Cisco Firewall Issues
Posted in Tech
Afternoon watch, 3 bells (1:35 pm)

I've been working with my boss for quite a while on a router issue. We've spent hours on the phone with Cisco technicians trying to get this issue solved, and today it finally happened. The solution was deceptively simple, but I guess you need to get the right technician.

Our issue was this: a firewall was configured on a Cisco 881W router with NAT translation to pass Microsoft VPN traffic in to a VPN server on the inside of the firewall (port 1723). The problem is it never worked. The solution required GRE (which we knew), but finding a tech with the right qualifications to tell us exactly what to do was a right pain. We found if the firewall was shut off, then the VPN connection worked, so we knew there was an issue somewhere on the firewall itself.

Well, to make a long story short, here are the missing bits:

access-list 120 permit gre any any

class-map type inspect match-all GRE
   match access-group 120

policy-map type inspect NATOut-to-In
   class type inspect GRE

The number of the access list isn't important, as long as it isn't already used. The traffic has to be passed through via the policy map because it cannot be inspected. The NATOut-to-In is the rule for the firewall that handles outside to inside traffic. I don't know what yours may be named, but it should be something like that.

Leave a Comment »

Leave a Reply