Cisco 1841 IOS firewall, Easy VPN Server setup problem - client connect traffic dropped by firewall

Posted on 2007-10-02
Last Modified: 2012-06-21
Hi, can someone help us with our Cisco problem please?

We have a Cisco 1841 with SDSL card, AIM VPN accelerator and Adv IP services, running zone-based firewall and IPS.  We are struggling with the zone-based pairs, and have used SDM to configure things so far, with the initial configuration done by wizard.

We have a site to site VPN tunnel set up successfully, but now we are trying to configure the Easy VPN server, to allow clients to connect using the Cisco VPN client v.5.  The wizard appears to complete successfully, and the SDM "test VPN" button reports no errors, but when a client connects, the packets are dropped by the firewall.  This is despite the autocreation of ezvpnzones and rules on the firewall, which appear to allow traffic into the router.

We think the problem may be in the setup wizard, as it asks things which don't appear in the documentation.

1.  It asks where the virtual template should be unnumbered to - should this be the loopback address or the outside interface?  If loopback, what should the address/mask be?

2.  It also unexpectedly asks us to choose interfaces to be marked as "inside" for the purpose of GRE flow through - it presents the virtual template and the two internal ethernet adapters (our LAN) and we ticked both to be trusted - was this a mistake?  We weren't thinking of using GRE for this, and it isn't mentioned in the documentation we have.

3. SDM appears to have created the zones and rules to allow IPsec and IKE etc into the router, but there are two categories in the firewall config.  And they didn't appear at the same time.
There is a rule set called sdm-permit-ip which allows ALL traffic into and out of the ezvpn-zone from the in-zone and the out-zone.
There is also a rule set called sdm-permit which allows particular traffic from the out-zone to self.  There is an entry in this rule set that allows all traffic to flow using a service called SDM_EASY_VPN_SERVER_TRAFFIC.  If you look at the details of this, it includes the following protocols: ISAKMP, ipsec-msft, SDM_AH, SDM_ESP.

For some reason traffic from the client is being dropped by the firewall policy, as we can see it on the syslog output.  We may have the virtual template in the wrong zone, or perhaps the GRE prompt mentioned above is causing an issue.
Any thoughts or suggestions?  
Thank you in advance!
Question by:support_ferret
1 Comment

Accepted Solution

support_ferret earned 0 total points
ID: 23711955
I eventually got the solution from Cisco, although they took some time to get to the root of the problem!

1.  The policy map for the traffic was set to "Pass".  This would allow traffic in only one direction, and would have required a similar rule to be set up in reverse.  The solution was to use the "Inspect" action, which allows the traffic back out the other way.

2.  Initially, the clients would not connect at all to the Easy VPN server (on TCP port 10000) - the solution for this was to add the following line to the config:

crypto ctcp port 10000

Both problems were caused by SDM not adding all the required configuration on the device.  It may be that newer IOS and SDM versions do not have this problem, i.e. compatibility issues with the Cisco device.
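The following is an added configuration example written for this page; it is not the poster's SDM-generated config and the zone, class-map, policy-map and ACL names in it are assumed. It shows the two fixes from the accepted solution in IOS zone-based firewall syntax: the out-zone to self policy using "inspect" (stateful, so the router's replies to the client are allowed automatically) instead of "pass", and the "crypto ctcp port 10000" line. One caveat a practitioner should know: ZBF can only inspect TCP, UDP and ICMP, so raw ESP and AH (IP protocols 50 and 51) cannot be inspected; the example passes them with a matching self to out-zone pair instead. ISAKMP (UDP/500), NAT-T (UDP/4500, the "ipsec-msft" protocol named in the question) and cTCP (TCP/10000) are inspected. Because a zone-pair to self exists, traffic to the router that matches no class is dropped, so the cTCP port has to be matched explicitly; that ACL is an assumption of this example, not something the original post states.

```cisco
! Added example, not the poster's configuration. Names are assumed.
! Zones as described in the question: out-zone (WAN), in-zone (LAN),
! ezvpn-zone (the virtual-template carrying decrypted client traffic).
zone security out-zone
zone security in-zone
zone security ezvpn-zone
!
! --- 1. Easy VPN control/transport traffic terminating on the router ---
! cTCP listens on TCP 10000 once "crypto ctcp port 10000" is configured.
ip access-list extended EZVPN-CTCP
 permit tcp any any eq 10000
! Raw ESP/AH are not inspectable by ZBF; they are passed, not inspected.
ip access-list extended EZVPN-ESP-AH
 permit esp any any
 permit ahp any any
!
class-map type inspect match-any EZVPN-SERVER-INSPECT
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name EZVPN-CTCP
class-map type inspect match-all EZVPN-SERVER-PASS
 match access-group name EZVPN-ESP-AH
!
! "inspect" instead of "pass": the session is tracked, so the reply from
! self back to out-zone is allowed without a reverse rule.
policy-map type inspect OUT-TO-SELF
 class type inspect EZVPN-SERVER-INSPECT
  inspect
 class type inspect EZVPN-SERVER-PASS
  pass
 class class-default
  drop log
! Reverse direction only needs the passed (non-inspected) ESP/AH.
policy-map type inspect SELF-TO-OUT
 class type inspect EZVPN-SERVER-PASS
  pass
 class class-default
  drop log
!
zone-pair security out-self source out-zone destination self
 service-policy type inspect OUT-TO-SELF
zone-pair security self-out source self destination out-zone
 service-policy type inspect SELF-TO-OUT
!
! --- 2. Decrypted client traffic between the VPN clients and the LAN ---
class-map type inspect match-any EZVPN-LAN-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect EZVPN-LAN
 class type inspect EZVPN-LAN-TRAFFIC
  inspect
 class class-default
  drop log
zone-pair security ezvpn-in source ezvpn-zone destination in-zone
 service-policy type inspect EZVPN-LAN
zone-pair security in-ezvpn source in-zone destination ezvpn-zone
 service-policy type inspect EZVPN-LAN
!
! --- 3. The line the accepted solution says SDM did not add ---
crypto ctcp port 10000
```

The virtual-template interface created by the Easy VPN wizard must carry "zone-member security ezvpn-zone" for the second set of zone-pairs to apply; the rest of the Easy VPN server configuration (ISAKMP profile, IPsec profile, group policy) is unchanged from what the wizard produces and is not shown here. "drop log" on class-default is what produces the syslog drop messages the question refers to, which is the quickest way to confirm which zone-pair is discarding the client's packets.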
