I've finally gotten the SSL VPN working right with the new AnyConnect client and the latest IOS version on an 871 router. Every time I try to implement the firewall, however, remote VPN clients can no longer see anything on the office LAN (192.168.1.x) except the gateway, and the office clients cannot access the internet. I tried using both the basic and advanced firewall wizard in the SDM with the same result. Can anyone suggest the right way to configure this, or sample code I can use to secure this setup while keeping full access to the office LAN (192.168.1.x) from the SSL tunnel and allowing full internet access for the office clients? Current config attached, which works but has no firewall configured...
The first thing you will want to do is modify your existing configuration to support virtual-templates. This feature was added in 12.4(20)T3 and 12.4(24)T1 to address a well-documented bug. Please see the attached sample config. Once this change has been made, please try to add the ZBFW config and let me know if the problem persists.
Hi, I tried to implement this yesterday with no success. I added the virtual-template code and then re-ran the basic firewall wizard, which caused everything to stop working again. The wizard adds a rule that drops everything from the in-zone out, which I manually changed to "firewall permit" so the clients could access the internet again. Remote clients trying to use the SSL VPN could connect and get an IP address but could not access any hosts on the office LAN (192.168.1.x). I tried tweaking the rules for half an hour while a client kept trying the connection and finally had to delete everything again because it was preventing them from doing work. Is there some basic firewall config you can suggest that will just get this to work properly? I've been trying to get this straightened out for several weeks now and need to finish it. Thanks.
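The layout below is an added example, not the config attached to the thread or a Cisco sample, showing the two pieces the replies above describe: binding the existing webvpn context to a virtual-template, and a zone-based firewall that keeps SSL VPN clients on the office LAN while office clients keep internet access. The interface names follow the 871's usual layout (FastEthernet4 as the WAN port, Vlan1 as the LAN); the zone, class-map, policy-map, context and pool names and the pool range are assumptions, and the existing webvpn gateway and policy-group lines are left as they already are.

```cisco
! ---- SSL VPN: attach the existing context to a virtual-template ----
! Pool outside the LAN subnet (assumed range), so LAN hosts send replies
! to their default gateway (this router) and the router forwards them
! down the tunnel.
ip local pool SSLVPN-POOL 192.168.2.10 192.168.2.50
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ! Same zone as the LAN. ZBFW permits traffic between interfaces in the
 ! same zone without any zone-pair policy, so VPN <-> LAN just works.
 zone-member security in-zone
!
webvpn context SSLVPN
 ! Only this line is new; the gateway, policy group and
 ! "svc address-pool" settings already in the working config stay.
 virtual-template 1
!
! ---- Zone-based firewall ----
zone security in-zone
zone security out-zone
!
! Inspect (not just "pass") so that return traffic from the internet
! is allowed back to the LAN and VPN clients by the session table.
class-map type inspect match-any CM-INSIDE-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-INTERNET
 class type inspect CM-INSIDE-TO-INTERNET
  inspect
 class class-default
  drop log
!
! Only one zone-pair is needed. There is deliberately no out-zone ->
! in-zone pair: with no policy, unsolicited inbound traffic is dropped.
zone-pair security in-to-out source in-zone destination out-zone
 service-policy type inspect PM-INSIDE-TO-INTERNET
!
interface Vlan1
 zone-member security in-zone
!
interface FastEthernet4
 zone-member security out-zone
!
! Nothing is configured for the "self" zone on purpose: without a
! zone-pair that involves self, traffic to and from the router itself
! (including AnyConnect's TCP/UDP 443 to the outside address) is
! permitted by default, so the VPN can still be established.
```

After applying it, verify with `show zone-pair security` (one pair, policy attached) and `show policy-map type inspect zone-pair sessions` while an office host browses the web: LAN-to-internet flows should appear as inspected sessions, and a connected VPN client should reach 192.168.1.x hosts without any entry there, because that path never crosses a zone pair. The wizard's in-zone-to-out-zone drop rule that the follow-up post mentions is exactly what the `inspect` action on `in-to-out` replaces; changing it to a plain permit/pass would open the outbound direction but leave replies with nothing to let them back in.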
Log in to the FXOS Chassis Manager.
Point your browser at https://hostname/ and log in with your username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...