Cisco Support Community

New Member

Zone-Based Firewall on a site to site VPN

We have a site to site VPN between an 800 series router and a VPN concentrator. I want to implement the Zone-Based Firewall on the router.

On the 800 series router, once I apply the zone on the outside interface, which is the "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?

ip access-list extended county-out
 permit ip any

ip access-list extended county-in
 permit ip any

ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big

ip access-list extended esp-traffic
 permit esp any any

class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic

class-map type inspect match-all ICMPReply
 match access-group name ICMPReply

class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp

class-map type inspect match-any out-in
 match access-group name county-out

policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
 class type inspect IPSec
 class class-default
  drop log

policy-map type inspect access-county
 class type inspect in-out
 class class-default

policy-map type inspect county-out
 class type inspect out-in

zone security in-zone
zone security out-zone

zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf

zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county

zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out


Re: Zone-Based Firewall on a site to site VPN

I would try to configure a zone from the self to the out zone, permit all IP... If not, just get the ... IP INSPECT LOG DROP-PKT

This will tell us why the traffic is being dropped. If you attach a diagram of the topology, that will help us to understand why it's not working. Are you using NAT for any of the endpoints?

New Member

Re: Zone-Based Firewall on a site to site VPN

Thanks for the reply! It does work when I modify the self out-zone with IP any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try the "ip inspect log drop-pkt".

I'll try to illustrate a quick topology:

192.168.60.x/24------871 router<-------Internet------->VPN Concentrator------

Re: Zone-Based Firewall on a site to site VPN

OK, but you are not NATing the endpoint; they are using the public IPs, right?

New Member

Re: Zone-Based Firewall on a site to site VPN

Yes, they are using public IPs.
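Added worked example (not posted by anyone in this thread): the self-to-out-zone zone-pair the reply suggests, but limited to the IKE/ESP class-map already in the posted configuration instead of permitting all IP, which is the more specific policy the original poster asked for. The policy-map and zone-pair name SelfToOut is an assumed name; the class-map IPSec, the zone out-zone and the policy OutToSelf are taken from the posted config. Note that ESP (IP protocol 50) is not TCP, UDP or ICMP and cannot be inspected, so the action has to be pass, and pass is one-directional, so the same class needs an explicit pass in the existing out-zone to self policy as well (the posted OutToSelf shows no action under its classes).

```cisco
! Added example, not from the thread. SelfToOut is an assumed name; the
! class-map IPSec (isakmp, ipsec-msft for NAT-T on UDP 4500, and the
! esp-traffic ACL) is the one from the posted configuration.
!
! Router-originated IKE/ESP toward the peer: pass only that class and
! log anything else the router itself tries to send out of this zone.
policy-map type inspect SelfToOut
 class type inspect IPSec
  pass
 class class-default
  drop log

zone-pair security SelfToOut source self destination out-zone
 service-policy type inspect SelfToOut

! Return direction: pass is not stateful, so the existing Internet -> router
! policy needs the same explicit action for the peer's IKE and ESP packets.
policy-map type inspect OutToSelf
 class type inspect IPSec
  pass

! While testing, log every packet the firewall drops; remove afterwards.
ip inspect log drop-pkt

! Verification from exec mode (comments, not config):
! show zone-pair security
! show policy-map type inspect zone-pair SelfToOut
! show crypto isakmp sa
```

The drop log under class-default on the self-to-out-zone pair is the quickest way to see which router-originated flow (DNS, NTP, syslog, and so on) still needs its own class once the tunnel is up; the zone-pair counters from show policy-map type inspect zone-pair show whether the IPSec class is actually matching or whether traffic is falling into class-default.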
