zbf on 1921 messing up vpn

phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
in CCNP
Well today was fun... Had to place a tac request because a 1921 was accepting vpn connections but dropping packets to internal resources for remote vpn users. Two vpn engineers couldnt figure it out so they passed it to the firewall team. Turns out there was an issue with zbf. Now I can connect to vpn, ping routers internal interface but can't telnet or ssh it. And interestingly enough, I can only ping one or two hosts on the inside network while the others time out. Thoughts? Don't have a config right now but it doesnt look like its an acl. The hosts are all win7 boxes with firewall disabled. Fun times...
· Share on FacebookShare on Twitter

Comments

  • wbosherwbosher Member Posts: 422
    You might want to move this into the CCNP forum.
    · Share on FacebookShare on Twitter
  • ConstantlyLearningConstantlyLearning Member Posts: 445
    Configs. :)
    "There are 3 types of people in this world, those who can count and those who can't"
    · Share on FacebookShare on Twitter
  • SlowhandSlowhand Mod Posts: 5,161 Mod
    wbosher wrote: »
    You might want to move this into the CCNP forum.
    Actually, this topic might be better-suited to the CCSP forum since it deals with ZBF. And I agree with ConstantlyLearning, we need to see the running-config to get a better idea of what's going on. (Don't forget to edit out any sensitive information, like passwords.)
    Twitter | LinkIn
    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
    · Share on FacebookShare on Twitter
  • mikej412mikej412 Member Posts: 10,086 ■■■■■■■■■■
    phoeneous wrote: »
    I can only ping one or two hosts on the inside network while the others time out.
    Is it always the same one or two hosts that you can ping? Or just the first one or two hosts you ping that work? QoS/Security could be rate limiting your pings.
    :mike: Cisco Certifications -- Collect the Entire Set!
    · Share on FacebookShare on Twitter
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    Can't really offer any advice, sorry icon_sad.gif

    Perhaps a funky switch/LAN on the remte side?

    Other than that, I'm just tagging this for later enjoyment :)
    edit: How are you liking the 1912? At least 1 gi port, right? Have you tried iperf, torrents etc to see how it handles the load?
    edit: it has 2 gi ports
    Itchy... Tasty!
    [X] DCICN
    [X] IINS
    [ ] CCDA
    [ ] DCICT
    · Share on FacebookShare on Twitter
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    I feel like an efn idiot... guess which command was missing from the internal switch...
    · Share on FacebookShare on Twitter
  • creamy_stewcreamy_stew Member Posts: 406 ■■■□□□□□□□
    Not really analyzing your description, but.

    ip nat inside?

    if you're talking about the vlan interface.

    edit: No, I'm talking out of the wrong orifice.
    Itchy... Tasty!
    [X] DCICN
    [X] IINS
    [ ] CCDA
    [ ] DCICT
    · Share on FacebookShare on Twitter
  • phoeneousphoeneous Member Posts: 2,333 ■■■■■■■□□□
    ip default-gateway... icon_redface.gif

    That's one of the first commands I ever run on a switch, I guess I missed it that time.

    Also after creating a static nat mapping we had to create class-map, policy-map and acl so outside users can access an internal resource (voip box for vendor support).
    · Share on FacebookShare on Twitter
Sign In or Register to comment.