×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Zone Interface Configuration Disconnecting VPN Users from Server

Answered Question
Dec 5th, 2013
User Badges:

Hello Friends



I have a problem with zone based firewall.


As per diagram my vpn server is configured on ASA.LAB.pngKindly help This is very Important.


ASA is not able to block torrent traffic so i am configuring Zone Base Firewall on my ISR Router.



After configuration router is blocking the  torrent traffic but it is not allowing my VPN users to connect to internal Database Server, as soon as I put interfaces in different zones, data connection is diconnecting (coz Server is in inside zone) but VPN connection is still working & client are connected to ASA. 



I tried many things but not able to solve the problem pls help friends coz torrents are consuming my bandwidth.



Here is the configuration configured on the Router



interface FastEthernet0/0


ip address 10.1.1.2 255.255.255.252

zone-member security outside




duplex auto


speed auto


!


interface FastEthernet0/1


ip address 192.168.88.1 255.255.255.0

zone-member security inside



duplex auto


speed auto


!


router ospf 100


log-adjacency-changes


passive-interface FastEthernet0/1


network 10.1.1.2 0.0.0.0 area 0


network 192.168.88.0 0.0.0.255 area 0



class-map type inspect match-all HTTP-ACCESS-CLS

match protocol http



class-map type inspect match-any PERMITTED-TRAFFIC-CLS-1

match protocol pptp

match protocol dns

match protocol https

match protocol icmp

match protocol smtp

match protocol pop3

match protocol tcp

match protocol udp

exit



class-map type inspect match-all PERMITTED-TRAFFIC-CLS-2

match class PERMITTED-TRAFFIC-CLS-1


Class-map type inspect http match-any HTTP-PORT-MISUSE

match request port-misuse p2p

match request port-misuse tunnel


policy-map type inspect http PLCY-HTTP-PORT-MISUSE

class type inspect http HTTP-PORT-MISUSE

log

reset



class-map type inspect match-any P2P-BLOCK-CLS-1

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature



class-map type inspect match-all P2P-BLOCK-CLS-2

match class-map P2P-BLOCK-CLS-1



parameter-map type urlf-glob FACEBOOK

pattern facebook.com

pattern *.facebook.com



parameter-map type urlf-glob YOUTUBE

pattern youtube.com

pattern *.youtube.com



parameter-map type urlf-glob DAILYMOTION

pattern dailymotion.com

pattern *.dailymotion.com



parameter-map type urlf-glob VIMEO

pattern vimeo.com

pattern *.vimeo.com



parameter-map type urlf-glob MEATACAFE

pattern Metacafe.com

pattern *.metacafe.com



parameter-map type urlf-glob HULU

pattern hulu.com

pattern *.hulu.com

parameter-map type urlf-glob VEOH

pattern veoh.com

pattern *.veoh.com



parameter-map type urlf-glob  PERMITTED-SITES

pattern *



class-map type urlfilter match-any BLOCKED-SITES

match  server-domain urlf-glob FACEBOOK

match  server-domain urlf-glob YOUTUBE

match  server-domain urlf-glob VEOH

match  server-domain urlf-glob HULU

match  server-domain urlf-glob MEATACAFE

match  server-domain urlf-glob VIMEO

match  server-domain urlf-glob DAILYMOTION





class-map type urlfilter match-any PERMITTED-SITES

match  server-domain urlf-glob PERMITTED-SITES





policy-map type inspect urlfilter CONTENT-FILTERING

class type urlfilter BLOCKED-SITES

  log

  reset

class type urlfilter PERMITTED-SITES

  allow


ip access-list extended ACL-IN-TO-OUT

permit ip host 192.168.88.x 10.1.50.0 0.0.0.255



class-map type inspect match-any CLS-IN-TO-OUT

match access-group name ACL-IN-TO-OUT



ip access-list extended ACL-OUT-TO-IN

PERmit IP 10.1.50.0 0.0.0.255 host 192.168.88.x



class-map type inspect match-any CLS-OUT-TO-IN

match access-group name ACL-OUT-TO-IN



policy-map type inspect PLCY-OUT-TO-IN

class type inspect CLS-OUT-TO-IN

inspect




policy-map type inspect TRAFFIC-INSPECT-IN-TO-OUT

class type inspect HTTP-ACCESS-CLS

inspect

service-policy http PLCY-HTTP-PORT-MISUSE

class type inspect HTTP-ACCESS-CLS

inspect

service-policy urlfilter CONTENT-FILTERING

class type inspect P2P-BLOCK-CLS-2

drop log

class type inspect PERMITTED-TRAFFIC-CLS-2

inspect

class type inspect CLS-IN-TO-OUT

inspect




zone-pair security OUT-TO-in source OUTSIDE destination INSIDE

service-policy type inspect PLCY-OUT-TO-IN

zone security OUTSIDE

zone security INSIDE

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

service-policy type inspect TRAFFIC-INSPECT-IN-TO-OUT




Thanks & Regards

Sabby

Correct Answer by Julio Carvajal about 3 years 8 months ago

Hello Sarbjit,


Those logs basically thing the IOS FW thinks the session does not honor a valid TCP session, there.

(this could be because of Asymetric routing, invalid payload,etc,etc) so the inspection is actually breaking this.



If you set a Pass/Pass rule for traffic comming from the VPN users to that server then this will work.


My recommendation:


Enabled packet-captures on the IOS Router (Embedded packet-captures) in order to see what the FW is seeing.



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Correct Answer by Julio Carvajal about 3 years 8 months ago

Hello,


Is the VPN pool from the 10.1.50.0/24  subnet ?


If yes, then traffic should be allowed


So do


ip inspect log drop-pkt


And then attempt to connect


After it fails do a

show looging | include x.x.x.x (Internal server IP address)


and provide us the log



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Julio Carvajal Thu, 12/05/2013 - 20:17
User Badges:
  • Purple, 4500 points or more

Hello,


Is the VPN pool from the 10.1.50.0/24  subnet ?


If yes, then traffic should be allowed


So do


ip inspect log drop-pkt


And then attempt to connect


After it fails do a

show looging | include x.x.x.x (Internal server IP address)


and provide us the log



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Sabby0115 Fri, 12/06/2013 - 01:29
User Badges:

Hi


Thanks For reply


here is the log am getting..


%FW-6-DROP_PKT: Dropping tcp session 10.1.50.20:49198 192.168.88.x:PORT due to  policy match failure with ip ident 0


Thanks

Sabby

Correct Answer
Julio Carvajal Fri, 12/06/2013 - 04:20
User Badges:
  • Purple, 4500 points or more

Hello Sarbjit,


Those logs basically thing the IOS FW thinks the session does not honor a valid TCP session, there.

(this could be because of Asymetric routing, invalid payload,etc,etc) so the inspection is actually breaking this.



If you set a Pass/Pass rule for traffic comming from the VPN users to that server then this will work.


My recommendation:


Enabled packet-captures on the IOS Router (Embedded packet-captures) in order to see what the FW is seeing.



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Sabby0115 Fri, 12/06/2013 - 04:58
User Badges:

Jcarvaja thanks for you help

I will change & check the result.

Thanks agian

Regards
Sabby

Sent from Cisco Technical Support

Sabby0115 Sat, 12/07/2013 - 02:34
User Badges:

Hello Jcarvaja



I tried to change as you suggested but did nt work.


The changed config is bold & underlined.


ip access-list extended ACL-IN-TO-OUT

permit ip host 192.168.88.x 10.1.50.0 0.0.0.255



class-map type inspect match-any CLS-IN-TO-OUT

match access-group name ACL-IN-TO-OUT



policy-map type inspect TRAFFIC-INSPECT-IN-TO-OUT

class type inspect CLS-IN-TO-OUT

pass


-----

ip access-list extended ACL-OUT-TO-IN

PERmit IP 10.1.50.0 0.0.0.255 host 192.168.88.x



class-map type inspect match-any CLS-OUT-TO-IN

match access-group name ACL-OUT-TO-IN



policy-map type inspect PLCY-OUT-TO-IN

class type inspect CLS-OUT-TO-IN

pass



So I changed few more config settings.


policy-map type inspect TRAFFIC-INSPECT-IN-TO-OUT

class type inspect PERMITTED-TRAFFIC-CLS-2

no inspect

pass


with this config  vpn was now working but internet connection from inside network were stooped.


so to trick it, I created another class map for matching only for pptp & I map it under policy-map as pass and now everything is working.r


here is my final configuration:



class-map type inspect match-all HTTP-ACCESS-CLS

match protocol http


class-map type inspect match-any PERMITTED-TRAFFIC-CLS-1

match protocol pptp


class-map type inspect match-all PERMITTED-TRAFFIC-CLS-2

match class-map PERMITTED-TRAFFIC-CLS-1


class-map type inspect match-any PERMITTED-TRAFFIC-CLS-3 (New Class-Map)

match protocol dns

match protocol http

match protocol https

match protocol udp

match protocol tcp

match protocol smtp

match protocol pop3

match protocol icmp

!

!

policy-map type inspect TRAFFIC-INSPECT-IN-TO-OUT

class type inspect HTTP-ACCESS-CLS

  inspect

  service-policy http PLCY-HTTP-PORT-MISUSE

  service-policy urlfilter CONTENT-FILTERING

class type inspect P2P-BLOCK-CLS-2

  drop log

class type inspect PERMITTED-TRAFFIC-CLS-2

  pass

class type inspect CLS-IN-TO-OUT

  pass

class type inspect PERMITTED-TRAFFIC-CLS-3

  inspect

class class-default

  drop

policy-map type inspect PLCY-OUT-TO-IN

class type inspect CLS-OUT-TO-IN

  pass

class class-default

  drop




Thank You for your help


Regards

Sabby

Julio Carvajal Sat, 12/07/2013 - 06:28
User Badges:
  • Purple, 4500 points or more

Hello Sarbit,


Ofcourse you needed the previous defined policies for the internet traffic.


Hey a pleasure to help



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Actions

This Discussion