Zone based firewall and vpn access

mateomateo1
Level 1

My VPN connections, outbound and inbound, are not working through ZBFW. What can be wrong?

class-map type inspect match-any CM_GRE_PROTOCOLS
 match access-group name GRE
class-map type inspect match-any classmap2
 match access-group 110
class-map type inspect match-any classmap1
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol pptp
class-map match-any p2p
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
 match protocol novadigm
 match protocol edonkey
 match protocol bittorrent
!
!
policy-map policy-p2p
 class p2p
  drop
policy-map type inspect policymap1
 class type inspect classmap1
  inspect
 class type inspect CM_GRE_PROTOCOLS
  pass
 class class-default
  drop log
policy-map type inspect policymap2
 class type inspect classmap2
  inspect
 class type inspect CM_GRE_PROTOCOLS
  pass
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security in-to-out source inside destination outside
 service-policy type inspect policymap1
zone-pair security out-to-in source outside destination inside
 service-policy type inspect policymap2
ip access-list extended GRE
 remark Access List to allow PPTP GRE outbound
 permit gre any any
ip nat inside source static tcp 10.28.24.2 1723 x.x.x.x 1723 extendable

10 Replies

Hi Matt,

What is not working?

VPN connections to the Router?

VPN clients connected but unable to reach internal resources?

VPN connections passing through the Router?

Thanks.

Portu.

Please rate any helpful posts

I have an internal VPN set up on a Windows server but can't get to it from outside; also, if I try to connect from inside to outside (also to a Windows 2008 VPN server), it fails as well. ZBFW is not allowing any type of VPN passthrough.

Matt,

Please run the following command in configuration mode:

ip inspect log drop-pkt

Then try to connect, attach the output, it will help us identify where the issue is.

Thanks.

Portu.

Please rate any helpful posts

Julio Carvajal
VIP Alumni

Hello Matt,

So this is just for PPTP traffic, right?

Also can you share the show access-list 110?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio is right. I have been asking about IPsec (since this is the VPN forum), but is this for PPTP traffic?

Thanks.

I am sorry guys this is about pptp connections in and out...

access-list 110 permit tcp any host 10.28.3.2 eq smtp
access-list 110 permit tcp any host 10.28.3.2 eq www
access-list 110 permit tcp any host 10.28.3.2 eq 443
access-list 110 permit tcp any host 10.28.24.2 eq 443
access-list 110 permit tcp any host 10.28.24.2 eq www
access-list 110 permit tcp any host 10.28.24.2 eq smtp
access-list 110 permit tcp any host 10.28.24.2 eq 987
access-list 110 permit tcp any host 10.28.24.2 eq 1723

I would suggest adjusting your settings accordingly; if you still face issues, let us know.

HTH.

Hello Mat,

We are still waiting for the IP inspect-log drop packets logs... Do the following and let me know the results:

Can you do the following please:

ip access-list extended GRE
 remark Access List to allow PPTP GRE outbound
 permit gre any any
ip access-list extended PPTP
 permit tcp any host 10.28.24.2 eq 1723
class-map GRE
 match access-group name GRE
class-map type inspect match-all PPTP_out_in
 match protocol pptp
 match access-group name PPTP
class-map type inspect match-all PPTP_in_out
 match protocol pptp
policy-map type inspect policymap1
 class PPTP_in_out
  inspect
 class GRE
  pass
policy-map type inspect policymap2
 class PPTP_out_in
  inspect
 class GRE
  pass

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
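An added check, not part of the thread, that applies to a pasted ZBFW config the rule IOS enforces for a `policy-map type inspect`: every class it references must be declared with `class-map type inspect`. The sample config is a constructed, cut-down version of the snippet above, and the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample: the class-map/policy-map part of the config proposed above, pasted flat.
SAMPLE_CONFIG = """\
class-map GRE
match access-group name GRE
class-map type inspect match-all PPTP_in_out
match protocol pptp
policy-map type inspect policymap1
class PPTP_in_out
inspect
class GRE
pass
class class-default
drop log
"""

# Keywords that open a new top-level block and so end any policy-map being read.
TOP_LEVEL = ("class-map", "policy-map", "ip ", "zone", "interface", "access-list", "!")

def class_map_types(config: str) -> Dict[str, str]:
    """Map each class-map name to its declared type ('default' when no 'type' keyword is given)."""
    types: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"class-map\s+(?:type\s+(\S+)\s+)?(?:match-(?:any|all)\s+)?(\S+)", line.strip())
        if m:
            types[m.group(2)] = m.group(1) or "default"
    return types

def lint_inspect_policies(config: str) -> List[str]:
    """Report classes used inside a 'policy-map type inspect' whose class-map is not type inspect;
    IOS refuses such a class with '% class ... of type default is not allowed in policy-map ...'."""
    types = class_map_types(config)
    findings: List[str] = []
    policy = None
    for line in (raw.strip() for raw in config.splitlines()):
        pm = re.match(r"policy-map\s+type\s+inspect\s+(\S+)", line)
        if pm:
            policy = pm.group(1)
        elif line.startswith(TOP_LEVEL):
            policy = None  # another top-level block (class-map, plain policy-map, ACL, zone) ends it
        elif policy:
            cl = re.match(r"class\s+(?:type\s+inspect\s+)?(\S+)", line)
            if cl and cl.group(1) != "class-default":
                kind = types.get(cl.group(1), "undefined")
                if kind != "inspect":
                    findings.append(f"{policy}: class {cl.group(1)} is type {kind}, not inspect")
    return findings

if __name__ == "__main__":
    for finding in lint_inspect_policies(SAMPLE_CONFIG):
        print(finding)
```

Re-declaring the offending class as `class-map type inspect match-any GRE` clears the finding.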

Hello, I have the following dropouts; the bolded ones are from when I am trying to connect to the Windows 2008 VPN server.

There are also different dropouts every minute, but so far nobody has reported that to me.

jcarvaja, when I try to add class GRE on policymap1 I am getting:

% class GRE of type default is not allowed in policy-map policymap1 of type inspect

Oct 9 12:10:14: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0
Oct 9 12:10:49: %FW-6-DROP_PKT: Dropping tcp session 77.72.118.168:80 10.28.3.53:49533 due to SYN inside current window with ip ident 0
Oct 9 12:11:21: %FW-6-DROP_PKT: Dropping Unknown-l4 session 81.143.27.54:0 10.28.3.2:0 on zone-pair out-to-in class classmap2 due to Invalid Segment with ip ident 0
Oct 9 12:11:52: %FW-6-DROP_PKT: Dropping Unknown-l4 session 81.143.27.54:0 10.28.3.2:0 on zone-pair out-to-in class classmap2 due to Invalid Segment with ip ident 0
Oct 9 12:12:22: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0
Oct 9 12:12:58: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.11:3606 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0
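An added example, not from the thread, that parses the `%FW-6-DROP_PKT` lines produced by `ip inspect log drop-pkt`, summarises them by zone-pair, class and drop reason, and then filters for drops that could involve a PPTP session to a given server (the tcp/1723 control channel, or a port-less protocol such as GRE). The sample lines are copied from the post above; the function names and the assumption about how a GRE drop is labelled are mine.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample input: four of the %FW-6-DROP_PKT lines posted in the thread above.
SAMPLE_LOG = """\
Oct 9 12:10:14: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0
Oct 9 12:10:49: %FW-6-DROP_PKT: Dropping tcp session 77.72.118.168:80 10.28.3.53:49533 due to SYN inside current window with ip ident 0
Oct 9 12:11:21: %FW-6-DROP_PKT: Dropping Unknown-l4 session 81.143.27.54:0 10.28.3.2:0 on zone-pair out-to-in class classmap2 due to Invalid Segment with ip ident 0
Oct 9 12:12:22: %FW-6-DROP_PKT: Dropping tcp session 10.28.46.10:3808 172.17.40.34:8192 on zone-pair in-to-out class classmap1 due to Invalid Segment with ip ident 0
"""

# Field layout as seen in the posted lines; the 'on zone-pair ... class ...' part is absent on some.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): %FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))? due to (?P<reason>.+?) with ip ident"
)

def parse_drops(log: str) -> List[Dict[str, Optional[str]]]:
    """Turn each DROP_PKT line into a dict of its fields; lines that do not match are skipped."""
    matches = (DROP_RE.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(drops: List[Dict[str, Optional[str]]]) -> Counter:
    """Count drops by zone-pair, class and reason so the dominant cause stands out."""
    return Counter(f"{d['zp'] or '-'}/{d['cls'] or '-'}: {d['reason']}" for d in drops)

def pptp_candidates(drops: List[Dict[str, Optional[str]]], server_ip: str) -> List[Dict[str, Optional[str]]]:
    """Drops that could explain a PPTP failure to or from server_ip: the TCP/1723 control channel,
    or a port-less protocol (GRE carries the tunnel data). Assumption: the label IOS gives a GRE
    drop varies by release, so anything that is not tcp/udp/icmp is kept as a candidate."""
    out = []
    for d in drops:
        if server_ip not in (d["src"], d["dst"]):
            continue
        proto = d["proto"].lower()
        if (proto == "tcp" and "1723" in (d["sport"], d["dport"])) or proto not in ("tcp", "udp", "icmp"):
            out.append(d)
    return out

if __name__ == "__main__":
    drops = parse_drops(SAMPLE_LOG)
    for key, n in summarize(drops).most_common():
        print(f"{n:3d}  {key}")
    print("PPTP-related drops for 10.28.24.2:", len(pptp_candidates(drops, "10.28.24.2")))
```

Run over the posted lines with the PPTP server 10.28.24.2, the filter returns nothing: none of the drops shown involve that host or port 1723, so they do not account for the PPTP failure.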
