New Member

VPN & Zone-based firewall

Hi,

I have a site to site VPN using VTI.

I tried to configure my zone-based firewall to deny ping on my WAN IP, but when I applied it, my VPN went down.

Could someone advise me how to do it?

Below is my config:

class-map type inspect match-any Inside-Outside-Class
 match protocol https
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Outside-Self-Class
 match access-group name ICMPReply
 match access-group name ISAKMP
class-map type inspect match-any VPN-Inside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol ssh
 match protocol https
 match protocol sip
class-map type inspect match-any Inside-VPN-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol ssh
 match protocol sip

policy-map type inspect Inside-Outside-Policy
 class type inspect Inside-Outside-Class
  inspect
 class class-default
policy-map type inspect VPN-Inside-Policy
 class type inspect VPN-Inside-Class
  inspect
 class class-default
policy-map type inspect Inside-VPN-Policy
 class type inspect Inside-VPN-Class
  inspect
 class class-default
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  inspect
 class class-default

zone security Inside
zone security Outside
zone security VPN

zone-pair security in-out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
zone-pair security VPN-In source VPN destination Inside
 service-policy type inspect VPN-Inside-Policy
zone-pair security In-VPN source Inside destination VPN
 service-policy type inspect Inside-VPN-Policy
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy

interface Tunnel100
 zone-member security VPN
 tunnel source Dialer0

interface Dialer0
 zone-member security Outside

interface Vlan1
 zone-member security Inside

ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp

ip access-list extended ICMPReply
 permit icmp any any host-unreachable

Thank you

18 REPLIES
Super Bronze

Re: VPN & Zone-based firewall

You would need to change the action from "inspect" to "pass" in the Outside-Self-Policy as follows:

policy-map type inspect Outside-Self-Policy
  class type inspect Outside-Self-Class
    pass

Hope that helps.

New Member

Re: VPN & Zone-based firewall

Hi,

good to hear from you again.

I changed it to 'pass', but the VPN is still down.

Any suggestion for me?

Thank you

Super Bronze

Re: VPN & Zone-based firewall

When you say it's down, what is the status of both phases?

Please share the output of:

show cry isa sa

show cry ipsec sa

New Member

Re: VPN & Zone-based firewall

Local router:

Kim#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
110.92.xxx.xxx  110.92.xxx.xxx  QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Kim#sh crypto ipsec sa

interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 110.92.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 110.92.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 110.92.xxx.xxx, remote crypto endpt.: 110.92.xxx.xxx
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

There's no firewall on the remote router, to make troubleshooting easier.

Thank you

Super Bronze

Re: VPN & Zone-based firewall

Thanks, so phase 1 is up, however, phase 2 is not.

I assume that it works if you remove the ZBFW?

Can you turn on logging, and check if there is any ZBFW error messages?

Also, did you clear the tunnel after the ZBFW configuration?

clear cry isa sa

clear cry sa

The configuration looks correct.

New Member

Re: VPN & Zone-based firewall

Yes, without zbf my vpn can work.

I did a 'wr' and reloaded my router after any changes to the FW.

What is the command to see FW logging?

Thank you!

Super Bronze

Re: VPN & Zone-based firewall

Just turn on logging in general on the router, try to ping across the VPN tunnel, and check the output of "show log".

New Member

Re: VPN & Zone-based firewall

Hi,

It's working now after I reset the router... very weird. Anyway, thanks for your help again!

The command

ip access-list extended ICMPReply
  permit icmp any any host-unreachable

My understanding is that it will reply host-unreachable when there's a ping on the WAN.

I tried to ping my WAN IP from a public IP with and without this command applied on my Outside-Self-Policy, but the result turned out to be the same: "Request Timed Out".

Is this correct?

Thank you.

Super Bronze

Re: VPN & Zone-based firewall

If you have a single policy applied via the ZBFW, you don't even need to configure any ICMP rules, as by default, when you have one ZBFW rule, it will implicitly deny anything else unless you explicitly allow it.

With or without that specific ICMP rule that you have configured, you will get "ICMP Request timeout".

New Member

Re: VPN & Zone-based firewall

Thank you

New Member

Re: VPN & Zone-based firewall

Hi Halim,

the problem with the VPN and firewall is still not resolved (I previously thought it was working, but it was not, because I did not apply the Outside-to-self zone-pair).

So once I have an Outside-to-self zone-pair applied, my VPN will be down.

Please help.

Thank you

Super Bronze

Re: VPN & Zone-based firewall

On ACL "ISAKMP", can you also add "permit gre any any"

New Member

Re: VPN & Zone-based firewall

Were you able to solve this? I have the exact same problem. My site-to-site VPN works perfectly, then when I apply a firewall it all goes down.

Re: VPN & Zone-based firewall

Does anyone have a configuration example that works?

Please share!

Cisco Employee

Re: VPN & Zone-based firewall

Hi,

The following link gives a basic configuration of VPN with ZBF.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Regards,

Anisha

- do rate helpful posts.

Re: VPN & Zone-based firewall

I think you need to define a zone-pair between Outside and VPN as well.


Re: VPN & Zone-based firewall

But I can't understand how VPN traffic (ESP, IPsec) will pass through the firewall without any ACL to permit it? They don't talk about that.

Re: VPN & Zone-based firewall

ESP and ISAKMP packets are destined to the router itself, so they are controlled by the zone-pair policy between "self" and "outside". By default, if you don't define a zone-pair policy between "self" and "outside", they will be permitted automatically. But if you do define a zone-pair policy between "self" and "outside", like Kim did in his setup, you must permit ESP and ISAKMP traffic, as in Kim's setup.
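Two things about the posted configuration are worth spelling out. First, it already drops WAN pings: class class-default in Outside-Self-Policy has no action, which means drop, and the ICMPReply ACL only matches inbound ICMP host-unreachable messages, never echo requests, which is why "Request Timed Out" appears with or without that ACL. Second, ESP and AH are IP protocols 50 and 51, not TCP or UDP, and IKE needs no session table, so the usual recommendation for IPsec terminated on the router itself is a "pass" action in the Outside-to-self policy rather than "inspect". The configuration below is an example added here; it is not from the original post, from a later reply, or from the Cisco white paper linked above. It keeps the zone and interface names used in the thread and assumes IKEv1 on UDP/500 with NAT-T on UDP/4500; the ACL, class-map and policy-map names are the example's own.

```cisco
! Added example, not the original poster's configuration.
! Assumes zones Inside/Outside/VPN and interface Dialer0 (zone Outside),
! Tunnel100 (zone VPN) as in the thread; IKEv1 on UDP/500, NAT-T on UDP/4500.
! Object names (IPSEC-TO-SELF, ICMP-TO-SELF, OUT-SELF, ...) are assumptions.

! Traffic the router itself must accept from the Internet: IKE, NAT-T, ESP, AH.
ip access-list extended IPSEC-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any

! ICMP the router should still accept so path-MTU discovery, traceroute and
! the router's own outbound pings keep working. Echo (ping) is deliberately
! absent: it falls through to class-default and is dropped.
ip access-list extended ICMP-TO-SELF
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply

class-map type inspect match-any IPSEC-TO-SELF-CLASS
 match access-group name IPSEC-TO-SELF
class-map type inspect match-any ICMP-TO-SELF-CLASS
 match access-group name ICMP-TO-SELF

! "pass" rather than "inspect" for router-terminated IPsec. "pass" is stateless
! and one-directional; that is fine here because no self -> Outside zone-pair is
! configured, so the router's own outbound IKE/ESP is allowed by default.
! "drop log" on class-default records what the WAN filter discards (pings included).
policy-map type inspect OUTSIDE-SELF-POLICY
 class type inspect IPSEC-TO-SELF-CLASS
  pass
 class type inspect ICMP-TO-SELF-CLASS
  pass
 class class-default
  drop log

zone-pair security OUT-SELF source Outside destination self
 service-policy type inspect OUTSIDE-SELF-POLICY
```

After applying it, clear the SAs (clear crypto isakmp sa, clear crypto sa) so IKE renegotiates under the new policy, then verify with show crypto ipsec sa (non-zero encaps/decaps counters) and show policy-map type inspect zone-pair OUT-SELF, which shows per-class packet counters and confirms the IKE/ESP class is matching while class-default absorbs the pings. The caveat to keep in mind is the one-directional nature of "pass": if a self-to-Outside zone-pair is ever added, it needs the same IPSEC-TO-SELF pass class, or the tunnel will fail again in the reverse direction.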
