How to configure Cisco IOS MPLS with a Firewall


This post summarizes how to implement ZFW (Zone-Based Firewall) on a PE router. To implement ZFW on a PE router you have to add an extra VRF and forcibly create an interface for the firewall to sit on. It is a study of the very hard problem in IEWB v5 vol2 Lab4.

Verification

Topology diagram

Verification is done on the topology of Internet Expert Workbook Volume II Lab04. The relevant part of the topology is shown below.

 +--------+     VPN_A+--------+          +--------+VPN_A     +--------+
 |   CE   |    s0/0/0|   PE   | tu0  tu0 |   PE   | f0/1     |   CE   |
 |  BB1   +----------+   R6   +----------+   R4   +----------+  BB3   |
 |        |        .6|        | .6    .4 |        | .4       |        |
 +--------+          +--------+          +--------+          +--------+
          54.7.1.6/24        141.7.46.0/24       204.12.7.0/24
                     Loopback100         Loopback100
                   150.7.66.66/24      150.7.44.44/24

The initial configuration is as follows.

 [R4]
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 150.7.4.4 255.255.255.0
!
interface Loopback100
 ip address 150.7.44.44 255.255.255.0
!
interface Tunnel0
 ip address 141.7.46.4 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.6.6
!
interface FastEthernet0/0
 ip address 141.7.145.4 255.255.255.0
!
interface FastEthernet0/1
 ip vrf forwarding VPN_A
 ip address 204.12.7.4 255.255.255.0
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 400 metric transparent
  network 204.12.7.0
  no auto-summary
 exit-address-family
!
router bgp 400
 bgp log-neighbor-changes
 neighbor 150.7.5.5 remote-as 300
 neighbor 150.7.5.5 ebgp-multihop 255
 neighbor 150.7.5.5 update-source Loopback0
 neighbor 150.7.66.66 remote-as 100
 neighbor 150.7.66.66 ebgp-multihop 255
 neighbor 150.7.66.66 update-source Loopback100
 !
 address-family ipv4
  neighbor 150.7.5.5 activate
  no neighbor 150.7.66.66 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.66.66 activate
  neighbor 150.7.66.66 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute rip
  neighbor 204.12.7.254 remote-as 54
  neighbor 204.12.7.254 local-as 100 no-prepend replace-as
  neighbor 204.12.7.254 activate
  no synchronization
 exit-address-family
!
mpls ldp router-id Loopback100 force

 [R6]
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
interface Loopback0
 ip address 150.7.6.6 255.255.255.0
!
interface Loopback100
 ip address 150.7.66.66 255.255.255.0
!
interface Tunnel0
 ip address 141.7.46.6 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.4.4
!
interface FastEthernet0/0
 ip address 141.7.36.6 255.255.255.0
!
interface Serial0/0/0
 ip vrf forwarding VPN_A
 ip address 54.7.1.6 255.255.255.0
 encapsulation frame-relay
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 network 141.7.0.0
 network 150.7.0.0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 100 metric transparent
  offset-list 41 in 9
  network 54.0.0.0
  no auto-summary
 exit-address-family
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 141.7.123.2 remote-as 200
 neighbor 141.7.123.2 ebgp-multihop 255
 neighbor 150.7.44.44 remote-as 400
 neighbor 150.7.44.44 ebgp-multihop 255
 neighbor 150.7.44.44 update-source Loopback100
 !
 address-family ipv4
  neighbor 141.7.123.2 activate
  neighbor 150.7.44.44 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.44.44 activate
  neighbor 150.7.44.44 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute rip
  neighbor 54.7.1.254 remote-as 54
  neighbor 54.7.1.254 activate
  neighbor 54.7.1.254 as-override
  no synchronization
 exit-address-family
!
mpls ldp router-id Loopback100 force

For the complete configurations, refer to the files below.

R4 initial configuration
!
! Last configuration change at 19:17:29 UTC Wed Sep 12 2012
! NVRAM config last updated at 19:54:38 UTC Wed Sep 12 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack7R4
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username Rack7R5 password 0 CISCO
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.7.4.4 255.255.255.0
!
interface Loopback100
 ip address 150.7.44.44 255.255.255.0
!
interface Tunnel0
 ip address 141.7.46.4 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.6.6
!
interface FastEthernet0/0
 ip address 141.7.145.4 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding VPN_A
 ip address 204.12.7.4 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 141.7.54.4 255.255.255.0
 ip pim sparse-mode
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 141.7.54.5 405 broadcast
 no frame-relay inverse-arp
!
interface Serial0/1/0
 ip address 141.7.45.4 255.255.255.0
 encapsulation ppp
 clock rate 64000
 ppp authentication pap
!
router ospf 1
 log-adjacency-changes
 network 141.7.45.4 0.0.0.0 area 2
 network 141.7.54.4 0.0.0.0 area 2
 network 141.7.145.4 0.0.0.0 area 2
 network 150.7.4.4 0.0.0.0 area 2
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 400 metric transparent
  network 204.12.7.0
  no auto-summary
 exit-address-family
!
router bgp 400
 bgp log-neighbor-changes
 neighbor 150.7.5.5 remote-as 300
 neighbor 150.7.5.5 ebgp-multihop 255
 neighbor 150.7.5.5 update-source Loopback0
 neighbor 150.7.66.66 remote-as 100
 neighbor 150.7.66.66 ebgp-multihop 255
 neighbor 150.7.66.66 update-source Loopback100
 !
 address-family ipv4
  neighbor 150.7.5.5 activate
  no neighbor 150.7.66.66 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.66.66 activate
  neighbor 150.7.66.66 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute rip
  neighbor 204.12.7.254 remote-as 54
  neighbor 204.12.7.254 local-as 100 no-prepend replace-as
  neighbor 204.12.7.254 activate
  no synchronization
 exit-address-family
!
ip forward-protocol nd
ip route 150.7.66.0 255.255.255.0 141.7.46.6
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
mpls ldp router-id Loopback100 force
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end
R6 initial configuration
!
! Last configuration change at 19:56:06 UTC Wed Sep 12 2012
! NVRAM config last updated at 19:56:08 UTC Wed Sep 12 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack7R6
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.7.6.6 255.255.255.0
!
interface Loopback100
 ip address 150.7.66.66 255.255.255.0
!
interface Tunnel0
 ip address 141.7.46.6 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.4.4
!
interface FastEthernet0/0
 ip address 141.7.36.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 141.7.6.6 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip vrf forwarding VPN_A
 ip address 54.7.1.6 255.255.255.0
 encapsulation frame-relay
 frame-relay map ip 54.7.1.254 101 broadcast
 no frame-relay inverse-arp
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 network 141.7.0.0
 network 150.7.0.0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 100 metric transparent
  offset-list 41 in 9
  network 54.0.0.0
  no auto-summary
 exit-address-family
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 141.7.123.2 remote-as 200
 neighbor 141.7.123.2 ebgp-multihop 255
 neighbor 150.7.44.44 remote-as 400
 neighbor 150.7.44.44 ebgp-multihop 255
 neighbor 150.7.44.44 update-source Loopback100
 !
 address-family ipv4
  neighbor 141.7.123.2 activate
  neighbor 150.7.44.44 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.44.44 activate
  neighbor 150.7.44.44 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute rip
  neighbor 54.7.1.254 remote-as 54
  neighbor 54.7.1.254 activate
  neighbor 54.7.1.254 as-override
  no synchronization
 exit-address-family
!
ip forward-protocol nd
ip route 150.7.44.0 255.255.255.0 141.7.46.4
no ip http server
no ip http secure-server
!
!
!
access-list 41 permit 0.0.0.0 255.255.254.255
!
!
!
!
!
mpls ldp router-id Loopback100 force
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end

Creating the HAIRPIN interface

In this topology, packets between the CEs travel across the MPLS network. Because they are MPLS-encapsulated, defining Tunnel0 as the firewall's inside interface does not let the firewall see the packet contents, so it does not work as a firewall.

So we define a VRF that acts as a HAIRPIN, as shown below, and forcibly create an inside interface.

              OUTSIDE                         INSIDE
 +--------+    FW_HAIRPIN+------------+FW_HAIRPIN     VPN_A+--------+          +--------+VPN_A     +--------+
 |   CE   |        s0/0/0|     PE     | tu201        tu202 |   PE   | tu0  tu0 |   PE   | f0/1     |   CE   |
 |  BB1   +--------------+     R6     +--------------------+   R6   +----------+   R4   +----------+  BB3   |
 |        |            .6| FW_HAIRPIN | .1              .2 |  VPN_A | .6    .4 |        | .4       |        |
 +--------+              +------------+                    +--------+          +--------+          +--------+
            54.7.1.6/24                  200.200.200.0/24          141.7.46.0/24       204.12.7.0/24
                                                           Loopback100         Loopback100
                                                         150.7.66.66/24      150.7.44.44/24

An example configuration follows.

 [R6]
ip vrf FW_HAIRPIN
!
interface Loopback201
 ip address 6.6.6.6 255.255.255.255
!
interface Loopback202
 ip address 66.66.66.66 255.255.255.255
!
interface Tunnel201
 ip vrf forwarding FW_HAIRPIN
 ip address 200.200.200.1 255.255.255.0
 tunnel source Loopback201
 tunnel destination 66.66.66.66
!
interface Tunnel202
 ip vrf forwarding VPN_A
 ip address 200.200.200.2 255.255.255.0
 tunnel source Loopback202
 tunnel destination 6.6.6.6
!
interface Serial0/0/0
 no ip vrf forwarding VPN_A
 ip vrf forwarding FW_HAIRPIN
 ip address 54.7.1.6 255.255.255.0

To be safe, verify connectivity across the hairpin tunnels.

 [R6]
Rack7R6#ping vrf FW_HAIRPIN 200.200.200.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Rack7R6#
Rack7R6#
Rack7R6#ping vrf VPN_A 200.200.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Rack7R6#

Routing fixes

Creating the HAIRPIN broke the routing configuration, so routing has to be adjusted to match the HAIRPIN. The RIP configuration changes are as follows.

 [R6]
no router rip
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel201
 no passive-interface Tunnel202
 network 141.7.0.0
 network 150.7.0.0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 100 metric transparent
  offset-list 41 in 9
  network 200.200.200.0
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf FW_HAIRPIN
  network 54.0.0.0
  network 200.200.200.0
  no auto-summary
 exit-address-family

Check the RIP routes.

 [R6]
Rack7R6#show ip route vrf VPN_A rip
     54.0.0.0/24 is subnetted, 1 subnets
R       54.7.1.0 [120/1] via 200.200.200.1, 00:00:12, Tunnel202
R    212.18.1.0/24 [120/2] via 200.200.200.1, 00:00:12, Tunnel202
R    212.18.0.0/24 [120/11] via 200.200.200.1, 00:00:12, Tunnel202
R    212.18.3.0/24 [120/2] via 200.200.200.1, 00:00:12, Tunnel202
R    212.18.2.0/24 [120/11] via 200.200.200.1, 00:00:12, Tunnel202
Rack7R6#

The BGP configuration changes are as follows.

router bgp 100
 bgp router-id 150.7.6.6
 bgp log-neighbor-changes
 neighbor 141.7.123.2 remote-as 200
 neighbor 141.7.123.2 ebgp-multihop 255
 neighbor 150.7.44.44 remote-as 400
 neighbor 150.7.44.44 ebgp-multihop 255
 neighbor 150.7.44.44 update-source Loopback100
 !
 address-family ipv4
  neighbor 141.7.123.2 activate
  neighbor 150.7.44.44 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.44.44 activate
  neighbor 150.7.44.44 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  neighbor 200.200.200.1 remote-as 100
  neighbor 200.200.200.1 update-source Tunnel202
  neighbor 200.200.200.1 activate
  neighbor 200.200.200.1 next-hop-self
  no synchronization
  bgp router-id 200.200.200.1
 exit-address-family
 !
 address-family ipv4 vrf FW_HAIRPIN
  neighbor 54.7.1.254 remote-as 54
  neighbor 54.7.1.254 activate
  neighbor 54.7.1.254 as-override
  neighbor 200.200.200.2 remote-as 100
  neighbor 200.200.200.2 update-source Tunnel201
  neighbor 200.200.200.2 activate
  neighbor 200.200.200.2 next-hop-self
  no synchronization
  bgp router-id 200.200.200.2
 exit-address-family

Since there is no show command for checking whether the neighbors of an ipv4 vrf address family have been established (more likely I just did not find it), I judge whether the neighbors came up from the messages printed on the console.

 [R6]
Rack7R6(config-router)#
Sep 12 21:34:00.694: %BGP-5-ADJCHANGE: neighbor 54.7.1.254 vpn vrf FW_HAIRPIN Up
Sep 12 21:34:01.638: %BGP-5-ADJCHANGE: neighbor 200.200.200.1 vpn vrf VPN_A Up
Sep 12 21:34:01.642: %BGP-5-ADJCHANGE: neighbor 200.200.200.2 vpn vrf FW_HAIRPIN Up
Rack7R6(config-router)#
Sep 12 21:34:01.722: %BGP-5-ADJCHANGE: neighbor 141.7.123.2 Up
Sep 12 21:34:01.766: %BGP-5-ADJCHANGE: neighbor 150.7.44.44 Up
Rack7R6(config-router)#
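An added example, not part of the original post: a small Python replay of the %BGP-5-ADJCHANGE console messages above that keeps the last known state of every neighbor per VRF and lists the expected neighbors that are not Up. The sample lines are constructed in the format shown above (the final Down line and the `EXPECTED` list are mine, taken from this post's R6 configuration).

```python
import re

# Constructed sample in the format of the console messages above; the last line
# is a constructed Down event so the replay shows a neighbor that came up and failed.
SAMPLE_LOG = """\
Sep 12 21:34:00.694: %BGP-5-ADJCHANGE: neighbor 54.7.1.254 vpn vrf FW_HAIRPIN Up
Sep 12 21:34:01.638: %BGP-5-ADJCHANGE: neighbor 200.200.200.1 vpn vrf VPN_A Up
Sep 12 21:34:01.642: %BGP-5-ADJCHANGE: neighbor 200.200.200.2 vpn vrf FW_HAIRPIN Up
Sep 12 21:34:01.722: %BGP-5-ADJCHANGE: neighbor 141.7.123.2 Up
Sep 12 21:34:01.766: %BGP-5-ADJCHANGE: neighbor 150.7.44.44 Up
Sep 12 21:40:12.003: %BGP-5-ADJCHANGE: neighbor 54.7.1.254 vpn vrf FW_HAIRPIN Down Peer closed the session
"""

# Neighbors in a VRF address family carry "vpn vrf <name>"; global/vpnv4 ones do not.
ADJCHANGE = re.compile(
    r"%BGP-5-ADJCHANGE: neighbor (?P<peer>\S+)(?: vpn vrf (?P<vrf>\S+))?"
    r" (?P<state>Up|Down)(?: (?P<reason>.*))?$"
)


def neighbor_states(log):
    """Replay ADJCHANGE messages in order; return {(vrf, peer): (state, reason)}."""
    states = {}
    for line in log.splitlines():
        if m := ADJCHANGE.search(line):
            key = (m.group("vrf") or "global", m.group("peer"))
            states[key] = (m.group("state"), m.group("reason") or "")
    return states


def not_up(log, expected):
    """Return the expected (vrf, peer) pairs whose last known state is not Up."""
    states = neighbor_states(log)
    return sorted(k for k in expected if states.get(k, ("never seen", ""))[0] != "Up")


# The neighbors this post's R6 configuration expects in each VRF (assumed list).
EXPECTED = [("FW_HAIRPIN", "54.7.1.254"), ("FW_HAIRPIN", "200.200.200.2"),
            ("VPN_A", "200.200.200.1"), ("global", "141.7.123.2"), ("global", "150.7.44.44")]

if __name__ == "__main__":
    for key, (state, reason) in neighbor_states(SAMPLE_LOG).items():
        print(key, state, reason)
    print("not up:", not_up(SAMPLE_LOG, EXPECTED))  # [('FW_HAIRPIN', '54.7.1.254')]
```

On IOS the per-VRF neighbors and their state can also be listed with `show ip bgp vpnv4 vrf FW_HAIRPIN summary`, which is easier to check than the console log.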

Confirm that BGP routes are being exchanged between the CE routers.

 [BB1]
RS.7.7.BB1>show ip bgp
BGP table version is 40, local router ID is 212.18.3.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i28.119.16.0/24   172.16.4.3               0    100      0 i
*>i28.119.17.0/24   172.16.4.3               0    100      0 i
*  30.0.0.0/16      54.7.1.6                               0 100 400 ?
*>i                 172.16.4.3               1    100      0 100 ?
*  30.1.0.0/16      54.7.1.6                               0 100 400 ?
*>i                 172.16.4.3               1    100      0 100 ?
*  30.2.0.0/16      54.7.1.6                               0 100 400 ?
*>i                 172.16.4.3               1    100      0 100 ?
*  30.3.0.0/16      54.7.1.6                               0 100 400 ?

 <omitted>

Zone Based Firewall

Once you have got this far, the rest is easy: configure it just like a normal firewall.

 [R6]
ip access-list extended ACL_OUTSIDE_TO_INSIDE_HTTP
 permit tcp any host 204.12.7.100
!
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any CMAP_HTTP_HTTPS
 match protocol http
 match protocol https
class-map type inspect match-any CMAP_OTHER_PROTOCOLS
 match protocol dns
 match protocol icmp
class-map type inspect match-all CMAP_OUTSIDE_TO_INSIDE_HTTP
 match access-group name ACL_OUTSIDE_TO_INSIDE_HTTP
 match class-map CMAP_HTTP_HTTPS
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class type inspect CMAP_OUTSIDE_TO_INSIDE_HTTP
  inspect
 class type inspect CMAP_OTHER_PROTOCOLS
  inspect
  police rate 128000 burst 8000
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop
!
! Each zone-pair gets the policy for its own direction: OUTSIDE->INSIDE only
! permits HTTP/HTTPS to 204.12.7.100 plus DNS and ICMP, everything else is dropped.
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
!
interface Serial0/0/0
 zone-member security OUTSIDE
interface Tunnel201
 zone-member security INSIDE
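A sanity check for the zone-pair wiring, added here as an example and not part of the original post: this Python script (names assumed) parses the policy-maps, zones, zone-pairs and zone members out of a ZFW fragment and flags a zone-pair whose service-policy name does not match its source-to-destination direction, a policy-map that is defined but never applied, and a zone with no member interface. The constructed sample deliberately applies the inside-to-outside policy to both zone-pairs, the copy-paste slip that would let outside-to-inside traffic through the permissive policy.

```python
import re

# Constructed sample: this post's ZFW fragment with the OUTSIDE -> INSIDE zone-pair
# accidentally pointing at the inside-to-outside policy.
SAMPLE_CONFIG = """\
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class type inspect CMAP_OUTSIDE_TO_INSIDE_HTTP
  inspect
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE
  inspect
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
interface Serial0/0/0
 zone-member security OUTSIDE
interface Tunnel201
 zone-member security INSIDE
"""
# Same fragment with the intended policy on the OUTSIDE -> INSIDE zone-pair.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "destination INSIDE\n service-policy type inspect PMAP_INSIDE_TO_OUTSIDE",
    "destination INSIDE\n service-policy type inspect PMAP_OUTSIDE_TO_INSIDE")

POLICY_MAP = re.compile(r"^policy-map type inspect (\S+)$")
ZONE = re.compile(r"^zone security (\S+)$")
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
SERVICE_POLICY = re.compile(r"^ service-policy type inspect (\S+)$")
INTERFACE = re.compile(r"^interface (\S+)$")
ZONE_MEMBER = re.compile(r"^ zone-member security (\S+)$")


def parse_zfw(config):
    """Collect policy-map names, zones, zone-pairs and zone member interfaces."""
    policy_maps, zones, zone_pairs, members = set(), set(), {}, {}
    pair = iface = None  # which zone-pair / interface block we are inside
    for line in config.splitlines():
        if m := POLICY_MAP.match(line):
            policy_maps.add(m.group(1)); pair = iface = None
        elif m := ZONE.match(line):
            zones.add(m.group(1))
        elif m := ZONE_PAIR.match(line):
            pair, iface = m.group(1), None
            zone_pairs[pair] = {"src": m.group(2), "dst": m.group(3), "policy": None}
        elif pair and (m := SERVICE_POLICY.match(line)):
            zone_pairs[pair]["policy"] = m.group(1)
        elif m := INTERFACE.match(line):
            iface, pair = m.group(1), None
        elif iface and (m := ZONE_MEMBER.match(line)):
            members.setdefault(m.group(1), []).append(iface)
    return policy_maps, zones, zone_pairs, members


def lint_zfw(config):
    """Return a list of findings (empty when every check passes)."""
    policy_maps, zones, zone_pairs, members = parse_zfw(config)
    findings, applied = [], set()
    for name, zp in zone_pairs.items():
        policy = zp["policy"]
        if policy not in policy_maps:  # None (pair drops everything) or a typo
            findings.append(f"{name}: service-policy {policy} is missing or not defined")
            continue
        applied.add(policy)
        # Naming convention on this page: zone-pair and policy both carry SRC_TO_DST,
        # so a mismatch is almost always a copy-paste slip between the two pairs.
        direction = f"{zp['src']}_TO_{zp['dst']}"
        if direction not in policy:
            findings.append(f"{name}: policy {policy} does not match direction {direction}")
        for zone in (zp["src"], zp["dst"]):
            if zone not in zones or not members.get(zone):
                findings.append(f"{name}: zone {zone} is undefined or has no member interface")
    for pm in sorted(policy_maps - applied):
        findings.append(f"{pm}: policy-map is defined but applied to no zone-pair")
    return findings
```

Running `lint_zfw(SAMPLE_CONFIG)` reports the direction mismatch on ZP_OUTSIDE_TO_INSIDE and the unapplied PMAP_OUTSIDE_TO_INSIDE; `lint_zfw(FIXED_CONFIG)` returns an empty list.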

The final configurations are as follows.

R4 final configuration
!
! Last configuration change at 19:17:29 UTC Wed Sep 12 2012
! NVRAM config last updated at 19:54:38 UTC Wed Sep 12 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack7R4
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username Rack7R5 password 0 CISCO
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.7.4.4 255.255.255.0
!
interface Loopback100
 ip address 150.7.44.44 255.255.255.0
!
interface Tunnel0
 ip address 141.7.46.4 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.6.6
!
interface FastEthernet0/0
 ip address 141.7.145.4 255.255.255.0
 ip pim sparse-mode
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip vrf forwarding VPN_A
 ip address 204.12.7.4 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 141.7.54.4 255.255.255.0
 ip pim sparse-mode
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 141.7.54.5 405 broadcast
 no frame-relay inverse-arp
!
interface Serial0/1/0
 ip address 141.7.45.4 255.255.255.0
 encapsulation ppp
 clock rate 64000
 ppp authentication pap
!
router ospf 1
 log-adjacency-changes
 network 141.7.45.4 0.0.0.0 area 2
 network 141.7.54.4 0.0.0.0 area 2
 network 141.7.145.4 0.0.0.0 area 2
 network 150.7.4.4 0.0.0.0 area 2
!
router rip
 version 2
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  redistribute bgp 400 metric transparent
  network 204.12.7.0
  no auto-summary
 exit-address-family
!
router bgp 400
 bgp log-neighbor-changes
 neighbor 150.7.5.5 remote-as 300
 neighbor 150.7.5.5 ebgp-multihop 255
 neighbor 150.7.5.5 update-source Loopback0
 neighbor 150.7.66.66 remote-as 100
 neighbor 150.7.66.66 ebgp-multihop 255
 neighbor 150.7.66.66 update-source Loopback100
 !
 address-family ipv4
  neighbor 150.7.5.5 activate
  no neighbor 150.7.66.66 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.66.66 activate
  neighbor 150.7.66.66 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  redistribute rip
  neighbor 204.12.7.254 remote-as 54
  neighbor 204.12.7.254 local-as 100 no-prepend replace-as
  neighbor 204.12.7.254 activate
  no synchronization
 exit-address-family
!
ip forward-protocol nd
ip route 150.7.66.0 255.255.255.0 141.7.46.6
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
mpls ldp router-id Loopback100 force
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end
R6 final configuration
!
! Last configuration change at 22:08:20 UTC Wed Sep 12 2012
! NVRAM config last updated at 19:56:08 UTC Wed Sep 12 2012
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack7R6
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip vrf FW_HAIRPIN
 rd 100:100
!
ip vrf VPN_A
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE
 match protocol udp
 match protocol tcp
 match protocol icmp
class-map type inspect match-any CMAP_HTTP_HTTPS
 match protocol http
 match protocol https
class-map type inspect match-any CMAP_OTHER_PROTOCOLS
 match protocol dns
 match protocol icmp
class-map type inspect match-all CMAP_OUTSIDE_TO_INSIDE_HTTP
 match access-group name ACL_OUTSIDE_TO_INSIDE_HTTP
 match class-map CMAP_HTTP_HTTPS
!
!
policy-map type inspect PMAP_OUTSIDE_TO_INSIDE
 class type inspect CMAP_OUTSIDE_TO_INSIDE_HTTP
  inspect
 class type inspect CMAP_OTHER_PROTOCOLS
  inspect
  police rate 128000 burst 8000
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PMAP_OUTSIDE_TO_INSIDE
!
!
!
interface Loopback0
 ip address 150.7.6.6 255.255.255.0
!
interface Loopback100
 ip address 150.7.66.66 255.255.255.0
!
interface Loopback201
 ip address 6.6.6.6 255.255.255.255
!
interface Loopback202
 ip address 66.66.66.66 255.255.255.255
!
interface Tunnel0
 ip address 141.7.46.6 255.255.255.0
 mpls ip
 tunnel source Loopback0
 tunnel destination 150.7.4.4
!
interface Tunnel201
 ip vrf forwarding FW_HAIRPIN
 ip address 200.200.200.1 255.255.255.0
 zone-member security INSIDE
 tunnel source Loopback201
 tunnel destination 66.66.66.66
!
interface Tunnel202
 ip vrf forwarding VPN_A
 ip address 200.200.200.2 255.255.255.0
 tunnel source Loopback202
 tunnel destination 6.6.6.6
!
interface FastEthernet0/0
 ip address 141.7.36.6 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 141.7.6.6 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip vrf forwarding FW_HAIRPIN
 ip address 54.7.1.6 255.255.255.0
 zone-member security OUTSIDE
 encapsulation frame-relay
 frame-relay map ip 54.7.1.254 101 broadcast
 no frame-relay inverse-arp
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel201
 no passive-interface Tunnel202
 network 141.7.0.0
 network 150.7.0.0
 no auto-summary
 !
 address-family ipv4 vrf VPN_A
  offset-list 41 in 9
  network 200.200.200.0
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf FW_HAIRPIN
  network 54.0.0.0
  network 200.200.200.0
  no auto-summary
 exit-address-family
!
router bgp 100
 bgp router-id 150.7.6.6
 bgp log-neighbor-changes
 neighbor 141.7.123.2 remote-as 200
 neighbor 141.7.123.2 ebgp-multihop 255
 neighbor 150.7.44.44 remote-as 400
 neighbor 150.7.44.44 ebgp-multihop 255
 neighbor 150.7.44.44 update-source Loopback100
 !
 address-family ipv4
  neighbor 141.7.123.2 activate
  neighbor 150.7.44.44 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 150.7.44.44 activate
  neighbor 150.7.44.44 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN_A
  neighbor 200.200.200.1 remote-as 100
  neighbor 200.200.200.1 update-source Tunnel202
  neighbor 200.200.200.1 activate
  neighbor 200.200.200.1 next-hop-self
  no synchronization
  bgp router-id 200.200.200.1
 exit-address-family
 !
 address-family ipv4 vrf FW_HAIRPIN
  neighbor 54.7.1.254 remote-as 54
  neighbor 54.7.1.254 activate
  neighbor 54.7.1.254 as-override
  neighbor 200.200.200.2 remote-as 100
  neighbor 200.200.200.2 update-source Tunnel201
  neighbor 200.200.200.2 activate
  neighbor 200.200.200.2 next-hop-self
  no synchronization
  bgp router-id 200.200.200.2
 exit-address-family
!
ip forward-protocol nd
ip route 150.7.44.0 255.255.255.0 141.7.46.4
no ip http server
no ip http secure-server
!
!
!
ip access-list extended ACL_OUTSIDE_TO_INSIDE_HTTP
 permit tcp any host 204.12.7.100
!
access-list 41 permit 0.0.0.0 255.255.254.255
!
!
!
!
!
mpls ldp router-id Loopback100 force
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous level 0 limit 20
line aux 0
 exec-timeout 0 0
 privilege level 15
line vty 0 4
 password cisco
 login
!
scheduler allocate 20000 1000
end