VPN Client access through Zone-Based Firewall

talmadari
Level 1

Hi All,

Lately I have tried to configure my c891w to work with the Remote VPN client.

On the router there is already a Zone-Based Firewall configured.

I have managed to connect with the client and get an IP address from the pool (172.17.0.xxx). I checked the crypto session/client/SA status and everything seems fine, but I can't pass traffic through the VPN connection in either direction (Trust to VPN and vice versa)?!

My LAN IP Segment is: 172.16.0.0/24 and VPN IP Segment is: 172.17.0.0/24

Here is my Configuration:

version 15.1
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot system flash:/c890-universalk9-mz.151-2.T.bin
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging rate-limit all 100
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication login userauth local
aaa authentication enable default enable
aaa authorization exec local_author local
aaa authorization network groupauth local
!
!
!
!
!
aaa session-id common
!
clock timezone gmt 2 0
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 172.16.0.1 172.16.0.150
!
ip dhcp pool LAN
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   lease 7
!
ip dhcp pool DMZ
   import all
   network 10.99.0.0 255.255.255.240
   default-router 10.99.0.1
!
!
ip cef
no ip domain lookup
ip host mail 172.16.0.2
ip host ShareSpace 172.16.0.5
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
parameter-map type inspect global
log dropped-packets enable
parameter-map type inspect session-ctrl
audit-trail on
alert on
max-incomplete low 400
max-incomplete high 500
udp idle-time 15
icmp idle-time 10
dns-timeout 10
tcp idle-time 1800
tcp finwait-time 1
tcp synwait-time 15
tcp max-incomplete host 50 block-time 0
sessions maximum 1000
parameter-map type inspect default
audit-trail on
!
secure boot-image
secure boot-config
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all VPN-CLIENT-CLASS
description VPN Clients Access Class
match access-group name VPN-CLIENT-ACL
class-map type inspect match-any VPN-ACCESS-CLASS
match access-group 123
match class-map VPN-CLIENT-CLASS
class-map type inspect http match-any bad-http-class
match  request port-misuse any
match  req-resp protocol-violation
class-map type inspect match-any self-cmap-deny
description Router Class-map Deny
match protocol http
match protocol https
match protocol telnet
match protocol ftp
match protocol icmp
class-map type inspect match-all OUTSIDE-to-DMZ
match protocol ftp
match protocol ftps
match protocol tftp
match protocol telnet
match protocol ssh
match protocol https
match protocol http
class-map type inspect match-any LAN-Access-Class
description LAN Access
match protocol http
match protocol https
match protocol dns
match protocol ssh
match protocol telnet
match protocol ftp
match protocol icmp
match protocol msnmsgr
match protocol tcp
match protocol udp
match protocol pop3
match protocol smtp
class-map type inspect match-all LAN-Access-ACL
description LAN Outbound policy
match class-map LAN-Access-Class
match access-group 10
class-map type inspect match-all all-trust
match access-group 10
class-map type inspect match-all all-dmz
match access-group 11
class-map type inspect match-any SELF-DENY-CLASS
match protocol icmp
match protocol echo
match protocol https
match protocol http
match protocol telnet
match protocol ftp
match protocol snmp
class-map type inspect match-any self-protocols
match protocol https
match protocol ssh
class-map type inspect match-all SELF-ACCESS-CLASS
match access-group 87
match access-group name SELF-ACCESS-ACL
class-map type inspect match-all self-cmap-allow
description Router Class-map Access
match class-map self-protocols
!
!
policy-map type inspect to-self-pmap
class type inspect self-cmap-allow
  pass log
class type inspect self-cmap-deny
  drop log
class class-default
  drop log
policy-map type inspect SELF-ACCESS-POLICY
class type inspect SELF-ACCESS-CLASS
  inspect
class type inspect VPN-ACCESS-CLASS
  inspect
class class-default
  drop log
policy-map type inspect OUTSIDE-to-DMZ-POLICY
class type inspect OUTSIDE-to-DMZ
  inspect
class class-default
  drop log
policy-map type inspect UNTRUST-TO-SELF-MAP
class type inspect SELF-ACCESS-CLASS
  inspect session-ctrl
class type inspect VPN-ACCESS-CLASS
  inspect
class class-default
  drop log
policy-map type inspect DMZ-ACCESS-POLICY
description DMZ Access Policy
class class-default
  pass log
policy-map type inspect trust-access-policy
description Trust zone outbound access policy
class type inspect LAN-Access-ACL
  inspect session-ctrl
class class-default
  drop log
!
zone security trust
description Trust Zone
zone security untrust
description Untrust Zone
zone security dmz
description DMZ Zone
zone-pair security trust-to-untrust source trust destination untrust
description Trust zone access policy
service-policy type inspect trust-access-policy
zone-pair security self-to-untrust source self destination untrust
service-policy type inspect SELF-ACCESS-POLICY
zone-pair security untrust-to-dmz source untrust destination dmz
service-policy type inspect OUTSIDE-to-DMZ-POLICY
zone-pair security UNTRUST-TO-SELF source untrust destination self
service-policy type inspect UNTRUST-TO-SELF-MAP
zone-pair security DMZ-TO-UNTRUST source dmz destination untrust
service-policy type inspect DMZ-ACCESS-POLICY
!
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group client-group
key XXXXXXXXXXXXXXXX
dns xxxx.xxxx.xxxx.xxxx
wins 172.16.0.1
domain local.net
pool mypool
acl 108
!
!
crypto ipsec transform-set myset esp-aes 256 esp-md5-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 86400
set transform-set myset
reverse-route
!
!
!
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
description WAN Connection to ADSL Modem
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
load-interval 30
duplex auto
speed auto
pppoe-client dial-pool-number 1
no cdp enable
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 192.168.192.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
load-interval 30
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description Management network
ip address 172.16.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security trust
load-interval 30
!
interface Vlan99
description DMZ Network
ip address 10.99.0.1 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security dmz
load-interval 30
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface Dialer1
description Logical ADSL Interface$FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip verify unicast reverse-path
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security untrust
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp pap sent-username xxxxxxxx
no cdp enable
crypto map mymap
!
ip local pool mypool 172.17.0.1 172.17.0.254
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source list 11 interface Loopback1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended SELF-ACCESS-ACL
permit tcp any any eq 443
permit tcp any any eq 22
permit tcp any any eq telnet
ip access-list extended VPN-CLIENT-ACL
remark VPN Clients ACL
permit ip 172.17.0.0 0.0.0.255 172.16.0.0 0.0.0.255
permit icmp 172.17.0.0 0.0.0.255 any
!
logging esm config
logging origin-id hostname
logging facility local6
logging source-interface FastEthernet0
logging host 172.16.0.158 sequence-num-session
access-list 10 remark LAN-NAT-IP_Access_List
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 11 remark DMZ-NAT-IP_Access_List
access-list 11 permit 10.99.0.0 0.0.0.15
access-list 52 permit xxxx.xxxx.xxxx.xxxx
access-list 52 permit 172.17.0.0 0.0.0.255
access-list 87 permit xxxx.xxxx.xxxx.xxxx
access-list 87 remark OUTSIDE-TRSUT-IP-ACL
access-list 87 permit xxxx.xxxx.xxxx.xxxx
access-list 99 permit 10.99.0.0 0.0.0.15
access-list 99 deny   any log
access-list 108 permit ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 remark LAN Access
access-list 110 deny   ip any any log
access-list 110 deny   icmp any any log
access-list 110 remark LAN Access
access-list 111 remark Outside Access
access-list 111 permit ip 0.0.0.0 255.255.240.0 host xxx.xxx.xxx.xxx
access-list 111 deny   ip any any log
access-list 123 permit esp any any
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ahp any any
access-list 123 permit udp any any eq isakmp
!
!
!
!

control-plane
!
line con 0
login authentication local_authen
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
access-class 7 in
exec-timeout 5 0
privilege level 15
authorization exec local_author
logging synchronous
login authentication local_authen
transport input ssh
transport output ssh
line vty 5 15
access-class 7 in
exec-timeout 5 0
privilege level 15
authorization exec local_author
logging synchronous
login authentication local_authen
transport input ssh
transport output ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
end

Has anyone encountered this kind of problem?

2 Replies

Yudong Wu
Level 7

Please exclude the VPN traffic from the following NAT configuration.

ip nat inside source list 10 interface Dialer1 overload

That's right, I was supposed to exclude the NAT operation between both networks, but there is still no connectivity.

Here is the NAT exclusion config:

ip nat inside source list 109 interface Dialer1 overload

access-list 109 remark LAN NAT IP ACL
access-list 109 deny   ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 109 permit ip 172.16.0.0 0.0.0.255 any

Here is the output for IPSec SA:

Router#sh crypto ipsec sa

interface: Dialer1
    Crypto map tag: mymap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.11/255.255.255.255/0/0)
   current_peer x.x.x.x port 49896
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x9010FF8B(2417033099)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA10E5E0D(2702073357)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 27, flow_id: Onboard VPN:27, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4561800/86294)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9010FF8B(2417033099)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 28, flow_id: Onboard VPN:28, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4561803/86294)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access1
    Crypto map tag: mymap, local addr x.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.11/255.255.255.255/0/0)
   current_peer x.x.x.x port 49896
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x9010FF8B(2417033099)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA10E5E0D(2702073357)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 27, flow_id: Onboard VPN:27, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4561800/86294)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9010FF8B(2417033099)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 28, flow_id: Onboard VPN:28, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4561803/86294)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Any more ideas?
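Putting the two posts together, as an added example that is not part of the thread: a small Python linter over the configuration posted above. The zone-based firewall point it encodes is that, with the crypto map applied on Dialer1, decrypted client packets are processed as if they had been received on Dialer1, so they sit in zone untrust; the posted configuration declares zone-pairs trust-to-untrust, untrust-to-dmz, dmz-to-untrust and the two self pairs, but no untrust-to-trust pair, and inter-zone traffic with no zone-pair is dropped by ZBF (with `log dropped-packets enable` set, those drops should show up in the log). The second check is the NAT exemption the first reply asked for. The embedded configuration is a trimmed excerpt of the post, and the parsing rules are assumptions about the IOS text format (numbered ACLs only, contiguous wildcard masks, `any` or `address wildcard` address specs); none of this is Cisco code.

```python
import ipaddress
import re

# Trimmed excerpt of the configuration from the original post (only the
# lines these checks read).
ORIGINAL_CONFIG = """\
interface Vlan1
 ip address 172.16.0.1 255.255.255.0
 zone-member security trust
interface Vlan99
 ip address 10.99.0.1 255.255.255.240
 zone-member security dmz
interface Dialer1
 ip address negotiated
 zone-member security untrust
 crypto map mymap
ip local pool mypool 172.17.0.1 172.17.0.254
ip nat inside source list 10 interface Dialer1 overload
zone-pair security trust-to-untrust source trust destination untrust
zone-pair security self-to-untrust source self destination untrust
zone-pair security untrust-to-dmz source untrust destination dmz
zone-pair security UNTRUST-TO-SELF source untrust destination self
zone-pair security DMZ-TO-UNTRUST source dmz destination untrust
access-list 10 permit 172.16.0.0 0.0.0.255
"""

# Same excerpt with the NAT exemption from the follow-up post swapped in.
FOLLOWUP_CONFIG = ORIGINAL_CONFIG.replace(
    "source list 10 interface", "source list 109 interface"
).replace(
    "access-list 10 permit 172.16.0.0 0.0.0.255",
    "access-list 109 deny   ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.0.255\n"
    "access-list 109 permit ip 172.16.0.0 0.0.0.255 any",
)

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def parse_interfaces(config):
    """Map interface name -> {zone, network, crypto_map} from 'interface' stanzas."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):                      # new top-level command
            m = re.match(r"interface (\S+)", line)
            current = m[1] if m else None
            if current:
                interfaces[current] = {"zone": None, "network": None, "crypto_map": None}
            continue
        if current is None:
            continue
        text = line.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", text):   # 'negotiated' is skipped
            interfaces[current]["network"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"zone-member security (\S+)", text):
            interfaces[current]["zone"] = m[1]
        elif m := re.match(r"crypto map (\S+)", text):
            interfaces[current]["crypto_map"] = m[1]
    return interfaces


def parse_zone_pairs(config):
    """Set of declared (source zone, destination zone) pairs."""
    return {(m[1], m[2]) for m in re.finditer(
        r"^zone-pair security \S+ source (\S+) destination (\S+)", config, re.M)}


def missing_vpn_zone_pairs(config):
    """Decrypted crypto-map traffic counts as received on the interface that
    carries the map, so it belongs to that interface's zone.  Return the
    (source, destination) pairs between that zone and every other zoned
    interface that have no zone-pair: ZBF drops those flows."""
    ifaces = parse_interfaces(config)
    pairs = parse_zone_pairs(config)
    vpn_zones = {i["zone"] for i in ifaces.values() if i["crypto_map"] and i["zone"]}
    other_zones = {i["zone"] for i in ifaces.values() if i["zone"] and not i["crypto_map"]}
    return [p for vz in sorted(vpn_zones) for oz in sorted(other_zones)
            for p in ((vz, oz), (oz, vz)) if p not in pairs]


def _acl_target(tokens):
    """Consume one ACL address spec ('any' or 'ADDR WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def nat_exempts_pool(config):
    """True when every 'ip nat inside source list' ACL denies traffic from a
    local interface network to the whole VPN pool before any permit that
    would translate it (ACLs are evaluated top-down, first match wins)."""
    pools = [(ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2])) for m in
             re.finditer(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)]
    lan_nets = [i["network"] for i in parse_interfaces(config).values() if i["network"]]
    for m in re.finditer(r"^ip nat inside source list (\S+) ", config, re.M):
        exempt = False
        for action, rest in re.findall(rf"^access-list {m[1]} (permit|deny)\s+(.*)$", config, re.M):
            tokens = rest.split()
            if tokens[0] == "ip":                      # extended entry: ip SRC DST
                src, tokens = _acl_target(tokens[1:])
                dst, _ = _acl_target(tokens)
            else:                                      # standard entry: SRC only
                src, _ = _acl_target(tokens)
                dst = ANY
            from_lan = any(src.overlaps(n) for n in lan_nets)
            to_pool = all(lo in dst and hi in dst for lo, hi in pools)
            if from_lan and to_pool:                   # first entry that matches LAN->pool decides
                exempt = action == "deny"
                break
        if not exempt:
            return False
    return True


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("follow-up", FOLLOWUP_CONFIG)):
        print(f"{label}: missing zone-pairs={missing_vpn_zone_pairs(cfg)} "
              f"nat exempts pool={nat_exempts_pool(cfg)}")
```

Run against both excerpts it reports the same single missing pair, (untrust, trust), and confirms the NAT exemption only for the follow-up ACL 109, which is consistent with the SA counters above (23 packets decrypted, 4 encrypted: client packets arrive, almost nothing goes back). On the router, `show zone-pair security` and `show policy-map type inspect zone-pair` give the same picture, the latter with per-class drop counters. The usual fix is either an untrust-to-trust zone-pair whose class matches the 172.17.0.0/24 client source (the trust-to-untrust direction already inspects LAN traffic), or terminating the clients on a virtual-template interface placed in its own zone so that client traffic stops sharing the untrust policy.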