ZBF with GRE Tunnel (GRE over IPSec)

Unanswered Question
Oct 27th, 2010

I have a GRE tunnel between two ISRs. The tunnel works perfectly... until I apply a zone-based firewall using CCP Ver 2.3. Below is the firewall being applied to Router 1. As soon as it is applied I can no longer use the tunnel from Router 2. What steps might I want to take in order to figure this out?




Router 1

WAN - XXX.XXX.XXX.196/26

Vlan25 - 10.1.25.0/24

Vlan50 - 10.1.50.0/24

GRE Tunnel - 10.254.254.196



Router 2

WAN - XXX.XXX.XXX.141/29

Lan - 10.0.25.0/24

GRE Tunnel - 10.254.254.141




Split GRE Tunnel for the 10.X.25.0/24 networks




----------------------------------------------------------------------




ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

exit

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

exit

ip access-list extended SDM_IP

remark CCP_ACL Category=0

permit ip any any

exit

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

exit

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

exit

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

exit


access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host XXX.XXX.XXX.141 any

access-list 103 remark CCP_ACL Category=128

access-list 103 permit ip XXX.XXX.XXX.143 0.0.0.7 any

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip host 255.255.255.255 any

access-list 102 permit ip 127.0.0.0 0.255.255.255 any

access-list 102 permit ip XXX.XXX.XXX.192 0.0.0.63 any


ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

exit

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

exit

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

exit

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

exit

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

exit

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

exit

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

exit

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

exit

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

exit

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

exit

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

exit

class-map type inspect match-all ccp-invalid-src

match access-group 102

exit

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

exit

class-map type inspect match-all SDM_VPN_PT

match access-group 104

match class-map SDM_VPN_TRAFFIC

exit

class-map type inspect match-all ccp-protocol-http

match protocol http

exit

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 103

exit

class-map type inspect match-any ccp-sip-inspect

match protocol sip

exit

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

exit

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

exit

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

exit

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

exit

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

exit

class-map type inspect match-any ccp-h323-inspect

match protocol h323

exit

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

exit

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  no drop

  inspect

  exit

class class-default

  no drop

  pass

  exit

exit

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  no drop

  pass

  exit

class class-default

  drop log

  exit

exit

policy-map type inspect sdm-permit-gre

class type inspect SDM_GRE

  no drop

  pass

  exit

class class-default

  drop log

  exit

exit

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

  no drop

  pass

  exit

class type inspect sdm-access

  no drop

  inspect

  exit

class class-default

exit

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

  exit

class type inspect ccp-protocol-http

  no drop

  inspect

  exit

class type inspect ccp-insp-traffic

  no drop

  inspect

  exit

class type inspect ccp-sip-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323annexe-inspect

  no drop

  inspect

  exit

class type inspect ccp-h225ras-inspect

  no drop

  inspect

  exit

class type inspect ccp-h323nxg-inspect

  no drop

  inspect

  exit

class type inspect ccp-skinny-inspect

  no drop

  inspect

  exit

exit


zone security gre-zone

zone security out-zone

zone security in-zone


zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

exit

zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone

service-policy type inspect ccp-inspect

exit

zone-pair security ccp-zp-out-gre source out-zone destination gre-zone

service-policy type inspect sdm-permit-gre

exit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

exit

zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone

service-policy type inspect sdm-permit-ip

exit

zone-pair security ccp-zp-gre-out source gre-zone destination out-zone

service-policy type inspect sdm-permit-gre

exit

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

exit


interface Vlan50

description Vlan$FW_INSIDE$

zone-member security in-zone

exit

interface GigabitEthernet0/0

description WAN$FW_OUTSIDE$

zone-member security out-zone

exit

interface Tunnel0

zone-member security gre-zone

exit

interface Vlan25

description Vlan$FW_INSIDE$

zone-member security in-zone

exit


Atul Singh (Cisco Employee), Tue, 11/02/2010 - 02:51

Hi,

I think the out-to-self zone pair is dropping GRE packets, which is why the tunnel is not coming up. Try putting this config in after applying the firewall from CCP:

! ACL that matches GRE (IP protocol 47) from any source to any destination
ip access-list extended SDM_GRE_1
 permit gre any any
 exit
! No match-any/match-all keyword: IOS defaults to match-all, which is fine for a single match line
class-map type inspect SDM_GRE_1
 match access-group name SDM_GRE_1
 exit
! ccp-permit is the policy CCP attached to the out-zone -> self zone pair (ccp-zp-out-self).
! Re-entering it appends the new class; IOS keeps class-default last, so GRE is now
! matched and passed before it reaches the implicit drop in class-default.
policy-map type inspect ccp-permit
 class type inspect SDM_GRE_1
  pass
  exit
 exit
!


See how it goes.
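As a way to check this reasoning without trial and error on the router, here is an added example (not part of the thread, and not the poster's or Cisco's code): a small Python parser for the class-map / policy-map / zone-pair syntax posted above, which walks a flow through the out-zone to self zone pair the same way IOS does (first matching class wins, class-default with no action drops, and traffic to or from self is allowed when no zone pair exists). Assumptions: ACL addresses are ignored (the peer's packets match ACL 104 anyway), a flow is just (IP protocol, destination port), `match protocol` names are compared as plain names, and AH plus the management classes (sdm-access) are left out of the condensed sample config because neither can match GRE. `CONFIG`, `FIX`, `parse`, `class_matches`, `verdict` and `demo` are names chosen here.

```python
"""Trace how an IOS zone-based firewall treats one flow.  Added example, not from
the thread.  Assumptions: ACL addresses are ignored (the peer's packets match
ACL 104 anyway); a flow is (ip-protocol, dest-port); 'match protocol' compares
names only, which is enough to tell GRE from ESP and ISAKMP."""

# Condensed from the poster's config: only the out-zone -> self path (AH and sdm-access omitted).
CONFIG = """
ip access-list extended SDM_ESP
 permit esp any any
access-list 104 permit ip host XXX.XXX.XXX.141 any
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""
# The addition from the reply, reformatted but otherwise unchanged.
FIX = """
ip access-list extended SDM_GRE_1
 permit gre any any
class-map type inspect SDM_GRE_1
 match access-group name SDM_GRE_1
policy-map type inspect ccp-permit
 class type inspect SDM_GRE_1
  pass
"""

def parse(text, fw=None):
    # Parse or extend the ZBF parts of a config; 'exit' lines are not needed.
    fw = fw or {"acls": {}, "cmaps": {}, "pmaps": {}, "zps": {}}
    ctx = cls = None
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0] in ("exit", "!", "remark", "no"):
            continue
        port = t[t.index("eq") + 1] if "eq" in t else None
        if t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3]); fw["acls"].setdefault(t[3], [])
        elif t[0] == "access-list" and t[2] == "permit":          # numbered ACL entry
            fw["acls"].setdefault(t[1], []).append((t[3], port))
        elif t[0] == "permit" and ctx and ctx[0] == "acl":        # named ACL entry
            fw["acls"][ctx[1]].append((t[1], port))
        elif t[:3] == ["class-map", "type", "inspect"]:          # IOS default is match-all
            mode = t[3] if t[3].startswith("match-") else "match-all"
            ctx = ("cmap", t[-1]); fw["cmaps"][t[-1]] = {"mode": mode, "matches": []}
        elif t[0] == "match" and ctx and ctx[0] == "cmap":
            fw["cmaps"][ctx[1]]["matches"].append(t[1:])
        elif t[:3] == ["policy-map", "type", "inspect"]:
            ctx = ("pmap", t[3]); fw["pmaps"].setdefault(t[3], [])
        elif t[0] == "class" and ctx and ctx[0] == "pmap":
            classes, cls = fw["pmaps"][ctx[1]], {"name": t[-1], "action": None}
            # IOS keeps class-default last, so a class added later lands in front of it
            tail = [i for i, c in enumerate(classes) if c["name"] == "class-default"]
            classes.insert(tail[0] if tail else len(classes), cls)
        elif t[0] in ("pass", "inspect", "drop") and cls:
            cls["action"] = t[0]
        elif t[:2] == ["zone-pair", "security"]:
            ctx = ("zp", t[2]); fw["zps"][t[2]] = {"src": t[4], "dst": t[6], "policy": None}
        elif t[0] == "service-policy" and ctx and ctx[0] == "zp":
            fw["zps"][ctx[1]]["policy"] = t[-1]
    return fw

def class_matches(fw, name, flow):
    cm, hits = fw["cmaps"][name], []
    for m in cm["matches"]:
        if m[0] == "access-group":   # 'access-group name X' or 'access-group 104'; addresses ignored
            hits.append(any(p in ("ip", flow[0]) and port in (None, flow[1])
                            for p, port in fw["acls"].get(m[-1], [])))
        elif m[0] == "protocol":
            hits.append(m[1] == flow[0])
        elif m[0] == "class-map":    # nested class-map
            hits.append(class_matches(fw, m[1], flow))
    return any(hits) if cm["mode"] == "match-any" else bool(hits) and all(hits)

def verdict(fw, src, dst, flow):
    """(zone-pair, class, action) for a flow from zone src to zone dst."""
    zp = next(((n, z) for n, z in fw["zps"].items() if (z["src"], z["dst"]) == (src, dst)), None)
    if zp is None:  # no zone-pair: traffic to or from self is allowed, anything else is dropped
        return (None, None, "pass" if "self" in (src, dst) else "drop")
    for c in fw["pmaps"][zp[1]["policy"]]:
        if c["name"] == "class-default" or class_matches(fw, c["name"], flow):
            return (zp[0], c["name"], c["action"] or "drop")  # class-default without an action drops
    return (zp[0], None, "drop")

def demo():
    gre, esp, before = ("gre", None), ("esp", None), parse(CONFIG)
    return {"no_firewall": verdict(parse(""), "out-zone", "self", gre),
            "esp_before": verdict(before, "out-zone", "self", esp),
            "gre_before": verdict(before, "out-zone", "self", gre),
            "gre_after": verdict(parse(FIX, parse(CONFIG)), "out-zone", "self", gre)}

if __name__ == "__main__":
    print(demo())
```

The four results line up with what the thread describes: with no zone pair at all, GRE to self is allowed, which is why the tunnel worked before the firewall was applied; once ccp-zp-out-self exists, the encrypted packets still pass because ESP matches SDM_VPN_PT, but the decrypted GRE packet is presented to the same zone pair a second time, matches nothing, and falls into class-default, which drops; after the reply's addition it matches SDM_GRE_1 and is passed. On the router, `show policy-map type inspect zone-pair ccp-zp-out-self` shows the same picture as class counters. The return direction needs no change: `pass` is one-way, but self to out-zone uses ccp-permit-icmpreply, whose class-default is already `pass` in the posted config.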
