VPN traffic pass through Zone Based Firewall

Hasrat Bhanot
Level 1

Got a zone-based firewall set up. It is also configured for remote VPN clients, and the branch office router is configured for EasyVPN; the tunnel comes up, but I am not able to access the inside LAN. Please see the zone-based firewall config/ACLs below and advise what I am missing.

! Class maps: what each zone-pair policy matches on
class-map type inspect match-any CMAP-LAN
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any CMAP-WAN
 match access-group name ACL-WAN-TO-LAN
class-map type inspect match-all CMAP-IPSEC-VPN
 match access-group name ACL-IPSEC-VPN
!
! Policy maps: LAN->WAN is stateful-inspected; WAN->LAN is inspected for the
! published services and the IPsec ACL is passed (no state); everything else dropped
policy-map type inspect PMAP-LAN
 class type inspect CMAP-LAN
  inspect
 class class-default
  drop
policy-map type inspect PMAP-WAN
 class type inspect CMAP-WAN
  inspect
 class type inspect CMAP-IPSEC-VPN
  pass
 class class-default
  drop
!
! Zones and zone-pairs
zone security Z-WAN
zone security Z-LAN
zone-pair security ZP-LAN-To-WAN source Z-LAN destination Z-WAN
 service-policy type inspect PMAP-LAN
zone-pair security ZP-WAN-To-LAN source Z-WAN destination Z-LAN
 service-policy type inspect PMAP-WAN

Extended IP access list ACL-IPSEC-VPN
10 permit esp any any
20 permit udp any any

Extended IP access list ACL-WAN-TO-LAN
10 permit tcp any host x.x.x.x eq smtp
20 permit tcp any host x.x.x.x eq 443
30 permit tcp host y.y.y.y host x.x.x.x eq 3389
41 permit esp any any
42 permit udp any any eq isakmp
43 permit udp any any eq non500-isakmp
50 permit ip host y.y.y.y any
60 deny ip any any

Extended IP access list NAT
10 deny ip x.x.x.x 0.0.0.255 z.z.z.z 0.0.0.255
30 permit ip x.x.x.x 0.0.0.255 any

Extended IP access list VPNRemote
10 permit ip x.x.x.x 0.0.0.255 z.z.z.z 0.0.0.255

x.x.x.x - LAN

y.y.y.y - WAN

z.z.z.z - Branch office IP


4 Replies

Philip D'Ath
VIP Alumni

I need to see your VPN configuration as well.  Can you just post the whole config?

Please see the attached.

I'm not sure about that way (that is quite an old way of doing it).  I use Virtual-Template, so each connection has its own interface.  Then you just make sure you specify that the Virtual-Template is a member of the "inside" zone.

Take a look at my Cisco 890 series config wizard.  Tick the box to enable "client to site vpn" and have a look at how it does it.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html
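An added configuration sketch of the Virtual-Template approach described in the reply above; it is not Philip's post, not output of the 890 wizard, and not part of the original thread. It reuses the zone names Z-LAN and Z-WAN from the question; the AAA list names VPN-USERS and VPN-GROUPS, the pool VPNPOOL, the group VPNGROUP, the profile names EZVPN-PROF and EZVPN-IPSEC, the transform set TS-AES, the pool range and the LAN interface Vlan1 are assumed placeholders, and the pre-shared key must be replaced.

```cisco
! Added example, not from the original post: EasyVPN server terminated on a
! Virtual-Template. Each client session gets its own Virtual-Access interface
! cloned from the template, and the template is a member of the inside zone.
! All names marked (assumed) are placeholders chosen for this example.
!
! (assumed) local AAA lists for user and group authorization
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
!
! (assumed) address pool handed to remote clients
ip local pool VPNPOOL 192.0.2.100 192.0.2.199
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! (assumed) client group; replace the key before use
crypto isakmp client configuration group VPNGROUP
 key REPLACE-WITH-PRESHARED-KEY
 pool VPNPOOL
!
! (assumed) ISAKMP profile that binds the group to Virtual-Template1
crypto isakmp profile EZVPN-PROF
 match identity group VPNGROUP
 client authentication list VPN-USERS
 isakmp authorization list VPN-GROUPS
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! (assumed) IPsec profile applied to the tunnel template
crypto ipsec profile EZVPN-IPSEC
 set transform-set TS-AES
 set isakmp-profile EZVPN-PROF
!
! Decrypted client traffic enters the router on the Virtual-Access interface,
! which inherits the zone membership of this template: Z-LAN from the question.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
 zone-member security Z-LAN
```

With the Virtual-Template in Z-LAN, decrypted client traffic headed for the LAN is intra-zone and is never evaluated by the ZP-WAN-To-LAN policy; the existing zone-pairs can stay as they are. The ISAKMP and ESP packets addressed to the router itself terminate in the default self zone, which permits traffic to and from the router unless a self zone-pair with its own policy is configured. To check the result, confirm the session with show crypto session, confirm the Virtual-Access interface reports Z-LAN in show zone security, and watch what the firewall is actually seeing with show policy-map type inspect zone-pair sessions.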

Thanks Philip, I thought that it might need a Virtual-Template; I will configure it that way and test it out.
