5 Replies Latest reply on Feb 6, 2014 10:17 AM by jessepdx

    if i turn on firewall VPN's go down

    jessepdx New Member

      If I enable the firewall, my VPNs shut off.

      I'm unsure how to add the VPN selectors to the private ACL, or if that is the correct thing to do?

      I'm sure there is a simple answer... RTFM isn't helping.

        • Re: if i turn on firewall VPN's go down
          Employee

          jessepdx - Thanks for posting your question on the forum!

          When the firewall is enabled, it is important that there is an allow rule in place for the outgoing VPN selectors on the LAN policy-class and incoming VPN selectors on the WAN policy-class. This is so traffic is a.) allowed through the firewall and b.) not NATted unnecessarily (potentially causing traffic not to match the selectors and therefore not being encrypted).

          I would be more than happy to take a look at your configuration. Just reply to this thread with the file (please remove any sensitive information). Also, please do not hesitate to let us know if you have any further questions.

          Thanks,

          Noor

            • Re: if i turn on firewall VPN's go down
              jessepdx New Member

              Yes, please take a look at it,

              here you go:

              ip access-list extended self
                remark Traffic to NetVanta
                permit ip any any log
              !
              ip access-list extended VPN-10-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
              !
              ip access-list extended VPN-30-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
              !
              ip access-list extended VPN-40-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
              !
              ip access-list extended VPN-50-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
              !
              ip access-list extended VPN-60-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
              !
              ip access-list extended VPN-70-vpn-selectors
                permit ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
              !
              ip access-list extended wizard-ics
                remark Internet Connection Sharing
                permit ip any any
              !
              ip access-list extended wizard-pfwd-1
                remark Port Forward 1
                permit tcp any host 75.x.x.x eq 3389 log
              !
              ip access-list extended wizard-remote-access
                remark do not hand edit this ACL
                permit tcp any any eq ssh log
                permit icmp any any echo log
                permit tcp any any eq https log
              !
              !
              !
              !
              ip policy-class Private
                allow list self self
                nat source list wizard-ics interface eth 0/2 overload
              !
              ip policy-class Public
                nat destination list wizard-pfwd-1 address 192.168.0.211
              !

                • Re: if i turn on firewall VPN's go down
                  jayh Hall_of_Fame

                  Try adding the lines in bold.

                  ip policy-class Public
                    nat destination list wizard-pfwd-1 address 192.168.0.211
                    allow reverse list VPN-10-vpn-selectors stateless
                    allow reverse list VPN-30-vpn-selectors stateless
                    allow reverse list VPN-40-vpn-selectors stateless
                    allow reverse list VPN-50-vpn-selectors stateless
                    allow reverse list VPN-60-vpn-selectors stateless
                    allow reverse list VPN-70-vpn-selectors stateless
                  !
                  ip policy-class Private
                    allow list VPN-10-vpn-selectors stateless
                    allow list VPN-30-vpn-selectors stateless
                    allow list VPN-40-vpn-selectors stateless
                    allow list VPN-50-vpn-selectors stateless
                    allow list VPN-60-vpn-selectors stateless
                    allow list VPN-70-vpn-selectors stateless
                    allow list self self
                    nat source list wizard-ics interface eth 0/2 overload
                  !
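The following config-audit script is an added example, not part of jayh's answer or of any ADTRAN tool. It reads an AOS-style config, finds every ACL named `*-vpn-selectors`, and reports the gaps Noor describes: a missing `allow list <acl>` on the LAN policy-class and a missing `allow reverse list <acl>` on the WAN policy-class. It also flags an `allow list` that sits below the `nat source` line, on the assumption (not stated in the thread, but implied by the order of jayh's fix) that policy-class entries are matched top-down, so a NAT rule above the allow would translate the VPN traffic before the selector rule is reached. The policy-class names `Private` and `Public` are the ones used in this thread; the three sample configs are constructed from the snippets posted above.

```python
"""Audit a NetVanta (AOS) firewall config for VPN selector allow rules.

Added example, not from the forum thread or from ADTRAN. Assumes (not
confirmed by the thread) that policy-class entries are evaluated top-down,
first match wins, so 'allow list <vpn-selectors>' must precede 'nat source'
in the LAN policy-class, and the WAN policy-class needs 'allow reverse list'.
"""
import re
from collections import OrderedDict

VPN_ACL_SUFFIX = "-vpn-selectors"   # ACL naming used by the VPN wizard in the thread


def parse_config(text):
    """Return (acls, policy_classes): ACL name -> entries, policy-class name -> ordered rules."""
    acls, policies, current = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # '!' terminates the current block
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"ip policy-class (\S+)$", line)
        if m:
            current = policies.setdefault(m.group(1), [])
            continue
        if current is not None and not line.startswith("remark"):
            current.append(line)
    return acls, policies


def audit_vpn_rules(text, lan_class="Private", wan_class="Public"):
    """Return a list of findings; an empty list means every selector ACL is allowed correctly."""
    acls, policies = parse_config(text)
    lan = [r.split() for r in policies.get(lan_class, [])]
    wan = [r.split() for r in policies.get(wan_class, [])]
    # Position of the first 'nat source' rule; an allow placed after it is never reached.
    nat_idx = next((i for i, t in enumerate(lan) if t[:2] == ["nat", "source"]), len(lan))
    findings = []
    for name in acls:
        if not name.endswith(VPN_ACL_SUFFIX):
            continue
        lan_allow = next((i for i, t in enumerate(lan) if t[:3] == ["allow", "list", name]), None)
        if lan_allow is None:
            findings.append(f"{lan_class}: no 'allow list {name}' (outbound VPN traffic is NATted or dropped)")
        elif lan_allow > nat_idx:
            findings.append(f"{lan_class}: 'allow list {name}' is below 'nat source' and never matches")
        if not any(t[:4] == ["allow", "reverse", "list", name] for t in wan):
            findings.append(f"{wan_class}: no 'allow reverse list {name}' (inbound VPN traffic is dropped)")
    return findings


# Constructed samples based on the snippets in this thread (trimmed to two selector ACLs).
ACLS = """
ip access-list extended VPN-10-vpn-selectors
  permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
ip access-list extended VPN-30-vpn-selectors
  permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
!
ip access-list extended wizard-ics
  remark Internet Connection Sharing
  permit ip any any
!
"""
BROKEN_CONFIG = ACLS + """
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.0.211
!
"""
FIXED_CONFIG = ACLS + """
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.0.211
  allow reverse list VPN-10-vpn-selectors stateless
  allow reverse list VPN-30-vpn-selectors stateless
!
ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list VPN-30-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
!
"""
# Allows present but placed after 'nat source': the ordering mistake the audit also catches.
MISORDERED_CONFIG = ACLS + """
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow reverse list VPN-30-vpn-selectors stateless
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/2 overload
  allow list VPN-10-vpn-selectors stateless
  allow list VPN-30-vpn-selectors stateless
!
"""

if __name__ == "__main__":
    for label, cfg in [("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("misordered", MISORDERED_CONFIG)]:
        print(label + ":")
        for f in audit_vpn_rules(cfg) or ["  ok"]:
            print("  " + f)
```

Run against the original posted config it reports a missing LAN allow and a missing WAN reverse allow for each selector ACL; against jayh's corrected policy-classes it reports nothing.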

                    • Re: if i turn on firewall VPN's go down
                      Employee

                      jessepdx -

                      I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


                      Thanks,

                      Noor