Unable to connect to SSL VPN website with zone firewall configured

Matthew Spire
Level 1

I have recently updated my company's 2911 and implemented a Zone-Based Firewall.  This is my first experience with this, and I used Cisco Configuration Professional to build the initial firewall configuration and then edited the names to make them readable by humans.  The only problem I can't solve is getting to the SSL VPN website from the outside.  I can navigate to the website and connect with no problem from the inside, and even though this was useful to verify that the routing and website were working correctly, that's really not what I'm going for.  I'm not getting anything on the syslog server for drops due to the firewall or for any other reason, but packet captures show that no reply is being received when attempting to navigate to the website from the outside.  I'm currently using an IPsec VPN client solution until I can get this working and have no issues with it.  I've attached a sanitized configuration with the relevant lines included (removed ~400 lines including logging, many inspections conducted on traffic from the in-zone to out-zone, and the IPsec VPN that I've mentioned).  I've searched for anything relating to this problem and no one has any issue connecting to their website, just in getting other features to work properly.  Any thoughts are welcome.

show zone security

zone in-zone
   Member Interfaces:
     GigabitEthernet0/0.15
     GigabitEthernet0/0.30
     GigabitEthernet0/0.35
     GigabitEthernet0/0.45
zone out-zone
   Member Interfaces:
     GigabitEthernet0/1
zone sslvpn-zone
   Member Interfaces:
     Virtual-Template1
     SSLVPN-VIF0

I have attempted changing the zone membership on the Virtual-Template1 interface to out-zone to no avail.

show zone-pair security

Zone-pair name SSLVPN-TO-IN
    Source-Zone sslvpn-zone  Destination-Zone in-zone
    service-policy SSLVPN-TO-IN-POLICY
Zone-pair name IN-TO-SSLVPN
    Source-Zone in-zone  Destination-Zone sslvpn-zone
    service-policy IN-TO-SSLVPN-POLICY
Zone-pair name SELF-TO-SSLVPN
    Source-Zone self  Destination-Zone sslvpn-zone
    service-policy SELF-TO-SSLVPN-POLICY
Zone-pair name IN->SELF
    Source-Zone in-zone  Destination-Zone self
    service-policy IN-TO-SELF-POLICY
Zone-pair name IN->IN
    Source-Zone in-zone  Destination-Zone in-zone
    service-policy IN-TO-IN-POLICY
Zone-pair name SELF->OUT
    Source-Zone self  Destination-Zone out-zone
    service-policy SELF-TO-OUT-POLICY
Zone-pair name OUT->SELF
    Source-Zone out-zone  Destination-Zone self
    service-policy OUT-TO-SELF-POLICY
Zone-pair name IN->OUT
    Source-Zone in-zone  Destination-Zone out-zone
    service-policy ALLOW-ALL
Zone-pair name OUT->IN
    Source-Zone out-zone  Destination-Zone in-zone
    service-policy OUT-TO-IN-POLICY
Zone-pair name SSLVPN-TO-SELF
    Source-Zone sslvpn-zone  Destination-Zone self
    service-policy SSLVPN-TO-SELF-POLICY

I have also tried adding a zone-pair for out-zone to sslvpn-zone passing all traffic and it changes nothing.

In-zone networks:

G0/0.15    172.16.0.1 /26
G0/0.30    172.16.0.65 /26
G0/0.35    172.16.0.129 /25
G0/0.45    172.18.0.1 /28

SSL VPN pool:

172.20.0.1 - 172.20.0.14

Current IOS version:

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M10, RELEASE SOFTWARE (fc1)

Accepted Solution

Glad it's working now. Weird issue, no doubt.

I guess the deployment guide stated that the firewall won't support TCP inspection to the self zone; however, nested class-maps are used to accomplish that. To be fully honest, I think it is a mess, and the best thing to do is have the pass action to self for the protocols you want and then drop the rest.

Let us know if you run into any other issues.

Mike
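The approach Mike describes (pass to the self zone only for the router-terminated protocols you need, then drop the rest) written out as an added illustration; it is not the poster's configuration. The zone and zone-pair names come from the show output earlier in the thread; the class-map name OUT-TO-SELF-PASS is assumed, and the SSL VPN portal is assumed to be on the default HTTPS port.

```cisco
! Added example, not the poster's running config. Zone and zone-pair names
! are taken from the thread; the class-map name is assumed.
!
! Traffic from the outside to the router itself (self zone): pass only the
! SSL VPN portal (HTTPS). Everything else to self is dropped and logged, so
! the syslog drop messages the poster was missing are produced.
class-map type inspect match-any OUT-TO-SELF-PASS
 match protocol https
!
policy-map type inspect OUT-TO-SELF-POLICY
 class type inspect OUT-TO-SELF-PASS
  pass
 class class-default
  drop log
!
! pass is stateless and one-directional: no session is created, so the
! router's replies on TCP/443 need a matching pass on the self -> out pair.
! Only the added class is shown; the rest of the existing SELF-TO-OUT-POLICY
! (the router's own DNS, NTP, syslog, IPsec, etc.) is left as it was.
policy-map type inspect SELF-TO-OUT-POLICY
 class type inspect OUT-TO-SELF-PASS
  pass
!
zone-pair security OUT->SELF source out-zone destination self
 service-policy type inspect OUT-TO-SELF-POLICY
zone-pair security SELF->OUT source self destination out-zone
 service-policy type inspect SELF-TO-OUT-POLICY
!
! Keep dropped-packet logging on while verifying, as suggested in the thread.
ip inspect log drop-pkt
```

With TCP inspection removed from the out-zone to self pair and replaced by a narrow pass, `show control-plane host open-ports` should still show the portal listening on 443, and any other unsolicited traffic to the router from the outside now appears as a logged drop instead of silently failing.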


7 Replies

Maykol Rojas
Cisco Employee

Hi Matthew,

Would you enable ip inspect log drop-pkt and then do term mon?

I think I know where the problem may reside; I just need a drop log to confirm it.

Mike

Thanks for taking a look at this, Maykol.

I actually have that line in already and have used it to troubleshoot various issues.  On the production router I have logging and SNMPv3 configured to send everything to my NMS.  When accessing the website from an outside network, no packets are shown as dropped, but no reply is ever received, which has been verified using a packet capture.  This is the part that's really stumping me.  I don't know of a debug command specific enough not to crash the router that I could use to look into this further, either.

What was the thought you had?  I can still look into it especially since I've run into a brick wall on this.

If any debugs, the ones I would suggest are in regard to web-vpn.

Can you see the firewall listening on port 443?

Run show control-plane host open-ports and see if you catch SSL in there.

Mike

More important, was it running prior to putting Zone-Based in?

Mike

Unfortunately, the license for SSL VPN was purchased for implementation during the outage I used to upgrade the router and implement the zone-based firewall, so it wasn't there beforehand.  I am able to connect to the website from the inside network, though.  I'll verify the ports first thing tomorrow morning.  Thanks.

Matt

The router is listening on the correct ports.  I had the idea to try a static NAT statement, and I was finally able to receive a dropped-packet message.  Once I took the TCP inspection off the out-zone to self zone-pair, I could access the website from the outside.

I don't know why I need the NAT statement in order for the website to be reachable, especially since I haven't seen a single instance where that was used in a configuration example, but the fact remains that it's working now.  I have some more research to do to see if I can't implement a more specific TCP inspection rule, but it's up and working now.

Thanks for the help Mike.
