Firewall

Unanswered Question
Aug 17th, 2010

Hi,


I had a site-to-site IPsec tunnel VPN. Now I need to activate the firewall. After I used the SDM to create a basic firewall (low-risk), my VPN is down.


What is the reason? What configuration must I input?


Thank you

Jitendriya Athavale Tue, 08/17/2010 - 21:19

What kind of firewall are you using? Is it CBAC? If in doubt, please paste your firewall config.


Also, you might have an access-list applied to the outside interface when you enabled the firewall.


Please permit the ports for VPN: UDP 500, ESP (50), UDP 4500.

Deepak Khemani Wed, 08/18/2010 - 02:55

Hi


Please add an access-list on the outside interface in the inbound direction to allow UDP 500, ESP and AH protocols.


Basically, when you make the firewall active everything goes down; only connections from inside the network can be initiated. In the case of a VPN there is an incoming connection to the outside interface, hence we need to explicitly allow the protocols and ports related to IPsec.


Post if that works.


Cheers


Deepak Khemani

jazzlim2004 Thu, 08/19/2010 - 20:52

Hi,


I activated the firewall only at the local router (site-to-site VTI) so I can test my firewall from the remote router.


To test my firewall at the local router, from the local router I SSH to the remote router and do:

1. ping to local router - successful

2. ping to local router inside address - failed (could you please advise how to resolve this)

3. The above travels through my VTI


I did not have any ACL or permit any VPN port, so why is my VPN still working?


Here's my firewall config:


class-map type inspect match-any myinspectclass
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https
 match protocol tcp
!
policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class class-default
!
zone security inside
 description from priv-to-pub
zone security outside
 description from pub-to-priv
!
zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy
! no service-policy attached: traffic from outside to inside is dropped
zone-pair security out-in source outside destination inside
!
interface Dialer0
 zone-member security outside
!
interface Vlan1
 zone-member security inside




Thank you
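One way to bring the VTI under the zone-based firewall, as an added example that is not from any poster in this thread. It assumes the VTI is Tunnel0 and reuses the thread's existing inside zone; the zone name vpn, the class-map and policy-map names are made up for the example.

```cisco
! Added example, not from the thread. Assumes the VTI is Tunnel0.
! An interface that belongs to no zone cannot exchange traffic with a
! zone member, which is why a ping arriving over an unzoned tunnel
! never reaches the inside address. IKE (UDP 500/4500) and ESP sent
! to the router itself land in the built-in "self" zone, which is
! permitted unless a zone-pair involving self is configured, so the
! tunnel stays up without an explicit ACL.
zone security vpn
 description site-to-site VTI
!
class-map type inspect match-any vpn-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect vpn-policy
 class type inspect vpn-traffic
  inspect
 class class-default
  drop log
!
interface Tunnel0
 zone-member security vpn
!
! A zone-pair is needed for each direction across the tunnel;
! two zones with no zone-pair between them drop all traffic.
zone-pair security vpn-in source vpn destination inside
 service-policy type inspect vpn-policy
zone-pair security in-vpn source inside destination vpn
 service-policy type inspect vpn-policy
```

Check the result with show zone-pair security and show policy-map type inspect zone-pair sessions while pinging the inside address from the remote site.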
