07-28-2011 12:18 PM
Hello,
I have just deployed an 881 router at a client's site and configured it to allow remote IPsec VPN connections using the Cisco VPN Client software.
The router works fine except for the remote VPN connections.
Client VPN connections are not being allowed and I am sure the problem is the zone based firewall. I have had very little experience with this, most of my experience is with ACL based security.
Can someone please tell me what I am doing wrong? Sanitized config is attached.
Please help, I need to get this running today!
Thank you for your help!
Mitchell
08-03-2011 04:42 PM
Hi,
You need to inspect the traffic from the VPN clients to the internal networks in the out-zone to in-zone zone-pair to allow inbound connections from the VPN clients.
access-list 199 permit ip 192.168.1.160 0.0.0.15 192.168.1.0 0.0.0.255
!
class-map type inspect vpn-inbound
 match access-group 199
!
policy-map type inspect out-in-pol
 class type inspect vpn-inbound
  inspect
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect out-in-pol
!
-Atul
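For readers who land on this thread with the same problem, here is the full context around Atul's snippet as an added example; it is not from the original posts or from the attached config. It assumes an 881 with FastEthernet4 as the WAN interface in out-zone and Vlan1 as the LAN interface in in-zone, keeps the 192.168.1.160/28 client pool and 192.168.1.0/24 LAN from the reply, and uses named objects (VPN-CLIENTS-TO-LAN, CM-VPN-INBOUND, PM-OUT-IN, ZP-OUT-IN) that are my own choices. The point it adds is why the rule lives on the out-to-in pair: the IKE/ESP packets terminate on the router itself (self zone, permitted by default when no self-zone policy exists), but once decrypted the client traffic is sourced from the pool and enters the LAN through the outside interface, so it is an out-zone to in-zone flow and is dropped by the zone-pair's implicit deny unless a class inspects it.

```cisco
! --- zones and interface membership (assumed 881 layout) ---
zone security in-zone
zone security out-zone
!
interface Vlan1
 zone-member security in-zone
!
interface FastEthernet4
 zone-member security out-zone
!
! --- decrypted client traffic: pool -> LAN only, nothing broader ---
ip access-list extended VPN-CLIENTS-TO-LAN
 permit ip 192.168.1.160 0.0.0.15 192.168.1.0 0.0.0.255
!
class-map type inspect match-all CM-VPN-INBOUND
 match access-group name VPN-CLIENTS-TO-LAN
!
! inspect = stateful; the LAN's replies are allowed back automatically,
! so no matching rule is needed on the in-zone -> out-zone pair.
! class-default stays drop, so everything else from the outside is still blocked.
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-INBOUND
  inspect
 class class-default
  drop log
!
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
!
! --- verification after a client connects ---
! show zone-pair security
! show policy-map type inspect zone-pair ZP-OUT-IN sessions
! show crypto session
```

Two checks worth doing before blaming the firewall: `show crypto session` should show the client's tunnel as UP-ACTIVE (if it does not, the problem is IKE/IPsec, not ZBF), and `show policy-map type inspect zone-pair ZP-OUT-IN sessions` should list a session for a client-to-LAN connection once the policy is in place. Keep the ACL scoped to the pool and the LAN rather than `permit ip any any`; the VPN pool is the only source that should be able to initiate connections inbound, and `drop log` on class-default makes any other inbound attempt visible in the log.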
08-04-2011 07:13 PM
Hello Atul,
Thank you for your reply.
I had to get this working quickly, so I removed the zone-based firewall and went back to the classic firewall using ACLs, and it worked.
Your solution looks good, I will try it in our lab on a test router before I deploy another of these.
Thanks for your help.
Mitchell Smith