Problem with VPN Client & Zone based firewall on a 881

Hello,

I have just deployed an 881 router at a client's site and configured it to allow remote IPsec VPN connections using the Cisco VPN Client software.

The router works fine except for the remote VPN connections.

Client VPN connections are not being allowed, and I am sure the problem is the zone-based firewall. I have had very little experience with this; most of my experience is with ACL-based security.

Can someone please tell me what I am doing wrong? Sanitized config is attached.

Please help, I need to get this running today!

Thank you for your help!

Mitchell

2 Replies

Atul Singh
Level 1

Hi,

You need to inspect the traffic from VPN clients to internal networks in the out-zone to in-zone direction to allow inbound connections from VPN clients.

! VPN client addresses (192.168.1.160/28) to the inside LAN
access-list 199 permit ip 192.168.1.160 0.0.0.15 192.168.1.0 0.0.0.255
!
class-map type inspect vpn-inbound
 match access-group 199
!
policy-map type inspect out-in-pol
 class type inspect vpn-inbound
  inspect
!
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect out-in-pol
!

-Atul
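As an added lab check (my own Python, not Atul's configuration or a Cisco tool), the script below walks an IOS zone-based-firewall fragment and reports which action the out-zone to in-zone zone-pair applies to a flow from a VPN client address; a result of None is the implicit drop that produced the symptom in the question. It understands only numbered extended `permit ip` entries with contiguous wildcard masks and the class-map/policy-map/zone-pair structure shown above, and its sample config is constructed from the reply's lines.

```python
import ipaddress
SAMPLE_CONFIG = """
! constructed test input: the reply's fragment laid out as IOS displays it
access-list 199 permit ip 192.168.1.160 0.0.0.15 192.168.1.0 0.0.0.255
class-map type inspect vpn-inbound
 match access-group 199
policy-map type inspect out-in-pol
 class type inspect vpn-inbound
  inspect
zone-pair security ccp-zp-out-in source out-zone destination in-zone
 service-policy type inspect out-in-pol
"""
def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bits must match) -> network; assumes a contiguous mask."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
def parse_zbf(config):
    """Collect numbered 'permit ip' ACEs, class-maps, policy-maps and zone-pairs."""
    acls, maps, pairs = {}, {}, {}
    section = name = cls = None
    for words in map(str.split, config.splitlines()):
        if not words or words[0] == "!":
            continue
        if words[0] == "access-list" and words[2:4] == ["permit", "ip"] and len(words) == 8:
            nets = (wildcard_to_network(*words[4:6]), wildcard_to_network(*words[6:8]))
            acls.setdefault(words[1], []).append(nets)
        elif words[0] in ("class-map", "policy-map") and words[1:3] == ["type", "inspect"]:
            section, name = words[0], words[-1]
            maps[(section, name)] = []
        elif words[:2] == ["zone-pair", "security"]:
            section, name = "zone-pair", (words[words.index("source") + 1], words[words.index("destination") + 1])
        elif section == "class-map" and words[:2] == ["match", "access-group"]:
            maps[(section, name)].append(words[-1])  # ACL number or name
        elif section == "policy-map" and words[0] == "class":
            cls = words[-1]  # 'class type inspect X' or 'class class-default'
        elif section == "policy-map" and words[0] in ("inspect", "pass", "drop"):
            maps[(section, name)].append((cls, words[0]))
        elif section == "zone-pair" and words[0] == "service-policy":
            pairs[name] = words[-1]
    return acls, maps, pairs

def zbf_action(config, src_ip, dst_ip, src_zone="out-zone", dst_zone="in-zone"):
    """Action the zone-pair applies to one flow; None = no class matched = implicit drop."""
    acls, maps, pairs = parse_zbf(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for cls, action in maps.get(("policy-map", pairs.get((src_zone, dst_zone))), []):
        if any(src in s and dst in d for acl in maps.get(("class-map", cls), [])
               for s, d in acls.get(acl, [])):
            return action
    return None
```

Running zbf_action against a sanitized show run lets you confirm, before deploying, that the VPN pool addresses actually hit an inspect or pass class on the out-zone to in-zone pair rather than falling through to the default drop.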

Hello Atul,

Thank you for your reply.

I had to get this working quickly, so I removed the zone-based firewall and went back to the classic firewall using ACLs, and it worked.

Your solution looks good, I will try it in our lab on a test router before I deploy another of these.

Thanks for your help.

Mitchell Smith