Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
1
Replies

VPN issue after configuring the Firewall by using CCP on Cisco 881 router

Go to solution
phyopaingag
Level 1
Level 1

‎07-26-2011 07:21 AM - edited ‎03-11-2019 02:03 PM

Hi,

I have got a problem to access to the servers inside the LAN through VPN tunnel after setting up the firewall on the Cisco 881-K9 router.

The configuration, attached file (RunningConfig_with_vpn_before_firewall_enabled.txt), is working fine for VPN users to access to the LAN servers.

I used the CLI when I was doing that configuration.

But for firewall, I used the Cisco Configuration Professional. After setting up the firewall by using CCP, the problem occured like, VPN connection from the client machine to the server is still OK to connect. NAT is still working fine. E-mail traffic to the Mail Server don't get problem. Still can use Outlook Web Access.

But vpn users can ping only to one server which is mail server. Actually there are 2 more servers and vpn users can't get to these 2 servers.

Please someone check my configuration files attached and advise me back.

Thanks a lot in advance.

Labels:
110526-RunningConfig_with_vpn_before_firewall_enabled.txt.zip
110525-RunningConfig_after_firewall_enabled_and_added_HQ_office_IP..txt.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Atul Singh
Level 1
Level 1

‎08-03-2011 03:07 PM

Hi Phyo,

I think, with this config they are able to reach only 192.168.1.2. VPN users also fall in the outside zone and you should inspect the traffic from VPN users to Internal n/w (Or servers) in out-in zone pair.

Something like this:

access-list 199 permit ip

!

class-map type inspect vpn-inbound

match access-group 199

!

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect vpn-inbound

inspect

!

-Atul

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Atul Singh
Level 1
Level 1

‎08-03-2011 03:07 PM

Hi Phyo,

I think, with this config they are able to reach only 192.168.1.2. VPN users also fall in the outside zone and you should inspect the traffic from VPN users to Internal n/w (Or servers) in out-in zone pair.

Something like this:

access-list 199 permit ip

!

class-map type inspect vpn-inbound

match access-group 199

!

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect vpn-inbound

inspect

!

-Atul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card