
VPN site-to-site with Zone Based Firewall

jrisler
Level 1

The problem I am having is very strange, and I have tried to upgrade the IOS on the 1841 to solve the problem, but no luck. The issue is that when I enable Zone Based firewall security on one of the 1841 routers, two VPN site-to-site tunnels stop working. If I turn off CEF (no ip cef), then the traffic for both tunnels works. Someone told me that the Zone Based firewall must have a match for the VPN traffic, and I created that with ACL 160 and 161, but it did not solve the problem.

Looking for some ideas on what else to try?

Current IOS is below.

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 15.0(1)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 11-Sep-12 23:58 by prod_rel_team

Zone based information below

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 160
 match protocol icmp
class-map type inspect match-all sdm-cls-VPNInsideToOutside-1
 match access-group 161
 match protocol icmp
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 104
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 103
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect sdm-cls-VPNInsideToOutside-1
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect sdm-access
  inspect
 class class-default
  drop
policy-map type inspect sdm-inspect-all
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
access-list 160 permit ip 10.5.5.0 0.0.0.255 10.6.31.0 0.0.0.255
access-list 160 permit ip 10.5.4.0 0.0.0.255 10.6.31.0 0.0.0.255
access-list 161 permit ip 10.6.31.0 0.0.0.255 10.5.5.0 0.0.0.255
access-list 161 permit ip 10.6.31.0 0.0.0.255 10.5.4.0 0.0.0.255
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22

2 Replies

jrisler
Level 1

Anyone have any suggestions on how I can get the VPNs to function with the Zone Based firewall?

You need to allow ISAKMP and ESP traffic through the firewall. I use the following in the ACLs for my ZBF:

permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any

You could create an ACL to allow this traffic from the WAN and apply it on the outside-to-self zone pair.
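A worked configuration that puts the reply's ACL into a zone-based policy, added here as an example; it is not jrisler's running config and not the replier's exact configuration. It reuses the zone names in-zone and out-zone and access-list 160 from the post above; ACL-IPSEC-TO-SELF, CLS-IPSEC-TO-SELF, PM-OUT-SELF, CLS-VPN-OUT-TO-IN, PM-OUT-IN, ZP-OUT-IN and the interface names are assumptions. It covers two gaps visible in the posted config. First, IKE (UDP 500), IKE over NAT-T (UDP 4500) and ESP terminate on the router itself, so they are evaluated by the out-zone to self zone-pair, where ccp-permit ends in class-default drop; the only classes matched there are HTTPS, SSH and shell. Second, the post defines policy-map sdm-inspect-all but never applies it, and there is no zone-pair from out-zone to in-zone at all. Decrypted tunnel traffic is still seen by ZBF as entering on the outside interface, and zones with no zone-pair between them drop traffic by default, so anything the remote sites initiate towards 10.6.31.0/24 has no policy that would allow it. The out-to-in class below matches on ACL 160 alone, so TCP and UDP between the subnets are inspected as well, not only ICMP as the match-all class with "match protocol icmp" on the page would allow.

```cisco
! --- 1. Let IPsec control and data traffic reach the router (out-zone -> self) ---
! Names are hypothetical; the ACL body is the one from the reply above.
ip access-list extended ACL-IPSEC-TO-SELF
 remark IKE, IKE over NAT-T, and ESP terminating on this router
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
!
class-map type inspect match-all CLS-IPSEC-TO-SELF
 match access-group name ACL-IPSEC-TO-SELF
!
! Replacement for ccp-permit on the out-zone -> self pair. ESP carries no
! session state the inspect engine can track, so the IPsec class is passed,
! not inspected; management access keeps the existing sdm-access class.
policy-map type inspect PM-OUT-SELF
 class type inspect CLS-IPSEC-TO-SELF
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop
!
! Re-entering the existing zone-pair replaces its service policy.
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect PM-OUT-SELF
!
! --- 2. Policy for decrypted tunnel traffic entering the LAN (out-zone -> in-zone) ---
! access-list 160 (10.5.4.0/24 and 10.5.5.0/24 -> 10.6.31.0/24) is from the post.
class-map type inspect match-all CLS-VPN-OUT-TO-IN
 match access-group 160
!
policy-map type inspect PM-OUT-IN
 class type inspect CLS-VPN-OUT-TO-IN
  inspect
 class class-default
  drop
!
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
!
! --- 3. Zone policies only take effect on interfaces that are zone members ---
! Interface names are assumptions; the post does not show them.
interface FastEthernet0/0
 description LAN
 zone-member security in-zone
!
interface FastEthernet0/1
 description WAN, crypto map is applied here
 zone-member security out-zone
```

The pass action is one-directional; the existing self-to-out pair already ends in "class class-default pass", which is why only the inbound direction needs the new class. After applying this, check that both pairs show the intended policy with "show zone-pair security", watch session creation with "show policy-map type inspect zone-pair sessions", and confirm the tunnel itself negotiates with "show crypto isakmp sa" and "show crypto ipsec sa" before re-testing end-to-end traffic with CEF left enabled.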