
Cisco VPN Client 3.5.x integrated firewall


schazz

We have a Cisco VPN Concentrator 3000 using an address pool for VPN client assignment.
All groups require a firewall.
The firewall policy is pushed to each VPN client using CPP.

When the 'Stateful Firewall' option is enabled on the VPN client, we are unable to ping from the local LAN to the VPN client. Upon disabling this option, pings are successful. (We are able to ping the opposite way regardless of setting.)

Is there any way to enable the client 'Stateful Firewall' and still be able to access the VPN client from the LAN?
 
Using CPP, you should be able to configure the firewall policy such that the remote VPN client responds to ICMP (Ping) requests.
 
The Cisco VPN client ships with a stripped-down version of Zone Labs' ZoneAlarm host firewall product. You cannot alter this firewall configuration. It is statically set to not allow any incoming traffic to the VPN client, *UNLESS* the traffic was initiated from the VPN client itself. You cannot connect to the VPN client from your LAN with the firewall in place.
 
Thanks.
I had hoped that we could somewhat protect the client PC while no tunnels exist AND be able to manage it from the LAN while the VPN tunnel is established.

Maybe in a future release.....
 