VPN & Zone-based firewall

jazzlim2004
Level 1

Hi,

I have a site to site VPN using VTI.

I tried to configure my zone-based firewall to deny ping on my WAN IP, but when I applied it, my VPN went down.

Could someone advise me how to do it?

Below is my config:

class-map type inspect match-any Inside-Outside-Class
 match protocol https
 match protocol http
 match protocol dns
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any Outside-Self-Class
 match access-group name ICMPReply
 match access-group name ISAKMP
class-map type inspect match-any VPN-Inside-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol ssh
 match protocol https
 match protocol sip
class-map type inspect match-any Inside-VPN-Class
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol ssh
 match protocol sip

policy-map type inspect Inside-Outside-Policy
 class type inspect Inside-Outside-Class
  inspect
 class class-default
policy-map type inspect VPN-Inside-Policy
 class type inspect VPN-Inside-Class
  inspect
 class class-default
policy-map type inspect Inside-VPN-Policy
 class type inspect Inside-VPN-Class
  inspect
 class class-default
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  inspect
 class class-default

zone security Inside
zone security Outside
zone security VPN

zone-pair security in-out source Inside destination Outside
 service-policy type inspect Inside-Outside-Policy
zone-pair security VPN-In source VPN destination Inside
 service-policy type inspect VPN-Inside-Policy
zone-pair security In-VPN source Inside destination VPN
 service-policy type inspect Inside-VPN-Policy
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy

interface Tunnel100
 zone-member security VPN
 tunnel source Dialer0
interface Dialer0
 zone-member security Outside
interface Vlan1
 zone-member security Inside

ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended ICMPReply
 permit icmp any any host-unreachable

Thank you


18 Replies

Jennifer Halim
Cisco Employee

You would need to change the action from "inspect" to "pass" for Outside-Self-Policy policy as follows:

policy-map type inspect Outside-Self-Policy
  class type inspect Outside-Self-Class
    pass

Hope that helps.
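As an added example (not from the thread or from Cisco), here is a small Python check that pulls the Outside-to-self zone-pair out of an IOS ZBFW snippet, follows it through the policy-map, class-map and ACLs, and reports which IPsec keywords are permitted and whether the class action is "inspect" or "pass". The config string is a constructed excerpt modelled on the posted config; the parser assumes the usual one-space IOS indentation and match-any class-maps.

```python
# Constructed excerpt modelled on the thread's posted config (the failing state).
CONFIG = """\
class-map type inspect match-any Outside-Self-Class
 match access-group name ISAKMP
policy-map type inspect Outside-Self-Policy
 class type inspect Outside-Self-Class
  inspect
zone-pair security Out-Self source Outside destination self
 service-policy type inspect Outside-Self-Policy
ip access-list extended ISAKMP
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
"""

# ACL keywords a VTI tunnel needs permitted toward the self zone (IKE, NAT-T, AH, ESP).
IPSEC_TOKENS = {"isakmp", "non500-isakmp", "ahp", "esp"}

def sections(cfg):
    """Map each top-level IOS config header to its indented child lines (any depth)."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif line.strip():
            out[cur].append(line.strip())
    return out

def self_zone_ipsec(cfg, outside="Outside"):
    """Return {class: (action, IPsec keywords permitted)} for the Outside->self pair."""
    secs = sections(cfg)
    pair = next((h for h in secs if h.startswith("zone-pair security")
                 and h.endswith(f"source {outside} destination self")), None)
    if pair is None:  # no zone-pair touching self: traffic to the router is allowed by default
        return {}
    policy = secs[pair][0].split()[-1]          # service-policy type inspect <name>
    result, cls = {}, None
    for child in secs[f"policy-map type inspect {policy}"]:
        if child.startswith("class type inspect "):
            cls = child.split()[-1]
        elif child in ("inspect", "pass", "drop") and cls:
            acls = [m.split()[-1] for m in secs[f"class-map type inspect match-any {cls}"]
                    if m.startswith("match access-group name ")]
            found = {t for acl in acls for rule in secs[f"ip access-list extended {acl}"]
                     for t in IPSEC_TOKENS & set(rule.split())}
            result[cls] = (child, found)   # "inspect" on ESP/AH is what the reply changes to "pass"
    return result
```

Running it against the excerpt reports Outside-Self-Class with action "inspect" and all four IPsec keywords permitted; swapping the action line to "pass" is the change the reply above asks for.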

Hi,

good to hear from you again.

I changed it to 'pass', but the VPN is still down.

Any suggestion for me?

Thank you

When you say it's down, what is the status of both phases?

Please share the output of:

show cry isa sa

show cry ipsec sa

Local router:

Kim#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
110.92.xxx.xxx  110.92.xxx.xxx  QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

Kim#sh crypto ipsec sa

interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 110.92.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 110.92.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 110.92.xxx.xxx, remote crypto endpt.: 110.92.xxx.xxx
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

There's no firewall on the remote router, to make troubleshooting easier.

Thank you

Thanks, so phase 1 is up, however, phase 2 is not.

I assume that it works if you remove the ZBFW?

Can you turn on logging, and check if there is any ZBFW error messages?

Also, did you clear the tunnel after the ZBFW configuration?

clear cry isa sa

clear cry sa

The configuration looks correct.
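To turn the two show outputs into the verdict given in the reply above (phase 1 up, phase 2 not), here is an added Python parser that is not part of the thread. The sample outputs are constructed from the masked paste above, and the regexes assume standard IOS "show crypto isakmp sa" / "show crypto ipsec sa" formatting.

```python
import re

# Constructed samples modelled on the masked output posted above.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
110.92.xxx.xxx  110.92.xxx.xxx  QM_IDLE          2001    0 ACTIVE
"""
IPSEC_SA = """\
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 110.92.xxx.xxx
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

def phase1_up(isakmp_out):
    """IKE phase 1 is complete when an SA row is in QM_IDLE with status ACTIVE."""
    return any("QM_IDLE" in row and "ACTIVE" in row for row in isakmp_out.splitlines())

def phase2_state(ipsec_out):
    """Return (has_spi, encaps, decaps) parsed from show crypto ipsec sa."""
    spi = re.search(r"current outbound spi: 0x([0-9a-fA-F]+)", ipsec_out)
    enc = re.search(r"#pkts encaps: (\d+)", ipsec_out)
    dec = re.search(r"#pkts decaps: (\d+)", ipsec_out)
    has_spi = spi is not None and int(spi.group(1), 16) != 0
    return has_spi, int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0

def diagnose(isakmp_out, ipsec_out):
    """Classify the tunnel: phase 1 down, phase 2 down, one-way/no traffic, or healthy."""
    if not phase1_up(isakmp_out):
        return "phase1-down"
    has_spi, enc, dec = phase2_state(ipsec_out)
    if not has_spi:              # zero SPI and empty "esp sas:" -> no IPsec SA negotiated
        return "phase1-up-phase2-down"
    if enc == 0 or dec == 0:     # SA exists but traffic flows at most one way
        return "phase2-up-no-or-one-way-traffic"
    return "passing-traffic"
```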

Yes, without the ZBFW my VPN works.

I did a 'wr' and reloaded my router after any changes to the FW.

What is the command to see the FW logging?

Thank you!

Just turn on logging in general on the router, try to ping across the VPN tunnel, and check the output of "show log".

Hi,

It's working now after I reset the router... very weird. Anyway, thanks for your help again!

The command

ip access-list extended ICMPReply
 permit icmp any any host-unreachable

My understanding is that it will reply "host unreachable" when there's a ping on the WAN.

I tried to ping my WAN IP from a public IP with and without this command applied on my Outside-Self-Policy, but the result turned out to be the same: "Request Timed Out".

Is this correct?

Thank you.

If you have a single policy applied via the ZBFW, you don't even need to configure any ICMP rules, as by default, when you have one ZBFW rule, it will implicitly deny anything else unless you explicitly allow it.

Without that specific ICMP rule or with that specific ICMP rule that you have configured, you will get "ICMP Request timeout".

Thank you

Hi Halim,

The problem with the VPN and firewall is still not resolved (previously I thought it was working, but it was not, because I did not apply the Outside-to-self zone-pair).

So once I have an Outside-to-Self zone applied, my VPN will be down.

Please help.

Thank you

On ACL "ISAKMP", can you also add "permit gre any any"?

Were you able to solve this? I have the exact same problem. My site-to-site VPN works perfectly, then when I apply a firewall it all goes down.

Anyone have a configuration example that works?

Please share !
