Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Cisco 1812 with ZBF blocking Cisco VPN client?
Hi,
I am running a Cisco 1812 with zone based firewall.
Basic config is
inside to outside - all allowed (tcp, udp, icmp)
outside to inside - block
When I use the Cisco VPN client anywhere else I can connect to another network and ping.
When I use it inside the network with the Cisco 1812 it connects but cant ping anything.
e.g. Windows 7 PC with VPN client -> LAN -> Cisco 1812 -> Internet -> Remote Site
I have turned up the logging on the vpn client and cant see any errors.
Just sending and receiving of ISAKMP OAK INFO.
The config is fairly basic and simple.
I know it is ZBF because when I take away the zone memberships off the interfaces it works just fine.
I am running a Cisco 1812 with zone based firewall.
Basic config is
inside to outside - all allowed (tcp, udp, icmp)
outside to inside - block
When I use the Cisco VPN client anywhere else I can connect to another network and ping.
When I use it inside the network with the Cisco 1812 it connects but cant ping anything.
e.g. Windows 7 PC with VPN client -> LAN -> Cisco 1812 -> Internet -> Remote Site
I have turned up the logging on the vpn client and cant see any errors.
Just sending and receiving of ISAKMP OAK INFO.
The config is fairly basic and simple.
I know it is ZBF because when I take away the zone memberships off the interfaces it works just fine.
ip source-route
!
class-map type inspect match-any all-out
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect InsideToOutside
class type inspect all-out
inspect
class class-default
drop
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
service-policy type inspect InsideToOutside
!
interface FastEthernet0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Virtual-Template1
ip unnumbered Loopback0
zone-member security Inside
!
interface Vlan1
no ip address
!
interface Vlan20
ip address 172.23.250.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Inside
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
zone-member security Outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
no cdp enable
!
ip forward-protocol nd
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
deny ip 172.23.250.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.23.250.0 0.0.0.255 any
!
logging esm config
dialer-list 1 protocol ip permi
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I haven't worked much with ZBF but my first thought is that IPSec consists of protocols beyond TCP, UDP and ICMP. Some of the required IPSec ports needed to be opened are UDP, but ESP is protocol 50. I would suggest including protocol 50 in your ACL. Let us know if that makes a difference in the behavior.
only ICMP is blocking ? all the other traffic is fine ?
just enable the audit/alert option of ZBF and chack the logs while passing ICMP traffic
just enable the audit/alert option of ZBF and chack the logs while passing ICMP traffic
check the Nat traversal is confgured at the VPN server . also check whehter the transpirt tunneling option is enabled in the client
Sorry I could not connect to any resources at all including ping.
The VPN connection it self connects without any issue.
I just found a solution
In the VPN Client modify the properties of your VPN profile.
Go to the Transport Tab
Transparent Tunneling was already enabled
I Changed IPSec over UDP ( NAT / PAT ) to IPSec over TCP.
The VPN connection it self connects without any issue.
I just found a solution
In the VPN Client modify the properties of your VPN profile.
Go to the Transport Tab
Transparent Tunneling was already enabled
I Changed IPSec over UDP ( NAT / PAT ) to IPSec over TCP.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial