Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
3
Replies

Allow local user access to remote VPN

Peter von Nostrand
Level 1
Level 1

‎10-04-2011 11:54 AM - edited ‎03-11-2019 02:33 PM

Hello, I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone, There is a document that describe a solution to this? What IP adressess should I use? Thanks.

Labels:
0 Helpful
3 Replies 3

Peter von Nostrand
Level 1
Level 1

‎10-05-2011 01:14 PM

OK, let's try again.

A user from my local LAN is trying to access a REMOTE SERVICE through a REMOTE VPN SERVER. Since I'm using a Zone Based Firewall, what would be the rules to permit first the connection to the REMOTE VPN SERVER (using IPSEC) and second allow traffic from LOCAL PC to REMOTE SERVICE.

What IP numbers should I use to the source address? Those provided by the REMOTE VPN SERVER or my LOCAL ones. Any pointers will be appreciated. Thanks.

0 Helpful

Maykol Rojas
Cisco Employee
Cisco Employee
In response to Peter von Nostrand

‎10-05-2011 10:13 PM

Hi,

What kind of VPN are you using?

If the local PC needs to access the Remote service, it will need to connect to the IP address across the tunnel, so the remote service when replies back. 

So your zone based should have a policy allowing from the local PC to the Remote service (in-zone to outside) and then another one (Out-zone to in-zone)

Make sure that the policy is located at first, so other inspections will not hit first.

Mike.

Mike
0 Helpful

Peter von Nostrand
Level 1
Level 1
In response to Maykol Rojas

‎10-06-2011 11:17 AM

Hey, 

Maykol Rojas wrote:
Hi, 
What kind of VPN are you using?

The local user access an IPSEC VPN on the REMOTE VPN SERVER.

If the local PC needs to access the Remote service, it will need to connect to the IP address across the tunnel, so the remote service when replies back.  
So your zone based should have a policy allowing from the local PC to the Remote service (in-zone to outside) and then another one (Out-zone to in-zone)

In ZBF, returning traffic from inspected outgoing traffic is permitted, is this right? Should I allow traffic from the remote LAN although it was permited the traffic from my LAN?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card