Zone based firewall VPN problem

FredBloggs2
Level 1

I am trying to set up a VPN using an 871 router. The VPN is to be used by a remote client who will gain remote access to a PC using NetSupport software, a product similar to PCAnywhere. I am able to establish the VPN connection, but the NetSupport software at the client is unable to connect to the PC behind the router. I have not been able to figure out how to configure the router's firewall to allow NetSupport (port 5405) traffic. My attempt so far consists of the following:

I created a port to application mapping for NetSupport:

ip port-map user-NetSupport port tcp 5405

I created a class map:

class-map type inspect match-any sdm_NetSupport_traffic
 match protocol user-NetSupport

I created a second class map (probably unnecessary, but I was trying to replicate what SDM had created for the VPN):

class-map type inspect match-all sdm_NetSupport_pt
 match class-map sdm_NetSupport_traffic

I created a policy map:

policy-map type inspect sdm-permit-netsupport
 class type inspect sdm_NetSupport_pt
  inspect
 class type inspect SDM_IP
  pass
 class class-default
  drop

I then applied this policy to the VPN/in-zone zone pair:

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-netsupport

I apologise for my lack of IOS knowledge. I have looked at all the Cisco documents on zone-based firewalls, and what I have done seems to make sense according to what I have read. Any help would be greatly appreciated. I have attached my running config.
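A zone-based firewall policy silently drops traffic when any link in the chain (ip port-map, class-map, policy-map, zone-pair service-policy) points at a name that is never defined, so one thing worth checking before opening a case is that every referenced name resolves. The script below is an added example, not part of this thread or any Cisco tool: it runs the poster's own lines through a simple reference check. It assumes the IOS convention that user-defined port-map names start with "user-", and SDM_IP is reported because the excerpt does not include its definition (SDM created it elsewhere in the attached running config).

```python
import re

# Constructed sample input: the poster's ZBFW lines from this thread, joined into one block.
# SDM_IP is referenced but not defined in the excerpt (SDM created it elsewhere in the running config).
SAMPLE_CONFIG = """
ip port-map user-NetSupport port tcp 5405
class-map type inspect match-any sdm_NetSupport_traffic
 match protocol user-NetSupport
class-map type inspect match-all sdm_NetSupport_pt
 match class-map sdm_NetSupport_traffic
policy-map type inspect sdm-permit-netsupport
 class type inspect sdm_NetSupport_pt
  inspect
 class type inspect SDM_IP
  pass
 class class-default
  drop
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-netsupport
"""

# Definition lines: kind -> regex whose group 1 is the defined name
DEFINITIONS = {
    "ip port-map": r"^\s*ip port-map (\S+) port (?:tcp|udp) \d+",
    "class-map": r"^\s*class-map type inspect match-(?:any|all) (\S+)",
    "policy-map": r"^\s*policy-map type inspect (\S+)",
}
# Reference lines: (regex whose group 1 is the referenced name, kind it must be defined as)
REFERENCES = [
    (r"^\s*match protocol (user-\S+)", "ip port-map"),         # user PAM entry behind a class-map
    (r"^\s*match class-map (\S+)", "class-map"),               # nested class-map
    (r"^\s*class type inspect (\S+)", "class-map"),            # class inside a policy-map
    (r"^\s*service-policy type inspect (\S+)", "policy-map"),  # policy applied to a zone-pair
]

def check_zbfw(config):
    """Return one message per name referenced in the inspect chain that is never defined."""
    defined = {kind: set(re.findall(rx, config, re.M)) for kind, rx in DEFINITIONS.items()}
    problems = []
    for rx, kind in REFERENCES:
        for name in re.findall(rx, config, re.M):
            if name not in defined[kind]:
                problems.append(f"{kind} {name} is referenced but never defined")
    return problems

if __name__ == "__main__":
    for problem in check_zbfw(SAMPLE_CONFIG):
        print(problem)
```

Run it against the full running config rather than the excerpt; an empty result means the chain resolves, and the next thing to verify on the box is session creation with show policy-map type inspect zone-pair sessions.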

2 Replies

Alex Yeung
Cisco Employee

Hi,

Besides the NetSupport traffic, are you able to see any other traffic being communicated between the remote VPN client and the local PC?

For troubleshooting, instead of using the class-map to inspect NetSupport traffic, can you inspect all traffic (i.e. any to any) using the same policy-maps and zone-pair configs and see if that works?

Do you have a TAC case opened for this?

Thanks.

Alex Yeung

Hi Alex

The answer to the first question is no. I have not even been able to ping the local PC over the VPN. I tried to inspect all traffic by doing the following:

ip access-list extended SDM_ALL_TCP
 remark SDM_ACL Category=1
 permit tcp any any
 exit
class-map type inspect match-any sdm_all_tcp_cmap
 match access-group name SDM_ALL_TCP
 exit
policy-map type inspect sdm_inspect_tcp_all
 class type inspect sdm_all_tcp_cmap
  no drop
  inspect
  exit
 exit
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 no service-policy type inspect sdm-permit-netsupport
 service-policy type inspect sdm_inspect_tcp_all
 exit

but it made no difference. I have now opened a TAC case, but thanks for your help anyway.

Best Regards

David
