Many thanks for your reply.

I've removed AL 115 but still no better.

I configured the firewall with SDM as it's the first time i've used zone based. There is a bit of redudant config.

Any idea which inspect might be causing this?

Hello Rob,

I would point to the following

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

!

the second should be fine it has no service-policy applied

I would try to remove the application of sdm-inspect

something like

zone-pair security sdm-zp-in-out source in-zone destination out-zone

no service-policy type inspect sdm-inspect

there is no need to delete the policy definitions it is enough to remove their application to the zones.

Hope to help

Giuseppe

hi Giuseppe

Tried removing that but still can't ping the LAN.

As a test I also tried removing out-zone from VLAN2 (outside) and also access list 112 in but still no go.

When I remove "in-zone" from VLAN1 it works -

Which bit might be causing this?

Rob

There are several very odd things in access list 115. Starting with this:

access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq non500-isakmp

access-list 115 permit udp host 87.85.165.82 host 192.168.104.6 eq isakmp

access-list 115 permit esp host 87.85.165.82 host 192.168.104.6

access-list 115 permit ahp host 87.85.165.82 host 192.168.104.6

The source address in these lines is one of your VPN peers. So how could it be in an inbound access list on the LAN interface? And the access list also has this:

access-list 115 remark IPSec Rule

access-list 115 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255

The comment indicates that it is for IPSec and the source address appears to be the LAN of one of your VPN peers. So how did it get inbound on your LAN interface?

HTH

Rick

Yes it's redudant now - I have removed the ACL. Unfortunaltey I inherited a lot from a previous attempts to get it working and SDM has left a real mess in there.

We have isolated the problem to be the in-zone firewall policy I think, since removing it makes it work.

If I remove this from VLAN1 it works ok - not sure what element on the sdm-inspect is causing this.

Hello Rob,

>> When I remove "in-zone" from VLAN1 it works -

Which bit might be causing this?

removing a zone classification for Vlan1 you are bypassing all the zone based inspect commands.

I think it is like NAT: NAT works if you go from a NAT inside interface to NAT outside interface.

with that simple command you have bypassed all the inspect stuff that counts for 80% of your configuration.

I would suggest to start again from stratch because there are so many strange statements and class maps that call other classes and so on.

Also I'm not sure that every inspect policy is defined and this could be the reason of the problem but again the suggestion is to clear up this configuration.

Hope to help

Giuseppe

Thanks Giuseppe.

I can probably just remove it and the config associated. It is a simple site with VPN access to the main centre with just RDP required from terminals. I could add a simple inspect if I need a SPI, ACLs should be sufficient.

I have cut the config to a bare minium but still can't set it to work. I'm not sure if my route-map NAT and redundant WAN may be causing a problem with it. It's the first time I have come across the new zone based firewall.