04-28-2016 02:58 AM - edited 03-12-2019 12:40 AM
Got a zone-based firewall set up. Also configured it for remote VPN clients, and got the branch office router configured for EasyVPN; the tunnel comes up, but I'm not able to access the inside LAN. Please see the zone-based firewall config / ACLs below and advise what I am missing.
! Class maps
class-map type inspect match-any CMAP-LAN
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any CMAP-WMD-WAN
 match access-group name ACL-WAN-TO-LAN
class-map type inspect match-all CMAP-IPSEC-VPN
 match access-group name ACL-IPSEC-VPN
!
! LAN -> WAN: inspect TCP/UDP/ICMP, drop everything else
policy-map type inspect PMAP-LAN
 class type inspect CMAP-LAN
  inspect
 class class-default
  drop
! WAN -> LAN: inspect what ACL-WAN-TO-LAN permits, pass IPsec, drop the rest
policy-map type inspect PMAP-WAN
 class type inspect CMAP-WAN
  inspect
 class type inspect CMAP-IPSEC-VPN
  pass
 class class-default
  drop
!
zone security Z-WAN
zone security Z-LAN
zone-pair security ZP-LAN-To-WAN source Z-LAN destination Z-WAN
 service-policy type inspect PMAP-LAN
zone-pair security ZP-WAN-To-LAN source Z-WAN destination Z-LAN
 service-policy type inspect PMAP-WAN
!
! show ip access-lists output
Extended IP access list ACL-IPSEC-VPN
    10 permit esp any any
    20 permit udp any any
Extended IP access list ACL-WAN-TO-LAN
    10 permit tcp any host x.x.x.x eq smtp
    20 permit tcp any host x.x.x.x eq 443
    30 permit tcp host y.y.y.y host x.x.x.x eq 3389
    41 permit esp any any
    42 permit udp any any eq isakmp
    43 permit udp any any eq non500-isakmp
    50 permit ip host y.y.y.y any
    60 deny ip any any
Extended IP access list NAT
    10 deny ip x.x.x.x 0.0.0.255 z.z.z.z 0.0.0.255
    30 permit ip x.x.x.x 0.0.0.255 any
Extended IP access list VPNRemote
    10 permit ip x.x.x.x 0.0.0.255 z.z.z.z 0.0.0.255

x.x.x.x - LAN
y.y.y.y - WAN
z.z.z.z - branch office IP
04-28-2016 03:46 AM
I'm not sure about that way (that is quite an old way of doing it). I use a Virtual-Template, so each connection has its own interface. Then you just make sure you specify that the Virtual-Template is a member of the "inside" zone.
Take a look at my Cisco 890 series config wizard. Tick the box to enable "client to site vpn" and have a look at how it does it.
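As an added example (this is not the poster's config and not the output of the wizard mentioned above), here is how an Easy VPN server terminated on a dynamic Virtual-Template fits the zone model from the first post. The zone names (Z-LAN, Z-WAN), the VPNRemote split-tunnel ACL and the x/y/z placeholders come from the posted config; the interface names, address pool, group name, list names, username and keys are assumptions. The posted policy-map references CMAP-WAN while the class-map is defined as CMAP-WMD-WAN; that mismatch is left as posted and not addressed here.

```cisco
! Added example, not the original poster's configuration.
! Easy VPN server on a dynamic virtual tunnel interface (DVTI).
! Assumed: GigabitEthernet0/0 = WAN, GigabitEthernet0/1 = LAN,
! pool range, group name, list names and credentials.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-AUTHOR local
username vpnuser secret <xauth-password>
!
ip local pool EZVPN-POOL 192.168.50.1 192.168.50.50
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group policy pushed to clients; VPNRemote is the poster's split-tunnel ACL.
crypto isakmp client configuration group EZVPN-GROUP
 key <group-pre-shared-key>
 pool EZVPN-POOL
 acl VPNRemote
!
! Tie the group to a virtual template: one Virtual-Access is cloned per client.
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS-EZVPN esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF-EZVPN
 set transform-set TS-EZVPN
 set isakmp-profile EZVPN-PROF
!
! The template is a member of the inside zone, so decrypted client traffic
! is intra-zone (Z-LAN to Z-LAN) and is not subject to ZP-WAN-To-LAN at all.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 zone-member security Z-LAN
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-EZVPN
!
interface GigabitEthernet0/0
 description WAN (y.y.y.y)
 zone-member security Z-WAN
!
interface GigabitEthernet0/1
 description LAN (x.x.x.x/24)
 zone-member security Z-LAN
```

Two things to check once a client connects: `show crypto session` should list the peer with an active IPsec flow on a Virtual-AccessN interface, and `show ip route` should show the branch network (z.z.z.z/24) reachable via that same Virtual-Access interface, since the DVTI installs the client's protected networks as routes when the tunnel comes up. Because the Virtual-Access and the LAN interface are both in Z-LAN, no zone-pair or policy is needed for LAN-to-branch traffic; branch traffic bound for the Internet would instead be evaluated by ZP-LAN-To-WAN like any other inside host. Note also that ISAKMP (UDP 500/4500) and ESP addressed to the router itself belong to the self zone, which is permitted by default when no zone-pair involving self is configured, so the esp/isakmp entries in ACL-WAN-TO-LAN play no part in bringing the tunnel up; they would only matter for IPsec transiting the router to a host on the LAN.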
04-28-2016 03:26 AM
I need to see your VPN configuration as well. Can you just post the whole config?
04-28-2016 03:41 AM
04-28-2016 03:48 AM
Thanks Philip. I thought that it might need a virtual template; I will configure it that way and test it out.