871 SSL VPN firewall problem

Unanswered Question
Jul 8th, 2009

I've finally gotten the SSL VPN working right with the new AnyConnect client and the latest IOS version on an 871 router. Every time I try to implement the firewall, however, remote VPN clients can no longer see anything on the office LAN (192.168.1.x) except the gateway, and the office clients cannot access the internet. I tried using both the basic and advanced firewall wizard in the SDM with the same result. Can anyone suggest the right way to configure this, or a sample config I can use to secure this setup while keeping full access to the office LAN (192.168.1.x) from the SSL tunnel and allowing full internet access for the office clients? Current config attached, which works but has no firewall configured...



Todd Pula Wed, 07/08/2009 - 11:47

The first thing you will want to do is modify your existing configuration to support virtual-templates. This feature was added in 12.4(20)T3 and 12.4(24)T1 to address a well documented bug. Please see the attached sample config. Once this change has been made, please try to add the ZBFW config and let me know if the problem persists.
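
To illustrate the two steps Todd describes (virtual-template first, then the zone-based firewall), here is a constructed IOS config fragment; it is added here and is not the attached sample config from this thread. It goes a bit beyond the thread by showing one zone layout in which the SSL VPN sessions and the office LAN share a zone, so VPN-to-LAN traffic is intra-zone and needs no policy. Interface Vlan1 as the office LAN, the webvpn context name, and the zone, class-map and policy-map names are assumptions; FastEthernet4 as the WAN interface follows the thread.

```ios
! Constructed example, not the thread's attached config.
! Assumed layout: FastEthernet4 = WAN (as in the thread), Vlan1 = office LAN 192.168.1.0/24.

! Step 1: terminate SSL VPN sessions on a virtual-template
! (requires 12.4(20)T3 / 12.4(24)T1 or later, per the reply above).
interface Virtual-Template1
 ip unnumbered FastEthernet4
 zone-member security in-zone

webvpn context SSLVPN
 virtual-template 1

! Step 2: zone-based firewall.
! LAN and VPN clients share in-zone, so traffic between them is intra-zone
! and passes without a zone-pair policy.
zone security in-zone
zone security out-zone

interface Vlan1
 zone-member security in-zone
interface FastEthernet4
 zone-member security out-zone

! Office (and VPN) clients to the Internet: stateful inspection, so
! return traffic is admitted without an out-to-in policy.
class-map type inspect match-any IN-OUT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
  drop log
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect IN-OUT-POLICY

! No zone-pair is defined with the router's self zone, so traffic to and
! from the router itself (including HTTPS to the SSL VPN gateway on the
! WAN address) stays permitted by default.
```

If the SDM wizard has already added a "self" zone-pair with a drop policy, HTTPS to the gateway address must be passed in that policy or the VPN will no longer connect at all.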



mhdacegan Wed, 07/08/2009 - 12:30

Thanks for your response. If I understand from your config, the line "ip unnumbered" should have the actual name of my outside (WAN) interface? Therefore my command would look like:


interface Virtual-Template1
 ip unnumbered FastEthernet4


Is that correct?

mhdacegan Fri, 07/10/2009 - 06:15

Ok...I will try this. Curiously, how does enabling the virtual templates get the firewall working? Should I just go through the basic firewall wizard again in the SDM?

mhdacegan Thu, 07/16/2009 - 04:43

Hi, I tried to implement this yesterday with no success. I added the virtual template code and then re-ran the basic firewall wizard, which caused everything to stop working again. The wizard adds a rule that drops everything from the in-zone out, which I manually changed to "firewall permit" so the clients could access the internet again. Remote clients trying to use the SSL VPN could connect and get an IP address but could not access any hosts on the office LAN (192.168.1.x). I tried tweaking the rules for half an hour while a client kept trying the connection and finally had to delete everything again because it was preventing them from doing work. Is there some basic firewall config you can suggest that will just get this to work properly? I've been trying to get this straightened out for several weeks now and need to finish it. Thanks.

mhdacegan Fri, 07/31/2009 - 08:19

This is still an issue...any further suggestions?
