12-08-2009 08:30 PM
I ran into a problem with Cisco 881 IOS 15.1M (or 12.4T2 also): zone based firewall is blocking access for anyconnect clients. There's an SSLVPN-VIF0 interface but no way I can put it into any zone. So if I disable ZFW - everything's fine... I found several cases with the same problem - no solution from Cisco. CBAC is not a case.
Quite a disappointment... If the same issue will be with ASA5510 - I guess $20K will go to checkpoint.
12-08-2009 09:04 PM
It should work fine.
With Anyclient, the traffic will come through the WAN interface, then the virtual-template and then only to the LAN interface. So the solution is that you need to create a zone and associate the zone to the virtual-template.
Since virtual-template is not part of any zone, anyclient traffic doesn't pass across the virtual template.
Basically, we will have three zones now - in, sslvpn and out.
Just do the following for these zone-pairs
in - sslvpn zone > permit any IP traffic
sslvpn zone - in > permit any IP traffic
out - sslvpn zone > permit any IP traffic
sslvpn zone - out > permit any IP traffic
You could be specific about the traffic, if you know what the IP address of the anyclients is.
This should solve the problem.
With regards
Kings
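The procedure in the answer above, written out as an IOS configuration. This is an added example, not Kings' own config or anything from the original thread; the zone names (in, out, sslvpn), the interface names (Vlan1 for LAN, FastEthernet4 for WAN, Virtual-Template1), the webvpn context name and the AnyConnect address pool are all assumptions chosen to illustrate the three-zone layout. The policy permits any IP traffic between the sslvpn zone and the other two zones, exactly as the answer describes; tightening the ACL to the AnyConnect pool (the answer's suggestion) is shown as the optional second class-map.

```cisco
! Added example (not from the original post). Assumed names: zones in/out/sslvpn,
! Vlan1 = LAN, FastEthernet4 = WAN, Virtual-Template1 bound to the webvpn context.
!
! 1. Zones: the new sslvpn zone is the one the Virtual-Template will join.
zone security in
zone security out
zone security sslvpn
!
! 2. "Permit any IP traffic" (as in the answer). ACL-ANY-IP matches everything.
ip access-list extended ACL-ANY-IP
 permit ip any any
!
! Optional, tighter variant: only the AnyConnect pool (192.0.2.0/24 is an assumed,
! documentation-range pool; replace with the real pool from the webvpn context).
ip access-list extended ACL-ANYCONNECT-POOL
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip any 192.0.2.0 0.0.0.255
!
class-map type inspect match-any CM-SSLVPN-ANY
 match access-group name ACL-ANY-IP
!
! "pass" is stateless, which is why the answer needs BOTH directions of each
! zone-pair; anything not matched falls to class-default and is dropped.
policy-map type inspect PM-SSLVPN-PASS
 class type inspect CM-SSLVPN-ANY
  pass
 class class-default
  drop
!
! 3. The four zone-pairs listed in the answer.
zone-pair security IN-SSLVPN source in destination sslvpn
 service-policy type inspect PM-SSLVPN-PASS
zone-pair security SSLVPN-IN source sslvpn destination in
 service-policy type inspect PM-SSLVPN-PASS
zone-pair security OUT-SSLVPN source out destination sslvpn
 service-policy type inspect PM-SSLVPN-PASS
zone-pair security SSLVPN-OUT source sslvpn destination out
 service-policy type inspect PM-SSLVPN-PASS
!
! 4. Put the interfaces in their zones. The Virtual-Template (not SSLVPN-VIF0)
!    is what accepts zone-member, so AnyConnect traffic now crosses a known zone.
interface Vlan1
 zone-member security in
!
interface FastEthernet4
 zone-member security out
!
interface Virtual-Template1
 ip unnumbered Vlan1
 zone-member security sslvpn
!
! 5. The webvpn context must reference the same virtual-template (assumed name).
webvpn context SSLVPN
 virtual-template 1
!
! Verify: "show zone-pair security" lists the four pairs with their policy;
! "show policy-map type inspect zone-pair" shows pass/drop counters per class.
```

To swap in the tighter policy, point the class-map at ACL-ANYCONNECT-POOL instead of ACL-ANY-IP; the zone-pairs and interface membership stay the same. If the drop counters on the SSLVPN-* pairs climb while a client is connected, the Virtual-Template is most likely still outside the sslvpn zone (check `show zone security`).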
12-09-2009 04:13 AM
Thank you.
The key word here is "virtual-template". I thought it could be used only for dial-in VPN; it still has the PPP encapsulation feature, just try to guess why.
Everything about Cisco SSL VPN looks inconsistent, with a lack of logic though... And if you look at the virtual-access interface while the VPN connection is up it's still down, and at the same time SSLVPN_VIF0, since the first VPN connection goes up, also goes up and never goes down after that.
Looks very strange but working.
P.S. And WebVPN clientless is not working with most Polycom JScript-based management sites... Just a toy.