07-08-2009 07:21 AM
I've finally gotten the SSL VPN working right with the new AnyConnect client and the latest IOS version on an 871 router. Every time I try to implement the firewall, however, remote VPN clients can no longer see anything on the office LAN (192.168.1.x) except the gateway, and the office clients cannot access the internet. I tried using both the basic and advanced firewall wizard in the SDM with the same result. Can anyone suggest the right way to configure this, or some sample config I can use to secure this setup while keeping full access to the office LAN (192.168.1.x) from the SSL tunnel and allowing full internet access for the office clients? Current config attached, which works but has no firewall configured...
07-08-2009 11:47 AM
The first thing you will want to do is modify your existing configuration to support virtual-templates. This feature was added in 12.4(20)T3 and 12.4(24)T1 to address a well documented bug. Please see the attached sample config. Once this change has been made, please try to add the ZBFW config and let me know if the problem persists.
07-08-2009 12:30 PM
Thanks for your response. If I understand from your config, the line "ip unnumbered" should have the actual name of my outside (WAN) interface? Therefore my command would look like:
interface Virtual-Template1
ip unnumbered FastEthernet4
Is that correct?
07-08-2009 01:26 PM
You are correct...
07-10-2009 06:15 AM
Ok...I will try this. Curiously, how does enabling the virtual templates get the firewall working? Should I just go through the basic firewall wizard again in the SDM?
07-10-2009 06:24 AM
This is related to bug CSCsr41631 in which there were interop issues with SSL VPN and other IP features in 12.4(20)T and above.
07-16-2009 04:43 AM
Hi, I tried to implement this yesterday with no success. I added the virtual template code and then re-ran the basic firewall wizard, which caused everything to stop working again. The wizard adds a rule that drops everything from the in-zone out, which I manually changed to "firewall permit" so the clients could access the internet again. Remote clients trying to use the SSL VPN could connect and get an IP address but could not access any hosts on the office LAN (192.168.1.x). I tried tweaking the rules for half an hour while a client kept trying the connection and finally had to delete everything again because it was preventing them from doing work. Is there some basic firewall config you can suggest that will just get this to work properly? I've been trying to get this straightened out for several weeks now and need to finish it. Thanks.
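The symptom described in the post above (VPN clients get an address but reach nothing on the LAN) is what a zone-based firewall produces when the Virtual-Template interface is not a member of any zone, or is in a zone with no zone-pair to the inside zone: traffic between a zoned interface and an unzoned one is dropped. The following is an added example, not a config from this thread or its attachments; the interface names (FastEthernet4, Vlan1, Virtual-Template1), zone names, and the webvpn context name are assumptions, and the stateful inspect policy is kept deliberately broad so that it can be tightened per protocol afterwards.

```cisco
! Added example: ZBFW layout that gives the SSL VPN tunnel its own zone.
! Zone and interface names are assumptions, not from the original post.
zone security inside
zone security outside
zone security sslvpn
!
! Stateful inspection of common traffic; return traffic is allowed by the
! inspect state, so no reverse zone-pair is needed for replies.
class-map type inspect match-any CM-ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSPECT
 class type inspect CM-ALL-TRAFFIC
  inspect
 class class-default
  drop
!
! Office LAN -> Internet (this is the pair the wizard's default drops).
zone-pair security ZP-IN-OUT source inside destination outside
 service-policy type inspect PM-INSPECT
!
! VPN clients -> office LAN: without this pair, clients can only reach
! the router itself (the gateway), which is the symptom in the thread.
zone-pair security ZP-VPN-IN source sslvpn destination inside
 service-policy type inspect PM-INSPECT
!
! Optional: office hosts initiating sessions toward connected VPN clients.
zone-pair security ZP-IN-VPN source inside destination sslvpn
 service-policy type inspect PM-INSPECT
!
interface FastEthernet4
 description WAN (assumed outside interface)
 zone-member security outside
!
interface Vlan1
 description office LAN 192.168.1.0/24 (assumed inside interface)
 zone-member security inside
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 zone-member security sslvpn
!
webvpn context SSLVPN
 virtual-template 1
```

The TLS session from the remote client terminates on the router itself (the self zone), which ZBFW permits by default; if the advanced wizard added an outside-to-self zone-pair, that policy must also allow TCP/443 or the clients will not be able to connect at all.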
07-31-2009 08:19 AM
This is still an issue...any further suggestions?