
871 SSL VPN firewall problem

mhdacegan
Level 1

I've finally gotten the SSL VPN working right with the new AnyConnect client and the latest IOS version on an 871 router. Every time I try to implement the firewall, however, remote VPN clients can no longer see anything on the office LAN (192.168.1.x) except the gateway, and the office clients cannot access the internet. I tried using both the basic and advanced firewall wizard in the SDM with the same result. Can anyone suggest the right way to configure this, or sample code I can use to secure this setup while keeping full access to the office LAN (192.168.1.x) from the SSL tunnel and allowing full internet access for the office clients? Current config attached, which works but has no firewall configured...

7 Replies

Todd Pula
Level 7

The first thing you will want to do is modify your existing configuration to support virtual-templates. This feature was added in 12.4(20)T3 and 12.4(24)T1 to address a well documented bug. Please see the attached sample config. Once this change has been made, please try to add the ZBFW config and let me know if the problem persists.

Thanks for your response. If I understand from your config, the line "ip unnumbered" should have the actual name of my outside (WAN) interface? Therefore my command would look like:

interface Virtual-Template1
 ip unnumbered FastEthernet4

Is that correct?

You are correct...

Ok...I will try this. Curiously, how does enabling the virtual templates get the firewall working? Should I just go through the basic firewall wizard again in the SDM?

This is related to bug CSCsr41631 in which there were interop issues with SSL VPN and other IP features in 12.4(20)T and above.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr41631

Hi, I tried to implement this yesterday with no success. I added the virtual template code and then re-ran the basic firewall wizard, which caused everything to stop working again. The wizard adds a rule that drops everything from the in-zone out, which I manually changed to "firewall permit" so the clients could access the internet again. Remote clients trying to use the SSL VPN could connect and get an IP address but could not access any hosts on the office LAN (192.168.1.x). I tried tweaking the rules for half an hour while a client kept trying the connection and finally had to delete everything again because it was preventing them from doing work. Is there some basic firewall config you can suggest that will just get this to work properly? I've been trying to get this straightened out for several weeks now and need to finish it. Thanks.
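The following is an added example that is not part of this thread (it is neither the original poster's config nor Todd Pula's attached sample). It ties together the two points raised above: binding the SSL VPN to a Virtual-Template interface, and writing a zone-based firewall (ZBFW) policy that treats that interface as its own zone so the decrypted AnyConnect traffic can reach the office LAN while the LAN still gets out to the Internet. Assumed, not taken from the thread: FastEthernet4 is the WAN interface (as confirmed above), Vlan1 carries the office LAN 192.168.1.0/24 (the usual 871 layout), the SSL VPN client pool is 192.168.10.0/24, and every zone, class-map, policy-map, pool and context name is illustrative. The existing webvpn gateway, policy group and AAA settings are left as they are; only the lines shown are added.

```cisco
! Added example, not the thread's own configuration.
! Assumptions: Fa4 = WAN, Vlan1 = office LAN 192.168.1.0/24,
! SSL VPN client pool 192.168.10.0/24, all names illustrative.
!
! 1. Terminate the SSL VPN on a Virtual-Template so ZBFW sees the
!    decrypted client traffic arriving on a real (virtual) interface.
ip local pool SSLVPN-POOL 192.168.10.1 192.168.10.50
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 zone-member security VPN
!
webvpn context SSLVPN
 virtual-template 1
 ! existing gateway / policy group / svc address-pool lines unchanged
!
! 2. One security zone per interface that carries user traffic.
zone security IN
zone security OUT
zone security VPN
!
interface Vlan1
 zone-member security IN
!
interface FastEthernet4
 zone-member security OUT
!
! 3. Stateful inspection of TCP, UDP and ICMP: return traffic for
!    inspected sessions is allowed automatically.
class-map type inspect match-any CM-ALL-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSPECT
 class type inspect CM-ALL-IP
  inspect
 class class-default
  drop log
!
! 4. Zone pairs. Office -> Internet, and both directions between the
!    VPN clients and the office LAN. There is deliberately no OUT->IN
!    pair, so unsolicited traffic from the Internet is dropped.
zone-pair security IN-OUT source IN destination OUT
 service-policy type inspect PM-INSPECT
!
zone-pair security VPN-IN source VPN destination IN
 service-policy type inspect PM-INSPECT
!
zone-pair security IN-VPN source IN destination VPN
 service-policy type inspect PM-INSPECT
```

Two points explain the symptom described in the post above. ZBFW drops traffic between an interface that belongs to a zone and one that belongs to none, so if Virtual-Template1 is left out of every zone, decrypted VPN traffic headed for Vlan1 (zone IN) is discarded even though the client gets an address; putting the template in its own zone and adding the VPN-IN and IN-VPN zone pairs is what the wizard-generated policy lacks. The SSL session itself terminates on the router, which is the self zone; as long as no zone pair involving self is configured, IOS allows that traffic by default, so the HTTPS connection to FastEthernet4 keeps working. If a self-zone policy is added later, it must explicitly permit TCP/443 to the gateway address. To verify, check `show zone-pair security`, `show policy-map type inspect zone-pair sessions` while a client is connected, and `show webvpn session context SSLVPN`.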

This is still an issue...any further suggestions?