Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
291
Views
0
Helpful
3
Replies

Can't connect to our works VPN server using Zone Firewalling

john230873
Level 1
Level 1

‎04-11-2009 02:36 PM - edited ‎03-04-2019 04:20 AM

I have been using a Cisco 837 for a while now and upgraded to an 877 on the weekend. One of my requirements is that I need to be able to connect to our work network via a IPSEC VPN tunnel using the Microsoft Windows VPN client.

On the Cisco 837 this was very simple, lock every thing else down but give full access to our works VPN server using it's public ip address.

With the 877 I thought I would implement Cisco new Zone firewall over the old access lists of the 837 but damed if I can get a tunnel to our work's VPN server established.

What I am trying to do is

1)setup to zones, 1 internal and 1 external

2)allow full access to/from server 212.55.16.234 to any computer on my VLAN zone

Without the access list 100 added I can't even see out Public VPN server, ( 212.X.X.X is not the real ip), with the entries added I can see the server but it get stuck on the “Verify user name and password”

zone security vlan1

zone security internet

!

!

!

interface Dialer0

zone-member security internet

!

interface Vlan1

zone-member security vlan1

!

!

!

class-map type inspect match-any vlan1-internet-class

match protocol http

match protocol https

match protocol dns

match protocol smtp

match protocol pop3

match protocol icmp

match access-group 100

!

class-map type inspect match-any L4-internet-self-class

match protocol tcp

match protocol udp

match protocol icmp

!

class-map type inspect match-all internet-self-class

match class-map L4-internet-self-class

match access-group 100

!

!

!

policy-map type inspect internet-vlan1-policy

class class-default

drop log

!

policy-map type inspect vlan1-internet-policy

class type inspect vlan1-internet-class

inspect

class class-default

drop log

!

policy-map type inspect internet-self-policy

class type inspect internet-self-class

inspect

class class-default

drop log

!

!

!

zone-pair security internet-self source internet destination self

service-policy type inspect internet-self-policy

!

zone-pair security vlan1-internet source vlan1 destination internet

service-policy type inspect vlan1-internet-policy

!

zone-pair security internet-vlan1 source internet destination vlan1

service-policy type inspect internet-vlan1-policy

!

!

access-list 100 remark WorkIn

access-list 100 permit ip host 212.55.16.234 any

access-list 100 remark WorkOut

access-list 100 permit ip any host 212.55.16.234

Any pointers to fix this issue would be appreciate

Labels:
0 Helpful
3 Replies 3

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎04-11-2009 09:34 PM

Hello John,

if traffic for the VPN has to go from security zone internet to security zone vlan1 you may need to add a match access-group 100 in another classes:

this is your current internet to vlan1 policy:

policy-map type inspect internet-vlan1-policy

class class-default

drop log

I think you should create a class for inspection and to invokes it inside the above policy.

Hope to help

Giuseppe

0 Helpful

john230873
Level 1
Level 1
In response to Giuseppe Larosa

‎04-14-2009 01:09 AM

Thanks Giuseppe, I'll give that a go and let you know how I get on.

On the same type of topic, what is the self Zone? I understand that a need a public and private zone but the SDM seems to also produce a self zone but I don't seem to point any interfaces to it.

0 Helpful

john230873
Level 1
Level 1
In response to john230873

‎04-14-2009 01:42 AM

I've been able to get this working tonight, once I have a replicated method I'll post another reply with my IOS.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card