10-19-2010 07:46 PM
Hi,
I have a site to site VPN using VTI.
I tried to configure my zone-based fw to deny ping on my WAN IP but when I applied it, my VPN went down.
Could someone advise me how to do it?
Below is my config:
class-map type inspect match-any Inside-Outside-Class
 match protocol https
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Outside-Self-Class
 match access-group name ICMPReply
 match access-group name ISAKMP
class-map type inspect match-any VPN-Inside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol ssh
 match protocol https
 match protocol sip
class-map type inspect match-any Inside-VPN-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol ssh
 match protocol sip
policy-map type inspect Inside-Outside-Policy
 class type inspect Inside-Outside-Class
  inspect
 class class-default
policy-map type inspect VPN-Inside-Policy
 class type inspect VPN-Inside-Class
  inspect
 class class-default
policy-map type inspect Inside-VPN-Policy
 class type inspect Inside-VPN-Class
  inspect
 class class-default
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  inspect
 class class-default
zone security Inside
zone security Outside
zone security VPN
zone-pair security in-out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
zone-pair security VPN-In source VPN destination Inside
 service-policy type inspect VPN-Inside-Policy
zone-pair security In-VPN source Inside destination VPN
 service-policy type inspect Inside-VPN-Policy
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy
interface Tunnel100
 zone-member security VPN
 tunnel source Dialer0
interface Dialer0
 zone-member security Outside
interface Vlan1
 zone-member security Inside
ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
Thank you
10-19-2010 08:33 PM
You would need to change the action from "inspect" to "pass" for Outside-Self-Policy policy as follows:
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  pass
Hope that helps.
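As an added example (not configuration from the thread or from the poster's router), this is what the Outside-to-self policy looks like when the "pass" advice above is applied only to ESP and AH, which carry no transport-layer state for the firewall to track, while IKE on UDP 500 and NAT-T on UDP 4500 stay under "inspect" as ordinary UDP flows. It assumes the same zone and interface names as the original post (Outside on Dialer0, VPN on Tunnel100, Inside on Vlan1); the ACL and class names IKE-to-Self, IPSEC-to-Self, IKE-Class and IPSEC-Class are illustrative. The thread itself does not record whether this pattern fixed the poster's tunnel.

```ios
! Added example, not from the original post. Names below are illustrative.

! IKE (UDP 500) and NAT-T (UDP 4500) are UDP flows, so inspect can track them.
ip access-list extended IKE-to-Self
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp

! ESP (IP protocol 50) and AH (51) have no ports or sessions to inspect; pass them.
ip access-list extended IPSEC-to-Self
 permit esp any any
 permit ahp any any

class-map type inspect match-any IKE-Class
 match access-group name IKE-to-Self
class-map type inspect match-any IPSEC-Class
 match access-group name IPSEC-to-Self

! Outside -> self: only IKE and IPsec may reach the WAN address.
! ICMP echo to the WAN IP matches neither class and falls to class-default,
! which drops it, so "deny ping on my WAN IP" needs no explicit ICMP entry.
policy-map type inspect Outside-Self-Policy
 class type inspect IKE-Class
  inspect
 class type inspect IPSEC-Class
  pass
 class class-default
  drop

zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy
```

"pass" is one-directional and creates no session, so it only covers packets arriving from Outside; the router's own ESP toward the peer still leaves because no zone-pair exists for self to Outside, and that direction stays at the self zone's default of permit. If a self-to-Outside zone-pair is added later, IPSEC-Class with "pass" (and anything else the router itself originates, such as DNS or NTP) must be added to that policy too. While testing the ping and the tunnel, "ip inspect log drop-pkt" in global configuration sends each dropped packet to syslog, which is the simplest way to see what the firewall is discarding.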
10-19-2010 10:14 PM
Hi,
good to hear from you again.
I changed it to 'pass' but the VPN is still down.
Any suggestion for me?
Thank you
10-19-2010 10:43 PM
When you say it's down, what is the status of both phases?
Please share the output of:
show cry isa sa
show cry ipsec sa
10-19-2010 10:52 PM
Local router:
Kim#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
110.92.xxx.xxx  110.92.xxx.xxx  QM_IDLE           2001    0 ACTIVE
IPv6 Crypto ISAKMP SA
Kim#sh crypto ipsec sa
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 110.92.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 110.92.xxx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 110.92.xxx.xxx, remote crypto endpt.: 110.92.xxx.xxx
path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
There's no firewall on the remote router, to make troubleshooting easier.
Thank you
10-19-2010 11:05 PM
Thanks, so phase 1 is up, however, phase 2 is not.
I assume that it works if you remove the ZBFW?
Can you turn on logging, and check if there are any ZBFW error messages?
Also, did you clear the tunnel after the ZBFW configuration?
clear cry isa sa
clear cry sa
The configuration looks correct.
10-19-2010 11:21 PM
Yes, without the ZBF my VPN works.
I did a 'wr' and reloaded my router after every change to the firewall.
What is the command to see FW logging?
Thank you!
10-19-2010 11:30 PM
Just turn on logging in general on the router, and try to ping across the vpn tunnel, and check the output of "show log"
10-20-2010 12:34 AM
Hi,
It's working now after I reset the router... very weird. Anyway, thanks for your help again!
The command
ip access-list extended ICMPReply
permit icmp any any host-unreachable
My understanding is that it will reply host unreachable when there's a ping on the WAN.
I tried to ping my WAN IP from a public IP with and without this command applied in my Outside-Self-Policy, but the result turned out to be the same: "Request Timed Out".
Is this correct?
Thank you.
10-20-2010 01:01 AM
If you have a single policy applied via the ZBFW, you don't even need to configure any ICMP rules as by default, when you have 1 ZBFW rule, it will implicitly deny anything else unless you explicitly allow it.
Without that specific ICMP rule or with that specific ICMP rule that you have configured, you will get "ICMP Request timeout".
10-20-2010 01:22 AM
Thank you
10-22-2010 12:05 AM
Hi Halim,
The problem with the VPN and the firewall is still not resolved (previously I thought it was working, but it was not, because I had not applied the Outside to Self zone-pair).
So once I have an Outside to Self zone-pair applied, my VPN goes down.
Please help.
Thank you
10-22-2010 01:17 AM
On ACL "ISAKMP", can you also add "permit gre any any"
10-28-2010 01:30 PM
Were you able to solve this? I have the exact same problem. My site to site VPN works perfect, then when I apply a firewall it all goes down.
01-27-2011 01:22 PM
Does anyone have a configuration example that works?
Please share !