Thanks Piotr, Tyson, Kingsley, Mark. Umberto, thanks for hanging out this late with me to get it working.
ZFW is working now. "Pass" did not work; just inspect is fine. It is 2:00AM in NY and I do not have energy to try "Pass" option. I also found out that for some reason IPSec MAC client does not work with ZFW in the middle. But the same configuration below works fine on Win 7. Pretty strange. I used IPSec for MAC for last 2 days with EZVPN without ZFW in the middle. Worked without issues. I will test GDOI in the morning.

I used the following configuration:

hostname zfw-R3
!
!
class-map type inspect match-all i2o
 match access-group 101
class-map type inspect match-all o2i
 match access-group 102
!
!
policy-map type inspect i2o
 class type inspect i2o
  inspect
 class class-default
  drop
policy-map type inspect o2i
 class type inspect o2i
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security i2o source Inside destination Outside
 service-policy type inspect i2o
zone-pair security o2i source Outside destination Inside
 service-policy type inspect o2i
!
!
interface FastEthernet0/0
 description Link to SW1 f0/1.
 ip address 10.11.11.13 255.255.255.0
 zone-member security Inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Link to SW3 f0/3
 ip address 10.12.12.13 255.255.255.0
 zone-member security Outside
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.11.11.0 0.0.0.255 area 0
 network 10.12.12.0 0.0.0.255 area 0
!
!
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
!
end

Best Regards.
______________________
Adil

On Aug 4, 2011, at 1:42 AM, Piotr Matusiak wrote:

> What's ACL 101? Since ESP is an IP protocol it probably gets matched by this
> and inspected instead of passing.
> Check this out.
>
> Regards,
> Piotr
>
>
> 2011/8/4 Adil Pasha <[email protected]>
> I put the lab together.
>
> Pass or Inspect. Nothing works. IPSec client gets connected through ZFW but
> cannot connect to any device behind the ezvpn server.
>
> Any further suggestion?
>
> If anyone on the list has done this setup or GETVPN thru ZFW, could you
> please share the config?
>
> !
> class-map type inspect match-all o2i_esp
>  match access-group name pass_esp
> class-map type inspect match-all i2o_esp
>  match access-group name pass_esp
> class-map type inspect match-any o2i
>  match protocol telnet
>  match protocol http
>  match protocol https
>  match protocol icmp
>  match protocol isakmp
> class-map type inspect match-all i2o_ip_any
>  match access-group 101
> !
> !
> policy-map type inspect i2o
>  class type inspect i2o_ip_any
>   inspect
>  class type inspect i2o_esp
>   pass
>  class class-default
>   drop
> policy-map type inspect o2i
>  class type inspect o2i
>   inspect
>  class type inspect o2i_esp
>   pass
>  class class-default
>   drop
> !
> zone security Inside
> zone security Outside
> zone-pair security i2o source Inside destination Outside
>  service-policy type inspect i2o
> zone-pair security o2i source Outside destination Inside
>  service-policy type inspect o2i
> !
> ip access-list extended pass_esp
>  permit esp any any
> !
>
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 8:02 PM, Tyson Scott wrote:
>
>> Personally I recommend using match protocol gdoi, match protocol isakmp for
>> the udp based traffic. Pass is just for ESP.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Mark Senteza
>> Sent: Wednesday, August 03, 2011 7:26 PM
>> To: Adil Pasha
>> Cc: CCIE Security Maillist
>> Subject: Re: [OSL | CCIE_Security] Remote Access through ZFW.
>>
>> Same thing - Apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic
>>
>> On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>>
>> Thanks Piotr and Mark,
>>
>> Is it really worth trying this scenario or am I making it too complicated?
>>
>> Also, what about GETVPN thru ZFW?
>>
>> :)
>>
>> I just want to cover all the bases.
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>>
>>
>> "pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
>>
>> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
>> ESP is not stateful in ZBF. You need another policy for that in opposite
>> direction.
>>
>> Regards,
>> Piotr
>>
>> 2011/8/3 Adil Pasha <[email protected]>
>> Guys,
>>
>> I am trying my best to figure this out.
>>
>> I have the following:
>>
>> PC ----> ZFW router ----> EZVPN server
>>
>> I have the following configuration on ZFW router
>>
>> class-map type inspect match-any i2o
>>  match access-group 104
>>
>> !
>> policy-map type inspect i2o
>>  class type inspect i2o
>>   inspect
>>  class class-default
>>   drop
>>
>> access-list 104 permit esp any any
>> access-list 104 permit udp any any eq isakmp
>>
>> I am able to connect to the EZVPN router using my IPSec client through ZFW.
>> The PC receives the EZVPN pool address and gateway.
>>
>> After the IPSec client established the connection I see the ACL counters
>> increment, even when I try to PING.
>>
>> Extended IP access list 104
>>     10 permit esp any any (8 matches) <<<< PING packets
>>     20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>>
>> For some reason I do not get the reply back.
>>
>> I did not include "ip any any" on the ACL since my traffic is passing
>> through the tunnel and in my opinion I do not need this.
>>
>>
>>
>> Best Regards.
>> ______________________
>> Adil
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
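As an added example (mine, not from the thread or any Cisco tool), a small Python audit of the two points raised above: which class in a ZFW policy-map actually decides ESP, with first match winning through class-map and ACL, and whether a stateless "pass" for ESP has no matching pass in the return direction. The embedded config is constructed after Adil's second posting; that its ACL 101 reads "permit ip any any" is an assumption, since the thread only asks what it contains.

```python
SAMPLE = "\n".join([  # constructed config; ACL 101 as 'permit ip any any' is an assumption
    "class-map type inspect match-all ip_any", " match access-group 101",
    "class-map type inspect match-all esp_only", " match access-group name pass_esp",
    "policy-map type inspect i2o", " class type inspect ip_any", "  inspect", " class type inspect esp_only", "  pass",
    "policy-map type inspect o2i", " class type inspect esp_only", "  pass",
    "ip access-list extended pass_esp", " permit esp any any", "access-list 101 permit ip any any",
    "zone-pair security i2o source Inside destination Outside", " service-policy type inspect i2o",
    "zone-pair security o2i source Outside destination Inside", " service-policy type inspect o2i"])

def parse_ios(config):  # {top-level line: [indented child lines]}, skipping '!' separators
    blocks, cur = {}, None
    for line in (l for l in config.splitlines() if l.strip() not in ("", "!")):
        if line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        else:
            blocks[(cur := line.strip())] = []
    return blocks

def class_protocols(blocks, cls):  # protocols a class-map matches, resolving ACL references
    protos = set()
    for h, kids in blocks.items():
        if h.startswith("class-map type inspect") and h.endswith(" " + cls):
            for w in (m.split() for m in kids):
                if w[1] == "protocol":  # match protocol X
                    protos.add(w[2])
                elif w[2] == "name":  # named ACL: its entries are children of the ip access-list block
                    protos |= {r.split()[1] for r in blocks.get("ip access-list extended " + w[3], []) if r.startswith("permit ")}
                else:  # numbered ACL: each entry is its own top-level access-list line
                    protos |= {r.split()[3] for r in blocks if r.startswith(f"access-list {w[2]} permit ")}
    return protos

def esp_action(blocks, policy):  # first (class, action) in policy-map order whose match covers ESP
    cls = None
    for line in blocks.get(f"policy-map type inspect {policy}", []):
        if line.startswith("class "):
            cls = line.split()[-1]
        elif cls and (cls == "class-default" or class_protocols(blocks, cls) & {"esp", "ip"}):
            return cls, line.split()[0]
    return None, "drop"  # nothing matched: ZFW drops inter-zone traffic by default

def audit_esp(config):  # per zone-pair: (class, action) deciding ESP, and is a stateless 'pass' one-way?
    blocks = parse_ios(config)
    pairs = {(h.split()[4], h.split()[6]): k[0].split()[-1]
             for h, k in blocks.items() if h.startswith("zone-pair security ")}
    report = {}
    for (src, dst), policy in pairs.items():
        cls, action = esp_action(blocks, policy)
        # 'pass' keeps no state, so the return direction needs its own pass; "" means no reverse zone-pair
        one_way = action == "pass" and esp_action(blocks, pairs.get((dst, src), ""))[1] != "pass"
        report[f"{src}->{dst}"] = (cls, action, one_way)
    return report
```

On the constructed config the report shows Inside->Outside ESP caught by the broad ip_any class and inspected, never reaching the pass class, while Outside->Inside passes ESP with no pass on the way back.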
