
Wednesday, October 9, 2013

IOS Firewall - VPN Traffic for IPSEC_CLASS


Cisco 1841

The VPN client can connect successfully from outside. However, on the Cisco 2811 it is being blocked.
Here is some traffic generated using Microsoft PPTP.

1. First, check the policy maps that use 4_IPSEC_CLASS.

Policy Map type inspect A_OUTBOUND_INTERNET
  Class 0_INVALID_CLASS
    Drop log
  Class 1_INTERNET_CLASS
    Inspect
  Class 2_TORRENT_CLASS
    Drop
  Class 4_IPSEC_CLASS
    Pass
  Class 5_ICMP_OUT
    Inspect
  Class class-default
    Pass

Policy Map type inspect B_INBOUND_INTERNET
  Class 7_CISCO_EZVPN
    Pass
  Class 4_IPSEC_CLASS
    Pass
  Class class-default
    Drop log


2. Next, define the VPN traffic with class-map type inspect statements: a match-any class that references one nested class-map per protocol, each backed by an extended ACL.

class-map type inspect match-any 4_IPSEC_CLASS
 match class-map CLASS_ESP
 match class-map CLASS_GRE

class-map type inspect match-any CLASS_ESP
 match access-group name ACL_ESP
class-map type inspect match-any CLASS_GRE
 match access-group name ACL_GRE

ip access-list extended ACL_ESP
 permit esp any any
ip access-list extended ACL_GRE
 permit gre any any


3. The resulting output of "show policy-map type inspect zone-pair":

Zone-pair: ZP1-3

  Service-policy inspect : A_OUTBOUND_INTERNET

Class-map: 4_IPSEC_CLASS (match-any)
  Match: class-map match-any CLASS_ESP
    85201 packets, 11014192 bytes
    30 second rate 1000 bps
    Match: access-group name ACL_ESP
      0 packets, 0 bytes
      30 second rate 0 bps
  Match: class-map match-any CLASS_GRE
    0 packets, 0 bytes
    30 second rate 0 bps
    Match: access-group name ACL_GRE
      0 packets, 0 bytes
      30 second rate 0 bps
  Pass
    85201 packets, 11014192 bytes


Zone-pair: ZP3-1

  Service-policy inspect : B_INBOUND_INTERNET

Class-map: 4_IPSEC_CLASS (match-any)
  Match: class-map match-any CLASS_ESP
    91560 packets, 47086534 bytes
    30 second rate 0 bps
    Match: access-group name ACL_ESP
      0 packets, 0 bytes
      30 second rate 0 bps
  Match: class-map match-any CLASS_GRE
    0 packets, 0 bytes
    30 second rate 0 bps
    Match: access-group name ACL_GRE
      0 packets, 0 bytes
      30 second rate 0 bps
  Pass
    91560 packets, 47086534 bytes

Useful while testing, to reset the counters and clear the active inspect sessions:

# clear zone-pair counter
# clear zone-pair inspect session policy-map
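As an added example (not from the original post), here is a small Python parser for the counters above that lists which Pass classes actually carried traffic; since Pass skips stateful inspection, those are the classes worth auditing. The sample text is constructed from the output shown above, with the service-policy and rate lines dropped.

```python
# Constructed sample, abridged from the "show policy-map type inspect zone-pair"
# output above (service-policy and "30 second rate" lines dropped for brevity).
SAMPLE = """\
Zone-pair: ZP1-3
Class-map: 4_IPSEC_CLASS (match-any)
  Match: class-map match-any CLASS_ESP
    85201 packets, 11014192 bytes
    Match: access-group name ACL_ESP
      0 packets, 0 bytes
  Match: class-map match-any CLASS_GRE
    0 packets, 0 bytes
  Pass
    85201 packets, 11014192 bytes
Zone-pair: ZP3-1
Class-map: 4_IPSEC_CLASS (match-any)
  Match: class-map match-any CLASS_ESP
    91560 packets, 47086534 bytes
  Pass
    91560 packets, 47086534 bytes
"""

def parse_zone_pair_counters(text):
    """{(zone_pair, class_map): {"matches": {desc: (pkts, bytes)}, "action": (name, pkts, bytes)}}"""
    stats, zone, cls, pending = {}, None, None, None
    for line in text.splitlines():
        w = line.split() or [""]
        if w[0] == "Zone-pair:":
            zone = w[1]
        elif w[0] == "Class-map:":
            cls = w[1]
            stats[(zone, cls)] = {"matches": {}, "action": None}
        elif w[0] == "Match:":                    # nested matches are flattened
            pending = ("match", " ".join(w[1:]))  # counters are on the next line
        elif w[0] in ("Pass", "Inspect", "Drop"):  # "Drop log" starts with Drop
            pending = ("action", " ".join(w))
        elif pending and cls and len(w) == 4 and w[1] == "packets,":
            counts = (int(w[0]), int(w[2]))
            if pending[0] == "match":
                stats[(zone, cls)]["matches"][pending[1]] = counts
            else:
                stats[(zone, cls)]["action"] = (pending[1],) + counts
            pending = None
    return stats

def passed_without_inspection(stats):
    """(zone_pair, class_map, packets) for Pass classes that carried traffic:
    it bypasses stateful inspection, so it is the part of the policy to audit."""
    return sorted((z, c, e["action"][1]) for (z, c), e in stats.items()
                  if e["action"] and e["action"][0] == "Pass" and e["action"][1])
```

Feed it the full show output from the router and the two zone-pairs above come back with their Pass counters, while Inspect and Drop classes are left out.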

