Zone based firewall VPN problem

Unanswered Question
Mar 2nd, 2009

I am trying to set up a VPN using an 871 router. The VPN is to be used by a remote client who will gain remote access to a PC using NetSupport software, a product similar to PCAnywhere. I am able to establish the VPN connection but the NetSupport software at the client is unable to connect to the PC behind the router. I have not been able to figure out how to configure the router's firewall to allow NetSupport (port 5405) traffic. My attempt so far consists of the following:

I created a port to application mapping for NetSupport:

ip port-map user-NetSupport port tcp 5405

I created a class map:

class-map type inspect match-any sdm_NetSupport_traffic
 match protocol user-NetSupport

I created a second class map (probably unnecessary, but I was trying to replicate what SDM had created for the VPN):

class-map type inspect match-all sdm_NetSupport_pt
 match class-map sdm_NetSupport_traffic

I created a policy map:

policy-map type inspect sdm-permit-netsupport
 class type inspect sdm_NetSupport_pt
 class type inspect SDM_IP
 class class-default

I then applied this policy to the VPN/in-zone zone pair:

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-netsupport

I apologise for my lack of IOS knowledge, I have looked at all the CISCO documents on zone based firewalls and what I have done seems to make sense according to what I have read. Any help would be greatly appreciated. I have attached my running config.

Alex Yeung Mon, 03/02/2009 - 16:02


Besides the NetSupport traffic, are you able to see any other traffic being communicated between the remote VPN client and the local PC?

For troubleshooting, instead of using the class-map to inspect NetSupport traffic, can you inspect all traffic (i.e. any to any) using the same policy-maps and zone-pair configs and see if that works?

Do you have a TAC case opened for this?


Alex Yeung

FredBloggs2 Tue, 03/03/2009 - 10:16

Hi Alex

The answer to the first question is no. I have not even been able to ping the local PC over the VPN. I tried to inspect all traffic by doing the following:

ip access-list extended SDM_ALL_TCP
 remark SDM_ACL Category=1
 permit tcp any any

class-map type inspect match-any sdm_all_tcp_cmap
 match access-group name SDM_ALL_TCP

policy-map type inspect sdm_inspect_tcp_all
 class type inspect sdm_all_tcp_cmap
  no drop

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 no service-policy type inspect sdm-permit-netsupport
 service-policy type inspect sdm_inspect_tcp_all


but it made no difference. I have now opened a TAC case but thanks for your help anyway.

Best Regards
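The following is an added example of a complete inspect policy for the ezvpn-zone to in-zone pair, written for this page and not taken from the original poster's running config, from SDM, or from a TAC reply. It covers both the NetSupport-only policy in the first post and the any-to-any test in the follow-up. It reuses the zone pair and zone names from the thread; the class-map and policy-map names (NETSUPPORT-CMAP, EZVPN-TO-IN-PMAP) are assumed names chosen here. Each class carries an explicit action, because in a type inspect policy it is the inspect action that creates the stateful session that lets return traffic back through the zone pair. Note that an ACL of permit tcp any any matches no ICMP, so a ping test against a TCP-only class says nothing about the policy; this version inspects ICMP as well so that the ping test in the second post is meaningful.

```cisco
! Added example (not from the original post): NetSupport over EzVPN
! through a zone-based firewall. Assumes the remote client's traffic
! arrives in ezvpn-zone and the target PC sits in in-zone (names from
! the thread); NETSUPPORT-CMAP and EZVPN-TO-IN-PMAP are assumed names.

! 1. User-defined port-to-application map; user-defined names must
!    start with "user-"
ip port-map user-NetSupport port tcp 5405

! 2. Class that matches NetSupport and ICMP (ICMP only so that a ping
!    test exercises the same policy; remove it once NetSupport works)
class-map type inspect match-any NETSUPPORT-CMAP
 match protocol user-NetSupport
 match protocol icmp

! 3. Policy with an explicit action on every class: inspect builds the
!    session for the return path, class-default drops everything else
policy-map type inspect EZVPN-TO-IN-PMAP
 class type inspect NETSUPPORT-CMAP
  inspect
 class class-default
  drop

! 4. Attach the policy in the direction the remote client initiates
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect EZVPN-TO-IN-PMAP

! 5. Verification
show ip port-map user-NetSupport
show zone-pair security
show policy-map type inspect zone-pair sdm-zp-ezvpn-in1 sessions
```

The last show command is the useful check: while the remote client attempts a NetSupport connection, a session to the PC on tcp/5405 should appear under the zone pair. If no session is ever created, the packets are not reaching this zone pair at all (a routing, NAT or crypto issue on the VPN path) rather than being dropped by the firewall policy, and the policy is not the place to keep looking. Once the application works, removing the ICMP match and leaving class-default on drop keeps the VPN zone limited to the one application it needs.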


