Allow ESP traffic thru Cisco IOS zone based firewall

pac1085

Diamond Member
Jun 27, 2000
I've got a 3825 setup on my home network and everything is working except for my company provided Avaya VPN phone. Previously I had used the old style CBAC firewall and it worked fine - once I put a rule in to allow inbound ESP traffic. I can't figure out how to do that with the ZBFW. Can anyone help? My current config is below. The VPN phone is located on VLAN 14, in the "Trusted" security zone. Thanks!

Using 4591 out of 491512 bytes
!
! Last configuration change at 03:18:34 UTC Wed Sep 24 2014
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname phil-r1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.15.1 192.168.15.100
ip dhcp excluded-address 192.168.16.1 192.168.16.100
ip dhcp excluded-address 192.168.14.1 192.168.14.100
!
ip dhcp pool lwapp-pool
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
option 43 hex f104.c0a8.6318
!
ip dhcp pool vlan-15
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool vlan-16
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool vlan-14
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip cef
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
!
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect Trusted
class class-default
pass
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted source Trusted destination Trusted
service-policy type inspect Trusted
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type sfp
negotiation auto
!
interface GigabitEthernet0/1
description Outside - TWC Roadrunner
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security Internet
duplex auto
speed auto
media-type rj45
!
interface Integrated-Service-Engine1/0
description Internally connected to NME-AIR-WLC8-K9
ip address 192.168.99.254 255.255.255.0
no keepalive
!
interface Integrated-Service-Engine1/0.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Trusted
!
interface Integrated-Service-Engine1/0.16
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Guest
!
interface GigabitEthernet2/0
description Internally connected to NME-16ES-1G-P
ip address 20.0.0.1 255.255.255.0
load-interval 30
!
interface GigabitEthernet2/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Trusted
!
interface GigabitEthernet2/0.100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list standard NAT
permit 192.168.14.0 0.0.0.255
permit 192.168.15.0 0.0.0.255
permit 192.168.16.0 0.0.0.255
!
!
!
!
!
!
!
!
!
control-plane
!
bridge 15 protocol ieee
bridge 16 protocol ieee
!
!
line con 0
password 7
line aux 0
exec-timeout 0 1
no exec
transport output none
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class 99 in
privilege level 2
transport input ssh
transport output all
line vty 5 924
access-class 99 in
privilege level 2
transport input ssh
transport output all
!
scheduler allocate 20000 1000
 

user1193526

Junior Member
Sep 21, 2014
Don't know, but maybe this may help if you did not already know.

service-names-port-numbers from www.iana.org
Code:
Service Name   Port   Protocol   Description                    Assignee / Contact
ah-esp-encap   2070   tcp        AH and ESP Encapsulated in     [Amy_Weaver]
ah-esp-encap   2070   udp        AH and ESP Encapsulated in     [Amy_Weaver]
esp-encap      2797   tcp        esp-encap                      [Jorn_Sierwald]
esp-encap      2797   udp        esp-encap                      [Jorn_Sierwald]
esps-portal    2867   tcp        esps-portal                    [Nicholas_Stowfis]
esps-portal    2867   udp        esps-portal                    [Nicholas_Stowfis]
esp-lm         3383   tcp        Enterprise Software Products   [George_Rudy]
esp-lm         3383   udp        Enterprise Software Products   [George_Rudy]
esp            -      tcp        Extensis Server Protocol       [Loren_Barr]   (2006-12; Defined TXT keys: none)
 

lif_andi

Member
Apr 15, 2013
You'd have to create an access-list and apply it to the interface you are expecting the ESP packets from. You would allow the ESP protocol access; it is not done through IP port numbers.

Example:
ip access-list extended outside-in
permit esp any any
 

pac1085

Diamond Member
Jun 27, 2000
Hmm, OK. That is how I had it working with CBAC. I thought I had to do it differently with the zone-based method. I had tried the following, which didn't work. Maybe I am overthinking it? I will try tonight.


ip access-list extended VPNPHONE
permit esp <source ip> any

class type inspect Internet_to_Trusted
match access-group name VPNPHONE
class class-default
drop

zone-pair security Internet->Trusted source Internet destination Trusted
service-policy type inspect Internet_to_Trusted
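A corrected version of the attempt above, added here as an example and not the thread's own config: ESP is IP protocol 50 with no port numbers, so the zone-based firewall can only "pass" it (never "inspect" it), and because "pass" is stateless each direction needs its own class, including the outbound Trusted_to_Internet policy from the first post, whose All_Protocols class matches only tcp/udp/icmp and so sends the phone's own ESP to class-default drop. Assumptions: the phone is 192.168.14.50 and the Avaya VPN concentrator is 203.0.113.10 (constructed placeholders), the ACL and class-map names are invented, and NAT already carries ESP, as the thread reports it does with the firewall removed.

```cisco
! Added example, not the thread's config. Placeholders: phone 192.168.14.50,
! VPN concentrator 203.0.113.10. ACL/class-map names are invented.
!
! Raw ESP (protocol 50) cannot be inspected, only passed. If the phone used
! NAT-T (UDP 4500) the existing "match protocol udp" inspect would already
! cover it; the CBAC experience in the thread shows raw ESP is in use.
ip access-list extended ESP_FROM_PHONE
 permit esp host 192.168.14.50 host 203.0.113.10
!
ip access-list extended ESP_TO_PHONE
 permit esp host 203.0.113.10 any
!
class-map type inspect match-all ESP_OUT
 match access-group name ESP_FROM_PHONE
class-map type inspect match-all ESP_IN
 match access-group name ESP_TO_PHONE
!
! Outbound: add a pass class to the existing policy. IOS appends it after
! All_Protocols and ahead of class-default; ESP never matched All_Protocols
! anyway, so order is not a concern.
policy-map type inspect Trusted_to_Internet
 class type inspect ESP_OUT
  pass
!
! Inbound: new policy that passes only ESP sourced from the concentrator.
! The destination is left as "any" so the match holds regardless of where in
! the packet path NAT rewrites it; the source restriction limits exposure.
! "drop log" records anything else hitting this zone-pair.
policy-map type inspect Internet_to_Trusted
 class type inspect ESP_IN
  pass
 class class-default
  drop log
!
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
```

IKE (UDP 500) from the phone is still handled by the existing udp inspect and needs no inbound rule; only the ESP return traffic does.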
 

lif_andi

Member
Apr 15, 2013
Actually I think you are right, and that I am the one that is confused.

Have you looked at the NAT configuration? As in, is the phone supposed to receive the ESP packet, or the router?

If it's the phone, you'd have to create a static NAT translation from your public IP to the phone for the ESP protocol. As far as I can see, you have only created outbound NAT rules and there is no crypto configuration on the router to accept ESP packets.

Allowing ESP through the firewall with no internal destination will just "drop" the packet.

Try creating a static NAT translation for the phone and applying the

class type inspect Internet_to_Trusted
match access-group name VPNPHONE

as before.
 

pac1085

Diamond Member
Jun 27, 2000
The phone is supposed to receive the ESP packet, not the router. I think the NAT configuration is correct, because when I remove the zone firewall statements, the phone starts working again.
 

lif_andi

Member
Apr 15, 2013
In that case, does the phone know how to "phone home"?

In other words, is your phone initiating the connection, or the remote office? Because if it's your phone, you would have to look from the inside out.

Have you tried adding an inspection rule for ESP from the inside out?
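As an added check that is not part of the thread: the exec-mode commands to confirm that ESP is really being passed once the phone registers. ZBFW cannot inspect ESP because it has no ports, so the outbound direction has to be a "pass" class too, and a passed flow never appears in the sessions table. Assumptions: hypothetical class names ESP_OUT (in Trusted_to_Internet) and ESP_IN (in an Internet_to_Trusted policy on a zone-pair Internet->Trusted), the phone at 192.168.14.50 and the concentrator at 203.0.113.10 (placeholders), and "drop log" on class-default; the syslog line is constructed.

```cisco
! Added example, not from the thread. Assumes pass classes ESP_OUT / ESP_IN
! (hypothetical names), phone 192.168.14.50, concentrator 203.0.113.10.
!
! 1. Both zone-pairs must exist and each must carry a service-policy.
show zone-pair security
!
! 2. The phone's IKE / NAT-T control traffic (UDP 500 / 4500) should show as
!    an inspected udp session. A passed ESP flow never appears here, because
!    "pass" creates no session state.
show policy-map type inspect zone-pair Trusted->Internet sessions
!
! 3. Per-class counters: the "Pass" counters under ESP_OUT and ESP_IN should
!    climb while the phone registers. If only class-default climbs, the ACL
!    does not match the addresses the firewall actually sees on that path.
show policy-map type inspect zone-pair Trusted->Internet
show policy-map type inspect zone-pair Internet->Trusted
!
! 4. With "drop log" on class-default, a miss is logged (constructed sample):
!    %FW-6-DROP_PKT: Dropping esp session 203.0.113.10:0 192.168.14.50:0 on
!    zone-pair Internet->Trusted class class-default ...
show logging | include FW-6-DROP
!
! 5. Confirm NAT still holds translations for the phone's control traffic.
show ip nat translations | include 192.168.14.50
```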
 