03-02-2009 07:57 AM - edited 03-11-2019 07:59 AM
I am trying to set up a VPN using an 871 router. The VPN is to be used by a remote client who will gain remote access to a PC using NetSupport software, a product similar to PCAnywhere. I am able to establish the VPN connection, but the NetSupport software at the client is unable to connect to the PC behind the router. I have not been able to figure out how to configure the router's firewall to allow NetSupport (port 5405) traffic. My attempt so far consists of the following:
I created a port to application mapping for NetSupport:
ip port-map user-NetSupport port tcp 5405
I created a class map:
class-map type inspect match-any sdm_NetSupport_traffic
 match protocol user-NetSupport
I created a second class map (probably unnecessary, but I was trying to replicate what SDM had created for the VPN):
class-map type inspect match-all sdm_NetSupport_pt
 match class-map sdm_NetSupport_traffic
I created a policy map:
policy-map type inspect sdm-permit-netsupport
 class type inspect sdm_NetSupport_pt
  inspect
 class type inspect SDM_IP
  pass
 class class-default
  drop
I then applied this policy to the VPN/Inzone zone pair
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-netsupport
I apologise for my lack of IOS knowledge. I have looked at all the Cisco documents on zone-based firewalls, and what I have done seems to make sense according to what I have read. Any help would be greatly appreciated. I have attached my running config.
03-02-2009 04:02 PM
Hi,
Besides the NetSupport traffic, are you able to see whether any other traffic can be communicated between the remote VPN client and the local PC?
For troubleshooting, instead of using the class-map to inspect NetSupport traffic, can you inspect all traffic (i.e. any to any) using the same policy-maps and zone-pair configs and see if that works?
Do you have a TAC case opened for this?
Thanks.
Alex Yeung
03-03-2009 10:16 AM
Hi Alex
The answer to the first question is no. I have not even been able to ping the local PC over the VPN. I tried to inspect all traffic by doing the following:
ip access-list extended SDM_ALL_TCP
 remark SDM_ACL Category=1
 permit tcp any any
 exit
class-map type inspect match-any sdm_all_tcp_cmap
 match access-group name SDM_ALL_TCP
 exit
policy-map type inspect sdm_inspect_tcp_all
 class type inspect sdm_all_tcp_cmap
  no drop
  inspect
  exit
 exit
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 no service-policy type inspect sdm-permit-netsupport
 service-policy type inspect sdm_inspect_tcp_all
 exit
but it made no difference. I have now opened a TAC case but thanks for your help anyway.
Best Regards
David
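The following is an added example and not configuration from either post in this thread. It is a complete zone-based firewall fragment for the scenario the first post describes (NetSupport on TCP 5405 from an Easy VPN client into the LAN) and folds in the "inspect everything" test from the second post as an ICMP class, so that a plain ping across the tunnel can be used to prove the zone-pair works before the application is tried. Only the port-map line and the zone names ezvpn-zone and in-zone come from the thread; the interface names, the Virtual-Template number and the class-map, policy-map and zone-pair names are assumptions.

```ios
! Added example, not the thread's own configuration. Interface and
! object names are assumptions; adjust them to the running config.
!
! 1. Port-to-application map. User-defined names must start with "user-".
ip port-map user-NetSupport port tcp 5405
!
! 2. Classify what may cross from the VPN zone into the LAN.
!    ICMP is included so a ping can be used as a first test.
class-map type inspect match-any ZBF_VPN_TO_LAN
 match protocol user-NetSupport
 match protocol icmp
!
! 3. Policy. "inspect" is stateful, so replies from the PC are permitted
!    automatically; "pass" is stateless and would need a matching pass on
!    the reverse zone-pair. Everything else is dropped and logged so the
!    log shows what the firewall is blocking.
policy-map type inspect ZBF_VPN_TO_LAN_POLICY
 class type inspect ZBF_VPN_TO_LAN
  inspect
 class class-default
  drop log
!
! 4. Zones. The interface on which the decrypted VPN traffic arrives
!    (the Easy VPN server's Virtual-Template) must itself be a member
!    of ezvpn-zone. An interface that belongs to no zone cannot send
!    traffic to an interface that belongs to a zone, so a missing
!    zone-member line here blocks ping and NetSupport alike.
zone security in-zone
zone security ezvpn-zone
!
interface Vlan1
 zone-member security in-zone
!
interface Virtual-Template1 type tunnel
 zone-member security ezvpn-zone
!
! 5. Bind the policy to the direction ezvpn-zone -> in-zone. A zone-pair
!    carries exactly one service-policy; attaching a new one replaces the old.
zone-pair security ZP_EZVPN_TO_IN source ezvpn-zone destination in-zone
 service-policy type inspect ZBF_VPN_TO_LAN_POLICY
!
! Verification from exec mode while a client is connected and trying port 5405:
!   show zone security                 (is the Virtual-Template listed under ezvpn-zone?)
!   show zone-pair security            (is the policy attached to the pair?)
!   show policy-map type inspect zone-pair ZP_EZVPN_TO_IN sessions
!                                      (does a TCP 5405 session appear?)
!   show ip port-map user-NetSupport   (is the port-map present?)
```

Check the zone membership before anything else: if the Virtual-Template (or whatever interface the tunnel is terminated on) is not in ezvpn-zone, no amount of class-map tuning will let traffic through, which is consistent with a ping failing as well as NetSupport. Once `show zone security` lists the interface and `show policy-map type inspect zone-pair ... sessions` shows an ICMP session for a test ping, replace the ICMP match with the narrower policy if it is not wanted in production.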