Firewall

Unanswered Question
Aug 17th, 2010

Hi,

I had a site-to-site IPsec tunnel VPN. Now I need to activate the firewall. After I used the SDM to create a basic firewall (low-risk), my VPN is down.

What is the reason? What configuration must I input?

Thank you

Jitendriya Athavale Tue, 08/17/2010 - 21:19

What kind of firewall are you using? Is it CBAC? If in doubt, please paste your firewall config.

Also, you might have an access-list applied to the outside interface when you enabled the firewall.

Please permit the ports for the VPN: UDP 500, ESP (IP protocol 50) and UDP 4500.

Deepak Khemani Wed, 08/18/2010 - 02:55

Hi

Please add an access-list on the outside interface in the IN direction to allow UDP 500, ESP and the AH protocol.

Basically, when you make the firewall active everything goes down; only connections from inside the network can be initiated. In the case of a VPN there is an incoming connection to the outside interface, hence we need to explicitly allow the protocols and ports related to IPSec.

Post if that works.

Cheers

Deepak Khemani
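
As an added illustration of the inbound access-list this reply describes (example config, not part of the original thread): it permits only the IPsec control and data protocols from the known peer on Dialer0, which the thread uses as the outside interface. The addresses in angle brackets are placeholders, not values from the thread.

```cisco
! Added example, not from the original post. <PEER-PUBLIC-IP> is a placeholder
! for the remote tunnel endpoint. The local side is 'any' because a dialer
! interface often gets a dynamic address; use 'host <LOCAL-PUBLIC-IP>' if it
! is static, so the list admits as little as possible.
ip access-list extended OUTSIDE-IN
 remark IKE negotiation, UDP 500
 permit udp host <PEER-PUBLIC-IP> any eq isakmp
 remark IKE/ESP over NAT-T, UDP 4500
 permit udp host <PEER-PUBLIC-IP> any eq non500-isakmp
 remark Encrypted tunnel traffic: ESP (IP protocol 50) and AH (IP protocol 51)
 permit esp host <PEER-PUBLIC-IP> any
 permit ahp host <PEER-PUBLIC-IP> any
 remark Explicit, logged form of the implicit deny, so blocked attempts show up
 deny ip any any log
!
interface Dialer0
 ip access-group OUTSIDE-IN in
```

Verify the tunnel afterwards with "show crypto isakmp sa" and "show crypto ipsec sa", and check "show access-lists OUTSIDE-IN" for hit counts on the permit lines.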

jazzlim2004 Thu, 08/19/2010 - 20:52

Hi,

I activated the firewall only at the local router (site-to-site VTI) so I can test my firewall from the remote router.

To test my firewall at the local router, from the local router I SSH to the remote router and do:

1. Ping the local router - successful.

2. Ping the local router's inside address - failed. (Could you please advise how to resolve this?)

3. The above travels through my VTI.

I do not have any ACL and did not permit any VPN port, so why is my VPN still working?

Here's my firewall config:

class-map type inspect match-any myinspectclass
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https
 match protocol tcp
!
policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class class-default
!
zone security inside
 description from priv-to-pub
zone security outside
 description from pub-to-priv
!
zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy
zone-pair security out-in source outside destination inside
!
interface Dialer0
 zone-member security outside
!
interface Vlan1
 zone-member security inside

Thank you
