Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Andrzejek on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Firewall Rule Issue

Status
Not open for further replies.

Niall22

IS-IT--Management
Jun 9, 2000
109
CA
Hi Guys,

I just upgraded one of our Cisco routers to IOS version 12.2(23) and now I'm running into issues with our firewall configuration. Everything was fine until I upgraded but the upgrade was to patch a vulnerability so I don't want to go back to our previous version.

The issue is with our VPN clients. They could not send packets to our network unless I temporarily took our firewall down. Once the firewall was down they could communicate without any problems. All of our VPN clients are assigned private IP addresses when the tunnel is established. Here is the access list that is giving me grief. Any help you can provide me would be great!

access-list 101 permit icmp any any (for testing)
access-list 101 permit udp any eq isakmp any eq isakmp
access-list 101 permit udp host x.x.x.x any
access-list 101 permit tcp any host x.x.x.x eq www
access-list 101 permit tcp any host x.x.x.x eq 443
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.x.x.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.x.y.0 0.0.0.255

The last two lines are the ones that are causing me problems. They used to work fine but now the access-list says none of the packets match the criteria.

Any ideas?

Thanks,


Niall
 
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.x.x.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 10.x.y.0 0.0.0.255


In each of those statements, you will be having problem with overlapping. The destination address is a subnet of the source address. Am kind of curious what the ip address of source and destination interface will be.

If you check 'Show ip route' you will discover that you only have one route through a single interface to network 10.0.0.0/8.

Since the your vpn client's source address is the same as your internal network address, the firewall will think of it as a spoofed ip and as such block the ip.

To resolve this problem, one have to know more about your network eg?
1. Your vpn clients are coming through the internet or it is an intranet setup.
2. Are you giving out ip addresses stitically or dynamically
3. what is your firewall plateform, pix, checkpoint, ect?
4. what plateform is your vpn server, microsoft, pix, checkpoint, etc?
5....

If your firewall is Cisco PIX, check the debug when connecting, it will reveal alot about what is happening, if it is checkpoint, look at the log viewer.

Thanks.
Isokocons
 
Thanks for the reply Isokocons.

I managed to get a case open with Cisco TAC (without having to pay) because the problem only cropped up after the IOS upgrade.

It turned out that I needed to add the following entry to my access list:

permit esp any any

For some reason I didn't need to allow the escapsulation protocol on the old version of the IOS but I did need it with the newer version.


Again, thanks for your help.



Niall
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top