Firewall

jazzlim2004
Level 1

Hi,

I had a site-to-site IPsec tunnel VPN. Now I need to activate the firewall. After I used the SDM to create a basic firewall (low-risk), my VPN is down.

What is the reason? What configuration must I input?

Thank you

3 Replies

Jitendriya Athavale
Cisco Employee

What kind of firewall are you using? Is it CBAC? If in doubt, please paste your firewall config.

Also, you might have an access-list applied to the outside interface when you enabled the firewall.

Please permit the ports for VPN: UDP 500, ESP (IP protocol 50) and UDP 4500.

Deepak Khemani
Level 1

Hi

Please add an access-list on the outside interface in the IN direction to allow UDP 500, ESP and the AH protocol.

Basically, when you make the firewall active, everything goes down; only connections from inside the network can be initiated. In the case of a VPN there is an incoming connection to the outside interface, hence we need to explicitly allow the protocols and ports related to IPsec.

Post if that works.

Cheers

Deepak Khemani
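The two replies above describe the classic (CBAC) way of doing this: an inbound access-list on the outside interface that carves out the IPsec exchanges, while inspection opens the return path for inside-initiated sessions. The following is an added example, not configuration from any post in this thread. It assumes a CBAC firewall on an IOS router whose outside interface Dialer0 has the static address 203.0.113.1 and whose IPsec peer is 198.51.100.1; those addresses, the ACL name OUTSIDE-IN and the inspect rule name FW are all assumptions.

```ios
! Added example (not from the thread). Assumed values: outside interface
! Dialer0 = 203.0.113.1 (static), IPsec peer = 198.51.100.1.
!
! CBAC: inspect sessions leaving the outside interface so that their return
! traffic is opened dynamically through the inbound ACL below.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! Inbound filter on the outside interface. IKE, NAT-T and ESP/AH terminate on
! the router itself, so they are never "return traffic" and must be permitted
! explicitly. Restricting them to the known peer is the least-privilege form.
ip access-list extended OUTSIDE-IN
 remark IKE (ISAKMP) - UDP 500
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 remark IKE over NAT-T - UDP 4500
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 remark ESP - IP protocol 50
 permit esp host 198.51.100.1 host 203.0.113.1
 remark AH - IP protocol 51 (only needed if the transform set uses AH)
 permit ahp host 198.51.100.1 host 203.0.113.1
 remark everything else not opened by inspection is dropped and logged
 deny ip any any log
!
interface Dialer0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

Permitting the IKE, ESP and AH lines only from the peer address rather than from `any` means an unknown host cannot even start an IKE negotiation with the router. After applying it, `show crypto isakmp sa` should show the peer in QM_IDLE, and `show access-lists OUTSIDE-IN` should show hits on the isakmp and esp lines rather than on the final deny.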

Hi,

I activated the firewall only at the local router (site-to-site VTI) so I can test out my firewall from the remote router.

To test my firewall at the local router, from the local router I SSH to the remote router to do:

1. ping to local router - successful

2. ping to local router inside address - failed (could you please advise how to resolve this)

3. The above travels through my VTI.

I did not have any ACL or permit any VPN port; why does my VPN still work?

Here's my firewall config:

class-map type inspect match-any myinspectclass
 match protocol icmp
 match protocol http
 match protocol dns
 match protocol https
 match protocol tcp
!
policy-map type inspect myinspectpolicy
 class type inspect myinspectclass
  inspect
 class class-default
!
zone security inside
 description from priv-to-pub
zone security outside
 description from pub-to-priv
zone-pair security in-out source inside destination outside
 service-policy type inspect myinspectpolicy
zone-pair security out-in source outside destination inside
!
interface Dialer0
 zone-member security outside
!
interface Vlan1
 zone-member security inside

Thank you
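Two zone-based firewall rules account for the test results in the post above. First, traffic to or from the router's own addresses belongs to the built-in self zone, which is permitted by default until a zone-pair naming self is configured; that is why IKE and ESP to Dialer0 kept working with nothing permitted. Second, traffic between an interface that is in a zone and an interface that is in no zone is dropped; the VTI is in no zone, so decrypted packets from the remote site bound for Vlan1 (zone inside) are dropped, while pings addressed to the router itself (self zone) succeed. The following is an added example that extends the posted config; it is not from the thread. The peer address 198.51.100.1, the tunnel interface name Tunnel0 and the object names IPSEC-TO-SELF, IPSEC-PEER and SELF-POLICY are assumptions.

```ios
! Added example (not from the thread), layered on the poster's ZBF config.
! Assumed values: IPsec peer = 198.51.100.1, VTI = interface Tunnel0.
!
! 1. Make the outside -> self permit explicit. Without any zone-pair naming
!    "self" this traffic is allowed by default; defining one restricts IKE,
!    NAT-T, ESP and AH to the known peer and drops everything else aimed at
!    the router's outside address. The destination is "any" because a Dialer
!    interface usually has a dynamic address.
ip access-list extended IPSEC-TO-SELF
 permit udp host 198.51.100.1 any eq isakmp
 permit udp host 198.51.100.1 any eq non500-isakmp
 permit esp host 198.51.100.1 any
 permit ahp host 198.51.100.1 any
!
class-map type inspect match-any IPSEC-PEER
 match access-group name IPSEC-TO-SELF
!
! "pass" is stateless and is the documented action for IPsec that terminates
! on the router; class-default drops (and logs) anything else to self.
policy-map type inspect SELF-POLICY
 class type inspect IPSEC-PEER
  pass
 class class-default
  drop log
!
zone-pair security out-self source outside destination self
 service-policy type inspect SELF-POLICY
! self -> outside (router-initiated IKE) is left at the default allow, since
! no self-out zone-pair is defined.
!
! 2. Put the VTI into a zone. Decrypted packets enter on Tunnel0; with the
!    tunnel in "inside", Tunnel0 <-> Vlan1 becomes intra-zone traffic, which
!    ZBF permits by default, so the remote-to-inside ping will succeed.
interface Tunnel0
 zone-member security inside
```

Verify with `show zone-pair security` and `show policy-map type inspect zone-pair out-self` (the IPSEC-PEER class should accumulate hits), then repeat the ping from the remote site to the Vlan1 address. If tunnel traffic should be inspected rather than simply joined to the inside zone, put Tunnel0 in its own zone and add zone-pairs between that zone and inside with an inspect policy instead.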
