Enable this command, "ip inspect log drop-pkt", and you will see in which zone the packet is being dropped.
Post the access-list "pass_esp" configuration. From a lab perspective, trying this is way too far, but you can do it for learning. Punching holes in ZFW for IPSec will be a challenge.

With regards,
Kings

On Thu, Aug 4, 2011 at 9:51 AM, Adil Pasha <[email protected]> wrote:

> I put the lab together.
>
> Pass or Inspect. Nothing works. IPSec client gets connected through ZFW but cannot connect to any device behind the ezvpn server.
>
> Any further suggestion?
>
> If anyone on the list has done this setup or GETVPN thru ZFW, could you please share the config?
>
> !
> class-map type inspect match-all o2i_esp
>  match access-group name pass_esp
> class-map type inspect match-all i2o_esp
>  match access-group name pass_esp
> class-map type inspect match-any o2i
>  match protocol telnet
>  match protocol http
>  match protocol https
>  match protocol icmp
>  match protocol isakmp
> class-map type inspect match-all i2o_ip_any
>  match access-group 101
> !
> !
> policy-map type inspect i2o
>  class type inspect i2o_ip_any
>   inspect
>  class type inspect i2o_esp
>   pass
>  class class-default
>   drop
> policy-map type inspect o2i
>  class type inspect o2i
>   inspect
>  class type inspect o2i_esp
>   pass
>  class class-default
>   drop
> !
> zone security Inside
> zone security Outside
> zone-pair security i2o source Inside destination Outside
>  service-policy type inspect i2o
> zone-pair security o2i source Outside destination Inside
>  service-policy type inspect o2i
> !
> ip access-list extended pass_esp
>  permit esp any any
> !
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 8:02 PM, Tyson Scott wrote:
>
> Personally I recommend using match protocol gdoi, match protocol isakmp for the udp based traffic. Pass is just for ESP.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Mark Senteza
> Sent: Wednesday, August 03, 2011 7:26 PM
> To: Adil Pasha
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] Remote Access through ZFW.
>
> Same thing - Apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic
>
> On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr and Mark,
>
> Is it really worth trying this scenario or am I making it too complicated?
>
> Also, what about GETVPN thru ZFW?
>
> :)
>
> I just want to cover all the bases.
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>
> "pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
>
> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
>
> ESP is not stateful in ZBF. You need another policy for that in the opposite direction.
>
> Regards,
> Piotr
>
> 2011/8/3 Adil Pasha <[email protected]>
>
> Guys,
>
> I am trying my best to figure this out.
>
> I have the following:
>
> PC ----> ZFW router ----> EZVPN server
>
> I have the following configuration on the ZFW router:
>
> class-map type inspect match-any i2o
>  match access-group 104
> !
> policy-map type inspect i2o
>  class type inspect i2o
>   inspect
>  class class-default
>   drop
>
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
>
> I am able to connect to the EZVPN router using my IPSec client through ZFW. The PC receives the EZVPN pool address and gateway.
>
> After the IPSec client established the connection I see the ACL counters increment, even when I try to PING.
>
> Extended IP access list 104
>  10 permit esp any any (8 matches)   <<<< PING packets
>  20 permit udp any any eq isakmp (4 matches)   <<<< IPSec connection
>
> For some reason I do not get the reply back.
>
> I did not include "ip any any" on the ACL since my traffic is passing through the tunnel and in my opinion I do not need this.
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
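The advice in this thread (pass ESP in both zone-pairs because ZFW cannot track it, inspect the UDP-based ISAKMP/GDOI traffic, and turn on drop logging to find where packets die) can be put together into one policy. The configuration below is an added illustration for the PC ----> ZFW router ----> EZVPN server topology; it is not anyone's posted config from this thread. The zone names Inside/Outside follow the thread; the class-map, policy-map and ACL names, the interface names and the NAT-T line are assumptions for illustration.

```cisco
! Added example, not from the thread. Zone names follow the thread;
! class/policy/ACL names and interface names are assumed.
!
! IKE (UDP/500) and GDOI (UDP/848) are UDP, so ZFW can inspect them
! statefully: the pseudo-session it creates admits the server's replies.
class-map type inspect match-any VPN-CONTROL
 match protocol isakmp
 match protocol gdoi
!
! ESP has no ports and "pass" creates no session, so it must be
! permitted explicitly in BOTH zone-pairs (Piotr's point).
ip access-list extended ESP-ONLY
 permit esp any any
 ! Assumption: only needed if a NAT device sits between the client and
 ! the EZVPN server, in which case IKE and ESP move to UDP/4500 (NAT-T).
 permit udp any any eq non500-isakmp
!
class-map type inspect match-all ESP-PASS
 match access-group name ESP-ONLY
!
! Ordinary inside-to-outside host traffic, inspected statefully.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Class order matters: ZFW applies the first class that matches, so the
! narrow ESP pass class goes before the broad inspect classes.
policy-map type inspect I2O
 class type inspect ESP-PASS
  pass
 class type inspect VPN-CONTROL
  inspect
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Return direction: only ESP is passed. Everything else arriving from
! Outside has to match a session that inside-to-outside inspection built.
policy-map type inspect O2I
 class type inspect ESP-PASS
  pass
 class class-default
  drop log
!
zone security Inside
zone security Outside
zone-pair security I2O source Inside destination Outside
 service-policy type inspect I2O
zone-pair security O2I source Outside destination Inside
 service-policy type inspect O2I
!
! Assumed interface names.
interface GigabitEthernet0/0
 description PC side
 zone-member security Inside
interface GigabitEthernet0/1
 description toward the EZVPN server
 zone-member security Outside
!
! Kings' suggestion: log each dropped packet with its zone-pair so the
! failing direction shows up in the syslog.
ip inspect log drop-pkt
```

To see which class a packet actually hit, check the per-class pass/inspect/drop counters with "show policy-map type inspect zone-pair O2I" (and the same for I2O) while a ping runs through the tunnel; if the ESP counter in O2I stays at zero while I2O's increments, the return ESP is not reaching the Outside zone at all, which points at the EZVPN server side rather than the firewall.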
