08-22-2016 12:05 PM - edited 02-21-2020 08:56 PM
Does anyone have a working config for a zone-based firewall and site-to-site IPsec?
08-24-2016 10:13 PM
Configure a site-to-site tunnel and then you can use the config below for configuring ZBF:
!
!--- Define the class maps. Internet-cmap matches general outbound traffic by protocol;
!--- the other three match the named ACLs defined at the end of the config.
class-map type inspect match-any Internet-cmap
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol pop3
 match protocol pop3s
 match protocol smtp
class-map type inspect match-all ICMP-cmap
 match access-group name ICMP
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all SSHaccess-cmap
 match access-group name SSHaccess
!
!
!--- Define the Zone based firewall Policy maps
policy-map type inspect inside-outside-pmap
 class type inspect Internet-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class class-default
  drop
policy-map type inspect outside-inside-pmap
 class type inspect ICMP-cmap
  inspect
 class class-default
  drop
!--- Policy for traffic addressed to the router itself (self zone): SSH and ICMP are
!--- inspected; ISAKMP, ESP and AH for the IPsec tunnel are passed without inspection.
policy-map type inspect Outside-Router-pmap
 class type inspect SSHaccess-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class type inspect IPSEC-cmap
  pass
 class class-default
  drop
!
!
!--- Define zones
zone security inside
zone security outside
!
!
!--- Define zone-pairs
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-outside-pmap
zone-pair security outside-to-router source outside destination self
 service-policy type inspect Outside-Router-pmap
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-inside-pmap
!
!
!
interface Ethernet0
 ip address 172.16.10.20 255.255.255.0
 !
 !--- Define interface as part of inside zone
 zone-member security inside
 half-duplex
!
interface FastEthernet0
 ip address 209.165.201.2 255.255.255.224
 !
 !--- Define interface as part of outside zone
 zone-member security outside
 speed auto
!
!--- Define the ACLs referenced by the class maps above
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
!
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
!
ip access-list extended SSHaccess
 permit tcp any any eq 22
!
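As an added example (not part of the original answer), the Python script below is a small simulator of how IOS zone-based firewall evaluates a flow: it parses the class-maps, policy-maps, zone-pairs and ACLs from an abridged copy of the config above (only the two zone-pairs that matter for IPsec; interfaces omitted) and reports the action and the deciding class. It shows that IKE and ESP toward the router are passed without inspection, that the router's own IKE traffic toward the outside zone is allowed because no self-to-outside zone-pair exists, and that a flow arriving on the outside-to-inside zone-pair, which is where IOS evaluates traffic decrypted by a crypto map on an outside-zone interface (the situation in the VoIP follow-up further down), falls into class-default and is dropped unless a class for it is added. The zone names come from the config; the flow dictionaries and the port keyword table are the example's own, and only protocol, destination port and ICMP type are compared (all these ACLs use "any any").

```python
# Added example (not from the original post): a small simulator of how IOS ZBF evaluates a
# flow against class-maps, policy-maps and zone-pairs. ZBF_CONFIG is an abridged copy of the
# config above (the two zone-pairs that matter for IPsec; interfaces omitted).
ZBF_CONFIG = """
class-map type inspect match-all ICMP-cmap
 match access-group name ICMP
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all SSHaccess-cmap
 match access-group name SSHaccess
policy-map type inspect outside-inside-pmap
 class type inspect ICMP-cmap
  inspect
 class class-default
  drop
policy-map type inspect Outside-Router-pmap
 class type inspect SSHaccess-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class type inspect IPSEC-cmap
  pass
 class class-default
  drop
zone-pair security outside-to-router source outside destination self
 service-policy type inspect Outside-Router-pmap
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-inside-pmap
ip access-list extended ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
ip access-list extended ISAKMP_IPSEC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended SSHaccess
 permit tcp any any eq 22
"""
PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords used in the ACLs above

def parse_config(text):
    """Parse the ZBF-relevant IOS lines; everything else (zones, interfaces) is skipped."""
    cfg, cur = {"cmaps": {}, "pmaps": {}, "pairs": [], "acls": {}}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "class-map":                       # class-map type inspect match-any NAME
            cur = cfg["cmaps"][tok[-1]] = {"mode": tok[3], "matches": []}
        elif tok[0] == "policy-map":                    # policy-map type inspect NAME
            cur = cfg["pmaps"][tok[-1]] = []
        elif tok[0] == "zone-pair":                     # zone-pair security NAME source S destination D
            cfg["pairs"].append(cur := {"src": tok[4], "dst": tok[6], "policy": None})
        elif tok[:2] == ["ip", "access-list"]:          # ip access-list extended NAME
            cur = cfg["acls"][tok[-1]] = []
        elif tok[0] == "match":                         # match protocol X | match access-group name ACL
            cur["matches"].append(tok[1:])
        elif tok[0] == "class":                         # class type inspect NAME | class class-default
            cur.append({"class": tok[-1], "action": None})
        elif tok[0] in ("inspect", "pass", "drop"):     # action of the class above ("drop log" -> drop)
            cur[-1]["action"] = tok[0]
        elif tok[0] == "service-policy":
            cur["policy"] = tok[-1]
        elif tok[0] in ("permit", "deny"):              # ACE: permit PROTO any any [eq PORT | ICMP-TYPE]
            cur.append(tok)
    return cfg

def acl_permits(acl, flow):
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace[1] not in ("ip", flow["proto"]):
            continue
        qual = ace[4:]                                  # whatever follows "any any"
        if qual and qual[0] == "eq":                    # tcp/udp destination port, keyword or number
            port = PORTS.get(qual[1]) or (int(qual[1]) if qual[1].isdigit() else None)
            if flow.get("dport") != port:
                continue
        elif qual and flow.get("icmp_type") != qual[0]: # ICMP type keyword such as echo
            continue
        return ace[0] == "permit"
    return False

def class_matches(cfg, name, flow):
    if name == "class-default":
        return True
    cmap = cfg["cmaps"][name]
    hits = [acl_permits(cfg["acls"][m[-1]], flow) if m[0] == "access-group" else flow["proto"] == m[1]
            for m in cmap["matches"]]                   # "match protocol" handled for L4 names only
    return any(hits) if cmap["mode"] == "match-any" else all(hits)

def evaluate(cfg, src, dst, flow):
    """Return (action, deciding class) for a flow from zone src to zone dst."""
    pair = next((p for p in cfg["pairs"] if p["src"] == src and p["dst"] == dst), None)
    if pair is None:  # IOS default: intra-zone and self-zone traffic allowed, other inter-zone traffic dropped
        return ("pass" if src == dst or "self" in (src, dst) else "drop"), "no zone-pair"
    for entry in cfg["pmaps"][pair["policy"]]:          # first matching class wins
        if class_matches(cfg, entry["class"], flow):
            return entry["action"], entry["class"]
    return "drop", "implicit"

if __name__ == "__main__":
    cfg = parse_config(ZBF_CONFIG)
    for src, dst, flow in [                             # constructed flows
        ("outside", "self", {"proto": "udp", "dport": 500}),     # IKE to the router: passed, not inspected
        ("self", "outside", {"proto": "udp", "dport": 500}),     # router-originated IKE: no zone-pair, allowed
        ("outside", "inside", {"proto": "udp", "dport": 5060}),  # decrypted tunnel traffic to the LAN: dropped
    ]:
        print(src, "->", dst, flow, evaluate(cfg, src, dst, flow))
```

The last flow is the one to watch when a crypto map sits on an outside-zone interface: IKE and ESP reach the router through the outside-to-self pair, but what comes out of the tunnel is re-evaluated on outside-to-inside, so a class (or ACL-based class-map) for the tunnelled application traffic has to be added to that policy-map, or the decrypted packets end in class-default.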
09-01-2016 05:27 PM
Thanks for the reply, I will try that and update.
06-26-2018 03:20 PM
Hello,
I have gone through your config and I have a query about it. Recently we moved to a zone-based 4431 router; I have an IPsec tunnel crypto map applied to the WAN interface, and the WAN interface is in the outside zone.
The tunnel is working fine, but my VoIP services are not working, as the VoIP switch at the other end fails to sync (TMS sync fails). Do I need to create a policy map for IPsec as well? It is applied directly on the WAN interface as a crypto map.
Sac-4431-1#sh run int gi0/0/1
Building configuration...
Current configuration : 321 bytes
!
interface GigabitEthernet0/0/1
 description >>> Outside Interface 1 <<<
 bandwidth 153600
 ip address xxxx xxxx
 ip nat outside
 zone-member security SACOUTSIDE
 ip ospf priority 64
 load-interval 30
 speed 1000
 no negotiation auto
 no cdp enable
 crypto map Crypto-Map
 hold-queue 50000 out
end
Sac-4431-1#
policy-map type inspect SACOUTSIDE-TO-INSIDE-POLICY
 class type inspect SACOUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log