Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

zfw VPN tunnel problem

Recently i attempted to build a LAN 2 LAN VPN tunnel from an Asa to a 2911 running zone based firewall. This was a standard IPSec psk tunnel nothing fancy. I got the tunnel to establish but i could only get traffic to encap on the Asa side and decap on the 2911 side. I couldn't get return traffic. I followed this doc here for classic IPSec in the last example.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

And I am sure the Asa is right I built a ton of those but I am new to zfw. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasnt sure and I could not find any info. Do I need to do NAT exempt? If so do you use a route map on the end of you NAT overload config line like in the past?

Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end. Thanks

4 ACCEPTED SOLUTIONS

Accepted Solutions

Re: zfw VPN tunnel problem

Is the zone-pair to self, from the outside to self?

And you say you dont use NAT, only have real addresses (public routable addresses?),so why would you need to do an exception for the NAT that you dont have?

Re: zfw VPN tunnel problem

In your "ccp-permit-icmpreply" policy map you inspect the ICMP traffic and the default is pass, don't know if the pass default is a security risk, but because of that everything is allowed to your router, but the return traffic will not be sent back.

But I would do this for the self to outside:

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class SELF-TO-OUT-VPN

  inspect

class class-default

  drop

class-map type inspect match-any SELF-TO-OUT-VPN-CMAP

match access-group name SELF-TO-OUT-VPN-ACL

ip access-list extended SELF-TO-OUT-VPN-ACL

permit esp any any

permit ahp any any

permit udp any any eq isakmp

I'm not sure this will fix your problem, because I never use the pass as defualt so I dont know how it works.

Re: zfw VPN tunnel problem

You don't have to define anything to the self-zone, everything is by default passed to the self zone, but as you can understand that would be a security risk.

And also by default nothing is permitted between the different zones, so you have to create zone-pairs and define policys so communication is possible.

The remote network will fall into both, becuase you get traffic from the remote network (out->self) and you send traffic to the remote network (self->out).

Re: zfw VPN tunnel problem

Im sorry for not knowing what netflow and snap is

But if the traffic originate from the router and is being sent to the router is it like you just wrote, but if it originate inside the network it is from inside->out and out->inside.

+

I have to do a correction of myself. The traffic going to and from the router(self) has to be "pass" not "inspect".

Default should still be drop in my opinion.

7 REPLIES

Re: zfw VPN tunnel problem

Is the zone-pair to self, from the outside to self?

And you say you dont use NAT, only have real addresses (public routable addresses?),so why would you need to do an exception for the NAT that you dont have?

New Member

Re: zfw VPN tunnel problem

yes it looks like they wanted ping allowed:

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class class-default

  drop

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match protocol user-ctcp-ezvpnsvr

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

Re: zfw VPN tunnel problem

In your "ccp-permit-icmpreply" policy map you inspect the ICMP traffic and the default is pass, don't know if the pass default is a security risk, but because of that everything is allowed to your router, but the return traffic will not be sent back.

But I would do this for the self to outside:

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class SELF-TO-OUT-VPN

  inspect

class class-default

  drop

class-map type inspect match-any SELF-TO-OUT-VPN-CMAP

match access-group name SELF-TO-OUT-VPN-ACL

ip access-list extended SELF-TO-OUT-VPN-ACL

permit esp any any

permit ahp any any

permit udp any any eq isakmp

I'm not sure this will fix your problem, because I never use the pass as defualt so I dont know how it works.

New Member

Re: zfw VPN tunnel problem

Thanks I am going to give that a try Monday I'll let u know. Do you have to define a self to out and out to self is the default behavior nothing will connect to the router? I am building a VPN to the customer so that we can connect a bw grapher and netflow to the device. Is the remote network on the tunnel fall into the zone pair self to out and out to self?

I know the Asa does defines the interfaces in that security level. Also I don't have a zone pair self to in? Does it allow all traffic on the inside? Thanks again for the help I am new to the zfw and the whole "self" thing has me confused.

Re: zfw VPN tunnel problem

You don't have to define anything to the self-zone, everything is by default passed to the self zone, but as you can understand that would be a security risk.

And also by default nothing is permitted between the different zones, so you have to create zone-pairs and define policys so communication is possible.

The remote network will fall into both, becuase you get traffic from the remote network (out->self) and you send traffic to the remote network (self->out).

New Member

Re: zfw VPN tunnel problem

Ok that makes sense

So if I need snap and netflow to traverse the VPN I need to define these ports in the self to out and out to self maps right?

Re: zfw VPN tunnel problem

Im sorry for not knowing what netflow and snap is

But if the traffic originate from the router and is being sent to the router is it like you just wrote, but if it originate inside the network it is from inside->out and out->inside.

+

I have to do a correction of myself. The traffic going to and from the router(self) has to be "pass" not "inspect".

Default should still be drop in my opinion.

499
Views
0
Helpful
7
Replies
CreatePlease login to create content