New Member

ZBFW with GRE Tunnel (GRE over IPSec)

I have a GRE tunnel between two ISRs. The tunnel works perfectly... until I apply a zone-based firewall using CCP Ver 2.3. Below is the firewall being applied to Router 1. As soon as it is applied I can no longer use the tunnel from Router 2. What steps might I want to take in order to figure this out? I am pulling my hair out here.

Router 1

WAN - XXX.XXX.XXX.196/26

Vlan25 - 10.1.25.0/24

Vlan50 - 10.1.50.0/24

GRE Tunnel - 10.254.254.196

Router 2

WAN - XXX.XXX.XXX.141/29

Lan - 10.0.25.0/24

GRE Tunnel - 10.254.254.141

Split GRE Tunnel for the 10.X.25.0/24 networks

----------------------------------------------------------------------

ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
exit
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
exit
ip access-list extended SDM_IP
remark CCP_ACL Category=0
permit ip any any
exit
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
exit
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
exit
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
exit
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host XXX.XXX.XXX.141 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip XXX.XXX.XXX.143 0.0.0.7 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip XXX.XXX.XXX.192 0.0.0.63 any
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
exit

class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
exit
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
exit
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
exit
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
exit
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
exit
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
exit
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
exit
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
exit
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
exit
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
exit
class-map type inspect match-all ccp-invalid-src
match access-group 102
exit
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
exit
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
exit
class-map type inspect match-all ccp-protocol-http
match protocol http
exit
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 103
exit
class-map type inspect match-any ccp-sip-inspect
match protocol sip
exit
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
exit
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
exit
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
exit
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
exit
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
exit
class-map type inspect match-any ccp-h323-inspect
match protocol h323
exit
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
exit

policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  no drop
  inspect
  exit
class class-default
  no drop
  pass
  exit
exit
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  no drop
  pass
  exit
class class-default
  drop log
  exit
exit
policy-map type inspect sdm-permit-gre
class type inspect SDM_GRE
  no drop
  pass
  exit
class class-default
  drop log
  exit
exit
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  no drop
  pass
  exit
class type inspect sdm-access
  no drop
  inspect
  exit
class class-default
exit
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
  exit
class type inspect ccp-protocol-http
  no drop
  inspect
  exit
class type inspect ccp-insp-traffic
  no drop
  inspect
  exit
class type inspect ccp-sip-inspect
  no drop
  inspect
  exit
class type inspect ccp-h323-inspect
  no drop
  inspect
  exit
class type inspect ccp-h323annexe-inspect
  no drop
  inspect
  exit
class type inspect ccp-h225ras-inspect
  no drop
  inspect
  exit
class type inspect ccp-h323nxg-inspect
  no drop
  inspect
  exit
class type inspect ccp-skinny-inspect
  no drop
  inspect
  exit
exit

zone security gre-zone
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
exit
zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone
service-policy type inspect ccp-inspect
exit
zone-pair security ccp-zp-out-gre source out-zone destination gre-zone
service-policy type inspect sdm-permit-gre
exit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
exit
zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone
service-policy type inspect sdm-permit-ip
exit
zone-pair security ccp-zp-gre-out source gre-zone destination out-zone
service-policy type inspect sdm-permit-gre
exit
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
exit

interface Vlan50
description Vlan$FW_INSIDE$
zone-member security in-zone
exit
interface GigabitEthernet0/0
description WAN$FW_OUTSIDE$
zone-member security out-zone
exit
interface Tunnel0
zone-member security gre-zone
exit
interface Vlan25
description Vlan$FW_INSIDE$
zone-member security in-zone
exit

15 REPLIES
New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

I am guessing this is why people frown upon the CCP users...

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Hello!!!!

NIIICEEEEEEEEE, it's been a while since I've seen a beautiful zone-based firewall not letting people create the GRE over IPsec; we need to know which encapsulation protocol it is dropping.

Would you please put in the command ip inspect log drop-pkt and do term mon in global configuration mode and try to bring the tunnel up?

Let me know please !!!

Mike

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

I was also pinging the unit from the remote side when I brought it up.

rt-p196(config)#ip inspect log drop-pkt
rt-p196(config)#
*Oct 29 17:21:55.639: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:22:14.187: %FW-6-LOG_SUMMARY: 19 packets were dropped from XXX.remoteWAN.141:0 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:22:14.187: %FW-6-LOG_SUMMARY: 19 packets were dropped from XXX.remoteWAN.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:22:25.647: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:22:55.655: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:23:14.187: %FW-6-LOG_SUMMARY: 59 packets were dropped from XXX.remoteWAN.141:0 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:23:14.187: %FW-6-LOG_SUMMARY: 60 packets were dropped from XXX.remoteWAN.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)

THANKS FOR HELPING!

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Here it is again without pinging the unit.

rt-p196(config)#ip inspect log drop-pkt
rt-p196(config)#
*Oct 29 17:37:56.519: %FW-6-DROP_PKT: Dropping icmp session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:38:14.187: %FW-6-LOG_SUMMARY: 5 packets were dropped from XXX.remoteWAN.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)
*Oct 29 17:38:28.491: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:38:59.207: %FW-6-DROP_PKT: Dropping Unknown-l4 session XXX.remoteWAN.141:0 XXX.LocalWAN.196:0 on zone-pair ccp-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Oct 29 17:39:14.187: %FW-6-LOG_SUMMARY: 23 packets were dropped from XXX.remoteWAN.141:8 => XXX.LocalWAN.196:0 (target:class)-(ccp-zp-out-self:class-default)

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Hello,

The one that you mention on ACL 104, is that your Endpoint for the GRE? Can you show me the configuration for the Tunnel Interface?

Let me know.

Mike

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

!
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 104
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 103
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 102
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security gre-zone
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-gre source out-zone destination gre-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-gre-out source gre-zone destination out-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key **KEY** address XXX.remoteWAN.141
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toXXX.remoteWAN.141
 set peer XXX.remoteWAN.141
 set transform-set ESP-3DES-SHA
 match address 100
!
interface Tunnel0
 ip address 10.254.254.196 255.255.255.0
 ip mtu 1420
 zone-member security gre-zone
 tunnel source GigabitEthernet0/0
 tunnel destination XXX.remoteWAN.141
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0
 description WAN$FW_OUTSIDE$
 ip address XXX.LocalWAN.196 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description 50 - Vlan50
 switchport access vlan 50
!
interface FastEthernet0/0/1
 description 50 - Vlan50
 switchport access vlan 50
!
interface FastEthernet0/0/2
 description 25 - Vlan25
 switchport access vlan 25
!
interface FastEthernet0/0/3
 description 25 - Vlan25
 switchport access vlan 25
!
interface Vlan25
 description Vlan25-Vlan$FW_INSIDE$
 ip address 10.1.25.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 no mop enabled
!
interface Vlan50
 description Vlan50-Vlan$FW_INSIDE$
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 XXX.NEXTHOP.193
ip route 10.0.25.0 255.255.255.0 Tunnel0
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.25.0 0.0.0.255
access-list 1 permit 10.1.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host XXX.LocalWAN.196 host XXX.remoteWAN.141
access-list 101 remark CCP_ACL Category=2
access-list 101 deny   gre host XXX.LocalWAN.196 host XXX.remoteWAN.141
access-list 101 permit ip 10.1.50.0 0.0.0.255 any
access-list 101 permit ip 10.1.25.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip XXX.LocalWAN.192 0.0.0.63 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host XXX.remoteWAN.141 any
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host XXX.remoteWAN.141 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Are you able to see the IPsec Tunnel coming up?

Cheers

Mike

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

No, not once the firewall is in place.

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Hello,

Is the host on ACL 104 the endpoint on the other side? Can you change this class map, class-map type inspect match-all SDM_VPN_PT, from match-all to match-any?

It would be like this:

class-map type inspect match-any SDM_VPN_PT

Thanks!

Mike

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Host on ACL 104 and endpoint are the same.

class-map type inspect match-any SDM_VPN_PT

yielded nothing.

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Hello,


Thanks. Would you please take out the new logs?

Let me know.

Mike
New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

*Oct 29 22:44:44.226: %FW-6-DROP_PKT: Dropping icmp session XXX.LocalWAN.196:0 XXX.RemoteWAN.141:0 on zone-pair ccp-zp-self-out class ccp-icmp-access with ip ident 0

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Hi,

If your shift is not over please try this and let me know.


policy-map type inspect ccp-permit
  class class-default
    pass

policy-map type inspect ccp-icmp-access
  class ccp-permit-icmpreply
    no inspect
      pass

Cheers

Mike.

New Member

Re: ZBFW with GRE Tunnel (GRE over IPSec)

I get

% class map ccp-permit-icmpreply not configured

Cisco Employee

Re: ZBFW with GRE Tunnel (GRE over IPSec)

Sorry,

Here are the correct changes

policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
   no inspect
     pass


policy-map type inspect ccp-permit
   class class-default
     no drop 
       pass

Cheers.

Mike
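As an added example (not the poster's or Cisco's code), the following Python models the class-map evaluation ZBFW applies on the out-zone to self zone-pair, using the class-maps and ACLs posted above. It shows that ESP and ISAKMP from the peer match SDM_VPN_PT and are passed, while GRE (IP protocol 47, which the inspect engine logged as Unknown-l4) matches none of the nested criteria and falls to class-default, which is why the thread's fix of passing class-default works. The protocol-number table, the UDP 500/4500 model of isakmp/ipsec-msft, and the with_gre_in_vpn_class variant are assumptions of this example; the variant shows the narrower option of matching the existing SDM_GRE class inside the VPN pass class instead of passing everything that reaches class-default.

```python
from collections import namedtuple

# IP protocol numbers for the ACL keywords used on the page ('ip' matches any protocol)
PROTO = {"ip": None, "gre": 47, "esp": 50, "ahp": 51, "udp": 17}
# 'match protocol isakmp/ipsec-msft' modelled as UDP destination ports (assumption)
UDP_PORTS = {"isakmp": 500, "ipsec-msft": 4500}

Packet = namedtuple("Packet", "src dst proto dport")  # dport only meaningful for UDP

# Extended ACLs as (protocol, source, destination), copied from the poster's config;
# XXX.remoteWAN.141 is the placeholder the poster used for the GRE/IPsec peer.
ACLS = {
    "104": [("ip", "XXX.remoteWAN.141", "any")],
    "SDM_ESP": [("esp", "any", "any")],
    "SDM_AH": [("ahp", "any", "any")],
    "SDM_GRE": [("gre", "any", "any")],
}

# Class-maps as (mode, criteria), mirroring the CCP-generated config on the page
CLASS_MAPS = {
    "SDM_AH": ("match-any", [("access-group", "SDM_AH")]),
    "SDM_ESP": ("match-any", [("access-group", "SDM_ESP")]),
    "SDM_GRE": ("match-all", [("access-group", "SDM_GRE")]),
    "SDM_VPN_TRAFFIC": ("match-any", [("protocol", "isakmp"), ("protocol", "ipsec-msft"),
                                      ("class-map", "SDM_AH"), ("class-map", "SDM_ESP")]),
    "SDM_VPN_PT": ("match-all", [("access-group", "104"), ("class-map", "SDM_VPN_TRAFFIC")]),
}

def acl_permits(name, pkt):
    """First-match evaluation of an extended ACL; only host/any sources are needed here."""
    for proto, src, dst in ACLS[name]:
        if PROTO[proto] is not None and PROTO[proto] != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        return True
    return False

def class_matches(name, pkt, class_maps=CLASS_MAPS):
    """match-all needs every criterion, match-any at least one; class-maps nest recursively."""
    mode, criteria = class_maps[name]
    results = []
    for kind, ref in criteria:
        if kind == "access-group":
            results.append(acl_permits(ref, pkt))
        elif kind == "protocol":
            results.append(pkt.proto == 17 and pkt.dport == UDP_PORTS[ref])
        else:
            results.append(class_matches(ref, pkt, class_maps))
    return all(results) if mode == "match-all" else any(results)

def ccp_permit_action(pkt, class_maps=CLASS_MAPS):
    """Action of policy-map ccp-permit (out-zone -> self); sdm-access (TCP mgmt ports) omitted."""
    if class_matches("SDM_VPN_PT", pkt, class_maps):
        return "pass"
    return "drop"  # class-default in the running config posted above

def with_gre_in_vpn_class():
    """Assumed variant, not from the thread: also match the SDM_GRE class in SDM_VPN_TRAFFIC."""
    mode, criteria = CLASS_MAPS["SDM_VPN_TRAFFIC"]
    return {**CLASS_MAPS, "SDM_VPN_TRAFFIC": (mode, criteria + [("class-map", "SDM_GRE")])}
```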
