topic Re: Unable to connect to SSL VPN website with zone firewall conf in Network Security

Unable to connect to SSL VPN website with zone firewall configured

Matthew Spire — Tue, 12 Mar 2019 02:46:45 GMT

I have recently updated my company 2911 and implemented a Zone Based Firewall. This is my first experience with this and I used Cisco Configuration Professional to build the initial firewall configuration and then edited the names to make it readable by humans. The only problem I can't solve is getting to the SSL VPN website from the outside. I can navigate to the website and connect with no problem from the inside, and even though this was useful to verify that the routing and website was working correctly that's really not what I'm going for. I'm not getting anything on the syslog server for drops due to the firewall or for any other reason but packet captures show that no reply is being received when attempting to navigate to the website from the outside. I'm currently using an IPSEC VPN client solution until I can get this working and have no issues with it. I've attached a sanitized configuration with the relevant lines included (removed ~400 lines including logging, many inspections conducted on traffic from the in-zone to out-zone, and the ipsec vpn that I've mentioned). I've searched for anything relating to this problem and no one has any issue connecting to their website, just in getting other features to work properly. Any thoughts are welcome.

Show Zone Security

zone in-zone

Member Interfaces:

GigabitEthernet0/0.15

GigabitEthernet0/0.30

GigabitEthernet0/0.35

GigabitEthernet0/0.45

zone out-zone

Member Interfaces:

GigabitEthernet0/1

zone sslvpn-zone

Member Interfaces:

Virtual-Template1

SSLVPN-VIF0

I have attempted changing the zone membership on the Virtual-Template1 interface to out-zone to no avail.

Show Zone-pair Security

Zone-pair name SSLVPN-TO-IN

Source-Zone sslvpn-zone Destination-Zone in-zone

service-policy SSLVPN-TO-IN-POLICY

Zone-pair name IN-TO-SSLVPN

Source-Zone in-zone Destination-Zone sslvpn-zone

service-policy IN-TO-SSLVPN-POLICY

Zone-pair name SELF-TO-SSLVPN

Source-Zone self Destination-Zone sslvpn-zone

service-policy SELF-TO-SSLVPN-POLICY

Zone-pair name IN->SELF

Source-Zone in-zone Destination-Zone self

service-policy IN-TO-SELF-POLICY

Zone-pair name IN->IN

Source-Zone in-zone Destination-Zone in-zone

service-policy IN-TO-IN-POLICY

Zone-pair name SELF->OUT

Source-Zone self Destination-Zone out-zone

service-policy SELF-TO-OUT-POLICY

Zone-pair name OUT->SELF

Source-Zone out-zone Destination-Zone self

service-policy OUT-TO-SELF-POLICY

Zone-pair name IN->OUT

Source-Zone in-zone Destination-Zone out-zone

service-policy ALLOW-ALL

Zone-pair name OUT->IN

Source-Zone out-zone Destination-Zone in-zone

service-policy OUT-TO-IN-POLICY

Zone-pair name SSLVPN-TO-SELF

Source-Zone sslvpn-zone Destination-Zone self

service-policy SSLVPN-TO-SELF-POLICY

I have also tried adding a zone-pair for out-zone to sslvpn-zone passing all traffic and it changes nothing.

In-zone Networks

G0/0.15

172.16.0.1 /26

G0/0.30

172.16.0.65 /26

G0/0.35

172.16.0.129 /25

G0/0.45

172.18.0.1 /28

SSL VPN Pool

172.20.0.1 - 172.20.0.14

Current IOS Version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

Unable to connect to SSL VPN website with zone firewall configur

Maykol Rojas — Fri, 04 Oct 2013 00:32:28 GMT

Hi Matthew

Would you enable the ip inspect log drop-pkt and then do term mon?

I think where the problem may reside, I just need a drop log to confirm it.

Mike

Re: Unable to connect to SSL VPN website with zone firewall conf

Matthew Spire — Fri, 04 Oct 2013 00:45:34 GMT

Thanks for taking a look at this Maykol.

I actually have that line already in and have used it to troubleshoot various issues already. On the production router I have logging and SNMPv3 configured to send everything to my NMS. When accessing the website from an outside network no packets are shown as dropped but no reply is ever received, which has been verified using a packet capture. This is the part that's really stumping me. I don't know of a debug command specific enough not to crash the router that I could use to look into this further either.

What was the thought you had? I can still look into it especially since I've run into a brick wall on this.

Re: Unable to connect to SSL VPN website with zone firewall conf

Maykol Rojas — Fri, 04 Oct 2013 00:55:16 GMT

If any debugs, the ones I would suggest are in regards to web-vpn.

Can you see the firewall listening on port 443?

Run show control-plane host open-ports and see if you catch SSL in there.

Mike

Re: Unable to connect to SSL VPN website with zone firewall conf

Maykol Rojas — Fri, 04 Oct 2013 00:55:44 GMT

More important, was it running prior putting Zone based in?

Mike

Re: Unable to connect to SSL VPN website with zone firewall conf

Matthew Spire — Fri, 04 Oct 2013 04:16:01 GMT

Unfortunately the license for SSL VPN was purchased for implementation during the outage I used to upgrade the router and implement the zone based firewall so it wasn't there beforehand. I am able to connect to the website from the inside network though. I'll verify the ports first thing tomorrow morning. Thanks.

Matt

Re: Unable to connect to SSL VPN website with zone firewall conf

Matthew Spire — Fri, 04 Oct 2013 13:59:05 GMT

The router is listening on the correct ports. I had the idea to try a static nat statement and I was finally able to receive a dropped packet message. Once I took the tcp inspection off the out-zone to self zone-pair I could access the website from the outside.

I don't know why I need the nat statement in order for the website to be reachable, especially since I haven't seen a single instance where that was used in a configuration example, but the fact remains that it's working now. I have some more research to do to see if I can't implement a more specific tcp inspection rule but it's up and working now.

Thanks for the help Mike.

Re: Unable to connect to SSL VPN website with zone firewall conf

Maykol Rojas — Fri, 04 Oct 2013 16:15:01 GMT

Glad is working now. Weird issue, no doubt.

I guess on the deployment guide stated that the firewall wont support TCP inspection to the self zone, however, nested class-maps are used to accomplish that, to be fully honest, I think it is a mess and the best thing to do is have the pass action to self for the protocols you want to and then drop the rest.

Let us know if you run into any other issue.

Mike