SSL VPN & ZFW

Answered Question

I ran into a problem with Cisco 881 IOS 15.1M (or 12.4T2 also): zone based firewall is blocking access for AnyConnect clients. There's an SSLVPN-VIF0 interface but no way I can put it into any zone. So if I disable ZFW - everything's fine... I found several cases with the same problem - no solution from Cisco. CBAC is not a case.

Quite a disappointment... If the same issue occurs with the ASA5510 - I guess $20K will go to Checkpoint.

Correct Answer by kicharle, Tue, 12/08/2009 - 21:04 (about 7 years 4 months ago)

It should work fine.

With AnyConnect, the traffic will come through the WAN interface, then the virtual-template, and then only to the LAN interface. So the solution is that you need to create a zone and associate the zone with the virtual-template.

Since the virtual-template is not part of any zone, AnyConnect traffic doesn't pass across the virtual template.

Basically, we will have three zones now - in, sslvpn and out.

Just do the following for these zone-pairs:

in - sslvpn zone > permit any IP traffic

sslvpn zone - in > permit any IP traffic

out - sslvpn zone > permit any IP traffic

sslvpn zone - out > permit any IP traffic

You could be specific for the traffic, if you know the IP addresses of the AnyConnect clients.

This should solve the problem.

With regards

Kings
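The three-zone layout described in the answer above, written out as a complete IOS configuration. This is an added example, not the configuration of the original poster or of the answerer; the interface names (Vlan1, FastEthernet4, Virtual-Template1), the addresses, the 192.168.100.0/24 client pool, the AAA list and the zone, gateway, context and policy names are assumptions for illustration. It goes one step further than "permit any IP traffic": the four zone-pairs match only traffic to or from the client pool and inspect it statefully, so anything else on those pairs is dropped and logged.

```cisco
! Added example (not from the original thread). Interface names, addresses,
! pool, AAA list and object names are assumptions for illustration.
!
aaa new-model
! Assumes users are defined locally or via RADIUS for this list.
aaa authentication login SSLVPN-AUTH local
!
! Address pool handed to AnyConnect (SVC) clients
ip local pool SSLVPN-POOL 192.168.100.1 192.168.100.50
!
! Three zones: LAN, Internet, and the SSL VPN clients
zone security in
zone security out
zone security sslvpn
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 zone-member security in
!
interface FastEthernet4
 description WAN
 ip address 203.0.113.1 255.255.255.248
 zone-member security out
!
! Client traffic is terminated on a Virtual-Access interface cloned from
! this template, so the template is what is placed into the sslvpn zone.
interface Virtual-Template1
 ip unnumbered Vlan1
 zone-member security sslvpn
!
webvpn gateway SSLVPN-GW
 ip address 203.0.113.1 port 443
 ssl trustpoint TP-self-signed-1234567890
 inservice
!
webvpn context SSLVPN-CTX
 gateway SSLVPN-GW
 virtual-template 1
 aaa authentication list SSLVPN-AUTH
 default-group-policy SSLVPN-POLICY
 policy group SSLVPN-POLICY
  functions svc-enabled
  svc address-pool "SSLVPN-POOL" netmask 255.255.255.0
  svc keep-client-installed
 inservice
!
! Only traffic to or from the client pool is matched, then inspected
! statefully (TCP/UDP/ICMP). Everything else on these zone-pairs is dropped.
ip access-list extended SSLVPN-CLIENTS
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip any 192.168.100.0 0.0.0.255
!
class-map type inspect match-any CM-PROTOS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
class-map type inspect match-all CM-SSLVPN
 match access-group name SSLVPN-CLIENTS
 match class-map CM-PROTOS
!
policy-map type inspect PM-SSLVPN
 class type inspect CM-SSLVPN
  inspect
 class class-default
  drop log
!
zone-pair security in-sslvpn source in destination sslvpn
 service-policy type inspect PM-SSLVPN
zone-pair security sslvpn-in source sslvpn destination in
 service-policy type inspect PM-SSLVPN
zone-pair security out-sslvpn source out destination sslvpn
 service-policy type inspect PM-SSLVPN
zone-pair security sslvpn-out source sslvpn destination out
 service-policy type inspect PM-SSLVPN
!
! Verify:
!  show zone-pair security
!  show policy-map type inspect zone-pair sessions
!  show webvpn session context all
```

Two things to check when this does not work on the first try. First, the TLS session itself terminates on the router, not on the virtual-template, so if the configuration also has a zone-pair from `out` to the `self` zone, that policy must allow TCP 443 (and UDP 443 if DTLS is enabled) to the gateway address; with no such zone-pair, traffic to the router itself is permitted by default. Second, `drop log` on `class-default` makes every packet that falls outside the pool ACL visible in the log, which is the quickest way to see which zone-pair is still blocking a client.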


Thank you.

The key word here is "virtual-template". I thought it could be used only for dial-in VPN; it still has the PPP encapsulation feature, just try to guess why.

Everything about Cisco SSL VPN looks inconsistent and lacking in logic, though... And if you look at the virtual-access interface while the VPN connection is up, it's still down, while at the same time SSLVPN_VIF0 goes up with the first VPN connection and never goes down after that.

Looks very strange, but it works.

P.S. And WebVPN clientless is not working with most Polycom JScript-based management sites... Just a toy.
