Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

Zone based firewall VPN problem

I am trying to set up a VPN using a 871 router. The VPN is to be used by a remote client who will gain remote access to a PC using NetSupport software, a product similar to PCAnywhere. I am able to establish the VPN connection but the NetSupport software at the client is unable to connect to the PC behind the router. I have not been able to figure out how to configure the router's firewall to allow NetSupport (port 5405) traffic. My attempt so far consists of the following:

I created a port to application mapping for NetSupport:

ip port-map user-NetSupport port tcp 5405

I created a class map:

class-map type inspect match-any sdm_NetSupport_traffic

match protocol user-NetSupport

I created a second class map (probably unnessary but I was trying to replicate what SDM had created for the VPN)

class-map type inspect match-all sdm_NetSupport_pt

match class-map sdm_NetSupport_traffic

I created a policy map:

policy-map type inspect sdm-permit-netsupport

class type inspect sdm_NetSupport_pt


class type inspect SDM_IP


class class-default


I then applied this policy to the VPN/Inzone zone pair

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-netsupport

I apologise for my lack of IOS knowledge, I have looked at all the CISCO documents on zone based firewalls and what I have done seems to make sense according to what I have read. Any help would be greatly appreciated. I have attached my running config.

Cisco Employee

Re: Zone based firewall VPN problem


Besides the NetSupport traffic, are you able to see any other traffic can be communicated between the remote VPN client and the local PC?

For troubleshooting, instead of using the class-map to inspect NetSupport traffic, can you inspect all traffic (i.e. any to any) using the same policy-maps and zone-pair configs and see if that works?

Do you have a TAC case opened for this?


Alex Yeung

New Member

Re: Zone based firewall VPN problem

Hi Alex

The answer to the first question is no. I have not even been able to ping the local PC over the VPN. I tried to inspect all traffic by doing the following:

ip access-list extended SDM_ALL_TCP

remark SDM_ACL Category=1

permit tcp any any


class-map type inspect match-any sdm_all_tcp_cmap

match access-group name SDM_ALL_TCP


policy-map type inspect sdm_inspect_tcp_all

class type inspect sdm_all_tcp_cmap

no drop




zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

no service-policy type inspect sdm-permit-netsupport

service-policy type inspect sdm_inspect_tcp_all


but it made no difference. I have now opened a TAC case but thanks for your help anyway.

Best Regards


CreatePlease to create content