Zone-Based Firewall on a site to site VPN

Unanswered Question
May 13th, 2010

We have a site-to-site VPN between an 800 series router and a VPN concentrator. I want to implement the zone-based firewall on the router.

On the 800 series router, once I apply the zone to the outside interface, which is "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?

ip access-list extended county-out
 permit ip any any
!
ip access-list extended county-in
 permit ip any any
!
! ICMP error messages that may reach the router itself
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
!
ip access-list extended esp-traffic
 permit esp any any
!
! IPsec control plane (ISAKMP UDP/500, NAT-T UDP/4500) and ESP data plane
class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic
!
class-map type inspect match-all ICMPReply
 match access-group name ICMPReply
!
! Traffic from the inside LAN towards the Internet
class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
!
class-map type inspect match-any out-in
 match access-group name county-out
!
policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
 class type inspect IPSec
 class class-default
  drop log
!
policy-map type inspect access-county
 class type inspect in-out
 class class-default
!
policy-map type inspect county-out
 class type inspect out-in
!
zone security in-zone
zone security out-zone
!
zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf
!
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county
!
zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out

Diego Armando C... Thu, 05/13/2010 - 12:21

I would try to configure a zone from self to the out zone and permit all IP. If not, just use ip inspect log drop-pkt.

This will tell us why the traffic is being dropped. If you attach a diagram of the topology, that will help us understand why it's not working. Are you using NAT for any of the endpoints?

mpanganiban Thu, 05/13/2010 - 13:01

Thanks for the reply! It does work when I modify the self out-zone with ip any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try "ip inspect log drop-pkt".

I'll try to illustrate a quick topology:

192.168.60.x/24------871 router<-------Internet------->VPN Concentrator------
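Added example (not configuration from this thread or from Cisco): a zone-based firewall policy that keeps a router-terminated IPsec tunnel up while staying more specific than "permit ip any any" on the self zone, which is what the original question, the suggestion to add a self-to-out-zone pair and the follow-up wish to be more specific all come down to. It covers the three places the posted config can break the tunnel: the self zone needs ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP permitted in both directions with an explicit action, ESP has to be passed rather than inspected because it carries no L4 state the firewall can track, and the decrypted site-to-site packets still enter through Dialer1, so the out-zone to in-zone pair has to admit them. The peer address 203.0.113.10, the remote LAN 192.168.50.0/24 and all object names are assumptions for illustration; the local LAN 192.168.60.0/24 is taken from the topology above.

```cisco
! Added example, not the original poster's configuration.
! Assumed: VPN concentrator public IP 203.0.113.10, remote LAN 192.168.50.0/24,
! local LAN 192.168.60.0/24 (from the topology), Dialer1 in out-zone, LAN in in-zone.
!
! 1. Tunnel control plane and data plane, restricted to the peer address.
ip access-list extended VPN-PEER-IN
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
!
ip access-list extended VPN-PEER-OUT
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
class-map type inspect match-all VPN-TO-SELF
 match access-group name VPN-PEER-IN
class-map type inspect match-all SELF-TO-VPN
 match access-group name VPN-PEER-OUT
!
! Services the router itself originates (DNS, NTP); adjust to what is in use.
class-map type inspect match-any ROUTER-ORIGINATED
 match protocol dns
 match protocol ntp
!
! Each class carries an explicit action. ESP/ISAKMP are passed statelessly in
! both directions; the IPsec SA, not the firewall, holds the state.
policy-map type inspect OUT-TO-SELF
 class type inspect VPN-TO-SELF
  pass
 class class-default
  drop log
!
policy-map type inspect SELF-TO-OUT
 class type inspect SELF-TO-VPN
  pass
 class type inspect ROUTER-ORIGINATED
  inspect
 class class-default
  drop log
!
! 2. Decrypted site-to-site traffic is evaluated as out-zone -> in-zone after
! decryption, so admit exactly the remote LAN to the local LAN and inspect it.
ip access-list extended SITE-TO-SITE-IN
 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
!
class-map type inspect match-all SITE-TO-SITE-IN
 match access-group name SITE-TO-SITE-IN
!
policy-map type inspect OUT-TO-IN
 class type inspect SITE-TO-SITE-IN
  inspect
 class class-default
  drop log
!
! 3. Zone pairs: both self directions plus the out -> in pair. Creating the
! self pairs means anything else the router sends or receives on Dialer1 is
! now dropped by class-default unless a class above allows it.
zone-pair security OUT-TO-SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination out-zone
 service-policy type inspect SELF-TO-OUT
zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN
!
! Diagnostics: see which class a dropped packet hit and confirm the SA is up.
ip inspect log drop-pkt
! show policy-map type inspect zone-pair OUT-TO-SELF
! show crypto isakmp sa
```

Because "pass" is stateless, the counters under show policy-map type inspect zone-pair OUT-TO-SELF are the check that ISAKMP and ESP are actually matching the VPN-TO-SELF class rather than falling into class-default; with ip inspect log drop-pkt enabled, any packet that does fall through is logged with the zone pair and class that dropped it, which is the quickest way to find a protocol that the self-zone classes forgot.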

Diego Armando C... Thu, 05/13/2010 - 13:15

OK, but you are not NATing the endpoints; they are using the public IPs, right?
