I'm trying to allow IPsec and L2TP VPN traffic through an IOS Zone-Based Firewall. The router running the ZBF is NOT a VPN endpoint. It only needs to pass traffic from VPN clients behind the router to other remote routers.
When I try to connect to a remote router, the Username/Password dialog box does not appear (Cisco VPN client). When I remove the zones from the interfaces of the firewall, the VPN works perfectly. So I suppose I'm blocking something in the ZBF, but I don't know what.
I'm using the following policy map for VPN to allow traffic from the INSIDE to the OUTSIDE and vice versa:
! Shown in definition order: the ACL first, then the class-map that
! references it, then the policy-map that references the class-map
ip access-list extended VPN_PROTOCOLS_ACL
 permit esp any any
 permit udp any any eq non500-isakmp
 permit gre any any
!
class-map type inspect match-any VPN_PROTOCOLS_CM
 match protocol isakmp
 match access-group name VPN_PROTOCOLS_ACL
!
policy-map type inspect OUTSIDE_INSIDE_PM
 class type inspect VPN_PROTOCOLS_CM
Does anyone have any idea how to allow VPN traffic to pass through?
Re: Allow VPN traffic through a Zone Based Firewall
If non-VTI IPsec is employed, you must exercise caution when you configure the firewall policy for VPN. The zone policy must specifically allow access by IP address to protected hosts for remote VPN sites' hosts or clients if they are in a different zone than the VPN traffic's ingress interface, where encrypted traffic will be sent to and received from remote VPN sites or clients. Access policy must be configured by including an access control list (ACL) enumerating the source addresses of the VPN clients and the destination addresses of the hosts the VPN clients will be allowed to reach. If the access policy is not properly configured, the policy could expose vulnerable hosts to hostile traffic.
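As an added example (not configuration from the original post or from the reply above), the following is a complete passthrough policy for a ZBF router that is not itself a VPN endpoint, illustrating both the question's traffic list (ISAKMP, UDP 4500, ESP, GRE) and the reply's advice to scope the policy to specific client and remote addresses. It assumes the inside client subnet 192.168.10.0/24, the remote VPN gateway 203.0.113.10, and interfaces GigabitEthernet0/0 (INSIDE) and GigabitEthernet0/1 (OUTSIDE); all of these are placeholders. The design point it shows: UDP 500/4500 carry port state, so they can be given the stateful "inspect" action, which automatically admits the return packets; ESP and GRE carry no L4 ports, so they need the stateless "pass" action, and because "pass" is unidirectional, an explicit pass class is required on the zone pair in each direction.

```cisco
! --- Assumed addressing (placeholders, not from the original thread) ---
! INSIDE clients : 192.168.10.0/24
! Remote gateway : 203.0.113.10
!
! ISAKMP (UDP 500) and NAT-T (UDP 4500): stateful, inside -> outside only
ip access-list extended VPN_UDP_OUT_ACL
 permit udp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq isakmp
 permit udp 192.168.10.0 0.0.0.255 host 203.0.113.10 eq non500-isakmp
!
! ESP and GRE have no L4 state; one ACL per direction, both scoped to hosts
ip access-list extended VPN_PASS_OUT_ACL
 permit esp 192.168.10.0 0.0.0.255 host 203.0.113.10
 permit gre 192.168.10.0 0.0.0.255 host 203.0.113.10
ip access-list extended VPN_PASS_IN_ACL
 permit esp host 203.0.113.10 192.168.10.0 0.0.0.255
 permit gre host 203.0.113.10 192.168.10.0 0.0.0.255
!
! match-all: protocol AND address must match, so inspect sees only UDP
class-map type inspect match-all VPN_UDP_OUT_CM
 match protocol udp
 match access-group name VPN_UDP_OUT_ACL
class-map type inspect match-all VPN_PASS_OUT_CM
 match access-group name VPN_PASS_OUT_ACL
class-map type inspect match-all VPN_PASS_IN_CM
 match access-group name VPN_PASS_IN_ACL
!
! Inside -> outside: inspect the UDP control channels, pass ESP/GRE,
! drop (and log) everything else so an unexpected block is visible
policy-map type inspect INSIDE_OUTSIDE_PM
 class type inspect VPN_UDP_OUT_CM
  inspect
 class type inspect VPN_PASS_OUT_CM
  pass
 class class-default
  drop log
!
! Outside -> inside: only the returning ESP/GRE; UDP 500/4500 replies are
! already admitted by the inspect session created in the other direction
policy-map type inspect OUTSIDE_INSIDE_PM
 class type inspect VPN_PASS_IN_CM
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_OUTSIDE_PM
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_INSIDE_PM
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

To confirm which class a stalled connection lands in, "show policy-map type inspect zone-pair sessions" lists the inspect sessions created by the UDP class, and the "drop log" on class-default writes a syslog line for any packet that matched neither class, which is the quickest way to see a forgotten protocol or direction.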