Cisco 1841 IOS firewall, Easy VPN Server setup problem - client connect traffic dropped by firewall

Posted on 2007-10-02
Last Modified: 2012-06-21
Hi, can someone help us with our Cisco problem please?

We have a Cisco 1841 with SDSL card, AIM VPN accelerator, Adv IP services - running zone based firewall and IPS.  We are struggling with the zone based pairs, and have used SDM to configure things so far, with the initial configuration done by wizard.

We have a site to site VPN tunnel set up successfully, but now we are trying to configure the Easy VPN server, to allow clients to connect using the Cisco VPN client v.5.  The wizard appears to complete successfully, and the SDM "test VPN" button reports no errors, but when a client connects, the packets are dropped by the firewall.  This is despite the autocreation of ezvpnzones and rules on the firewall, which appear to allow traffic into the router.

We think the problem may be in the setup wizard, as it asks things which don't appear in the documentation.

1.  It asks where the virtual template should be unnumbered to - should this be the loopback address or the outside interface?  If loopback, what should the address/mask be?

2.  It also unexpectedly asks us to choose interfaces to be marked as "inside" for the purpose of GRE flow thru - it presents the virtual template and the two internal ethernet adapters (our LAN) and we ticked both to be trusted - was this a mistake?  We weren't thinking of using GRE for this, and it isn't mentioned in the documentation we have.

3. SDM appears to have created the zones and rules to allow IPsec and IKE etc into the router, but there are two categories in the firewall config.  And they didn't appear at the same time.
There is a rule set called sdm-permit-ip which allows ALL traffic into and out of the ezvpn-zone from the in-zone and the out-zone.
There is also a rule set called sdm-permit which allows particular traffic from the out-zone to self.  There is an entry in this rule set that allows all traffic to flow using a service called SDM_EASY_VPN_SERVER_TRAFFIC.  If you look at the details of this, it includes the following protocols: ISAKMP, ipsec-msft, SDM_AH, SDM_ESP.

For some reason traffic from the client is being dropped by the firewall policy, as we can see it on the syslog output.  We may have the virtual template in the wrong zone, or perhaps the GRE prompt mentioned above is causing an issue.
Any thoughts or suggestions?  
Thank you in advance!
Question by: support_ferret

    Accepted Solution

    I eventually got the solution from Cisco, although they took some time to get to the root of the problem!

    1.  The policy map for the traffic was set to "Pass".  This would allow traffic in only one direction, and would have required a similar rule to be set up in reverse.  The solution was to use the "Inspect" action, which would allow the traffic back out the other way.

    2.  Initially, the clients would not connect at all to the Easy VPN server (on TCP port 10000) - the solution for this was to add the following line to the config:

    crypto ctcp port 10000

    Both problems were caused by SDM not adding in all the required configuration on the device.  It may be that newer IOS and SDM versions do not have this problem, i.e. compatibility issues with the Cisco device.
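The two fixes in the accepted solution, shown side by side in IOS CLI as an added example (this is not the poster's configuration or SDM's generated output; the zone names ezvpn-zone, in-zone and out-zone follow the question, while the class-map, policy-map and ACL names, and the choice of the ezvpn-zone to in-zone pair as the one that was set to "pass", are assumptions):

```cisco
! Added example - not the original poster's running config.
! Assumes SDM put the Easy VPN virtual-template in ezvpn-zone, the LAN
! interfaces in in-zone and the SDSL interface in out-zone.

! --- Fix 1: "pass" is one-way, "inspect" is stateful -----------------
! Decrypted client packets enter the firewall from the virtual-template
! (ezvpn-zone) heading for the LAN (in-zone).  Each zone-pair is
! unidirectional, so "pass" lets the request through but the LAN reply
! (in-zone -> ezvpn-zone) hits no matching pair and is dropped.

class-map type inspect match-any EZVPN-CLIENT-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp

! What the poster found: pass only, replies dropped (logged by class-default)
policy-map type inspect EZVPN-TO-LAN-PASS
 class type inspect EZVPN-CLIENT-TRAFFIC
  pass
 class class-default
  drop log

! Corrected: inspect creates a session entry, so the return traffic is
! allowed back to the client without a mirror in-zone -> ezvpn-zone pair.
policy-map type inspect EZVPN-TO-LAN-INSPECT
 class type inspect EZVPN-CLIENT-TRAFFIC
  inspect
 class class-default
  drop log

zone-pair security ezvpn-to-in source ezvpn-zone destination in-zone
 service-policy type inspect EZVPN-TO-LAN-INSPECT

! --- Router as IPsec endpoint: out-zone -> self ----------------------
! The router terminates IKE/IPsec itself, so the out-zone -> self pair
! must admit IKE (UDP/500), NAT-T (UDP/4500), ESP, AH and, with cTCP
! enabled, TCP/10000.  ESP and AH cannot be inspected, so this pair
! keeps "pass" and therefore needs an explicit mirror self -> out pair.
ip access-list extended EZVPN-SERVER-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
 permit tcp any any eq 10000
ip access-list extended EZVPN-SERVER-OUT
 permit udp any eq isakmp any
 permit udp any eq non500-isakmp any
 permit esp any any
 permit ahp any any
 permit tcp any eq 10000 any

class-map type inspect match-any EZVPN-SERVER-IN
 match access-group name EZVPN-SERVER-IN
class-map type inspect match-any EZVPN-SERVER-OUT
 match access-group name EZVPN-SERVER-OUT

policy-map type inspect OUT-TO-SELF
 class type inspect EZVPN-SERVER-IN
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUT
 class type inspect EZVPN-SERVER-OUT
  pass
 class class-default
  drop log

zone-pair security out-to-self source out-zone destination self
 service-policy type inspect OUT-TO-SELF
zone-pair security self-to-out source self destination out-zone
 service-policy type inspect SELF-TO-OUT

! --- Fix 2: enable cTCP so the VPN client can reach TCP/10000 --------
! Without this line the router is not listening on the port the client
! uses for IPsec-over-TCP, so the session never comes up.
crypto ctcp port 10000
```

To confirm which fix is in play, check whether the drops in syslog carry the zone-pair name (a firewall drop, fix 1) or whether the client never gets past phase 1 (no listener on TCP/10000, fix 2); `show zone-pair security` and `show policy-map type inspect zone-pair sessions` show which pair is applied and whether inspect is creating sessions.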
