Cisco Support Community
cat6500 msfc2 vpnsm and fwsm problem

I am trying to configure a cat6500 with two VPNSMs and two FWSMs in transparent mode with about 30 transparent firewall contexts. The FWSM works just fine, but I can't pass any traffic through the VPNSM.

I am trying to chain both modules.

client---vlan 700 ---| inside FWSM outside |--- vlan 701 ---| VPNSM | --- int vlan 702

This is the config:

firewall multiple-vlan-interfaces
firewall module 3 vlan-group 2
firewall vlan-group 2 700-702
! Client VLAN
vlan 700
 name TEST_CLIENT
! OUTSIDE Port of the FWSM
vlan 701
 name TEST_FW_OUTSIDE
!
vlan 702
 name TEST_CRYPTO
! VPNSM Config
interface GigabitEthernet5/1
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,600,606,702,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet5/2
 no ip address
 flowcontrol receive on
 flowcontrol send off
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,106,701,1002-1005
 switchport mode trunk
 spanning-tree portfast trunk
!
! Here is my client connected
interface GigabitEthernet9/3
 no ip address
 switchport
 switchport access vlan 700
!
interface Vlan701
 no ip address
 crypto connect vlan 702
!
interface Vlan702
 ip address 192.168.230.254 255.255.255.0
 crypto map TEST
 crypto engine slot 5
!

The firewall context doesn't filter any traffic. When I start the VPN soft client, the session is established and DPD packets are sent from the MSFC. But I can't pass any traffic over the VPN connection. Where is the problem? Is my config too fancy?

Any ideas to solve this issue?

Thanks in advance...

1 REPLY

Re: cat6500 msfc2 vpnsm and fwsm problem

I found the problem. I simply forgot to enable reverse-route injection in the appropriate crypto map:

crypto dynamic-map ROADWARRIOR 50
 description Remote Access VPN User XAUTH
 set security-association lifetime seconds 7200
 set transform-set SOFTCLIENT
 set isakmp-profile ROADWARRIOR
 reverse-route

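A check for the kind of omission the reply describes, added here as an example and not part of the original thread. IOS accepts a dynamic crypto map without `reverse-route` silently, and the symptom is exactly what the poster saw: the SA comes up, DPD runs, and no traffic flows, because reverse route injection is what puts a route for the remote client back into the MSFC routing table, so without it return traffic is never steered to the VPNSM. The script below parses IOS config into top-level blocks and reports dynamic maps that are reachable from an interface-bound crypto map but have no `reverse-route`. The sample configs are constructed from the post with indentation restored; the `crypto map TEST 50 ipsec-isakmp dynamic ROADWARRIOR` binding line and the `UNUSED` dynamic map are assumptions, since the post does not show them.

```python
"""Audit a Cisco IOS config for dynamic crypto maps that are bound to an
interface (through a 'crypto map ... ipsec-isakmp dynamic' entry) but lack
'reverse-route'.

Example written for this thread, not code from the forum post. The sample
configs are constructed from the post with indentation restored; the
'crypto map TEST 50 ipsec-isakmp dynamic ROADWARRIOR' line, its sequence
number and the UNUSED dynamic map are assumptions not shown in the post.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the poster's VPNSM-facing SVIs plus the dynamic map
# from the reply as it was before the fix (no reverse-route).
BROKEN_CONFIG = """\
crypto dynamic-map ROADWARRIOR 50
 description Remote Access VPN User XAUTH
 set security-association lifetime seconds 7200
 set transform-set SOFTCLIENT
 set isakmp-profile ROADWARRIOR
!
crypto dynamic-map UNUSED 10
 set transform-set SOFTCLIENT
!
crypto map TEST 50 ipsec-isakmp dynamic ROADWARRIOR
!
interface Vlan701
 no ip address
 crypto connect vlan 702
!
interface Vlan702
 ip address 192.168.230.254 255.255.255.0
 crypto map TEST
 crypto engine slot 5
!
"""

# The same config with the one-line fix from the reply applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " set isakmp-profile ROADWARRIOR\n",
    " set isakmp-profile ROADWARRIOR\n reverse-route\n",
)

# Inside an interface block: 'crypto map <name>' (name only, no sequence).
IFACE_MAP_RE = re.compile(r"^crypto map (\S+)$")
# Top level: 'crypto map <name> <seq> ipsec-isakmp dynamic <dyn-name>'.
DYN_REF_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
# Top level: 'crypto dynamic-map <dyn-name> <seq>'.
DYN_MAP_RE = re.compile(r"^crypto dynamic-map (\S+) \d+")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config into (top-level command, [indented sub-commands]).

    IOS indents sub-commands by one space and separates sections with '!'.
    """
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None  # '!' (or a comment) closes the current section
            continue
        if raw[0] in " \t":
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def find_missing_rri(config: str) -> List[str]:
    """Return names of dynamic maps reachable from an interface but lacking RRI.

    Reachable means some interface carries 'crypto map X' and X has an
    'ipsec-isakmp dynamic <name>' entry. Unreferenced dynamic maps are
    ignored, since they can never be used to build an SA.
    """
    bound_maps: Set[str] = set()
    dyn_refs: Dict[str, Set[str]] = {}           # dyn-name -> crypto maps using it
    dyn_bodies: Dict[str, List[List[str]]] = {}  # dyn-name -> entry bodies

    for head, body in parse_blocks(config):
        if head.startswith("interface "):
            for line in body:
                m = IFACE_MAP_RE.match(line)
                if m:
                    bound_maps.add(m.group(1))
            continue
        m = DYN_REF_RE.match(head)
        if m:
            dyn_refs.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = DYN_MAP_RE.match(head)
        if m:
            dyn_bodies.setdefault(m.group(1), []).append(body)

    findings: List[str] = []
    for name in sorted(dyn_bodies):
        if not dyn_refs.get(name, set()) & bound_maps:
            continue  # defined but not reachable from any interface
        # 'reverse-route' may carry options (static, remote-peer): prefix match.
        if any(not any(l.startswith("reverse-route") for l in body)
               for body in dyn_bodies[name]):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "->", find_missing_rri(cfg) or "OK")
```

Run it as-is to see the broken config flagged and the fixed one pass, or feed it the text of `show running-config` from the MSFC; real output uses the same single-space indentation that `parse_blocks` expects. The `UNUSED` map shows why the reachability step matters: a dynamic map nobody references is not a finding, only one that an interface-bound crypto map can actually select.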