Robert Davis

asked on

Allow Cisco Any-Connect VPN traffic through Firewall to Internal Network?

We have a Cisco 1811 Integrated Router running Cisco Any-Connect VPN.  I can connect just fine, and as long as no firewall policies are applied to the interfaces I can connect to local intranet resources (through RDP, SMB, ICMP, etc.).  However, the second I enable the firewall (whether via ACLs or the current zone-member policy) I can no longer access intranet resources.  I can still connect to VPN, and ping and SSH into the router's inside interface...but I can no longer ping past the router's inside interface or access intranet resources via RDP, SMB, SSH, ICMP, etc.

I have placed a rule to allow all traffic from the VPN subnet to the Intranet subnet, but it seems to be ignoring this.  I know it's not a routing issue since traffic works fine when the Firewall is removed from the outside/inside interfaces.

I have enabled logging, and the log shows when packets are dropped due to an ACL...but I do not see any dropped packets or any notices at all in the log when I initiate VPN->intranet traffic with the firewall enabled.

Suggestions on where to start? Any help would be greatly appreciated!  Config is attached....

Thanks,
Robert
Building configuration...

Current configuration : 17620 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
!--snipped--
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone PCTime -8
!
crypto pki trustpoint TP-self-signed-3686776916
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3686776916
 revocation-check none
 rsakeypair TP-self-signed-3686776916
!
!
crypto pki certificate chain TP-self-signed-3686776916
 certificate self-signed 01
  	quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name --snipped--
ip name-server internal.sub.net.7
ip name-server internal.sub.net.6
ip port-map http port tcp 7880 description PowerSchool
ip port-map user-protocol--1 port tcp 1337
ip port-map user-smtps port tcp 465 description Secure SMTP
ip port-map https port tcp from 2082 to 2087  description cPanel/WHM
ip port-map https port tcp 2222 8888 description DirectAdmin
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!--Users Snipped--
! 
!
!
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 103
 match protocol user-protocol--1
class-map type inspect match-any SDM_WEBVPN
 match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
 match class-map SDM_WEBVPN
 match access-group 104
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-any IP
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any DHCP
 match protocol bootpc
 match protocol bootps
 match protocol dhcp-failover
class-map type inspect match-any Remote-Access
 match protocol ssh
 match protocol shell
 match protocol telnet
class-map type inspect match-any P2PIM
 match protocol aol
 match protocol msnmsgr
 match protocol ymsgr
 match protocol bittorrent
 match protocol directconnect
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any DNS
 match protocol dns
 match protocol ddns-v3
class-map type inspect match-all sdm-cls-sdm-inspect-2
 match class-map DNS
 match access-group name DNS
class-map type inspect match-any EMail
 match protocol smtp
 match protocol imap
 match protocol imaps
 match protocol imap3
 match protocol pop3
 match protocol pop3s
class-map type inspect match-all sdm-cls-sdm-inspect-3
 match class-map EMail
 match access-group name EMail
class-map type inspect match-any sdm-service-sdm-inspect-1
 match protocol http
 match protocol https
class-map type inspect match-any FTP
 match protocol ftp
 match protocol ftps
class-map type inspect match-all sdm-cls-sdm-inspect-1
 match class-map FTP
 match access-group name FTP
class-map type inspect match-any AnyIP
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-6
 match class-map AnyIP
 match access-group name VPNIn
class-map type inspect match-any smtps
 match protocol user-smtps
class-map type inspect match-all sdm-cls-sdm-inspect-7
 match class-map smtps
 match access-group name smtps
class-map type inspect match-any ntp
 match protocol ntp
class-map type inspect match-all sdm-cls-sdm-inspect-4
 match class-map ntp
 match access-group name NTP
class-map type inspect match-all sdm-cls-sdm-inspect-5
 match class-map IP
 match access-group name VPNOut
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match class-map sdm-service-sdm-inspect-1
 match access-group name outbound
class-map type inspect match-any any
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-sdm-inspect-6
  inspect 
 class type inspect sdm-cls-sdm-inspect-5
  inspect 
 class type inspect ICMP
  inspect 
 class type inspect DHCP
  inspect 
 class type inspect Remote-Access
  drop log
 class type inspect P2PIM
 class type inspect sdm-cls-sdm-inspect-4
  inspect 
 class type inspect sdm-cls-sdm-inspect-2
  inspect 
 class type inspect sdm-cls-sdm-inspect-1
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect sdm-cls-sdm-inspect-3
  inspect 
 class type inspect sdm-cls-sdm-inspect-7
  inspect 
 class type inspect SDM-Voice-permit
  inspect 
 class class-default
  drop log
policy-map type inspect sdm-permit
 class type inspect SDM_WEBVPN_TRAFFIC
  inspect 
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address isp.sub.net.45 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 description TFEC
 switchport mode trunk
!
interface FastEthernet3
 description Gaucholan
 switchport access vlan 28
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address internal.sub.net.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface Vlan20
 description VoIP
 ip address 192.168.111.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
ip local pool vpn_pool1 vpn.sub.net.2 vpn.sub.net.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 isp.sub.net.46
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool pool1 internal.sub.net.0 vpn.sub.net.0 netmask 0.0.0.255
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp internal.sub.net.7 1337 isp.sub.net.45 1337 extendable
!
ip access-list extended DNS
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended EMail
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended FTP
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended NTP
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended SDM_WEBVPN
 remark CCP_ACL Category=1
 remark SDM_ACL Category=17
 permit tcp any any eq 443
ip access-list extended VPNIn
 remark SDM_ACL Category=128
 permit ip vpn.sub.net.0 0.0.0.255 internal.sub.net.0 0.0.0.255
ip access-list extended VPNOut
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 vpn.sub.net.0 0.0.0.255
ip access-list extended outbound
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
ip access-list extended smtps
 remark SDM_ACL Category=128
 permit ip internal.sub.net.0 0.0.0.255 any
!
logging trap debugging
logging internal.sub.net.19
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit internal.sub.net.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit experimental.sub.net.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip isp.sub.net.44 0.0.0.3 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark ssh
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 22
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootpc
access-list 101 remark DHCP
access-list 101 permit udp any any eq bootps
access-list 101 remark Web HTTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq www
access-list 101 remark SSL HTTPS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 443
access-list 101 remark DNS
access-list 101 permit udp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark DNS
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq domain
access-list 101 remark POP3
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 101 remark POP3 SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 101 remark SMTP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 101 remark SMTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 101 remark IMAP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 101 remark IMAP SSL
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 101 remark PowerSchool
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq 7880
access-list 101 remark FTP
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any eq ftp
access-list 101 remark FTP PASV
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 35000 36000
access-list 101 remark cPanel/WHM
access-list 101 permit tcp internal.sub.net.0 0.0.0.255 any range 2082 2087
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark SSH
access-list 102 permit tcp any eq 22 internal.sub.net.0 0.0.0.255
access-list 102 remark DHCP
access-list 102 permit udp any eq bootps any
access-list 102 remark DHCP
access-list 102 permit udp any eq bootpc any
access-list 102 remark Web HTTP
access-list 102 permit tcp any eq www internal.sub.net.0 0.0.0.255
access-list 102 remark SSL HTTPS
access-list 102 permit tcp any eq 443 internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit udp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark DNS
access-list 102 permit tcp any eq domain internal.sub.net.0 0.0.0.255
access-list 102 remark POP3
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq pop3
access-list 102 remark POP3 SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 995
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 465
access-list 102 remark SMTP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 587
access-list 102 remark SMTP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq smtp
access-list 102 remark IMAP
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 143
access-list 102 remark IMAP SSL
access-list 102 permit tcp internal.sub.net.0 0.0.0.255 any eq 993
access-list 102 remark FTP
access-list 102 permit tcp any internal.sub.net.0 0.0.0.255 eq ftp
access-list 102 remark PowerSchool
access-list 102 permit tcp any eq 7880 internal.sub.net.0 0.0.0.255
access-list 102 remark FTP PASV
access-list 102 permit tcp any range 35000 36000 internal.sub.net.0 0.0.0.255
access-list 102 remark cPanel/WHM
access-list 102 permit tcp any range 2082 2087 internal.sub.net.0 0.0.0.255
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host internal.sub.net.7
access-list 104 remark SDM_ACL Category=128
access-list 104 permit ip any host isp.sub.net.45
access-list 105 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
no cdp run

!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
banner motd ^CCCC
---------------------------------------------------------------------------

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This computer system is for authorized users only. All activity is logged and
regularly checked by systems personnel. Individuals using this system without
authority or in excess of their authority are subject to having all their
services revoked. Any illegal services run by user or attempts to take down
this server or its services will be reported to local law enforcement, and
said user will be punished to the full extent of the law. Anyone using this
system consents to these terms.

Warning - unauthorized access, attempted access, or use of any State computing
system is a violation of Section 502 of the CaliforniaPenal and/or applicable Federal Laws.

---------------------------------------------------------------------------
^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler interval 500
!
webvpn gateway gateway_1
 ip address isp.sub.net.45 port 443  
 http-redirect port 80
 ssl trustpoint TP-self-signed-3686776916
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-2.3.0254-k9.pkg sequence 1
 !
webvpn context TFVPN
 secondary-color white
 title-color #FF9900
 text-color black
 ssl authenticate verify all
 !
 url-list "Intranet"
   heading "Intranet Sites"
   url-text "Stewie" url-value "http://internal.sub.net.19/"
 !
 !
 policy group policy_1
   url-list "Intranet"
   functions svc-enabled
   mask-urls
   svc address-pool "vpn_pool1"
   svc default-domain "ec.techfutures.org."
   svc keep-client-installed
   svc split dns "ec.techfutures.org."
   svc split include internal.sub.net.0 255.255.255.0
   svc split include experimental.sub.net.0 255.255.255.0
   svc dns-server primary internal.sub.net.6
   svc dns-server secondary internal.sub.net.7
 default-group-policy policy_1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1 domain tfvpn
 max-users 5
 inservice
!
end


mpickreign

Your ACLs are not really doing anything as they are not applied to specific interfaces. You are using zone based firewall rules. In which case you should review the following document.

http://www.cisco.com/en/US/products/ps8411products_configuration_example09186a0080b25941.shtml
Re-read your issue after reviewing the config.  I see where you say it is doing this no matter whether using ACL or zone based. Which ACL were you trying to use?
Robert Davis

ASKER

I applied an ACL previously but since that went nowhere I applied the zone-member based policies in SDM.  So now the question is, using the zone based policies (out-zone and in-zone), what do I need to change.  I tried an explicit allow via both and neither work.  I did have the ACLs applied when I was using them, I just left them in the config for reference.

Regards,
Robert
That link gets me this:
The Page You Have Requested Is Not Available
Sorry to leave you hanging so long...

Here is the link I was trying to send you. Shows an example config of what you are trying to do with the zones you need to setup for the VPN

http://www.cisco.com/en/US/partner/products/ps8411/products_configuration_example09186a0080b25941.shtml

Let me know if this helps. If not I would recommend going back to the ACL setup as I think it's a bit simpler and cleaner.
Also take note of the virtual interface they setup as that is a crucial piece of this config.

Suggestions?

Thanks,
Robert
I was referring to the virtual interface shown in the document I linked for you. I would do it exactly the same as shown.
I can't read the document you sent me...my CCO account doesn't give me access...
ASKER CERTIFIED SOLUTION
mpickreign

SOLUTION
Awesome!  I did exactly as the guide said and nothing more and it works PERFECTLY.  I also took out my explicit 101 to 100 allow in the in-zone config.  Here's what I ran:

config t
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security in-zone
!
exit
!
webvpn context TFVPN
 virtual-template 1



All done!  Thank you!
Config flagged as answer
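As an added example (not from the thread, from Cisco, or from Robert's config), the following Python audit parses an IOS running-config and flags the condition behind this thread: an interface that carries IP traffic but belongs to no security zone (zone-based firewall drops traffic between a zoned and an unzoned interface), and a WebVPN context whose Virtual-Template is missing or sits in no zone. The two sample configs are constructed, condensed from the one posted, and show the state before and after the accepted fix; the addresses in them are placeholders.

```python
import re

# Constructed sample, condensed from the thread's config: the state before the fix.
BROKEN_CONFIG = """\
zone security out-zone
zone security in-zone
interface FastEthernet0
 zone-member security out-zone
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 zone-member security in-zone
interface Vlan20
 ip address 192.168.111.1 255.255.255.0
webvpn context TFVPN
"""
# Constructed sample: same config after the accepted fix (zoned virtual-template bound to context).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "webvpn context TFVPN\n",
    "interface Virtual-Template1\n ip unnumbered Loopback0\n"
    " zone-member security in-zone\nwebvpn context TFVPN\n virtual-template 1\n")


def parse_blocks(config):
    """Split running-config text into (header, [indented body lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def audit_zones(config):
    """Report IP interfaces outside every zone (ZBF drops zoned<->unzoned traffic)
    and WebVPN contexts whose tunnel interface is missing or unzoned."""
    zone_of, has_ip, vtemplate = {}, set(), {}
    for header, body in parse_blocks(config):
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            for item in body:
                zm = re.match(r"zone-member security (\S+)", item)
                if zm:
                    zone_of[name] = zm.group(1)
                if item.startswith(("ip address ", "ip unnumbered ")):
                    has_ip.add(name)
        elif header.startswith("webvpn context "):
            ctx = header.split(None, 2)[2]
            vtemplate[ctx] = None
            for item in body:
                vt = re.match(r"virtual-template (\d+)", item)
                if vt:
                    vtemplate[ctx] = "Virtual-Template" + vt.group(1)
    findings = []
    if not zone_of:
        return findings  # no zone-based firewall configured, nothing to check
    for name in sorted(has_ip - set(zone_of)):
        findings.append(f"{name}: IP interface in no security zone")
    for ctx, vt in sorted(vtemplate.items()):
        if vt is None:
            findings.append(f"webvpn context {ctx}: no virtual-template, tunnel traffic is unzoned")
        elif vt not in zone_of:
            findings.append(f"webvpn context {ctx}: {vt} is not in any security zone")
    return findings
```

Run against the posted config, the audit would also flag Vlan20 (the VoIP VLAN), which has no zone-member line and so cannot exchange traffic with in-zone or out-zone interfaces either.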