zbf on 1921 messing up vpn

phoeneous (Go ping yourself...) Member Posts: 2,333
Well today was fun... Had to place a TAC request because a 1921 was accepting VPN connections but dropping packets to internal resources for remote VPN users. Two VPN engineers couldn't figure it out so they passed it to the firewall team. Turns out there was an issue with ZBF. Now I can connect to VPN, ping the router's internal interface but can't telnet or ssh it. And interestingly enough, I can only ping one or two hosts on the inside network while the others time out. Thoughts? Don't have a config right now but it doesn't look like it's an ACL. The hosts are all Win7 boxes with firewall disabled. Fun times...

Comments

  • wbosher Member Posts: 422
    You might want to move this into the CCNP forum.
  • Configs. :)
    "There are 3 types of people in this world, those who can count and those who can't"
  • Slowhand (MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switching) Bay Area, California. Mod Posts: 5,161
    wbosher wrote:
    You might want to move this into the CCNP forum.
    Actually, this topic might be better-suited to the CCSP forum since it deals with ZBF. And I agree with ConstantlyLearning, we need to see the running-config to get a better idea of what's going on. (Don't forget to edit out any sensitive information, like passwords.)

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • mikej412 Member Posts: 10,086
    phoeneous wrote:
    I can only ping one or two hosts on the inside network while the others time out.
    Is it always the same one or two hosts that you can ping? Or just the first one or two hosts you ping that work? QoS/Security could be rate limiting your pings.
    Cisco Certifications -- Collect the Entire Set!
  • creamy_stew Member Posts: 406
    Can't really offer any advice, sorry

    Perhaps a funky switch/LAN on the remote side?

    Other than that, I'm just tagging this for later enjoyment :)
    edit: How are you liking the 1912? At least 1 gi port, right? Have you tried iperf, torrents etc to see how it handles the load?
    edit: it has 2 gi ports
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • phoeneous (Go ping yourself...) Member Posts: 2,333
    I feel like an efn idiot... guess which command was missing from the internal switch...
  • creamy_stew Member Posts: 406
    Not really analyzing your description, but.

    ip nat inside?

    if you're talking about the vlan interface.

    edit: No, I'm talking out of the wrong orifice.
  • phoeneous (Go ping yourself...) Member Posts: 2,333
    ip default-gateway...

    That's one of the first commands I ever run on a switch, I guess I missed it that time.

    Also after creating a static NAT mapping we had to create a class-map, policy-map and ACL so outside users can access an internal resource (VoIP box for vendor support).
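The two fixes the thread ends on, written out as an added illustration rather than the poster's actual config: a management default gateway on the internal switch, and on the 1921 a static NAT entry with the ZBF class-map, policy-map and ACL that let only the vendor reach the VoIP box. All addresses, zone names, interface numbers and the SIP port 5060 are assumptions.

```cisco
! --- Internal switch (Layer 2, management SVI only) ---
! Without a default gateway the switch has no return path to any
! subnet beyond its own VLAN, e.g. the VPN client pool (assumed addresses).
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
ip default-gateway 192.168.10.1

! --- 1921 router ---
! Static NAT: public 203.0.113.10 -> internal VoIP box 192.168.10.20
ip nat inside source static 192.168.10.20 203.0.113.10

! Permit only the vendor's source address, only the assumed SIP port.
! The ACL matches the inside (real) address: for outside-to-inside
! flows ZBF evaluates the packet after NAT has untranslated it.
ip access-list extended VENDOR-TO-VOIP
 permit tcp host 198.51.100.5 host 192.168.10.20 eq 5060
 permit udp host 198.51.100.5 host 192.168.10.20 eq 5060

class-map type inspect match-all CM-VENDOR-VOIP
 match access-group name VENDOR-TO-VOIP

! Everything else from outside is dropped and logged.
policy-map type inspect PM-OUT-IN
 class type inspect CM-VENDOR-VOIP
  inspect
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 ip nat inside
 zone-member security INSIDE

zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Verify with `show policy-map type inspect zone-pair OUT-IN sessions` while the vendor connects; if the session never appears, the ACL is usually matching the translated address instead of the real one.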