Can't connect to our work's VPN server using Zone Firewalling

Unanswered Question
Apr 11th, 2009

I have been using a Cisco 837 for a while now and upgraded to an 877 on the weekend. One of my requirements is that I need to be able to connect to our work network via an IPsec VPN tunnel using the Microsoft Windows VPN client.

On the Cisco 837 this was very simple: lock everything else down but give full access to our work's VPN server using its public IP address.


With the 877 I thought I would implement Cisco's new Zone firewall instead of the old access lists of the 837, but damned if I can get a tunnel to our work's VPN server established.


What I am trying to do is:

1) set up two zones, 1 internal and 1 external

2) allow full access to/from server 212.55.16.234 to any computer on my VLAN zone


Without access list 100 added I can't even see our public VPN server (212.X.X.X is not the real IP); with the entries added I can see the server but it gets stuck on “Verify user name and password”.




zone security vlan1
zone security internet
!
interface Dialer0
 zone-member security internet
!
interface Vlan1
 zone-member security vlan1
!
class-map type inspect match-any vlan1-internet-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol icmp
 match access-group 100
!
class-map type inspect match-any L4-internet-self-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all internet-self-class
 match class-map L4-internet-self-class
 match access-group 100
!
policy-map type inspect internet-vlan1-policy
 class class-default
  drop log
!
policy-map type inspect vlan1-internet-policy
 class type inspect vlan1-internet-class
  inspect
 class class-default
  drop log
!
policy-map type inspect internet-self-policy
 class type inspect internet-self-class
  inspect
 class class-default
  drop log
!
zone-pair security internet-self source internet destination self
 service-policy type inspect internet-self-policy
!
zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-internet-policy
!
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect internet-vlan1-policy
!
access-list 100 remark WorkIn
access-list 100 permit ip host 212.55.16.234 any
access-list 100 remark WorkOut
access-list 100 permit ip any host 212.55.16.234



Any pointers to fix this issue would be appreciated.

Giuseppe Larosa Sat, 04/11/2009 - 21:34

Hello John,

if traffic for the VPN has to go from security zone internet to security zone vlan1 you may need to add a match access-group 100 in another class:


this is your current internet to vlan1 policy:


policy-map type inspect internet-vlan1-policy
 class class-default
  drop log


I think you should create a class for inspection and invoke it inside the above policy.



Hope to help

Giuseppe

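The following is an added example of what Giuseppe's suggestion looks like as IOS configuration; it is not configuration from the thread or from Cisco documentation. It reuses the zone, policy and ACL names from John's post (the address 212.55.16.234 is the masked one he gave), adds an inspect class for the internet-to-vlan1 zone-pair, and, as a further assumption, treats ESP (IP protocol 50) separately: ESP has no port state the firewall can track, so it is passed rather than inspected, and because `pass` is stateless it has to be allowed in both zone-pairs. IKE (UDP 500) and NAT-T (UDP 4500) are ordinary UDP and can be inspected like the rest of the outbound traffic. The VPN PC sits on Vlan1, so its tunnel traffic transits the router (zone-pairs vlan1-internet and internet-vlan1); the self zone is the router's own control-plane traffic and is not involved.

```cisco
! Added example, not from the original post. Names other than those in the
! post are chosen here; the work VPN server address is the masked one posted.
!
! ACL 100 as posted: any traffic to/from the work VPN server
access-list 100 remark WorkIn
access-list 100 permit ip host 212.55.16.234 any
access-list 100 remark WorkOut
access-list 100 permit ip any host 212.55.16.234
!
! ESP to/from the work server (assumption: the server uses ESP, not only
! UDP-encapsulated NAT-T). ESP cannot be stateful-inspected, so it is passed.
ip access-list extended VPN-ESP
 remark ESP carrying the encrypted tunnel data
 permit esp any host 212.55.16.234
 permit esp host 212.55.16.234 any
!
class-map type inspect match-any vpn-esp-class
 match access-group name VPN-ESP
!
! Outbound class as posted; UDP 500/4500 for IKE falls under access-group 100
class-map type inspect match-any vlan1-internet-class
 match protocol http
 match protocol https
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol icmp
 match access-group 100
!
! The class Giuseppe suggested: inspect TCP/UDP/ICMP from the work server
! towards the LAN (for sessions the server itself initiates).
class-map type inspect match-any L4-work-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all internet-vlan1-work-class
 match class-map L4-work-class
 match access-group 100
!
! vlan1 -> internet: pass ESP first, inspect everything else allowed
policy-map type inspect vlan1-internet-policy
 class type inspect vpn-esp-class
  pass
 class type inspect vlan1-internet-class
  inspect
 class class-default
  drop log
!
! internet -> vlan1: pass ESP, inspect traffic from the work server, drop the rest
policy-map type inspect internet-vlan1-policy
 class type inspect vpn-esp-class
  pass
 class type inspect internet-vlan1-work-class
  inspect
 class class-default
  drop log
!
zone-pair security vlan1-internet source vlan1 destination internet
 service-policy type inspect vlan1-internet-policy
!
zone-pair security internet-vlan1 source internet destination vlan1
 service-policy type inspect internet-vlan1-policy
```

Class order inside a policy-map matters (first match wins), so the `pass` class for ESP must precede the `inspect` classes. To check what the firewall is doing while the Windows client is connecting, `show policy-map type inspect zone-pair sessions` lists the inspected sessions per zone-pair, and the `drop log` on `class-default` writes a syslog line for every packet the policies reject, which shows directly which protocol or direction is still being dropped.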

john230873 Tue, 04/14/2009 - 01:09

Thanks Giuseppe, I'll give that a go and let you know how I get on.


On the same type of topic, what is the self zone? I understand that I need a public and private zone, but the SDM seems to also produce a self zone and I don't seem to point any interfaces to it.



john230873 Tue, 04/14/2009 - 01:42

I've been able to get this working tonight, once I have a replicated method I'll post another reply with my IOS.


