
Cisco IOS Firewall

Troubleshooting Zone-Based Firewall

Document ID: 109479



Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Problem: Unable to Pass VPN Traffic
      Solution
Problem: Network Reachability
      Solution
Related Information

Introduction

This document contains troubleshooting information for Zone-Based Firewall.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem: Unable to Pass VPN Traffic

VPN traffic is unable to pass through the Zone-Based Firewall.

Solution

Allow the VPN client traffic to be inspected by the Zone-Based IOS Firewall.

For example, these are the lines to add to the router's configuration:

! ACL 103 selects the VPN traffic: 172.16.1.0/24 (outside) to 172.22.10.0/24 (inside)
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.22.10.0 0.0.0.255
!
! The class-map matches the traffic selected by ACL 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 103
!
! The policy-map applies stateful inspection to that class
policy-map type inspect sdm-inspect-all
  class type inspect sdm-cls-VPNOutsideToInside-1
   inspect
!
! The zone-pair applies the policy to traffic from out-zone to in-zone
zone-pair security sdm-zp-out-in source out-zone destination in-zone
  service-policy type inspect sdm-inspect-all
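When VPN traffic still does not pass after these lines are added, the usual cause is a break somewhere in the zone-pair to policy-map to class-map to ACL chain (a misspelled name, an ACL number that does not exist, or no zone-pair at all for that direction, in which case the firewall drops the traffic by default). The script below is an added example, not a Cisco tool: it parses the configuration lines above from a constructed string and walks that chain for one zone direction, reporting every missing reference. The parser only understands the handful of commands used on this page.

```python
import re
from typing import List

# Constructed sample input: the zone-based firewall lines from the page.
VPN_CONFIG = """
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.22.10.0 0.0.0.255
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
  match access-group 103
policy-map type inspect sdm-inspect-all
  class type inspect sdm-cls-VPNOutsideToInside-1
   inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
  service-policy type inspect sdm-inspect-all
"""


def parse_zbf(config: str) -> dict:
    """Collect ACLs, class-maps, policy-maps (with per-class action) and
    zone-pairs from IOS configuration text. Only the commands used on this
    page are recognised; anything else is ignored."""
    cfg = {"acls": set(), "class_maps": {}, "policy_maps": {}, "zone_pairs": {}}
    mode, name, cls = None, None, None  # current sub-mode, its name, current class
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # '!' lines are IOS comments
            continue
        if m := re.match(r"access-list (\S+)\s", line):
            cfg["acls"].add(m.group(1))
            mode = None
        elif m := re.match(r"class-map type inspect (?:match-all|match-any) (\S+)", line):
            mode, name = "class-map", m.group(1)
            cfg["class_maps"][name] = []
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            mode, name, cls = "policy-map", m.group(1), None
            cfg["policy_maps"][name] = {}
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            mode, name = "zone-pair", m.group(1)
            cfg["zone_pairs"][name] = {"source": m.group(2), "destination": m.group(3), "policy": None}
        elif mode == "class-map" and (m := re.match(r"match access-group (\S+)", line)):
            cfg["class_maps"][name].append(m.group(1))
        elif mode == "policy-map" and (m := re.match(r"class (?:type inspect )?(\S+)", line)):
            cls = m.group(1)
            cfg["policy_maps"][name][cls] = None  # action filled in by the next line
        elif mode == "policy-map" and cls and line.split()[0] in ("inspect", "pass", "drop"):
            cfg["policy_maps"][name][cls] = line.split()[0]
        elif mode == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            cfg["zone_pairs"][name]["policy"] = m.group(1)
    return cfg


def check_chain(cfg: dict, source: str, destination: str) -> List[str]:
    """Walk zone-pair -> policy-map -> class-map -> ACL for traffic from
    `source` zone to `destination` zone. Returns the problems found; an empty
    list means the chain is complete and some class inspects or passes traffic."""
    problems = []
    pairs = [n for n, zp in cfg["zone_pairs"].items()
             if zp["source"] == source and zp["destination"] == destination]
    if not pairs:
        return [f"no zone-pair {source}->{destination}: inter-zone traffic is dropped by default"]
    for zp in pairs:
        policy = cfg["zone_pairs"][zp]["policy"]
        if policy is None:
            problems.append(f"zone-pair {zp} has no service-policy")
            continue
        classes = cfg["policy_maps"].get(policy)
        if classes is None:
            problems.append(f"zone-pair {zp} references missing policy-map {policy}")
            continue
        if not any(action in ("inspect", "pass") for action in classes.values()):
            problems.append(f"policy-map {policy} has no class that inspects or passes traffic")
        for cls in classes:
            if cls == "class-default":
                continue
            if cls not in cfg["class_maps"]:
                problems.append(f"policy-map {policy} references missing class-map {cls}")
                continue
            for acl in cfg["class_maps"][cls]:
                if acl not in cfg["acls"]:
                    problems.append(f"class-map {cls} references missing access-list {acl}")
    return problems


if __name__ == "__main__":
    cfg = parse_zbf(VPN_CONFIG)
    print("out-zone -> in-zone:", check_chain(cfg, "out-zone", "in-zone") or "chain complete")
    print("in-zone -> out-zone:", check_chain(cfg, "in-zone", "out-zone"))
```

On the device itself the same chain can be read back with `show running-config | section class-map|policy-map|zone-pair`; the script is only a way to make the reference walk explicit.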

Problem: Network Reachability

After the Zone-Based Firewall policy is applied on the IOS router, the networks are no longer reachable.

Solution

This problem might be caused by asymmetric routing. Cisco IOS® Firewall does not work in environments with asymmetric routing, where packets are not guaranteed to return through the same router.

Cisco IOS Firewall tracks the state of TCP/UDP sessions. A packet must depart and return through the same router for the state information to be maintained accurately.
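The following toy model is an added example, not Cisco code, and shows why asymmetric routing breaks stateful inspection. Each router keeps its own session table: an outbound packet that is inspected creates an entry, and a return packet is only allowed in if it matches an entry on that same router. With two routers between the zones, a reply that comes back through the router that never saw the request finds no session and is dropped. The addresses and router names are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        """5-tuple as recorded when the packet is inspected on the way out."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        """5-tuple of the session this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class InspectingRouter:
    """Model of one router with an 'inspect' policy from in-zone to out-zone
    and no policy in the other direction: only return traffic of a session
    this router itself opened is allowed back in."""

    def __init__(self, name: str):
        self.name = name
        self.sessions = set()  # per-router state: never shared with other routers
        self.log = []

    def forward_outbound(self, pkt: Packet) -> bool:
        # in-zone -> out-zone: inspected, a session entry is created
        self.sessions.add(pkt.key())
        self.log.append(f"{self.name}: opened session {pkt.key()}")
        return True

    def forward_inbound(self, pkt: Packet) -> bool:
        # out-zone -> in-zone: only replies to a known session are passed
        if pkt.reverse_key() in self.sessions:
            self.log.append(f"{self.name}: matched session, passed")
            return True
        self.log.append(f"{self.name}: no session for {pkt.key()}, dropped")
        return False


def simulate(egress: InspectingRouter, ingress: InspectingRouter) -> bool:
    """Send a request out through `egress` and bring the reply back through
    `ingress`; return whether the reply reached the inside host."""
    request = Packet("10.1.1.10", 40000, "203.0.113.5", 443)   # constructed addresses
    reply = Packet("203.0.113.5", 443, "10.1.1.10", 40000)
    egress.forward_outbound(request)
    return ingress.forward_inbound(reply)


def symmetric_passes() -> bool:
    r1 = InspectingRouter("R1")
    return simulate(r1, r1)


def asymmetric_passes() -> bool:
    r1, r2 = InspectingRouter("R1"), InspectingRouter("R2")
    return simulate(r1, r2)


if __name__ == "__main__":
    print("symmetric path, reply delivered:", symmetric_passes())
    print("asymmetric path, reply delivered:", asymmetric_passes())
```

On a real router the equivalent check is to look at the session table with `show policy-map type inspect zone-pair sessions` on each router in the path: if the return traffic arrives at a router whose table has no entry for the flow, the path is asymmetric and the firewall will drop it by design.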


Related Information



Updated: Jan 23, 2009