policy-map type inspect permit-server-traffic
 class class-default
  drop

This service policy controls the traffic coming from out-zone (outside your local LAN) to in-zone (your local LAN). The remote LAN is, in this context, in out-zone (respectively on both routers).
As you do not have any classes here and class-default is set to drop all traffic coming from outside the local LAN (respectively on both routers), traffic from out-zone gets dropped (it always gets dropped on the router at the remote site, from where you are trying to communicate).

I hope you get what I am trying to say :)

You have to specify another class where you define what type of traffic you want permitted from out-zone to in-zone and then insert it into this service policy (policy-map type inspect permit-server-traffic).

Of course you also have to edit this policy on the router at site B, which now blocks traffic coming from the LAN of the site A router except what is specified in access-list 101.

In this ACL, I think this line is not effective: "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255", as it controls traffic coming from the opposite direction.

-------------------------------------------------------------------------------------------------------------------


Also, there are a few things that caught my eye which don't really make sense to me, but should not be causing the issue you are experiencing.

Firstly:

policy-map type inspect inspect-traffic
 class type inspect inspect-outbound-traffic
  inspect
 class class-default
  pass

This pass here is not really effective, as it passes the traffic from in-zone to out-zone but no stateful information is created, so the returning traffic gets dropped. Only the traffic specified in class-map inspect-outbound-traffic has stateful information created and is thus allowed back in.


The second thing is that you have specified VPN access to your router in different classes, which is hard to read, but other than that it has no effect on traffic forwarding. The best way is to group traffic for one purpose in one class so it's easy to distinguish which class is for what.
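Putting the reply's suggestion into config form, as an added example (not taken from the thread's attached configs, which are not shown here). It assumes the zone names in-zone/out-zone used in the reply, a Site A LAN of 192.168.1.0/24 and a Site B LAN of 192.168.5.0/24 (the ACL quoted above shows both subnets but not which site owns which), and the ACL and class-map names are invented.

```cisco
! Added example, not the configs attached to the thread. Assumes the
! zone names in-zone / out-zone from the reply, Site A LAN = 192.168.1.0/24
! and Site B LAN = 192.168.5.0/24 (swap if your config differs). The ACL
! and class-map names are made up.
!
! --- Site A router ---
! Traffic arriving over the tunnel from the Site B LAN toward the local LAN
ip access-list extended VPN-IN-ACL
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
class-map type inspect match-all VPN-INBOUND-TRAFFIC
 match access-group name VPN-IN-ACL
!
! out-zone -> in-zone policy: add the class with "inspect" so a session
! entry is created and the replies from the local LAN are allowed back out.
! class-default is always evaluated last and keeps dropping everything else.
policy-map type inspect permit-server-traffic
 class type inspect VPN-INBOUND-TRAFFIC
  inspect
 class class-default
  drop
!
! in-zone -> out-zone policy: inspect (not pass) the traffic the local LAN
! initiates toward the Site B LAN, so its return traffic is tracked.
ip access-list extended VPN-OUT-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
!
class-map type inspect match-all VPN-OUTBOUND-TRAFFIC
 match access-group name VPN-OUT-ACL
!
policy-map type inspect inspect-traffic
 class type inspect inspect-outbound-traffic
  inspect
 class type inspect VPN-OUTBOUND-TRAFFIC
  inspect
 class class-default
  pass
!
! --- Site B router: mirror the above with the source and destination
! subnets swapped in both ACLs. ---
!
! Verification (after sending traffic from a LAN host):
! show policy-map type inspect zone-pair sessions
!   -> an inspect session for the ping or TCP flow should be listed
! show zone-pair security
```

If the sessions output stays empty while the tunnel is up, the traffic is not matching the new classes; check the ACL direction against the zone-pair direction before touching NAT.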