Zone-Based Firewall on a site to site VPN

mpanganiban
Level 1

We have a site-to-site VPN between an 800 series router and a VPN concentrator. I want to implement the zone-based firewall on the router.

On the 800 series router, once I apply the zone to the outside interface, which is "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?

! ACLs used by the class-maps
ip access-list extended county-out
 permit ip any 192.168.60.0 0.0.0.255
!
ip access-list extended county-in
 permit ip 192.168.60.0 0.0.0.255 any
!
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
!
ip access-list extended esp-traffic
 permit esp any any
!
! Traffic the Internet is allowed to send to the router itself (IKE/ESP, ICMP errors)
class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic
!
class-map type inspect match-all ICMPReply
 match access-group name ICMPReply
!
! LAN -> Internet and Internet -> LAN traffic classes
class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
!
class-map type inspect match-any out-in
 match access-group name county-out
!
! Internet -> router (self zone)
policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
  pass
 class type inspect IPSec
  pass
 class class-default
  drop log
!
! LAN -> Internet
policy-map type inspect access-county
 class type inspect in-out
  inspect
 class class-default
  drop
!
! Internet -> LAN
policy-map type inspect county-out
 class type inspect out-in
  inspect
!
zone security in-zone
zone security out-zone
!
zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf
!
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county
!
zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out

4 Replies

I would try to configure a zone-pair from self to the out zone and permit all IP... If not, just get the ... IP INSPECT LOG DROP-PKT

This will tell us why the traffic is being dropped. If you attach a diagram of the topology, that will help us understand why it's not working. Are you using NAT for any of the endpoints?
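The self-to-out zone-pair suggested in the reply above, written out as an added example for the configuration in the question (this is not from the original thread and not the poster's running config). Instead of the "permit all IP" the reply describes, it passes only the IKE and ESP traffic the router itself originates toward the VPN peer, and it turns on the drop logging the reply recommends. The peer address 203.0.113.10 and the names `self-to-peer`, `self-out-vpn` and `SelfToOut` are placeholders (assumptions); substitute the concentrator's public IP.

```cisco
! Added example, not from the original post.
! 203.0.113.10 = the VPN concentrator's public address (placeholder)
ip access-list extended self-to-peer
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
class-map type inspect match-any self-out-vpn
 match access-group name self-to-peer
!
! Router (self zone) -> Internet: pass the VPN control/data plane, drop and log the rest
policy-map type inspect SelfToOut
 class type inspect self-out-vpn
  pass
 class class-default
  drop log
!
zone-pair security SelfToOut source self destination out-zone
 service-policy type inspect SelfToOut
!
! Log every packet the firewall drops, so the reason shows up in "show logging"
ip inspect log drop-pkt
```

Because `pass` keeps no session state, each direction of the IKE/ESP exchange has to be permitted explicitly, which is why this zone-pair sits alongside the existing out-zone to self one. Once a self-to-out policy exists, anything else the router originates toward the Internet (DNS lookups, NTP, syslog, SSH from the router) hits `drop log` unless it is added to the ACL; after applying it, check `show logging` for `%FW-6-DROP_PKT` messages and `show policy-map type inspect zone-pair SelfToOut` for the class hit counts. The `non500-isakmp` line (UDP 4500) is only needed if NAT traversal is negotiated; it is harmless otherwise. On IOS 15.x releases `ip inspect log drop-pkt` is superseded by `log dropped-packets enable` under `parameter-map type inspect global`.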

Thanks for the reply! It does work when I modify the self/out-zone with IP any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try the "ip inspect log drop-pkt".

I'll try to illustrate a quick topology:

192.168.60.x/24------871 router<-------Internet------->VPN Concentrator------172.16.16.0/20

OK, but you are not NATing the endpoints; they are using the public IPs, right?

Yes, they are using public IPs.
