Hi all!
Diagram attached. The tunnel is between a cisco (25.25.25.1) and a juniper (26.26.26.1); the problem is as follows. I am configuring ZBF, and as soon as I add a policy-map for the self zone, traffic in the tunnel stops flowing.
Config with which tunnel traffic flows:
Code:
class-map type inspect match-any CMAP-1
 match protocol tcp
 match protocol icmp
 match protocol udp
 match access-group name permit_all
class-map type inspect match-any CMAP-self
 match access-group name permit_all
!
! NOTE: the "policy-map" keyword and the class body of PMAP-1 are missing
! from the post as pasted; the class/inspect lines are assumed, since the
! zone-pair below references PMAP-1 and nothing else references CMAP-1.
policy-map type inspect PMAP-1
 class type inspect CMAP-1
  inspect
!
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect PMAP-1
!
! Caveat: 3DES, DH group 2 and a trivial pre-shared key are weak;
! use AES and DH group 14 or higher with a strong PSK (or certificates).
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key qwerty address 26.26.26.1
crypto isakmp key qwerty address 27.27.27.1
!
crypto ipsec transform-set Tset1 esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec_profile_1
 set transform-set Tset1
!
! Tunnel1 (to the juniper) is a member of the inside zone.
interface Tunnel1
 ip address 172.16.255.1 255.255.255.255
 ip mtu 1400
 zone-member security inside
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 26.26.26.1
 tunnel protection ipsec profile ipsec_profile_1
!
! Tunnel2 has no zone-member statement: ZBF drops traffic between a zone
! member and an interface that belongs to no zone.
interface Tunnel2
 ip address 172.16.255.2 255.255.255.255
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 27.27.27.1
 tunnel protection ipsec profile ipsec_profile_1
!
interface Ethernet0/0
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
!
interface Ethernet0/1
 ip address 25.25.25.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
!
interface Ethernet0/2
 no ip address
 shutdown
!
interface Ethernet0/3
 no ip address
 shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
! NAME_OF_POOL is not referenced by any NAT rule; PAT is done on the
! interface below.
ip nat pool NAME_OF_POOL 25.25.25.1 25.25.25.1 netmask 255.255.255.0
ip nat inside source list NO-NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 25.25.25.2
ip route 10.20.0.0 255.255.255.0 Tunnel1
ip route 192.168.100.0 255.255.255.0 Tunnel2
!
ip access-list standard permit_all
 permit any
!
! Exclude site-to-site traffic from PAT so it enters the tunnels unmodified.
ip access-list extended NO-NAT
 deny   ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.0.255 host 10.255.0.3
 permit ip 10.10.0.0 0.0.0.255 any
! to_self is defined but not referenced anywhere in the posted config;
! its final "permit ip any any" makes the two host entries redundant.
ip access-list extended to_self
 permit ip host 26.26.26.1 any
 permit ip host 27.27.27.1 any
 permit ip any any
!
If I add
Code:
policy-map type inspect PMAP-outside-self
 class type inspect CMAP-self
  inspect
policy-map type inspect PMAP-self-outside
 class type inspect CMAP-self
  inspect
zone-pair security outside-to-SELF source outside destination self
 service-policy type inspect PMAP-outside-self
zone-pair security SELF-to-outside source self destination outside
 service-policy type inspect PMAP-self-outside
then traffic in the tunnel does not flow. I put the tunnel in the inside zone to keep things simple. If I create a separate zone with the tunnel in it, nothing changes.
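Added example, not part of the original post: a self-zone policy that keeps the VTI tunnels up. With `tunnel protection`, the ISAKMP (UDP/500, UDP/4500) and ESP packets are originated and terminated by the router itself, so they cross the self/outside zone pairs; ESP is not a TCP/UDP/ICMP session that ZBF can track, and `inspect` on a permit-any class drops it. The standard fix is to `pass` the IKE/ESP traffic between the tunnel endpoints in both directions (`pass` is stateless, so one direction is not enough) and reserve `inspect` for the protocols ZBF can actually track. Zone and peer addresses are the poster's; the ACL, class-map names and the ICMP management class are my own assumptions and can be adjusted.

```cisco
! Added example (not from the original post). Assumes the poster's zones
! "outside"/"self" and peers 25.25.25.1 (this router), 26.26.26.1, 27.27.27.1.
!
! Only IKE and ESP between this router and its two tunnel peers.
ip access-list extended IPSEC-PEERS
 remark IKE/NAT-T (UDP 500/4500) and ESP, both directions, per peer
 permit udp host 25.25.25.1 host 26.26.26.1 eq isakmp
 permit udp host 26.26.26.1 host 25.25.25.1 eq isakmp
 permit udp host 25.25.25.1 host 26.26.26.1 eq non500-isakmp
 permit udp host 26.26.26.1 host 25.25.25.1 eq non500-isakmp
 permit esp host 25.25.25.1 host 26.26.26.1
 permit esp host 26.26.26.1 host 25.25.25.1
 permit udp host 25.25.25.1 host 27.27.27.1 eq isakmp
 permit udp host 27.27.27.1 host 25.25.25.1 eq isakmp
 permit udp host 25.25.25.1 host 27.27.27.1 eq non500-isakmp
 permit udp host 27.27.27.1 host 25.25.25.1 eq non500-isakmp
 permit esp host 25.25.25.1 host 27.27.27.1
 permit esp host 27.27.27.1 host 25.25.25.1
!
class-map type inspect match-all CMAP-ipsec
 match access-group name IPSEC-PEERS
!
! Router-originated/terminated ICMP can be tracked statefully (assumed
! management class; add ssh etc. here, restricted by ACL, if needed).
class-map type inspect match-any CMAP-self-mgmt
 match protocol icmp
!
policy-map type inspect PMAP-outside-self
 class type inspect CMAP-ipsec
  pass
 class type inspect CMAP-self-mgmt
  inspect
 class class-default
  drop log
!
policy-map type inspect PMAP-self-outside
 class type inspect CMAP-ipsec
  pass
 class type inspect CMAP-self-mgmt
  inspect
 class class-default
  drop log
!
zone-pair security outside-to-SELF source outside destination self
 service-policy type inspect PMAP-outside-self
zone-pair security SELF-to-outside source self destination outside
 service-policy type inspect PMAP-self-outside
```

After applying it, `show policy-map type inspect zone-pair` should show packets hitting the `pass` class on both self zone-pairs while IKE renegotiates, and `show crypto ipsec sa` should show encaps/decaps counters increasing. The explicit `drop log` default makes anything else that the router sends or receives visible in the log rather than silently disappearing, which is also how you would have seen the ESP drops with the original permit-any `inspect` policy.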