Re: VPN users can't reach inside hosts after change to Zone Base

2ndcongress · ‎01-27-2011

We recently upgraded our 2821 router to 12.4 T4 and changed the firewall scheme from ACL's to full Zone-Based-Firewall. Good news is that the ZBF is working great. Bad news is our SSL VPN users can no longer connect to any host on the inside or in (new) DMZ zone.

Posting sanitized config hopeful someone can help identify what is wrong with our configuration.

Thanks in advance for taking a look. Feel free to make recommendations on anything else you find as well...

cadet alain · ‎01-27-2011

Hi,

Reupload config.

Regards.

Alain.

Don't forget to rate helpful posts.

Jennifer Halim · ‎01-27-2011

You would need to also allow traffic from the VPN Pool towards the inside as well as the DMZ subnet:

access-list 150 permit ip 10.100.220.0 0.0.0.255 172.20.1.0 0.0.0.255

access-list 150 permit ip 10.100.220.0 0.0.0.255 10.2.220.0 0.0.0.255

access-list 150 permit ip 10.100.220.0 0.0.0.255 10.10.1.0 0.0.0.255

access-list 151 permit ip 10.100.220.0 0.0.0.255 192.168.220.0 0.0.0.255

class-map type inspect match-all vpn-access-inside
match access-group 150

class-map type inspect match-all vpn-access-dmz
match access-group 151

policy-map type inspect PM_Outside_To_Inside
class type inspect vpn-access-inside
inspect

policy-map type inspect PM_Outside_To_DMZ
class type inspect vpn-access-dmz
inspect

Hope that helps.

2ndcongress · ‎01-28-2011

We solved the problem by downgrading the IOS version from 12.4 T4 to 12.4 T2.

Also made change suggested by halijenn to allow allow VPN pool access to inside, but found that this alone didn't solve the problem (but was still necessary).

VPN users can't reach inside hosts after change to Zone Based Firewall