01-27-2011 10:48 AM
We recently upgraded our 2821 router to 12.4 T4 and changed the firewall scheme from ACLs to full Zone-Based-Firewall. Good news is that the ZBF is working great. Bad news is our SSL VPN users can no longer connect to any host on the inside or in the (new) DMZ zone.
Posting a sanitized config, hopeful that someone can help identify what is wrong with our configuration.
Thanks in advance for taking a look. Feel free to make recommendations on anything else you find as well...
01-27-2011 11:17 AM
Hi,
Reupload config.
Regards.
Alain.
01-27-2011 08:11 PM
You would need to also allow traffic from the VPN Pool towards the inside as well as the DMZ subnet:
access-list 150 permit ip 10.100.220.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 150 permit ip 10.100.220.0 0.0.0.255 10.2.220.0 0.0.0.255
access-list 150 permit ip 10.100.220.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 151 permit ip 10.100.220.0 0.0.0.255 192.168.220.0 0.0.0.255
class-map type inspect match-all vpn-access-inside
match access-group 150
class-map type inspect match-all vpn-access-dmz
match access-group 151
policy-map type inspect PM_Outside_To_Inside
class type inspect vpn-access-inside
inspect
policy-map type inspect PM_Outside_To_DMZ
class type inspect vpn-access-dmz
inspect
Hope that helps.
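The class-maps and policy-maps above only take effect once the policy-maps are applied to zone-pairs. The following is an added example (not the poster's config or the thread's own) showing how the same two policy-maps would be attached and verified; the zone names (outside, inside, dmz), the zone-pair names, the interface names and the class-default action are assumptions, while the ACL numbers, subnets and map names are the ones from the post.

```cisco
! Added example: zones, interface membership and zone-pairs for the
! PM_Outside_To_Inside / PM_Outside_To_DMZ policies shown in the post.
! Zone, zone-pair and interface names are assumptions.
zone security outside
zone security inside
zone security dmz
!
interface GigabitEthernet0/0
 description WAN (assumed)
 zone-member security outside
!
interface GigabitEthernet0/1
 description LAN (assumed)
 zone-member security inside
!
interface GigabitEthernet0/2
 description DMZ (assumed)
 zone-member security dmz
!
! VPN pool (10.100.220.0/24) to inside networks and to the DMZ network,
! as given in the post.
access-list 150 permit ip 10.100.220.0 0.0.0.255 172.20.1.0 0.0.0.255
access-list 150 permit ip 10.100.220.0 0.0.0.255 10.2.220.0 0.0.0.255
access-list 150 permit ip 10.100.220.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 151 permit ip 10.100.220.0 0.0.0.255 192.168.220.0 0.0.0.255
!
class-map type inspect match-all vpn-access-inside
 match access-group 150
class-map type inspect match-all vpn-access-dmz
 match access-group 151
!
! Classes are evaluated top down; the VPN classes sit ahead of
! class-default, which drops (and here logs) everything unmatched.
policy-map type inspect PM_Outside_To_Inside
 class type inspect vpn-access-inside
  inspect
 class class-default
  drop log
!
policy-map type inspect PM_Outside_To_DMZ
 class type inspect vpn-access-dmz
  inspect
 class class-default
  drop log
!
! The zone-pairs are what make the policies active. Without them the
! class-maps and policy-maps are inert.
zone-pair security OUT-TO-IN source outside destination inside
 service-policy type inspect PM_Outside_To_Inside
!
zone-pair security OUT-TO-DMZ source outside destination dmz
 service-policy type inspect PM_Outside_To_DMZ
!
! Verification from exec mode after a VPN client has connected:
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-IN sessions
!   show policy-map type inspect zone-pair OUT-TO-DMZ sessions
!   show ip access-lists 150
! A VPN-pool flow that is being dropped shows up as a hit on the
! class-default counters rather than on vpn-access-inside / vpn-access-dmz,
! and the ACL hit counts show whether the pool traffic is matching at all.
```

The `drop log` on class-default is optional; it is what makes a mis-classified VPN flow visible in the logs while troubleshooting, and can be reverted to plain `drop` once the pool traffic is confirmed to hit the inspect classes.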
01-28-2011 10:46 AM
We solved the problem by downgrading the IOS version from 12.4 T4 to 12.4 T2.
Also made the change suggested by halijenn to allow VPN pool access to the inside, but found that this alone didn't solve the problem (but was still necessary).