03-03-2012 06:02 AM
Recently I attempted to build a LAN-to-LAN VPN tunnel from an ASA to a 2911 running zone-based firewall. This was a standard IPsec PSK tunnel, nothing fancy. I got the tunnel to establish, but I could only get traffic to encap on the ASA side and decap on the 2911 side. I couldn't get return traffic. I followed this doc here for classic IPsec in the last example.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html
And I am sure the ASA is right; I have built a ton of those, but I am new to ZFW. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasn't sure, and I could not find any info. Do I need to do NAT exempt? If so, do you use a route map on the end of your NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end. Thanks.
03-03-2012 10:26 AM
Is the zone-pair to self from the outside to self?
And you say you don't use NAT, only have real addresses (public routable addresses?), so why would you need to do an exception for the NAT that you don't have?
03-03-2012 11:40 AM
Yes, it looks like they wanted ping allowed:
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
!
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match protocol user-ctcp-ezvpnsvr
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
03-03-2012 03:14 PM
In your "ccp-permit-icmpreply" policy map you inspect the ICMP traffic and the default is pass. I don't know if the pass default is a security risk, but because of that everything is allowed to your router, but the return traffic will not be sent back.
But I would do this for the self to outside:
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 ! class name corrected to match the class-map defined below
 class type inspect SELF-TO-OUT-VPN-CMAP
  inspect
 class class-default
  drop
!
class-map type inspect match-any SELF-TO-OUT-VPN-CMAP
 match access-group name SELF-TO-OUT-VPN-ACL
!
ip access-list extended SELF-TO-OUT-VPN-ACL
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
I'm not sure this will fix your problem, because I never use the pass as default, so I don't know how it works.
03-04-2012 05:31 AM
Thanks, I am going to give that a try Monday. I'll let you know. Do you have to define a self to out and out to self, or is the default behavior that nothing will connect to the router? I am building a VPN to the customer so that we can connect a BW grapher and NetFlow to the device. Does the remote network on the tunnel fall into the zone pair self to out and out to self?
I know the ASA defines the interfaces in that security level. Also I don't have a zone pair self to in. Does it allow all traffic on the inside? Thanks again for the help. I am new to the ZFW and the whole "self" thing has me confused.
03-04-2012 06:05 AM
You don't have to define anything for the self zone; everything is by default passed to the self zone, but as you can understand that would be a security risk.
Also, by default nothing is permitted between the different zones, so you have to create zone-pairs and define policies so communication is possible.
The remote network will fall into both, because you get traffic from the remote network (out->self) and you send traffic to the remote network (self->out).
03-04-2012 06:59 AM
OK, that makes sense.
So if I need snap and NetFlow to traverse the VPN, I need to define these ports in the self to out and out to self maps, right?
03-04-2012 07:44 AM
I'm sorry for not knowing what NetFlow and snap are.
But if the traffic originates from the router and is being sent to the router, it is like you just wrote; if it originates inside the network, it is inside->out and out->inside.
+
I have to make a correction of myself: the traffic going to and from the router (self) has to be "pass", not "inspect".
The default should still be drop, in my opinion.
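Pulling the thread's advice together (self-zone pairs that drop by default, "pass" rather than "inspect" for the IPsec protocols that terminate on the router, and out->self / self->out entries for the monitoring traffic, plus an out->in pair for the remote LAN's traffic to the local LAN), the following is an added example of a complete ZBF configuration for the 2911 side. It is not from any post in this thread or from the Cisco document linked above. The zone names in-zone and out-zone follow the poster's CCP-generated config; the remote LAN 192.0.2.0/24, the local LAN 198.51.100.0/24, the monitoring host 192.0.2.10, the NetFlow export port 2055, the NAT-T entry, and the reading of "snap" as SNMP polling are all assumptions made for the example.

```cisco
! Added example, not from the original thread. Assumed: zones in-zone/out-zone,
! remote LAN 192.0.2.0/24 behind the ASA, local LAN 198.51.100.0/24 behind
! in-zone, monitoring host 192.0.2.10, NetFlow export to UDP 2055, and "snap"
! taken to mean SNMP polling.
zone security in-zone
zone security out-zone
!
! IPsec control and data traffic terminating on the router itself.
! UDP 4500 (NAT-T) is included in case either peer detects NAT in the path.
ip access-list extended IPSEC-CONTROL-ACL
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
! Remote hosts allowed to talk to the router itself (out -> self).
ip access-list extended REMOTE-TO-SELF-ACL
 permit ip 192.0.2.0 0.0.0.255 any
! Router-originated traffic toward the remote LAN (self -> out).
ip access-list extended SELF-TO-REMOTE-ACL
 permit ip any 192.0.2.0 0.0.0.255
! Remote LAN to local LAN through the tunnel (out -> in).
ip access-list extended REMOTE-TO-LOCAL-ACL
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
class-map type inspect match-any IPSEC-CONTROL-CMAP
 match access-group name IPSEC-CONTROL-ACL
class-map type inspect match-all REMOTE-ICMP-IN-CMAP
 match access-group name REMOTE-TO-SELF-ACL
 match protocol icmp
class-map type inspect match-all REMOTE-SNMP-IN-CMAP
 match access-group name REMOTE-TO-SELF-ACL
 match protocol snmp
class-map type inspect match-all SELF-ICMP-OUT-CMAP
 match access-group name SELF-TO-REMOTE-ACL
 match protocol icmp
class-map type inspect match-all NETFLOW-EXPORT-CMAP
 match access-group name SELF-TO-REMOTE-ACL
 match protocol udp
class-map type inspect match-all REMOTE-TO-LOCAL-CMAP
 match access-group name REMOTE-TO-LOCAL-ACL
!
! out -> self: pass (never inspect) ESP/AH/ISAKMP; inspect ping and SNMP
! polls only from the remote LAN so the replies are allowed back; drop the rest.
policy-map type inspect OUT-TO-SELF-PMAP
 class type inspect IPSEC-CONTROL-CMAP
  pass
 class type inspect REMOTE-ICMP-IN-CMAP
  inspect
 class type inspect REMOTE-SNMP-IN-CMAP
  inspect
 class class-default
  drop
!
! self -> out: pass is stateless, so the IPsec entry is needed in this
! direction too; inspect the router's own pings and NetFlow export.
policy-map type inspect SELF-TO-OUT-PMAP
 class type inspect IPSEC-CONTROL-CMAP
  pass
 class type inspect SELF-ICMP-OUT-CMAP
  inspect
 class type inspect NETFLOW-EXPORT-CMAP
  inspect
 class class-default
  drop
!
! out -> in: decrypted tunnel traffic is classified on out-zone with its real
! (inner) addresses, so the remote LAN must be allowed toward the local LAN.
policy-map type inspect OUT-TO-IN-PMAP
 class type inspect REMOTE-TO-LOCAL-CMAP
  inspect
 class class-default
  drop
!
zone-pair security ZP-OUT-SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF-PMAP
zone-pair security ZP-SELF-OUT source self destination out-zone
 service-policy type inspect SELF-TO-OUT-PMAP
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN-PMAP
```

The existing in->out zone-pair for traffic the local LAN originates is assumed to be in place already and is left out. To check that the policy is doing what you expect, `show policy-map type inspect zone-pair ZP-OUT-SELF` shows per-class packet and drop counters (a rising class-default drop count means something is hitting the router that none of the classes match), and `show crypto ipsec sa` on both peers shows whether the encaps/decaps counters now increase in both directions.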