[Config] Cisco ZBF with VTI Tunnel
Hello all,
I'm struggling with changing over from the old CBAC to ZBF.
I have a working setup with a LAN and WAN zone, which I think is working OK. The WAN zone is tied to the Dialer and the LAN zone is tied to the internal interfaces. Everything regarding that portion seems to be working OK, granted I haven't done detailed rule testing.
Where I'm having the largest issues is with my VTI Tunnel interfaces. My Tunnels at this point are not part of a zone. I have tried them as part of the LAN zone, as well as part of the WAN zone. Nothing seems to work. Without them being part of any zone, currently they are up/up and my EIGRP is working across them; however, I am only able to ping the local interfaces of the router (including the LAN IPs) but nothing behind it.
Should the esp/ahp/gre permits be on the WAN to LAN? Or WAN to SELF? Or WAN to ...? Should the Tunnel interface be part of WAN? LAN? Or a separate zone altogether? In my case the Tunnels are all trusted remotes, so I'm not particularly concerned about locking them down.
Does anyone have a sample config using what I would call a standard setup, i.e. LAN, WAN, and a Tunnel interface?
I'm open to comments/suggestions. I've been searching online and once you start talking VTIs the examples seem to fade.
Thanks,
Dave
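The three-zone layout the post asks about, as a constructed example added here (it is not Dave's config and not taken from the Cisco doc linked below). It assumes one remote endpoint, PEER_A (a placeholder; repeat those lines per peer), an IPsec-protected Tunnel0/Tunnel1/Tunnel10 already up, and that LAN and WAN zones exist on Vlan1/FastEthernet0/1 and Dialer0 as in the original setup.

```cisco
! Added example, not the poster's config. PEER_A is a placeholder for
! one remote tunnel endpoint; repeat the PEER_A lines per peer.
zone security LAN
zone security WAN
zone security VPN
!
! Cleartext traffic inside the tunnels is VPN<->LAN transit. Trusted
! remotes, so stateful inspect without port filtering in both directions.
class-map type inspect match-any VPN-TRANSIT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect VPN-TRANSIT-POLICY
 class type inspect VPN-TRANSIT-CLASS
  inspect
 class class-default
  drop log
zone-pair security LAN-TO-VPN source LAN destination VPN
 service-policy type inspect VPN-TRANSIT-POLICY
zone-pair security VPN-TO-LAN source VPN destination LAN
 service-policy type inspect VPN-TRANSIT-POLICY
!
! The encrypted/encapsulated packets from the peers are addressed to
! the router's own Dialer0 address, so they are WAN->self traffic, not
! WAN->LAN. ZBF permits self traffic by default; this pair is only
! needed once any WAN/self zone-pair exists. No self->WAN pair is
! defined here, so the router's outbound tunnel packets stay allowed.
ip access-list extended WAN-TO-SELF-ACL
 permit udp host PEER_A any eq isakmp
 permit udp host PEER_A any eq non500-isakmp
 permit esp host PEER_A any
 permit ahp host PEER_A any
 permit gre host PEER_A any
class-map type inspect match-all WAN-TO-SELF-CLASS
 match access-group name WAN-TO-SELF-ACL
policy-map type inspect WAN-TO-SELF-POLICY
 class type inspect WAN-TO-SELF-CLASS
  pass
 class class-default
  drop log
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect WAN-TO-SELF-POLICY
!
! Tunnel interfaces only ever carry the decapsulated traffic, so they
! join the VPN zone. EIGRP hellos across them are VPN<->self traffic
! and are permitted by default without any further zone-pair.
interface Tunnel0
 zone-member security VPN
interface Tunnel1
 zone-member security VPN
interface Tunnel10
 zone-member security VPN
```

Once the WAN-TO-SELF pair exists, anything else the WAN sends to the router itself (management sessions, for instance) must also be matched in that policy, because class-default drops it.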
First off, a copy of your current config would be helpful.
Secondly, are the VTIs supposed to be for remote access VPN, or site to site?
Thirdly, and this is where your config would be of help, is there any NAT'ing going on with the tunnels?
I just got off doing a VTI tunnel config; probably the most detailed guide I've seen for xVTI would be this doc from Cisco.
Regards
Thanks Hellfire...
Here's a copy of my sanitized config. I should note that I've been trying things left and right, so the config may not be 100%, call it "smart" lol. I've been trying to change things around to see if one thing or another would work. I'm certainly open to suggestions and comments..
To give a high level overview.. I have a primary site with 2 links/2 routers, and a backup site. This router is a satellite site that connects to both, thus 3 tunnels. Each site uses private IPs. My primary site uses 10 address space where my sat sites use 192.168.x.x. The only natting that goes on is between the site and the internet (site surfing etc). The Site-to-Site VTIs are open and talk private across them with no natting.
I'll take a look at the provided link. Thanks!
ip source-route
!
!
ip cef
ip domain name domain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto map DSL_VPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set set1
 match address x
crypto map DSL_VPN 11 ipsec-isakmp
 set peer y.y.y.y
 set transform-set set1
 match address y
crypto map DSL_VPN 12 ipsec-isakmp
 set peer z.z.z.z
 set transform-set set2
 match address z
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 4
!
class-map type inspect match-all WAN-TO-SELF-CLASS
 match access-group name WAN-TO-SELF-ACL
class-map type inspect match-all LAN-TO-WAN-CLASS
 match access-group name LAN-TO-WAN-ACL
!
!
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect WAN-TO-LAN-POLICY
 class type inspect WAN-TO-LAN-CLASS
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security WAN-TO-LAN source WAN destination LAN
 service-policy type inspect WAN-TO-LAN-POLICY
!
!
interface Tunnel0
 description Tunnel Link to DSL Main Site
 bandwidth 800
 bandwidth receive 5000
 ip address 172.31.1.6 255.255.255.252
 shutdown
 keepalive 5 4
 tunnel source Dialer0ip
 tunnel destination x.x.x.x
!
interface Tunnel1
 description Tunnel Link to DSL Backup Site
 ip address 172.31.1.10 255.255.255.252
 keepalive 5 4
 tunnel source Dialer0ip
 tunnel destination y.y.y.y
!
interface Tunnel10
 description Tunnel Link to DSL Main Site Link2
 bandwidth 800
 bandwidth receive 6000
 ip address 172.30.1.6 255.255.255.252
 keepalive 5 4
 tunnel source Dialer0ip
 tunnel destination z.z.z.z
!
interface FastEthernet0/0
 description SPARE PORT FOR DSL MODEM
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface for VOIP
 ip address 192.168.9.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface ATM0/0/0
 no ip address
 atm restart timer 300
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 description DSL Link
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface Vlan1
 description Lan Interface
 ip address 192.168.9.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 zone-member security LAN
 ip tcp adjust-mss 1448
!
interface Dialer0
 description PPPOE Dialer
 ip address negotiated
 ip mtu 1488
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username
 crypto map DSL_VPN
!
router eigrp 100
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface Tunnel1
 no passive-interface Tunnel10
 network 10.10.10.0 0.0.0.255
 network 10.10.11.0 0.0.0.255
 network 172.30.1.4 0.0.0.3
 network 172.31.1.4 0.0.0.3
 network 172.31.1.8 0.0.0.3
 network 192.168.9.0
 no auto-summary
 eigrp stub connected
 neighbor 172.31.1.5 Tunnel0
 neighbor 172.31.1.9 Tunnel1
 neighbor 172.30.1.5 Tunnel10
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.9.1 22 dialer0ip 22 route-map nonat extendable
ip nat inside source static tcp 192.168.9.1 23 dialer0ip 23 route-map nonat extendable
ip nat inside source static tcp 192.168.9.2 3389 dialer0ip 3389 route-map nonat extendable
ip nat inside source static tcp 192.168.9.2 5900 dialer0ip 5900 route-map nonat extendable
!
ip access-list extended x
 permit gre host Dialer0ip host x.x.x.x
ip access-list extended y
 permit gre host Dialer0ip host y.y.y.y
ip access-list extended z
 permit gre host Dialer0ip host z.z.z.z
ip access-list extended LAN-TO-WAN-ACL
 permit eigrp any any
 permit ip any any
 permit esp any any
 permit gre any any
 permit tcp any any
 permit icmp any any
ip access-list extended TRAFFIC-NO-NAT
 remark Nat Access List
 deny ip 192.168.9.0 0.0.0.127 10.0.0.0 0.255.255.255
 deny ip 192.168.9.128 0.0.0.127 10.0.0.0 0.255.255.255
 deny ip 192.168.9.0 0.0.0.127 192.168.0.0 0.0.0.255
 deny ip 192.168.9.128 0.0.0.127 192.168.0.0 0.0.0.255
 deny ip 192.168.9.0 0.0.0.127 192.168.100.0 0.0.0.255
 deny ip 192.168.9.128 0.0.0.127 192.168.100.0 0.0.0.255
 permit ip any any
ip access-list extended WAN-TO-LAN-ACL
 permit ip host x.x.x.x 192.168.9.0 0.0.0.255      -added for testing.
 permit ip host y.y.y.y 192.168.9.0 0.0.0.255      -added for testing.
 permit ip host z.z.z.z 192.168.9.0 0.0.0.255      -added for testing.
 permit tcp host w.w.w.w host 192.168.9.2 eq 3389
 permit tcp host w.w.w.w host 192.168.9.2 eq 5900
 permit tcp host y.y.y.y host 192.168.9.2 eq 3389
 permit tcp host y.y.y.y host 192.168.9.2 eq 5900
 permit esp host x.x.x.x host Dialer0
 permit ahp host x.x.x.x host Dialer0
 permit gre host x.x.x.x host Dialer0
 permit esp host y.y.y.y host Dialer0
 permit ahp host y.y.y.y host Dialer0
 permit gre host y.y.y.y host Dialer0
 permit esp host z.z.z.z host Dialer0
 permit ahp host z.z.z.z host Dialer0
 permit gre host z.z.z.z host Dialer0
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address TRAFFIC-NO-NAT
!
reply to Dave Lewis
Should also add a diagram would be helpful as well to visualize your setup -- what may be obvious to you sometimes isn't obvious to others...
Will need some time to review your config as well... you already said that with CBAC this worked without issue; it was when you moved to ZBFW that it broke, right?
Regards
Correct, when it was under CBAC I didn't have any issues. It is worth mentioning though that at that time I also was not including the tunnels in any form of CBAC. The CBAC was only between the Internet and internal. Which is fine, and I'm OK with that; I don't need any firewall protection on the Tunnels (at this point anyway).
Tks!
Dave
REALLY dumb question... but are you able to attach that VSD as a JPG file as well?
Regards
Sigh.. not a dumb question at all.. That was supposed to be a PDF, not the VSD.. whoops.. Been one of those weeks..
reply to Dave Lewis
Oh YUCK! Multipoint VPN...
For starters, what's the IOS loaded on the devices, and do they support VPNs?
Secondly, I'd recommend reading this link for a primer on VTI configuration -- it's pretty heady stuff, but so far it's also the most full featured guide I've found so far about VTI config and operation.
I also came across this link that's doing multiple xVTI configs for remote and site to site. Don't know how well you can read into the configs themselves, but if you can, HOW they are doing the site to site xVTIs may give you some ideas.
Thirdly, the fact that your config has "crypto map" in it tells me you're not doing VTI. Is this an old config somehow?
Fourth, and this is just to simplify things -- I hope you can lab this up for testing / troubleshooting, cuz if this is on a PROD setup that you have to do the messing around with, I can tell you just by looking it's not a case of "change this and it'll work." This is going to stay broken for a while, and have to be worked on in pieces to figure out.
My 00000010bits.
Regards