cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
787
Views
0
Helpful
4
Replies

Cisco Integrated VPN Client firewall - pushed policy

bronning
Level 1
Level 1

I cannot get the Cisco Intergrated Client firewall to work as I believe it should.

I am using client version 3.6.3 connecting the VPN 3060 concentrator running 3.6.7. I have configured client FW tab in user mgmt/group config to "firewall required" and to use CPP witrh the default firewall filter for VPN client.

The firewall policy as defined in the filter is correctly pushed, ie I can see the settings in the firewall tab of the client. They do correctly reflect the settings I define in the Client firewall filter.

I have also configure split tunnelling for 2 specific hosts (exclude from tunnel). The split tunnelling policy also appears to be correctly pushed to the client.

The problem is that the firewall settings seem to have no effect, or at least the wrong effect.

I make the following assumptions..

- the pushed firewall settings affect only non tunnel traffic

- reply traffic is permitted as per standard stateful firewall operation

Lets take the default filter as an example. This allows any outgoing. All unsolicited incoming traffic should be dropped. The client correctly receives this config, however I can still ping the client's "real" (untunneled) address from the "split" hosts. I can even ftp to it.

In a nutshell.. the client firewall does nothing.

Has anyone got this to work?

4 Replies 4

mchin345
Level 6
Level 6

Try pinging the client's tunneled address, I think if this works, then there is some problem. Otherwise I suspect the errors in your config if I am not wrong.

If I ping the client's tunnel address from a host that is configured as untunnelled (via spliut tunnelling), the ping works but the response is from the client "real" address.

If I ping the client's tunnel address from any other host then I get a normal repsonse from that address.

These are exactly the results I would expect.

Configuring split tunneling and client firewall is not difficult.

http://www.cisco.com/warp/customer/471/vpn35-split.html

confirms the steps I followed. The client firewall policy is sucessfully pushed as seen on the client.. It just doesn't do anything.

Difficult to say what's going on without seeing a screen shot of your client firewall policy. Do you definately have a Drop Any as the last line in the policy? Can you verify that the default action for the default client filter is to Drop, not Forward?

You're correct in stating that this filter only applies to non-tunnelled traffic, so pinging this host from an outside PC should result in the packets being dropped. Are you pinging from a host on the private interface of the concentrator, or from a host on the Public? You mention that you were able to ping the VPN address of this PC from an outside host, but I doubt you could do that unless you were pinging from inside the VPN concentrator.

Are you sure the split tunnelling that you've set up is to include only those particular hosts, not exclude them and send everything else over the tunnel? You should have "only tunnel networks in list" selected under the split tunnelling section.

The concentrator is connected to a PIX firewall. The firewall outside interface is effectively "public". The concentrator public and private interfaces are each connected to two other PIX interfaces. The PIX inside interface is connected to the inside network. ie, the PIX is using 4 interfaces with 2 of them connected driectly (and only) to the concentrator. Actually it's a bit more complex than that as there are 2xVPN3060's and 2 x PIX's in a load balanced (for the VPN)/failover (for the PIX) configuration.

Any traffic from inside (such as a ping) to outside to the "real" client addresses goes via the PIX but not the concentrator. A ping to a VPN address is routed to the concentrator and then (via IPSec) to the client.

The public network is not the internet but a private WAN which when fully commisioned will be some 1000 sites.

The client firewall config as shown on the client status screen shows (i'm working from memory here as I'm not presently onsite)..

- First 2 lines are always forward any local in and forward local any out. It's not clear but I found in documentation that these lines always refer to VPN traffic and never change.

- Last line is Drop any any. Doco says this is the default action. This matches the default action for the filter.

- Any lines in between correspond to the firewall filter rules I have configured. eg. Forward out local any (the default rule)

My split tunneling setup is to tunnel everything, but exclude networks in list. The list contains 2 host entries and 1 class C network. Again the client status correctly reflects these settings. The results for pings etc from tunneled/untunneled hosts are as expected, ie only untunnelled hosts are able to see the "real" address. The untunnelled hosts/networks are also inside. Split tunnelling is used for network management so that management tools can perceive an accurate network topology.