Zone-Based Firewall on a site to site VPN

Unanswered Question
May 13th, 2010

We have a site-to-site VPN between an 800 series router and a VPN concentrator. I want to implement the Zone-Based Firewall on the router.

On the 800 series router, once I apply the zone on the outside interface, which is "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?

ip access-list extended county-out
 permit ip any 192.168.60.0 0.0.0.255

ip access-list extended county-in
 permit ip 192.168.60.0 0.0.0.255 any

ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big

ip access-list extended esp-traffic
 permit esp any any

class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic

class-map type inspect match-all ICMPReply
 match access-group name ICMPReply

class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp

class-map type inspect match-any out-in
 match access-group name county-out

policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
  pass
 class type inspect IPSec
  pass
 class class-default
  drop log

policy-map type inspect access-county
 class type inspect in-out
  inspect
 class class-default
  drop

policy-map type inspect county-out
 class type inspect out-in
  inspect

zone security in-zone
zone security out-zone

zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf

zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county

zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out

Diego Armando C... Thu, 05/13/2010 - 12:21

I would try to configure a zone from the self to the out zone, permit all IP... If not, just get the ... IP INSPECT LOG DROP-PKT

This will tell us why the traffic is being dropped. If you attach a diagram of the topology, that will help us to understand why it's not working. Are you using NAT for any of the endpoints?
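As an added example (not code from either poster), a small Python script that parses an excerpt of the ZBF fragment posted in the question and resolves, for a given source/destination zone pair, which match lines its policy passes, inspects or drops. It also reports when no zone-pair exists at all, which matters for the self zone: IOS allows router-originated and router-destined traffic by default only while no zone-pair with a policy covers that direction. The excerpt embedded as CONFIG is constructed from the post and is an audit aid to read alongside the drop-pkt log output, not a fix.

```python
import re
# Constructed sample: an excerpt of the fragment posted above, not the full config.
CONFIG = """\
class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic
policy-map type inspect OutToSelf
 class type inspect IPSec
  pass
 class class-default
  drop log
zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf
zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out
"""

def parse_zbf(cfg):
    # Collect class-maps, policy-maps and zone-pairs from an IOS ZBF fragment.
    cmaps, pmaps, zpairs, cur, cls = {}, {}, {}, None, None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"class-map type inspect match-(any|all) (\S+)", s):
            cur = cmaps.setdefault(m[2], {"mode": m[1], "match": []})
        elif m := re.match(r"policy-map type inspect (\S+)", s):
            cur = pmaps.setdefault(m[1], {})  # class name -> action
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", s):
            cur = zpairs.setdefault((m[2], m[3]), {"name": m[1], "policy": None})
        elif s.startswith("match "):
            cur["match"].append(s[6:])
        elif m := re.match(r"class (?:type inspect )?(\S+)", s):
            cur[(cls := m[1])] = None
        elif s in ("pass", "inspect", "drop", "drop log"):
            cur[cls] = s
        elif m := re.match(r"service-policy type inspect (\S+)", s):
            cur["policy"] = m[1]
    return cmaps, pmaps, zpairs

def zone_pair_actions(cfg, src, dst):
    # Map each action on the src->dst zone-pair to the match lines it covers. None
    # means no pair exists: IOS then allows self-zone traffic and drops other pairs.
    cmaps, pmaps, zpairs = parse_zbf(cfg)
    if (src, dst) not in zpairs:
        return None
    out = {}
    for cls, action in pmaps.get(zpairs[(src, dst)]["policy"], {}).items():
        out.setdefault(action, []).extend(cmaps.get(cls, {}).get("match", ["(everything else)"]))
    return out
```

An empty dict (as for out-zone to in-zone here) means the pair references a policy-map that is not in the parsed text, so nothing can be said about it from the excerpt alone.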

mpanganiban Thu, 05/13/2010 - 13:01

Thanks for the reply! It does work when I modify the self outzone with IP any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try the "ip inspect log drop-pkt".


I'll try to illustrate a quick topology:


192.168.60.x/24------871 router<-------Internet------->VPN Concentrator------172.16.16.0/20
