Thanks for posting your question on the forum!
When the firewall is enabled, it is important that there is an allow rule in place for the outgoing VPN selectors on the LAN policy-class and for the incoming VPN selectors on the WAN policy-class. This is so that traffic is a) allowed through the firewall and b) not NATted unnecessarily (which could cause traffic not to match the selectors and therefore not to be encrypted).
I would be more than happy to take a look at your configuration. Just reply to this thread with the file (please remove any sensitive information). Also, please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
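The following Python model is an added illustration, not code from this thread or from ADTRAN. It walks the two policy-classes top-down with first match winning, which is the evaluation order the fix below relies on (the allow entries are placed before "nat source"), and shows why a LAN-to-remote-site packet that reaches the "nat source list wizard-ics" entry first gets its source rewritten and then fails every VPN selector. Assumptions: 203.0.113.5 stands in for the masked 75.x.x.x WAN address, the LAN, remote and Internet hosts are constructed, the "allow list self self" and "nat destination" port-forward entries are left out because they do not touch the site-to-site flows, the "stateless" keyword (no session tracking) does not change which entry matches and is not modelled, and traffic matching no entry is discarded.

```python
"""Simulation of top-down, first-match policy-class evaluation to show why the
VPN-selector 'allow' entries must come before 'nat source' (illustrative model,
not ADTRAN AOS code)."""
import ipaddress


def wildcard_match(addr, net, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, src, dst):
    """True if any (src, src_wc, dst, dst_wc) entry of an extended ACL permits the flow."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


# Extended ACLs taken from the thread's config: (source, wildcard, destination, wildcard).
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    "VPN-10-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.3.0", "0.0.0.255")],
    "VPN-30-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.4.0", "0.0.0.255")],
    "VPN-40-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.5.0", "0.0.0.255")],
    "VPN-50-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.6.0", "0.0.0.255")],
    "VPN-60-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")],
    "VPN-70-vpn-selectors": [("192.168.0.0", "0.0.0.255", "192.168.8.0", "0.0.0.255")],
    "wizard-ics": [(*ANY, *ANY)],          # permit ip any any
}
SELECTORS = [name for name in ACLS if name.endswith("-vpn-selectors")]

# Constructed stand-in for the eth 0/2 WAN address (the thread shows it as 75.x.x.x).
WAN_IP = "203.0.113.5"

# Policy-class entries as (action, acl_name, reverse). The 'allow list self self' and
# 'nat destination' port-forward entries are left out (assumption): they only match
# traffic to the router itself or tcp/3389 to the WAN address, not site-to-site flows.
PRIVATE_BEFORE = [("nat source", "wizard-ics", False)]
PRIVATE_AFTER = [("allow", n, False) for n in SELECTORS] + PRIVATE_BEFORE
PUBLIC_BEFORE = []
PUBLIC_AFTER = [("allow", n, True) for n in SELECTORS]   # 'allow reverse list ...'


def evaluate(policy, src, dst):
    """Action of the first entry whose ACL permits the flow. 'reverse' entries are
    matched with source and destination swapped. Nothing matching is discarded
    (the firewall's implicit deny, assumed here)."""
    for action, acl_name, reverse in policy:
        s, d = (dst, src) if reverse else (src, dst)
        if acl_permits(ACLS[acl_name], s, d):
            return action
    return "discard"


def outbound(policy, src, dst):
    """Run a LAN-originated packet through the Private policy-class, apply the
    source NAT if that entry won, then test the resulting flow against the VPN
    selectors the way IPsec would. Returns (action, source_after_nat, encrypted)."""
    action = evaluate(policy, src, dst)
    if action == "discard":
        return action, src, False
    if action == "nat source":
        src = WAN_IP          # overload NAT rewrites the source to the interface address
    encrypted = any(acl_permits(ACLS[n], src, dst) for n in SELECTORS)
    return action, src, encrypted


if __name__ == "__main__":
    lan, remote, internet = "192.168.0.50", "192.168.3.10", "198.51.100.7"  # constructed hosts
    print("before, LAN -> VPN site :", outbound(PRIVATE_BEFORE, lan, remote))
    print("after,  LAN -> VPN site :", outbound(PRIVATE_AFTER, lan, remote))
    print("after,  LAN -> Internet :", outbound(PRIVATE_AFTER, lan, internet))
    print("before, VPN site -> LAN :", evaluate(PUBLIC_BEFORE, remote, lan))
    print("after,  VPN site -> LAN :", evaluate(PUBLIC_AFTER, remote, lan))
```

With the original Private policy-class the LAN-to-192.168.3.0/24 packet is source-NATted to the WAN address and no selector matches it, so it leaves in the clear; with the allow entries in front it keeps its LAN source and matches VPN-10. Ordinary Internet traffic still falls through to the NAT entry in both cases, and on the Public side the "allow reverse" entries are what let the return traffic from the remote subnets in at all.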
Yes, please take a look at it.
Here you go:
ip access-list extended self
remark Traffic to NetVanta
permit ip any any log
!
ip access-list extended VPN-10-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
ip access-list extended VPN-30-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
!
ip access-list extended VPN-40-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
!
ip access-list extended VPN-50-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
!
ip access-list extended VPN-60-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended VPN-70-vpn-selectors
permit ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
!
ip access-list extended wizard-ics
remark Internet Connection Sharing
permit ip any any
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host 75.x.x.x eq 3389 log
!
ip access-list extended wizard-remote-access
remark do not hand edit this ACL
permit tcp any any eq ssh log
permit icmp any any echo log
permit tcp any any eq https log
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface eth 0/2 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 192.168.0.211
!
Try adding the lines in bold.
ip policy-class Public
nat destination list wizard-pfwd-1 address 192.168.0.211
allow reverse list VPN-10-vpn-selectors stateless
allow reverse list VPN-30-vpn-selectors stateless
allow reverse list VPN-40-vpn-selectors stateless
allow reverse list VPN-50-vpn-selectors stateless
allow reverse list VPN-60-vpn-selectors stateless
allow reverse list VPN-70-vpn-selectors stateless
ip policy-class Private
allow list VPN-10-vpn-selectors stateless
allow list VPN-30-vpn-selectors stateless
allow list VPN-40-vpn-selectors stateless
allow list VPN-50-vpn-selectors stateless
allow list VPN-60-vpn-selectors stateless
allow list VPN-70-vpn-selectors stateless
allow list self self
nat source list wizard-ics interface eth 0/2 overload
!
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor
Yes, I finally got around to this and it worked perfectly.
Thank you for the help!