09-24-2009 07:46 AM - edited 03-11-2019 09:19 AM
Hi,
I'm trying to configure ZBF on a 2811 router with a site-to-site VPN with a GRE tunnel. But when I configure the firewall, the tunnel stops. I've tried adding several protocols like isakmp, but it doesn't work. Does anybody know which protocol to add to make it work?
Thanks in advance
Best regards
09-24-2009 08:28 AM
pls share the config.
09-25-2009 03:23 AM
This is the config:
class-map type inspect match-any L4-private-public-cmap
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol ssh
 match protocol isakmp
class-map type inspect http match-any HTTP-L7-private-public-cmap
 match req-resp protocol-violation
 match request port-misuse any
class-map type inspect match-any HTTP-L4-private-public-cmap
 match protocol http
!
!
policy-map type inspect http HTTP-L7-private-public-pmap
 class type inspect http HTTP-L7-private-public-cmap
  reset
  log
 class class-default
policy-map type inspect L4-private-public-pmap
 class type inspect HTTP-L4-private-public-cmap
  inspect
  service-policy http HTTP-L7-private-public-pmap
 class class-default
  drop
!
zone security private
zone security public
zone-pair security private-public source private destination public
 service-policy type inspect L4-private-public-pmap
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 123456 address aaa.bbb.ccc.ddd
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer aaa.bbb.ccc.ddd
 set transform-set ESP-3DES-SHA
 match address 103
!
!
!
!
interface Tunnel1
 ip address 10.1.1.10 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination aaa.bbb.ccc.ddd
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address eee.fff.ggg.hhh 255.255.255.248
 ip access-group 14 out
 ip nat outside
 ip virtual-reassembly
 zone-member security public
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN
!
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 load-interval 30
!
ip route 0.0.0.0 0.0.0.0 iii.jjj.kkk.lll
ip route aaa.bbb.ccc.ddd 255.255.252.0 10.1.1.9
ip route aaa.bbb.ccc.ddd 255.255.255.255 iii.jjj.kkk.lll
!
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary interface FastEthernet0/0 overload
!
ip sla schedule 1 life forever start-time now
access-list 14 permit any
access-list 15 permit any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit gre host eee.fff.ggg.hhh host aaa.bbb.ccc.ddd
!
route-map primary permit 10
 match ip address 102
 match interface FastEthernet0/0
!
control-plane
!
Thanks
Best Regards
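What the posted config actually does to the tunnel, as an added example that is not part of the thread: in the zone-based firewall, an interface that is a member of a security zone cannot exchange transit traffic with an interface that is in no zone at all, whatever the zone-pair policy says. Here Vlan1 is in zone "private" but Tunnel1 has no "zone-member" line, so every LAN packet routed into the tunnel is dropped before any class-map is consulted. Adding "match protocol isakmp" (or gre) to the private-to-public class changes nothing, because the ISAKMP and GRE packets the router itself sends to aaa.bbb.ccc.ddd belong to the router's "self" zone, which is permitted by default. A second thing visible in the config: L4-private-public-cmap is never referenced by L4-private-public-pmap, so the only LAN-to-Internet traffic that policy allows is HTTP; everything else falls into class-default and is dropped. The script below is my own illustration of the zone rule, not Cisco code and not from the thread; the config text inside it is a constructed, trimmed copy of the posted one, and the "fixed" variant adds an assumed "zone-member security private" on Tunnel1 so LAN-to-tunnel traffic becomes intra-zone.

```python
import re

# Constructed, trimmed copy of the thread's config (not the full posted text),
# keeping only the lines that decide zone membership. Tunnel1 carries the GRE
# traffic but is in no zone; Vlan1 is in 'private', FastEthernet0/0 in 'public'.
ORIGINAL_CONFIG = """\
zone security private
zone security public
zone-pair security private-public source private destination public
 service-policy type inspect L4-private-public-pmap
!
interface Tunnel1
 ip address 10.1.1.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination aaa.bbb.ccc.ddd
!
interface FastEthernet0/0
 zone-member security public
 crypto map IPSEC_VPN
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 zone-member security private
"""

# Assumed fix (mine, not from the thread): make the tunnel a member of the same
# zone as the LAN, so LAN <-> tunnel traffic is intra-zone and passes by default.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    " tunnel destination aaa.bbb.ccc.ddd\n",
    " tunnel destination aaa.bbb.ccc.ddd\n zone-member security private\n",
)

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
ZONE_MEMBER_RE = re.compile(r"^\s+zone-member security (\S+)")
ZONE_PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")


def parse_zones(config):
    """Return ({interface: zone or None}, {(source_zone, dest_zone), ...})."""
    members, pairs, current = {}, set(), None
    for line in config.splitlines():
        if not line or line[0].isspace():
            # sub-command of the current block; only zone-member matters here
            m = ZONE_MEMBER_RE.match(line)
            if m and current is not None:
                members[current] = m.group(1)
            continue
        # any top-level command ends the previous interface block
        current = None
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            members.setdefault(current, None)
            continue
        m = ZONE_PAIR_RE.match(line)
        if m:
            pairs.add((m.group(1), m.group(2)))
    return members, pairs


def verdict(config, ingress, egress):
    """Apply the zone-based firewall default rules to transit traffic that
    enters on `ingress` and leaves on `egress` (router-originated traffic,
    the 'self' zone, is not modelled):
      * both interfaces in the same zone, or both in no zone -> pass
      * exactly one of them in a zone -> drop (no zone-pair can ever match)
      * different zones -> handled by the zone-pair policy if one exists,
        otherwise drop
    """
    members, pairs = parse_zones(config)
    src, dst = members.get(ingress), members.get(egress)
    if src == dst:
        return "pass"
    if src is None or dst is None:
        return "drop: zoned interface cannot forward to an interface in no zone"
    if (src, dst) in pairs:
        return f"policy: zone-pair {src}->{dst}"
    return f"drop: no zone-pair {src}->{dst}"


if __name__ == "__main__":
    paths = (("Vlan1", "Tunnel1"), ("Tunnel1", "Vlan1"), ("Vlan1", "FastEthernet0/0"))
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        for ingress, egress in paths:
            print(f"{name:8} {ingress} -> {egress}: {verdict(cfg, ingress, egress)}")
```

Putting the tunnel in "private" is the simplest fix and matches a trusted site-to-site link; if the remote site is less trusted, give Tunnel1 its own zone and add zone-pairs in both directions with an inspect policy instead. Either way the encrypted GRE/ESP and ISAKMP packets on FastEthernet0/0 are self-zone traffic and need no entry in the private-to-public class-map.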
09-25-2009 04:19 AM
pls configure "ip inspect log drop" and enable "debug policy-firewall det" and get me the logs when you see the problem.
09-25-2009 04:40 AM
Hi,
it doesn't accept the command: "debug policy-firewall det", is it correct?
Thanks
09-25-2009 04:45 AM
what version IOS do you use?
10-02-2009 03:46 AM
Excuse me for the delay but I couldn't write before.
IOS version is: 12.4(13r)T.
Thanks
10-02-2009 03:48 AM
Sorry but IOS version is: Version 12.4(9)T7 not the other one.
Thanks