10-03-2013 05:58 AM - edited 03-11-2019 07:46 PM
I have recently updated my company's 2911 and implemented a Zone Based Firewall. This is my first experience with this; I used Cisco Configuration Professional to build the initial firewall configuration and then edited the names to make it readable by humans. The only problem I can't solve is getting to the SSL VPN website from the outside. I can navigate to the website and connect with no problem from the inside, and even though this was useful to verify that the routing and website were working correctly, that's really not what I'm going for. I'm not getting anything on the syslog server for drops due to the firewall or for any other reason, but packet captures show that no reply is being received when attempting to navigate to the website from the outside. I'm currently using an IPsec VPN client solution until I can get this working and have no issues with it. I've attached a sanitized configuration with the relevant lines included (removed ~400 lines including logging, many inspections conducted on traffic from the in-zone to out-zone, and the IPsec VPN that I've mentioned). I've searched for anything relating to this problem and no one has any issue connecting to their website, just in getting other features to work properly. Any thoughts are welcome.
Show Zone Security
zone in-zone
Member Interfaces:
GigabitEthernet0/0.15
GigabitEthernet0/0.30
GigabitEthernet0/0.35
GigabitEthernet0/0.45
zone out-zone
Member Interfaces:
GigabitEthernet0/1
zone sslvpn-zone
Member Interfaces:
Virtual-Template1
SSLVPN-VIF0
I have attempted changing the zone membership on the Virtual-Template1 interface to out-zone to no avail.
Show Zone-pair Security
Zone-pair name SSLVPN-TO-IN
Source-Zone sslvpn-zone Destination-Zone in-zone
service-policy SSLVPN-TO-IN-POLICY
Zone-pair name IN-TO-SSLVPN
Source-Zone in-zone Destination-Zone sslvpn-zone
service-policy IN-TO-SSLVPN-POLICY
Zone-pair name SELF-TO-SSLVPN
Source-Zone self Destination-Zone sslvpn-zone
service-policy SELF-TO-SSLVPN-POLICY
Zone-pair name IN->SELF
Source-Zone in-zone Destination-Zone self
service-policy IN-TO-SELF-POLICY
Zone-pair name IN->IN
Source-Zone in-zone Destination-Zone in-zone
service-policy IN-TO-IN-POLICY
Zone-pair name SELF->OUT
Source-Zone self Destination-Zone out-zone
service-policy SELF-TO-OUT-POLICY
Zone-pair name OUT->SELF
Source-Zone out-zone Destination-Zone self
service-policy OUT-TO-SELF-POLICY
Zone-pair name IN->OUT
Source-Zone in-zone Destination-Zone out-zone
service-policy ALLOW-ALL
Zone-pair name OUT->IN
Source-Zone out-zone Destination-Zone in-zone
service-policy OUT-TO-IN-POLICY
Zone-pair name SSLVPN-TO-SELF
Source-Zone sslvpn-zone Destination-Zone self
service-policy SSLVPN-TO-SELF-POLICY
I have also tried adding a zone-pair for out-zone to sslvpn-zone passing all traffic and it changes nothing.
In-zone Networks
G0/0.15
172.16.0.1 /26
G0/0.30
172.16.0.65 /26
G0/0.35
172.16.0.129 /25
G0/0.45
172.18.0.1 /28
SSL VPN Pool
172.20.0.1 - 172.20.0.14
Current IOS Version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)
10-04-2013 09:15 AM
Glad it is working now. Weird issue, no doubt.
I guess the deployment guide stated that the firewall won't support TCP inspection to the self zone; however, nested class-maps are used to accomplish that. To be fully honest, I think it is a mess, and the best thing to do is to have the pass action to self for the protocols you want and then drop the rest.
Let us know if you run into any other issue.
Mike
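As an added example of the approach Mike describes (this is not the poster's attached configuration, which is not reproduced in the thread), the out-zone/self zone-pairs rewritten with pass and drop only, so that nothing toward the self zone is inspected: TCP 443 for the WebVPN gateway plus IKE, NAT-T and ESP for the IPsec client the poster is running in the meantime. The zone-pair and policy-map names are taken from the show output above; the outside address 203.0.113.10, the ACL and class-map names, and the choice of protocols are assumptions.

```cisco
! Added example: out-zone <-> self with pass/drop only (no inspect toward self).
! 203.0.113.10 is an assumed placeholder for the router's address on Gi0/1.
ip access-list extended OUT-TO-SELF-ACL
 remark SSL VPN portal: WebVPN gateway listening on 443
 permit tcp any host 203.0.113.10 eq 443
 remark IPsec VPN client: IKE (500), NAT-T (4500) and ESP (assumed; drop if unused)
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
! pass is stateless and one-way on the self zone, so the router's replies
! need their own entries in the self -> out direction.
ip access-list extended SELF-TO-OUT-ACL
 permit tcp host 203.0.113.10 eq 443 any
 permit udp host 203.0.113.10 eq isakmp any
 permit udp host 203.0.113.10 eq non500-isakmp any
 permit esp host 203.0.113.10 any
!
class-map type inspect match-all OUT-TO-SELF-CLASS
 match access-group name OUT-TO-SELF-ACL
class-map type inspect match-all SELF-TO-OUT-CLASS
 match access-group name SELF-TO-OUT-ACL
!
! Only pass and drop here: no "inspect" action in either self-zone policy.
policy-map type inspect OUT-TO-SELF-POLICY
 class type inspect OUT-TO-SELF-CLASS
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect SELF-TO-OUT-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUT->SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF-POLICY
zone-pair security SELF->OUT source self destination out-zone
 service-policy type inspect SELF-TO-OUT-POLICY
!
! Log what the class-default drop discards so a missing pass entry shows up in syslog.
ip inspect log drop-pkt
```

Two things to check after applying something like this. First, because class-default on SELF->OUT now drops, any traffic the router itself originates toward the outside (DNS, NTP, ICMP, a DHCP lease on Gi0/1) needs its own pass entry in SELF-TO-OUT-ACL, or it will start failing silently apart from the drop-pkt log line. Second, verify with show control-plane host open-ports that the router is actually listening on 443, then watch the pass and drop counters with show policy-map type inspect zone-pair OUT->SELF while connecting from outside; an outside SYN that increments the drop counter on class-default means the ACL does not match it, while one that increments pass but never gets a reply points at the SELF->OUT direction.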
10-03-2013 05:32 PM
Hi Matthew
Would you enable the ip inspect log drop-pkt and then do term mon?
I think I know where the problem may reside; I just need a drop log to confirm it.
Mike
10-03-2013 05:45 PM
Thanks for taking a look at this Maykol.
I actually have that line in already and have used it to troubleshoot various issues. On the production router I have logging and SNMPv3 configured to send everything to my NMS. When accessing the website from an outside network, no packets are shown as dropped, but no reply is ever received, which has been verified using a packet capture. This is the part that's really stumping me. I don't know of a debug command specific enough not to crash the router that I could use to look into this further, either.
What was the thought you had? I can still look into it especially since I've run into a brick wall on this.
10-03-2013 05:55 PM
If any debugs, the ones I would suggest are the ones regarding webvpn.
Can you see the firewall listening on port 443?
Run show control-plane host open-ports and see if you catch SSL in there.
Mike
10-03-2013 05:55 PM
More important, was it running prior to putting Zone Based in?
Mike
10-03-2013 09:16 PM
Unfortunately the license for SSL VPN was purchased for implementation during the outage I used to upgrade the router and implement the zone based firewall, so it wasn't there beforehand. I am able to connect to the website from the inside network, though. I'll verify the ports first thing tomorrow morning. Thanks.
Matt
10-04-2013 06:59 AM
The router is listening on the correct ports. I had the idea to try a static NAT statement and I was finally able to receive a dropped packet message. Once I took the TCP inspection off the out-zone to self zone-pair, I could access the website from the outside.
I don't know why I need the NAT statement in order for the website to be reachable, especially since I haven't seen a single instance where that was used in a configuration example, but the fact remains that it's working now. I have some more research to do to see if I can't implement a more specific TCP inspection rule, but it's up and working now.
Thanks for the help Mike.