Allow VPN traffic through a Zone Based Firewall

2044418Puts · ‎03-31-2009

Hi,

I'm trying to allow IPSec and L2TP VPN traffic through a IOS Zone Based Firewall. The router running the ZBF is NOT a vpn end point. It only needs to pass traffic from VPN clients behind the router to other remote routers.

When I try to connect to a remote router, the Username/Password dialog box does not appear (Cisco VPN client). When I remove the zones from the interfaces of the firewall the VPN works perfectly. So I suppose I'm blocking something in the ZBF but I don't know what.

I'm using the following policy map for VPN to allow traffic from the INSIDE to OUTSIDE and vica versa:

policy-map type inspect OUTSIDE_INSIDE_PM

class type inspect VPN_PROTOCOLS_CM

pass

class-map type inspect match-any VPN_PROTOCOLS_CM

match protocol isakmp

match access-group name VPN_PROTOCOLS_ACL

ip access-list extended VPN_PROTOCOLS_ACL

permit esp any any

permit udp any any eq non500-isakmp

permit gre any any

Anyone any idea how to allow VPN traffic to passthrough?

Thanks!

murabi · ‎04-06-2009

If non-VTI IPsec is employed, you must exercise caution when you configure the firewall policy for VPN. The zone policy must specifically allow access by IP address to protected hosts for remote VPN sites' hosts or clients if they are in a different zone than the VPN traffic's ingress interface, where encrypted traffic will be sent to and received from remote VPN sites or clients. Access policy must be configured by including an access control list (ACL) enumerating the source addresses of the VPN clients and the destination addresses of the hosts the VPN clients will be allowed to reach. If the access policy is not properly configured, the policy could expose vulnerable hosts to hostile traffic.