04-11-2009 02:36 PM - edited 03-04-2019 04:20 AM
I have been using a Cisco 837 for a while now and upgraded to an 877 on the weekend. One of my requirements is that I need to be able to connect to our work network via an IPSEC VPN tunnel using the Microsoft Windows VPN client.
On the Cisco 837 this was very simple: lock everything else down but give full access to our work's VPN server using its public IP address.
With the 877 I thought I would implement Cisco's new Zone firewall over the old access lists of the 837, but damned if I can get a tunnel to our work's VPN server established.
What I am trying to do is
1) set up two zones, 1 internal and 1 external
2) allow full access to/from server 212.55.16.234 to any computer on my VLAN zone
Without access list 100 added I can't even see our public VPN server (212.X.X.X is not the real IP); with the entries added I can see the server but it gets stuck on "Verify user name and password".
zone security vlan1
zone security internet
!
!
!
interface Dialer0
 zone-member security internet
!
interface Vlan1
 zone-member security vlan1
!
!
!
class-map type inspect match-any vlan1-internet-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol icmp
 match access-group 100
!
class-map type inspect match-any L4-internet-self-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all internet-self-class
 match class-map L4-internet-self-class
 match access-group 100
!
!
!
policy-map type inspect internet-vlan1-policy
 class class-default
  drop log
!
policy-map type inspect vlan1-internet-policy
 class type inspect vlan1-internet-class
  inspect
 class class-default
  drop log
!
policy-map type inspect internet-self-policy
 class type inspect internet-self-class
  inspect
 class class-default
  drop log
!
!
!
zone-pair security internet-self source internet destination self
 service-policy type inspect internet-self-policy
!
zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-internet-policy
!
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect internet-vlan1-policy
!
!
access-list 100 remark WorkIn
access-list 100 permit ip host 212.55.16.234 any
access-list 100 remark WorkOut
access-list 100 permit ip any host 212.55.16.234
Any pointers to fix this issue would be appreciated.
04-11-2009 09:34 PM
Hello John,
if traffic for the VPN has to go from security zone internet to security zone vlan1 you may need to add a match access-group 100 in other classes:
this is your current internet to vlan1 policy:
policy-map type inspect internet-vlan1-policy
 class class-default
  drop log
I think you should create a class for inspection and invoke it inside the above policy.
Hope to help
Giuseppe
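One way to build the class Giuseppe describes, as an added example that is not part of any post in this thread. It reuses the zone, class-map and ACL 100 names from the posted config; the named ACL WORK-VPN-ESP and the class vpn-esp-class are assumptions added here. It goes one step beyond the suggestion above: IPsec ESP (IP protocol 50) between the Windows client and the work server is not a TCP/UDP/ICMP session that inspect can track, so it is matched separately and given the pass action in both directions (pass is one-way, so it has to appear in both policy-maps); if the client negotiates NAT-T, that traffic is UDP 4500 and is covered by the inspected classes instead.

```ios
! Constructed named ACL (assumption, not from the thread): ESP to/from the work VPN server
ip access-list extended WORK-VPN-ESP
 permit esp host 212.55.16.234 any
 permit esp any host 212.55.16.234
!
! Class for sessions the work server initiates towards vlan1 (reuses the posted L4 class and ACL 100)
class-map type inspect match-all internet-vlan1-class
 match class-map L4-internet-self-class
 match access-group 100
!
! Class for ESP, which inspect cannot track statefully
class-map type inspect match-all vpn-esp-class
 match access-group name WORK-VPN-ESP
!
! internet -> vlan1: inspect TCP/UDP/ICMP from the server, pass ESP, drop everything else
policy-map type inspect internet-vlan1-policy
 class type inspect internet-vlan1-class
  inspect
 class type inspect vpn-esp-class
  pass
 class class-default
  drop log
!
! vlan1 -> internet: existing inspection plus pass for outbound ESP
policy-map type inspect vlan1-internet-policy
 class type inspect vlan1-internet-class
  inspect
 class type inspect vpn-esp-class
  pass
 class class-default
  drop log
```

The existing zone-pairs already reference both policy-maps, so no zone-pair changes are needed; "show policy-map type inspect zone-pair" shows which class the VPN packets are hitting.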
04-14-2009 01:09 AM
Thanks Giuseppe, I'll give that a go and let you know how I get on.
On the same type of topic, what is the self zone? I understand that I need a public and a private zone, but the SDM seems to also produce a self zone and I don't seem to point any interfaces to it.
04-14-2009 01:42 AM
I've been able to get this working tonight, once I have a replicated method I'll post another reply with my IOS.