Troubleshooting question

Cisco 1812 with ZBF blocking Cisco VPN client?

Asked by Eirejp (Japan)
Topics: Routers, VPN
7 Comments, 1 Solution, 1358 Views
Hi,

I am running a Cisco 1812 with zone based firewall.

Basic config is
inside to outside - all allowed (tcp, udp, icmp)
outside to inside - block

When I use the Cisco VPN client anywhere else I can connect to another network and ping.

When I use it inside the network with the Cisco 1812 it connects but can't ping anything.

e.g. Windows 7 PC with VPN client -> LAN -> Cisco 1812 -> Internet -> Remote Site

I have turned up the logging on the VPN client and can't see any errors.
Just sending and receiving of ISAKMP OAK INFO.

The config is fairly basic and simple.

I know it is ZBF because when I take away the zone memberships off the interfaces it works just fine.

ip source-route
!
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security Inside
!
interface Vlan1
 no ip address
!
interface Vlan20
 ip address 172.23.250.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Inside
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security Outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 no cdp enable
!
ip forward-protocol nd
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
 deny   ip 172.23.250.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.23.250.0 0.0.0.255 any
!
logging esm config
dialer-list 1 protocol ip permi
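Added example, not from the original post or from Cisco: a small Python model of the posted class-map and policy-map that reports how the flows an IPsec VPN client generates from the Inside zone to the Outside zone are classified. It assumes a simplified ZBF model (a match-any class matches if any of its "match protocol" lines does, and class-default receives everything else) and uses the IANA protocol numbers for UDP (17) and ESP (50).

```python
import re

# Config lines copied from the question above (the relevant part only)
ZBF_CONFIG = """\
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
"""

# IANA IP protocol numbers for the names used in "match protocol"
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}

def parse_zbf(text: str):
    """Return ({class: set(protocols)}, [(class, action), ...]) from IOS text.

    Simplified model: only match-any classes with "match protocol" lines."""
    classes, policy, current = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"class-map type inspect match-any (\S+)", line):
            current = classes.setdefault(m.group(1), set())
        elif (m := re.match(r"\s+match protocol (\S+)", line)) and current is not None:
            current.add(m.group(1))
        elif m := re.match(r" class (?:type inspect )?(\S+)", line):
            policy.append([m.group(1), None])
        elif m := re.match(r"  (inspect|pass|drop)\b", line):
            policy[-1][1] = m.group(1)
    return classes, [tuple(p) for p in policy]

def classify(ip_proto: int, classes, policy) -> str:
    """Action the policy-map applies to a packet of the given IP protocol."""
    name = IP_PROTO_NAMES.get(ip_proto, str(ip_proto))
    for cls, action in policy:
        if cls == "class-default" or name in classes.get(cls, ()):
            return action
    return "drop"  # implicit when no class matches

def vpn_client_report(text: str = ZBF_CONFIG) -> dict:
    """Classify the Inside->Outside flows an IPsec remote-access client sends."""
    classes, policy = parse_zbf(text)
    flows = {"IKE (UDP/500)": 17, "NAT-T (UDP/4500)": 17, "ESP (IP proto 50)": 50}
    return {n: classify(p, classes, policy) for n, p in flows.items()}
```

With the posted policy the UDP-carried IKE and NAT-T flows are inspected, while raw ESP has no matching class and falls to class-default drop; whether ESP is what the client actually sends depends on NAT-T negotiation, which this model does not cover.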

ASKER CERTIFIED SOLUTION
anoopkmr
Network and Security Infra Specialist
Join our community to see this answer!
Unlock 1 Answer and 7 Comments.