08-17-2010 07:51 PM
Hi,
I had a site-to-site IPsec tunnel VPN. Now I need to activate the firewall. After I used the SDM to create a basic firewall (low-risk), my VPN is down.
What is the reason? What configuration must I input?
Thank you
08-17-2010 09:19 PM
What kind of firewall are you using? Is it CBAC? If in doubt, please paste your firewall config.
Also, you might have an access-list applied to the outside interface when you enabled the firewall.
Please permit the ports for the VPN: UDP 500, ESP (50), UDP 4500.
08-18-2010 02:55 AM
Hi
Please add an access-list on the outside interface in the inbound direction to allow UDP 500, ESP and the AH protocol.
Basically, when you make the firewall active everything goes down; only connections from inside the network can be initiated. In the case of a VPN there is an incoming connection to the outside interface, hence we need to explicitly allow the protocols and ports related to IPsec.
Post if that works.
Cheers
Deepak Khemani
08-19-2010 08:52 PM
Hi,
I activated the firewall only at the local router (site-to-site VTI) so I can test out my firewall from the remote router.
To test my firewall at the local router, from the local router I SSH to the remote router to do:
1. Ping to local router: successful.
2. Ping to local router inside address: failed. (Could you please advise how to resolve this?)
3. The above travels through my VTI.
I did not have any ACL or permit any VPN port, so why is my VPN still working?
Here's my firewall config:
class-map type inspect match-any myinspectclass
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https
 match protocol tcp
policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class class-default
zone security inside
 description from priv-to-pub
zone security outside
 description from pub-to-priv
zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy
zone-pair security out-in source outside destination inside
interface Dialer0
 zone-member security outside
interface Vlan1
 zone-member security inside
Thank you
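An added example (not posted by anyone in this thread) of how the zone-based firewall config above could be extended so that traffic arriving over the VTI can reach the inside network, together with the interface ACL that the earlier replies recommend for IKE, NAT-T, ESP and AH. The interface name Tunnel0, the zone name vpn and the ACL name OUTSIDE-IN are assumptions.

```cisco
! Added example; assumes the VTI is interface Tunnel0 (not stated in the thread).
! In a zone-based firewall an interface that belongs to no zone cannot exchange
! traffic with interfaces that are zone members, so the VTI gets a zone of its own.
zone security vpn
 description site-to-site VTI
!
interface Tunnel0
 zone-member security vpn
!
! Let the remote site initiate sessions toward the inside LAN, statefully
! inspected with the policy-map already defined in the thread.
zone-pair security vpn-in source vpn destination inside
 service-policy type inspect myinspectpolicy
!
! Let inside hosts open sessions toward the remote site over the tunnel.
zone-pair security in-vpn source inside destination vpn
 service-policy type inspect myinspectpolicy
!
! Interface ACL on the Internet-facing interface, as the earlier replies suggest:
! only IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50) and AH (IP protocol 51)
! are accepted from the outside toward the router; everything else hits the implicit deny.
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
!
interface Dialer0
 ip access-group OUTSIDE-IN in
```

The existing zone-pair out-in has no service-policy, so sessions from the Internet toward the inside zone remain dropped; only the tunnel zone gains a path to the inside.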