Zone based firewall and VPN

Sep 2nd, 2009

Hello,


we are trying to migrate from CBAC to ZBF to ease our firewall management. We translated all the ACLs to ZBF and it was a breeze. Everything went fine except one thing (the VPNs stopped working) which I'm hoping someone with more experience will help us figure out.


The network topology to illustrate the problem is as follows:

(the IPs slightly changed to protect the innocent)


                 [Internet]
                     ^ .5
                     |
               192.168.0.4/30
                     |
                     | .6 F0/1
    [Cisco 2801] .17 Vlan1 <--- 192.168.63.16/29 ---> [DMZ]
          F0/0 .1 ^
                  |
            192.168.1.0/24
                  |
                  v
                [LAN]


(yes I know my ASCII drawing is bad)


We have three zones: Internet, DMZ and LAN. The VPNs terminate on the LNS at 192.168.63.17 (public IPs) and Virtual-Template2 is a member of the LAN zone to allow trusted traffic to flow between the LAN and the VPN clients. Unfortunately this doesn't seem to work: removing both interfaces F0/0 and Virtual-Template2 from the LAN zone makes the traffic flow as expected, so this is clearly a ZBF problem. From the VPN client we can ping the LAN interface of the router (192.168.1.1) but no other hosts (such as 192.168.1.2) unless we remove both interfaces from the LAN zone. Any ideas on how to solve this?


Below are the relevant parts of the configuration on the 2801:


vpdn enable
!
vpdn-group PPTP
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 2
!
class-map type inspect match-any allow-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect allow-pmap
 class type inspect allow-cmap
  inspect
 class class-default
  drop
!
zone security internet
 description 'Internet zone'
zone security lan
 description 'LAN zone'
zone security dmz
 description 'DMZ zone'
!
zone-pair security lan-internet source lan destination internet
 service-policy type inspect allow-pmap
zone-pair security lan-dmz source lan destination dmz
 service-policy type inspect allow-pmap
zone-pair security dmz-lan source dmz destination lan
 service-policy type inspect allow-pmap
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect allow-pmap
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-pmap
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 zone-member security lan
!
interface FastEthernet0/1
 ip address 192.168.0.6 255.255.255.252
 no ip redirects
 ip mtu 1492
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 zone-member security internet
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 no ip route-cache
 no ip mroute-cache
 peer default ip address pool VPN_POOL
 no keepalive
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
 zone-member security lan
!
interface Vlan1
 ip address 192.168.63.17 255.255.255.248
 no ip redirects
 ip virtual-reassembly
 no mop enabled
 zone-member security dmz
!
ip local pool VPN_POOL 192.168.1.235 192.168.1.254
no ip cef


We've already read "Using VPN with Zone-Based Policy Firewall" but it didn't help us figure it out. We were expecting "Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone" to hold.


Thanks in advance!

-fotos

georgiadisf Fri, 09/04/2009 - 08:33

OK, we figured this out. For some reason the above policy has been blocking GRE replies from Vlan1 going out to the peer through F0/1 (consumed by the firewall, as we noticed in the debug logs).


We did a couple of changes in the policy-maps and everything works as expected.

m.yost Sun, 07/11/2010 - 09:18

Can you post your changes? I'm having a similar issue... Thanks

georgiadisf Sun, 07/11/2010 - 15:16

Well, it's been some time (almost a year) and I don't remember the specific changes.


But something like this should do the trick:


ip access-list extended PPTP
 permit tcp any host XXX.XXX.XXX.XXX eq 1723
 ! same host as above
 permit gre any host XXX.XXX.XXX.XXX
!
ip access-list extended GRE
 permit gre any any
!
zone security internet
 description 'Internet zone'
zone security dmz
 description 'DMZ zone'
!
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-pmap
!
policy-map type inspect internet-dmz-pmap
 class type inspect dmz-other-services-cmap
  inspect
 class class-default
  drop log
!
class-map type inspect match-all dmz-other-services-cmap
 match class-map other-services-cmap
!
class-map type inspect match-any other-services-cmap
 match protocol icmp
 match access-group name GRE


Hope this helps, and sorry I can't give more specific info.

-fotos
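As an added example (not part of the thread and not Cisco's own documentation), here is a complete pair of zone-pair policies for a PPTP LNS sitting in a ZBF DMZ, written against the names and addresses used above: the LNS at 192.168.63.17 on Vlan1, the internet and dmz zones, and the existing allow-cmap class for TCP/UDP/ICMP. It differs from the sketch in the last reply in one respect: GRE gets the pass action instead of inspect. The ZBF inspect action only builds stateful sessions for TCP, UDP, ICMP and the application protocols it understands, so a GRE packet matched under inspect does not get the return-direction entry that an inspected TCP flow would, which is exactly how GRE replies leaving the DMZ end up dropped by class-default. pass is stateless, so it has to appear in both zone pairs, and the ACLs pin it to the LNS address so the DMZ does not become a general GRE relay. The policy-map and class-map names other than allow-cmap and internet-dmz-pmap are invented for this example.

```cisco
! Added example, not the original poster's configuration.
! Assumed from the thread: LNS = 192.168.63.17 on Vlan1 (zone dmz),
! F0/1 in zone internet, class allow-cmap matches tcp/udp/icmp.
!
! Control channel (TCP/1723) and GRE towards the LNS, from the Internet.
ip access-list extended PPTP-CONTROL
 permit tcp any host 192.168.63.17 eq 1723
ip access-list extended GRE-TO-LNS
 permit gre any host 192.168.63.17
! GRE leaving the LNS towards the peers (the direction that was being dropped).
ip access-list extended GRE-FROM-LNS
 permit gre host 192.168.63.17 any
!
! match-all: the packet must be TCP and hit the ACL (so 1723 to the LNS only).
class-map type inspect match-all pptp-control-cmap
 match protocol tcp
 match access-group name PPTP-CONTROL
class-map type inspect match-all gre-in-cmap
 match access-group name GRE-TO-LNS
class-map type inspect match-all gre-out-cmap
 match access-group name GRE-FROM-LNS
!
! Internet -> DMZ: inspect the TCP control channel, pass GRE to the LNS.
policy-map type inspect internet-dmz-pmap
 class type inspect pptp-control-cmap
  inspect
 class type inspect gre-in-cmap
  pass
 class class-default
  drop log
!
! DMZ -> Internet: keep the existing tcp/udp/icmp inspection and add a
! stateless pass for GRE from the LNS; pass creates no session, so this
! must be configured here as well, not only on the inbound pair.
policy-map type inspect dmz-internet-pmap
 class type inspect allow-cmap
  inspect
 class type inspect gre-out-cmap
  pass
 class class-default
  drop log
!
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect internet-dmz-pmap
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect dmz-internet-pmap
```

To confirm the fix rather than infer it, bring up a tunnel and check that the TCP/1723 session appears in `show policy-map type inspect zone-pair internet-dmz sessions`, that the gre-in-cmap and gre-out-cmap packet counters in `show policy-map type inspect zone-pair` increase, and that the class-default drop counter on dmz-internet stops climbing. Traffic between the VPN pool (Virtual-Template2) and the LAN hosts (F0/0) is intra-zone in the lan zone and needs no zone-pair; only the encapsulated GRE crossing dmz and internet is subject to these policies.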
