Cisco 1812 with ZBF blocking Cisco VPN client?

Eirejp asked
Last Modified: 2012-05-11
Hi,

I am running a Cisco 1812 with zone based firewall.

Basic config is
inside to outside - all allowed (tcp, udp, icmp)
outside to inside - block

When I use the Cisco VPN client anywhere else I can connect to another network and ping.

When I use it inside the network with the Cisco 1812, it connects but can't ping anything.

e.g. Windows 7 PC with VPN client -> LAN -> Cisco 1812 -> Internet -> Remote Site

I have turned up the logging on the VPN client and can't see any errors, just the sending and receiving of ISAKMP OAK INFO.

The config is fairly basic and simple.

I know it is ZBF because when I remove the zone memberships from the interfaces it works just fine.

ip source-route
!
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security Inside
!
interface Vlan1
 no ip address
!
interface Vlan20
 ip address 172.23.250.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Inside
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security Outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 no cdp enable
!
ip forward-protocol nd
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
 deny   ip 172.23.250.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.23.250.0 0.0.0.255 any
!
logging esm config
dialer-list 1 protocol ip permit
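One way to check, from the posted policy itself, which VPN-client flows the Inside-to-Outside zone pair will inspect and which fall through to the class-default drop. This is an added Python model, not part of the question or of any answer on the page; it assumes the class-map matches only the L3/L4 protocol keywords shown, and the sample flows (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, AH as IP protocol 51) are constructed for the demonstration.

```python
import re

# Constructed copy of the relevant lines from the posted ZBF configuration.
ZBF_CONFIG = """
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
"""

# IP protocol numbers for the flows a VPN client generates (IANA assignments).
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}


def parse_match_any_protocols(config, class_name):
    """Collect the 'match protocol' keywords of one match-any inspect class-map.

    Only L3/L4 keywords (tcp, udp, icmp) are modelled; L7 keywords such as
    'http' would need mapping to their transport and are not handled here.
    """
    protos, in_class = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command ends the current block
            in_class = (line.startswith("class-map type inspect")
                        and line.split()[-1] == class_name)
            continue
        m = re.match(r"\s+match protocol (\S+)", line)
        if in_class and m:
            protos.add(m.group(1))
    return protos


def zbf_action(ip_proto, allowed):
    """'inspect' if the flow's IP protocol is matched by the class, else the
    class-default action, which in the posted policy is 'drop'."""
    return "inspect" if IP_PROTO_NAMES.get(ip_proto) in allowed else "drop"


def evaluate_vpn_flows(config=ZBF_CONFIG):
    """Run constructed VPN-client flows (inside -> outside) through the policy."""
    allowed = parse_match_any_protocols(config, "all-out")
    flows = {  # constructed sample flows, not taken from the poster's capture
        "IKE/ISAKMP (UDP 500)": 17,
        "NAT-T (UDP 4500)": 17,
        "ESP (IP protocol 50)": 50,
        "AH (IP protocol 51)": 51,
    }
    return {name: zbf_action(proto, allowed) for name, proto in flows.items()}
```

A flow that lands on `drop` here is the first thing to verify on the router itself, for example with `show policy-map type inspect zone-pair InsideToOutside`, whose class-default drop counters would increment while the tunnel is up but pings fail.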
