10-19-2010 07:46 PM
Hi,
I have a site to site VPN using VTI.
I tried to configure my zone-based firewall to deny ping on my WAN IP, but when I applied it, my VPN went down.
Could someone advise me how to do it?
Below is my config:
! Inside -> Outside: what LAN hosts may initiate toward the Internet
class-map type inspect match-any Inside-Outside-Class
 match protocol https
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! Outside -> self: what the Internet may send to the router itself
class-map type inspect match-any Outside-Self-Class
 match access-group name ICMPReply
 match access-group name ISAKMP
!
class-map type inspect match-any VPN-Inside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol ssh
 match protocol https
 match protocol sip
!
class-map type inspect match-any Inside-VPN-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol ssh
 match protocol sip
!
policy-map type inspect Inside-Outside-Policy
 class type inspect Inside-Outside-Class
  inspect
 class class-default
!
policy-map type inspect VPN-Inside-Policy
 class type inspect VPN-Inside-Class
  inspect
 class class-default
!
policy-map type inspect Inside-VPN-Policy
 class type inspect Inside-VPN-Class
  inspect
 class class-default
!
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  inspect
 class class-default
!
zone security Inside
zone security Outside
zone security VPN
!
zone-pair security in-out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
zone-pair security VPN-In source VPN destination Inside
 service-policy type inspect VPN-Inside-Policy
zone-pair security In-VPN source Inside destination VPN
 service-policy type inspect Inside-VPN-Policy
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy
!
! The VTI carries the decrypted traffic (zone VPN); its source, Dialer0, is the WAN (zone Outside)
interface Tunnel100
 zone-member security VPN
 tunnel source Dialer0
!
interface Dialer0
 zone-member security Outside
!
interface Vlan1
 zone-member security Inside
!
! IKE (UDP 500), NAT-T (UDP 4500), AH and ESP toward the router
ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
!
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
Thank you
01-27-2011 06:18 PM
Hi,
The following link gives basic configuration of VPN with ZBF.
Regards,
Anisha
- do rate helpful posts.
01-27-2011 09:39 PM
I think you need to define a zone pair between Outside and VPN as well.
01-28-2011 07:02 AM
But I can't understand how VPN traffic (ESP, IPsec) will pass through the firewall without any ACL to permit it?
They don't talk about that.
01-28-2011 08:04 AM
ESP and ISAKMP packets are destined to the router itself. So, they are controlled by the zone pair policy between "self" and the "outside" interface. By default, if you don't define a zone pair policy between "self" and "outside", they will be permitted automatically. But, if you do define a zone pair policy between "self" and "outside" like Kim did in his setup, you must permit ESP and ISAKMP traffic like in Kim's setup.
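As an added illustration of the point above (not a configuration posted in this thread, and not tested against Kim's router), the following Outside-to-self policy keeps the IPsec control and data planes open while dropping echo requests aimed at the WAN address. It reuses the zone and zone-pair names from Kim's post; the ACL and class-map names are chosen here and are assumptions. The important difference from the original post is that ESP and AH get the `pass` action rather than `inspect`, because ZBF inspection tracks state only for TCP, UDP and ICMP, whereas IKE on UDP 500/4500 can be inspected normally.

```cisco
! Added example: Outside -> self policy for an IPsec VTI router.
! Zone "Outside" and zone-pair "Out-Self" are taken from the original post;
! all ACL and class-map names below are assumed for this example.
!
! IKE and NAT-T: UDP, so it can be inspected (stateful, replies tracked)
ip access-list extended IPSEC-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
! ESP and AH: not TCP/UDP/ICMP, so they must be passed, not inspected
ip access-list extended IPSEC-DATA
 permit esp any any
 permit ahp any any
!
! ICMP the router still needs to receive; echo (ping) is deliberately absent
ip access-list extended ICMP-ALLOWED
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
class-map type inspect match-any Outside-Self-IKE
 match access-group name IPSEC-CONTROL
class-map type inspect match-any Outside-Self-ESP
 match access-group name IPSEC-DATA
class-map type inspect match-any Outside-Self-ICMP
 match access-group name ICMP-ALLOWED
!
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-IKE
  inspect
 class type inspect Outside-Self-ESP
  pass
 class type inspect Outside-Self-ICMP
  pass
 class class-default
  drop log
!
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy
```

Pings to the WAN address fall through to `class-default` and are dropped and logged, so `show logging` and `show policy-map type inspect zone-pair Out-Self` are the places to confirm that only echo requests are being discarded and that ESP counters keep increasing while the tunnel is up. Two caveats worth checking before deploying: because no self-to-Outside zone pair is defined, router-originated packets are permitted by default, but their replies (for example, NTP or DNS lookups the router itself performs) still enter through Out-Self and would hit `class-default` unless a matching `pass` or `inspect` class is added; and `pass` is one-directional, so if a self-to-Outside zone pair is ever added, ESP and AH must be passed there as well.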