11-06-2008 08:39 AM - edited 03-11-2019 07:09 AM
I've set up a VTI on two 2821 routers, which both have ZFW deployed on them. Without ZFW, the VTI works between the two routers and all traffic passes freely. When I turn on ZFW (basic FW using the wizard), no traffic flows over the VTI. The VTI is up, but I cannot ping across it and/or run OSPF. So, the questions I have are:
• Do I need to create a zone pair (along with the appropriate class-map and policy-map) between the internal interface and the tunnel interface, and vice versa?
• Do I need to create a zone pair between the outside interface and some internal interface?
Thanks
11-14-2008 05:57 AM
Can you post the config from your router?
11-23-2008 01:49 PM
If the internal interface and the tunnel interface are in the same zone, all traffic is permitted between them.
Otherwise you need to create a zone-pair between the different interfaces of the router, because if there is no zone-pair between them the traffic will fail.
I hope it helps.
06-12-2009 06:12 AM
I have the same problem as bardellom. The tunnel is up and ISAKMP is established, but traffic cannot reach the other end. The tunnels are in the same security zone as the LAN.
Do I need to create a zone-pair between the self zone and the LAN security zone?
06-12-2009 06:52 AM
Hello,
The thing is the following.
By default, the self zone is created once you create a zone.
In order to permit a L2L tunnel to be established to the router, you will need something like this:
! ACL for the IPsec control and data traffic the router itself must accept:
! ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP
ip access-list extended Tunnel
 permit udp any any eq 500
 permit udp any any eq 4500
 permit esp any any
! Classify the ACL and "pass" it toward the self zone (ESP cannot be inspected)
class-map type inspect match-all VPN
 match access-group name Tunnel
policy-map type inspect 2self
 class type inspect VPN
  pass
From the self zone to the out-zone, don't do any zone-pairs, and everything will be implicitly permitted.
For the VTI lines, please do the same, but for the SSH and Telnet ports.
If you have any questions, please let me know.
Chris - TAC Security Engineer
06-12-2009 10:06 AM
Hello torchris,
First I would like to thank you :)
I have the following config on both routers:
! IPsec control and data traffic toward the router: ESP, ISAKMP (UDP/500), AH, NAT-T (UDP/4500)
ip access-list extended VPN
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit udp any any eq non500-isakmp
class-map type inspect match-all ipsec-cmap
 match access-group name VPN
! ssh-cmap and icmp-cmap are defined elsewhere in the running config
policy-map type inspect Internet2Self-pmap
 class type inspect ipsec-cmap
  inspect
 class type inspect ssh-cmap
  inspect
 class type inspect icmp-cmap
  inspect
 class class-default
  drop
zone-pair security Internet2Self source Internet destination self
 service-policy type inspect Internet2Self-pmap
zone-pair security Self2Internet source self destination Internet
 service-policy type inspect Internet2Self-pmap
The ISAKMP and IPsec tunnels are established; only the firewall is blocking traffic. This is the message from the log file:
%FW-6-DROP_PKT: Dropping Unknown-l4 session xxx.xxx.xxx.84:0 xxx.xxx.xxx.33:0 on zone-pair Internet2Self class class-default due to DROP action found in policy-map with ip ident 0
And when I am trying to ping from one tunnel interface to the other:
%FW-6-DROP_PKT: Dropping icmp session 192.168.5.21:0 192.168.1.1:0 due to policy match failure with ip ident 0
06-12-2009 10:36 AM
Thanks for the reply.
The problem you are having is the action in the policy.
Instead of inspect, it should be pass.
The reason for this is that the firewall uses the payload of the packet to inspect the traffic, and in ESP the payload is encrypted.
Also, I checked that the ICMP traffic is being dropped.
You can do the following to permit ICMP:
! Match ICMP to the router itself and pass it in the Internet-to-self policy
class-map type inspect match-all ICMP2Self
 match protocol icmp
policy-map type inspect 2self
 class type inspect ICMP2Self
  pass
That should solve it for the ICMP and ESP traffic.
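Putting the two replies above together, here is a complete ZFW configuration for a VTI that applies Chris's advice. This is an added example, not the original poster's config or Cisco's: the interface names, zone names, the RFC 5737 addresses, the pre-shared key placeholder and the crypto parameters are all assumptions. The two security-relevant points it shows are (1) the VTI is placed in the same zone as the LAN, so LAN-to-tunnel traffic needs no zone-pair, and (2) ISAKMP/NAT-T/ESP/AH toward the self zone use `pass`, not `inspect`, and there is no self-to-Internet zone-pair, because `pass` creates no session state for the router's own outbound ISAKMP and ESP.

```cisco
! ---- Zones (assumed names). The VTI shares the LAN zone. ----
zone security LAN
zone security Internet
!
! ---- IPsec control/data traffic the router itself must accept from the peer ----
ip access-list extended VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
!
class-map type inspect match-all IPSEC-CMAP
 match access-group name VPN-TO-SELF
class-map type inspect match-all ICMP-TO-SELF-CMAP
 match protocol icmp
class-map type inspect match-all SSH-TO-SELF-CMAP
 match protocol ssh
!
! Internet -> self: PASS the IPsec traffic. ESP carries no inspectable L4 payload;
! with "inspect" it falls through to class-default and is dropped ("Unknown-l4").
policy-map type inspect INTERNET-TO-SELF-PMAP
 class type inspect IPSEC-CMAP
  pass
 class type inspect ICMP-TO-SELF-CMAP
  pass
 class type inspect SSH-TO-SELF-CMAP
  inspect
 class class-default
  drop
!
zone-pair security INTERNET-TO-SELF source Internet destination self
 service-policy type inspect INTERNET-TO-SELF-PMAP
!
! Deliberately NO self -> Internet zone-pair: without one, the router's own outbound
! ISAKMP/ESP (and the replies to passed ICMP) are permitted by default.
!
! ---- LAN -> Internet: inspect what the LAN initiates so return traffic is allowed ----
class-map type inspect match-any LAN-OUT-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect LAN-TO-INTERNET-PMAP
 class type inspect LAN-OUT-CMAP
  inspect
 class class-default
  drop
zone-pair security LAN-TO-INTERNET source LAN destination Internet
 service-policy type inspect LAN-TO-INTERNET-PMAP
!
! ---- IKE/IPsec for the VTI (assumed parameters; use the strongest the image supports) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS
!
! ---- Interface zone membership (assumed interfaces and addresses) ----
interface GigabitEthernet0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 zone-member security LAN
!
interface GigabitEthernet0/1
 description Internet
 ip address 198.51.100.2 255.255.255.252
 zone-member security Internet
!
interface Tunnel0
 description VTI to peer; in the LAN zone so LAN<->tunnel needs no zone-pair
 ip address 10.0.0.1 255.255.255.252
 zone-member security LAN
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
```

After applying it, `show zone-pair security` should list only INTERNET-TO-SELF and LAN-TO-INTERNET, and `show policy-map type inspect zone-pair sessions` should show no sessions for the passed IPsec class (pass is stateless) while `%FW-6-DROP_PKT` messages on class-default for the peer's address stop. Because `pass` is one-directional and stateless, anything you add to the self-zone policy with `pass` needs the reverse direction to be open as well, which is why this example leaves self-to-Internet without a zone-pair rather than mirroring the policy onto it.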
06-12-2009 11:43 AM
Thank you it is working :)
One more question. You mentioned:
class-map type inspect match-all ICMP2Self
 match protocol icmp
Is ICMP traffic also encrypted if I send it from the LAN on router 1 to the LAN on router 2?
Kind regards, Marko
06-12-2009 12:14 PM
Yes, the thing is the following.
If the traffic is from the LAN on router 1 to the LAN on router 2, the flow will be different and the self zone will not participate.
If you try to ping the LAN interface of the router, the packet will get to the router and be decrypted, then sent to the LAN interface and then through the VPN tunnel.
That means that when the packet gets to the LAN interface it is decrypted.
I hope it helps.