Cisco 1841 IOS firewall, Easy VPN Server setup problem - client connect traffic dropped by firewall

Hi, can someone help us with our Cisco problem please?

We have a Cisco 1841 with SDSL card, AIM VPN accelerator, Adv IP services - running zone based firewall and IPS.  We are struggling with the zone based pairs, and have used SDM to configure things so far, with the initial configuration done by wizard.

We have a site to site VPN tunnel set up successfully, but now we are trying to configure the Easy VPN server, to allow clients to connect using the Cisco VPN client v.5.  The wizard appears to complete successfully, and the SDM "test VPN" button reports no errors, but when a client connects, the packets are dropped by the firewall.  This is despite the autocreation of ezvpnzones and rules on the firewall, which appear to allow traffic into the router.

We think the problem may be in the setup wizard, as it asks things which don't appear in the documentation.

1.  It asks where the virtual template should be unnumbered to - should this be the loopback address or the outside interface?  If loopback, what should the address/mask be?

2.  It also unexpectedly asks us to choose interfaces to be marked as "inside" for the purpose of GRE flow through - it presents the virtual template and the two internal ethernet adapters (our LAN) and we ticked both to be trusted - was this a mistake?  We weren't thinking of using GRE for this, and it isn't mentioned in the documentation we have.

3. SDM appears to have created the zones and rules to allow IPsec and IKE etc into the router, but there are two categories in the firewall config.  And they didn't appear at the same time.
There is a rule set called sdm-permit-ip which allows ALL traffic into and out of the ezvpn-zone from the in-zone and the out-zone.
There is also a rule set called sdm-permit which allows particular traffic from the out-zone to self.  There is an entry in this rule set that allows all traffic to flow using a service called SDM_EASY_VPN_SERVER_TRAFFIC.  If you look at the details of this, it includes the following protocols: ISAKMP, ipsec-msft, SDM_AH, SDM_ESP.

For some reason traffic from the client is being dropped by the firewall policy, as we can see it on the syslog output.  We may have the virtual template in the wrong zone, or perhaps the GRE prompt mentioned above is causing an issue.
Any thoughts or suggestions?
Thank you in advance!
support_ferret (Author) commented:
I eventually got the solution from Cisco, although they took some time to get to the root of the problem!

1.  The policy map for the traffic was set to "Pass". This would allow traffic in only one direction, and would have required a similar rule to be set up in reverse. The solution was to use the "Inspect" action, which would allow the traffic back out the other way.

2.  Initially, the clients would not connect at all to the Easy VPN server (TCP port 10000). The solution for this was to add the following line to the config:

crypto ctcp port 10000

Both problems were caused by SDM not adding in all the required configuration on the device.  It may be that newer IOS and SDM versions do not have this problem, i.e. compatibility issues with the Cisco device.
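The two fixes from the accepted answer, written out as an added zone-based firewall fragment (this is an illustrative example, not the original poster's config or SDM output): the zone, ACL, class-map and policy-map names and the LAN subnet are constructed placeholders, and the real SDM-generated names (sdm-permit, sdm-permit-ip) will differ.

```cisco
! Added example, not from the original post. Names and the 10.10.0.0/16
! LAN subnet are constructed placeholders; adapt them to the real config.
zone security in-zone
zone security out-zone
zone security ezvpn-zone
!
! Traffic the Easy VPN clients send towards the LAN once the tunnel is up.
ip access-list extended EZVPN-CLIENT-ACL
 permit ip any 10.10.0.0 0.0.255.255
!
class-map type inspect match-all EZVPN-CLIENT-CLASS
 match access-group name EZVPN-CLIENT-ACL
!
! BEFORE (what SDM generated): "pass" forwards matching packets statelessly
! and in one direction only, so the LAN's replies are dropped by the
! reverse zone-pair unless a mirror-image rule exists there.
!policy-map type inspect EZVPN-TO-LAN
! class type inspect EZVPN-CLIENT-CLASS
!  pass
!
! AFTER (the fix from Cisco): "inspect" creates a stateful session entry,
! so return traffic is permitted automatically and no reverse rule is needed.
policy-map type inspect EZVPN-TO-LAN
 class type inspect EZVPN-CLIENT-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security ezvpn-to-in source ezvpn-zone destination in-zone
 service-policy type inspect EZVPN-TO-LAN
!
! The virtual template that terminates the Easy VPN clients must be a member
! of ezvpn-zone, otherwise the zone-pair above never sees their traffic.
! (Tunnel mode and IPsec profile settings are omitted here.)
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 zone-member security ezvpn-zone
!
! Second fix: accept the VPN client's IPsec-over-TCP (cTCP) encapsulation
! on port 10000; without this the clients never connect at all.
crypto ctcp port 10000
```

Whether the "pass" rule is still hitting can be confirmed from the firewall drop messages in the syslog output the poster mentions, which name the zone-pair and class that dropped the packet.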