
zfw VPN tunnel problem

Josh Sprang, Level 1

Recently I attempted to build a LAN-to-LAN VPN tunnel from an ASA to a 2911 running zone-based firewall. This was a standard IPsec PSK tunnel, nothing fancy. I got the tunnel to establish, but I could only get traffic to encap on the ASA side and decap on the 2911 side. I couldn't get return traffic. I followed this doc here for classic IPsec in the last example.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

And I am sure the ASA is right, I built a ton of those, but I am new to ZFW. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasn't sure and I could not find any info. Do I need to do NAT exempt? If so, do you use a route map on the end of your NAT overload config line like in the past?

Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 from the remote end when the tunnel is up. Thanks


7 Replies

Is the zone-pair to self, from the outside to self?

And you say you don't use NAT, only have real addresses (public routable addresses?), so why would you need to do an exception for the NAT that you don't have?

Yes, it looks like they wanted ping allowed:

zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
  drop
!
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match protocol user-ctcp-ezvpnsvr
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any

In your "ccp-permit-icmpreply" policy map you inspect the ICMP traffic and the default is pass. I don't know if the pass default is a security risk, but because of that everything is allowed to your router, but the return traffic will not be sent back.

But I would do this for the self to outside:

policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class type inspect SELF-TO-OUT-VPN-CMAP
  inspect
 class class-default
  drop
!
class-map type inspect match-any SELF-TO-OUT-VPN-CMAP
 match access-group name SELF-TO-OUT-VPN-ACL
!
ip access-list extended SELF-TO-OUT-VPN-ACL
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp

I'm not sure this will fix your problem, because I never use the pass as default so I don't know how it works.

Thanks, I am going to give that a try Monday, I'll let you know. Do you have to define a self to out and out to self, or is the default behavior that nothing will connect to the router? I am building a VPN to the customer so that we can connect a bw grapher and netflow to the device. Does the remote network on the tunnel fall into the zone pair self to out and out to self?

I know the ASA defines the interfaces in that security level. Also, I don't have a zone pair self to in; does it allow all traffic on the inside? Thanks again for the help, I am new to the ZFW and the whole "self" thing has me confused.

You don't have to define anything to the self zone; everything is by default passed to the self zone, but as you can understand that would be a security risk.

And also by default nothing is permitted between the different zones, so you have to create zone-pairs and define policies so communication is possible.

The remote network will fall into both, because you get traffic from the remote network (out->self) and you send traffic to the remote network (self->out).

Ok, that makes sense.

So if I need snap and netflow to traverse the VPN, I need to define these ports in the self to out and out to self maps, right?

I'm sorry, I don't know what netflow and snap are.

But if the traffic originates from the router or is being sent to the router, it is like you just wrote; but if it originates inside the network, it is inside->out and out->inside.

+

I have to do a correction of myself. The traffic going to and from the router (self) has to be "pass", not "inspect".

Default should still be drop in my opinion.
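Putting that correction together with the rest of the thread, the self-zone policy for a LAN-to-LAN IPsec tunnel ends up with the tunnel's own control and data plane (ISAKMP, NAT-T, ESP, AH) passed in both zone-pairs, ICMP inspected so echo replies are handled by the session table, and drop as the default in both directions. This is an added example written for this thread, not the configuration anyone posted in it: the zone-pair, class-map and ACL names, the peer address 203.0.113.1 and the remote LAN 192.0.2.0/24 (both documentation ranges) are assumptions, and "out-zone" is the zone name already used above.

```cisco
! Added example for this thread, not the posted configuration.
! Assumptions: peer 203.0.113.1, remote LAN 192.0.2.0/24, zone "out-zone".
!
! Tunnel traffic to the router, limited to the known peer so the self zone
! does not accept IKE from arbitrary sources.
ip access-list extended VPN-PEER-TO-SELF-ACL
 permit udp host 203.0.113.1 any eq isakmp
 permit udp host 203.0.113.1 any eq non500-isakmp
 permit esp host 203.0.113.1 any
 permit ahp host 203.0.113.1 any
!
! Tunnel traffic from the router to the peer. "pass" is stateless, so the
! return direction needs its own ACL and class.
ip access-list extended SELF-TO-VPN-PEER-ACL
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 permit ahp any host 203.0.113.1
!
! Pings to the router's interfaces from the remote LAN, which arrive through
! the tunnel and are classified as out-zone -> self after decryption.
ip access-list extended REMOTE-LAN-ICMP-ACL
 permit icmp 192.0.2.0 0.0.0.255 any
!
class-map type inspect match-any VPN-PEER-TO-SELF-CMAP
 match access-group name VPN-PEER-TO-SELF-ACL
class-map type inspect match-any SELF-TO-VPN-PEER-CMAP
 match access-group name SELF-TO-VPN-PEER-ACL
class-map type inspect match-any REMOTE-LAN-ICMP-CMAP
 match access-group name REMOTE-LAN-ICMP-ACL
class-map type inspect match-any ICMP-CMAP
 match protocol icmp
!
! out-zone -> self: pass the tunnel protocols, inspect ICMP from the remote
! LAN (the session entry lets the echo reply out), drop everything else.
policy-map type inspect OUT-TO-SELF-PMAP
 class type inspect VPN-PEER-TO-SELF-CMAP
  pass
 class type inspect REMOTE-LAN-ICMP-CMAP
  inspect
 class class-default
  drop
!
! self -> out-zone: pass the tunnel protocols, inspect router-originated
! ICMP, drop everything else instead of the CCP default of pass.
policy-map type inspect SELF-TO-OUT-PMAP
 class type inspect SELF-TO-VPN-PEER-CMAP
  pass
 class type inspect ICMP-CMAP
  inspect
 class class-default
  drop
!
zone-pair security OUT-TO-SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF-PMAP
zone-pair security SELF-TO-OUT source self destination out-zone
 service-policy type inspect SELF-TO-OUT-PMAP
```

The two points this layout makes explicit are the ones the thread circles around: "pass" creates no session, so ESP, AH and ISAKMP need a matching class in each zone-pair, whereas "inspect" on ICMP records the flow and admits the reply without a second rule. Any management traffic the router itself originates across the tunnel (the netflow export mentioned above would be one case) is self -> out-zone and needs its own class here; traffic between the inside LAN and the remote LAN never touches the self zone and belongs in the in-zone/out-zone pairs instead.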