Monday, August 27, 2012

AnyConnect VPN Client on IOS Router with IOS Zone Based Policy Firewall Configuration Example



In Cisco IOS® Software Release 12.4(20)T and later, a virtual interface, SSLVPN-VIF0, was introduced to terminate AnyConnect VPN client connections. However, SSLVPN-VIF0 is an internal interface that does not accept user configuration. This creates a problem when AnyConnect VPN is combined with the Zone Based Policy Firewall, because with the firewall, traffic can only flow between two interfaces when both interfaces belong to security zones. Since the user cannot configure the SSLVPN-VIF0 interface to make it a zone member, VPN client traffic that is terminated and decrypted on the Cisco IOS WebVPN gateway cannot be forwarded to any other interface belonging to a security zone. The symptom of this problem is this log message reported by the firewall:
*Mar  4 16:43:18.251: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.12:0 192.168.10.1:0 due to One of the interfaces not being cfged for zoning with ip ident 0
This issue was later addressed in newer Cisco IOS software releases. With the new code, the user can assign a security zone to a virtual-template interface that is referenced under the WebVPN context, which in effect associates a security zone with the WebVPN context.


code:

interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security inside
!

Note: reload the router after the change.
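The fragment above shows only the virtual-template. The following is an added configuration example, not part of the original post or Cisco documentation, that shows how the virtual-template, the WebVPN context and the zone-based firewall fit together on one router. It places the AnyConnect clients in their own zone and uses an explicit zone-pair with an inspect policy, so that client-to-LAN traffic is stateful-inspected and everything else is dropped and logged. All names (zone names, MYGATEWAY, MYCONTEXT, MYTRUSTPOINT, VPN-POOL), addresses and interface numbers are assumed placeholders; the addressing is chosen so the client (192.168.1.x) and LAN gateway (192.168.10.1) match the log message quoted earlier.

```cisco
! Added example (not from the original post). Names and addresses are
! assumed placeholders.
!
! Security zones: the LAN side and the AnyConnect client side.
zone security inside
zone security vpn-clients
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 zone-member security inside
!
! Virtual-template referenced by the WebVPN context. Decrypted client
! traffic enters the firewall here; without the zone-member line the
! router logs %FW-6-DROP_PKT "One of the interfaces not being cfged for zoning".
interface Virtual-Template1
 ip unnumbered Loopback0
 zone-member security vpn-clients
!
ip local pool VPN-POOL 192.168.1.10 192.168.1.50
!
webvpn gateway MYGATEWAY
 ip address 203.0.113.1 port 443
 ssl trustpoint MYTRUSTPOINT
 inservice
!
webvpn context MYCONTEXT
 gateway MYGATEWAY
 virtual-template 1
 policy group DEFAULT
  functions svc-enabled
  svc address-pool "VPN-POOL" netmask 255.255.255.0
 default-group-policy DEFAULT
 inservice
!
! Zone-pair and inspect policy: permit and stateful-inspect client traffic
! toward the LAN; anything not matched is dropped and logged.
class-map type inspect match-any VPN-TO-INSIDE-CLASS
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect VPN-TO-INSIDE-POLICY
 class type inspect VPN-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security vpn-to-inside source vpn-clients destination inside
 service-policy type inspect VPN-TO-INSIDE-POLICY
```

Putting the virtual-template in the same zone as the LAN, as the original fragment does, also works and needs no zone-pair, because traffic between interfaces in one zone passes without inspection. A separate client zone is the more conservative choice: it forces every VPN-to-LAN flow through an inspect policy, and the `drop log` action gives a log line to alert on if a client reaches for something the policy does not allow. As the note above says, reload the router after applying the zone-member change to the virtual-template; an existing session can still show the `%FW-6-DROP_PKT` message until then.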
Cisco SSL-VPN LAN Access with Zone Based Policy Firewall 

1 comment:

  1. If you've got multiple computers or numerous devices connected to your network, and want them to be routed through your VPN servers, you can opt to set up a VPN connection on your actual router. By doing so, there is no need to configure each device separately, as your router will automatically connect all devices to our service. This can be particularly helpful for connecting devices with no built-in VPN support.

    More Detail About VPN Router
