Eirejp (Japan) asked:

Cisco 1812 with ZBF blocking Cisco VPN client?

Hi,

I am running a Cisco 1812 with zone based firewall.

Basic config is
inside to outside - all allowed (tcp, udp, icmp)
outside to inside - block

When I use the Cisco VPN client anywhere else, I can connect to another network and ping.

When I use it inside the network with the Cisco 1812, it connects but can't ping anything.

e.g. Windows 7 PC with VPN client -> LAN -> Cisco 1812 -> Internet -> Remote Site

I have turned up the logging on the VPN client and can't see any errors.
Just sending and receiving of ISAKMP OAK INFO.

The config is fairly basic and simple.

I know it is ZBF because when I take away the zone memberships off the interfaces it works just fine.
ip source-route
!
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security Inside
!
interface Vlan1
 no ip address
!
interface Vlan20
 ip address 172.23.250.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Inside
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 zone-member security Outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 no cdp enable
!
ip forward-protocol nd
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
 deny   ip 172.23.250.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.23.250.0 0.0.0.255 any
!
logging esm config
dialer-list 1 protocol ip permi

Tags: Routers, VPN
John Meggers (United States of America):

I haven't worked much with ZBF, but my first thought is that IPSec consists of protocols beyond TCP, UDP and ICMP.  Some of the required IPSec ports that need to be opened are UDP, but ESP is protocol 50.  I would suggest including protocol 50 in your ACL.  Let us know if that makes a difference in the behavior.
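To make the point in this answer concrete against the asker's own config, here is an added example (not code from the thread and not a Cisco tool) that re-implements the first-match evaluation of a `policy-map type inspect` in plain Python and runs the question's class-map, policy-map and zone-pair against each component of an IPsec session. The function and table names (`parse_zbf`, `evaluate`, `audit_ipsec`, `PROTO_NUMBERS`) are assumptions of this example, and it models only the plain `match protocol tcp|udp|icmp` keywords that appear in the question, not ACL-based matches or nested class-maps.

```python
"""Evaluate which IP protocols the zone-based firewall policy from the
question would inspect or drop between the Inside and Outside zones.
Added example: a small model of ZBF first-match semantics, not IOS code."""

# Constructed from the class-map / policy-map / zone-pair lines in the question.
ZBF_CONFIG = """\
class-map type inspect match-any all-out
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect InsideToOutside
 class type inspect all-out
  inspect
 class class-default
  drop
!
zone-pair security InsideToOutside source Inside destination Outside
 service-policy type inspect InsideToOutside
"""

# IP protocol numbers behind the 'match protocol <keyword>' lines we model
# (assumption: only the L4 keywords used in the question's config).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_zbf(text):
    """Parse class-maps, policy-maps and zone-pairs from an IOS config excerpt."""
    class_maps, policy_maps, zone_pairs = {}, {}, {}
    current = None  # (kind, name) of the block whose children we are reading
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        indent = len(line) - len(line.lstrip())
        tok = line.split()
        if indent == 0:
            if tok[0] == "class-map":          # class-map type inspect match-any NAME
                current = ("cm", tok[-1])
                class_maps[tok[-1]] = {"mode": tok[3], "matches": []}
            elif tok[0] == "policy-map":       # policy-map type inspect NAME
                current = ("pm", tok[-1])
                policy_maps[tok[-1]] = []      # ordered list of [class, action]
            elif tok[0] == "zone-pair":        # zone-pair security NAME source S destination D
                current = ("zp", tok[2])
                zone_pairs[tok[2]] = {"source": tok[4], "destination": tok[6], "policy": None}
            else:
                current = None                 # interface, ip nat, etc.: ignored here
        elif current and current[0] == "cm" and tok[0] == "match":
            class_maps[current[1]]["matches"].append(tuple(tok[1:]))
        elif current and current[0] == "pm":
            if tok[0] == "class":              # 'class type inspect X' or 'class class-default'
                policy_maps[current[1]].append([tok[-1], None])
            elif policy_maps[current[1]]:      # action line: inspect / pass / drop
                policy_maps[current[1]][-1][1] = tok[0]
        elif current and current[0] == "zp" and tok[0] == "service-policy":
            zone_pairs[current[1]]["policy"] = tok[-1]
    return class_maps, policy_maps, zone_pairs


def class_matches(cm, proto):
    """Does IP protocol number `proto` hit this class-map's protocol matches?"""
    hits = [PROTO_NUMBERS.get(m[1]) == proto for m in cm["matches"] if m[0] == "protocol"]
    if not hits:
        return False
    return any(hits) if cm["mode"] == "match-any" else all(hits)


def evaluate(config, src_zone, dst_zone, proto):
    """Return the action (inspect/pass/drop) the policy applies to this protocol."""
    class_maps, policy_maps, zone_pairs = parse_zbf(config)
    for zp in zone_pairs.values():
        if zp["source"] == src_zone and zp["destination"] == dst_zone:
            for name, action in policy_maps[zp["policy"]]:
                if name == "class-default" or class_matches(class_maps[name], proto):
                    return action
    # No zone-pair between two different zones: ZBF drops the traffic.
    return "drop"


def audit_ipsec(config):
    """Summarise how the Inside->Outside policy treats each IPsec component."""
    flows = {
        "ISAKMP / NAT-T / IPsec over UDP (UDP)": 17,
        "IPsec over TCP (TCP)": 6,
        "ESP (IP protocol 50)": 50,
        "AH (IP protocol 51)": 51,
    }
    return {label: evaluate(config, "Inside", "Outside", p) for label, p in flows.items()}


if __name__ == "__main__":
    for label, action in audit_ipsec(ZBF_CONFIG).items():
        print(f"{label:40s} -> {action}")
```

Run as written, the audit shows that the only IPsec components this policy drops are native ESP and AH, which fall through the TCP/UDP/ICMP class into `class-default`; the TCP encapsulation the asker eventually switched to is matched by `match protocol tcp` and inspected. It also shows a limit of reasoning from the class-map alone: the client's "IPsec over UDP" mode is itself UDP and would be inspected, so the class-map does not by itself explain the asker's failure in that mode, and the thread does not identify that cause.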
anoopkmr (United States of America):

Is only ICMP being blocked? Is all the other traffic fine?

Just enable the audit/alert option of ZBF and check the logs while passing ICMP traffic.
John Meggers (United States of America):

Oops, my bad.  I missed the line that the VPN was actually connecting.
ASKER CERTIFIED SOLUTION
anoopkmr (United States of America):

Eirejp (Japan, asker):

Sorry, I could not connect to any resources at all, including ping.
The VPN connection itself connects without any issue.

I just found a solution:

In the VPN Client, modify the properties of your VPN profile.
Go to the Transport tab.
Transparent Tunneling was already enabled.
I changed IPSec over UDP (NAT / PAT) to IPSec over TCP.

anoopkmr (United States of America):

great
Eirejp (Japan, asker):

This helped me in the right direction.