The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jessepdx
New Contributor II

if i turn on firewall VPN's go down

Jump to solution

if i enable the firewall my vpn's shut off

i'm unsure how to add the vpn selectors to the private acl or is if that is correct thing to do?

i'm sure there is a simple answer... RTFM isn't helping

Labels (2)
Tags (3)
0 Kudos
1 Solution

Accepted Solutions
jayh
Honored Contributor
Honored Contributor

Re: if i turn on firewall VPN's go down

Jump to solution

Try adding the lines in bold.

ip policy-class Public

nat destination list wizard-pfwd-1 address 192.168.0.211

allow reverse list VPN-10-vpn-selectors stateless

allow reverse list VPN-30-vpn-selectors stateless

allow reverse list VPN-40-vpn-selectors stateless

allow reverse list VPN-50-vpn-selectors stateless

allow reverse list VPN-60-vpn-selectors stateless

allow reverse list VPN-70-vpn-selectors stateless

ip policy-class Private

allow list VPN-10-vpn-selectors stateless

allow list VPN-30-vpn-selectors stateless

allow list VPN-40-vpn-selectors stateless

allow list VPN-50-vpn-selectors stateless

allow list VPN-60-vpn-selectors stateless

allow list VPN-70-vpn-selectors stateless

  allow list self self

  nat source list wizard-ics interface eth 0/2 overload

!

View solution in original post

5 Replies
Anonymous
Not applicable

Re: if i turn on firewall VPN's go down

Jump to solution

- Thanks for posting your question on the forum!

When the firewall is enabled, it is important that there is an allow rule in place for the outgoing VPN selectors on the LAN policy-class and incoming VPN selectors on the WAN policy-class. This so traffic is a.) allowed through the firewall and b.) not NATted unnecessarily (potentially causing traffic not to match the selectors and therefore not being encrypted).

I would be more than happy to take a look at your configuration. Just reply to this thread with the file (please remove any sensitive information). Also, please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

jessepdx
New Contributor II

Re: if i turn on firewall VPN's go down

Jump to solution

yes please take a look at it,

here you go:

ip access-list extended self

  remark Traffic to NetVanta

  permit ip any  any     log

!

ip access-list extended VPN-10-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.3.0 0.0.0.255   

!

ip access-list extended VPN-30-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.4.0 0.0.0.255   

!

ip access-list extended VPN-40-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.5.0 0.0.0.255   

!

ip access-list extended VPN-50-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.6.0 0.0.0.255   

!

ip access-list extended VPN-60-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.2.0 0.0.0.255   

!

ip access-list extended VPN-70-vpn-selectors

  permit ip 192.168.0.0 0.0.0.255  192.168.8.0 0.0.0.255   

!

ip access-list extended wizard-ics

  remark Internet Connection Sharing

  permit ip any  any   

!

ip access-list extended wizard-pfwd-1

  remark Port Forward 1

  permit tcp any  host 75.x.x.x eq 3389   log

!

ip access-list extended wizard-remote-access

  remark do not hand edit this ACL

  permit tcp any  any eq ssh   log

  permit icmp any  any  echo   log

  permit tcp any  any eq https   log

!

!

!

!

ip policy-class Private

  allow list self self

  nat source list wizard-ics interface eth 0/2 overload

!

ip policy-class Public

  nat destination list wizard-pfwd-1 address 192.168.0.211

!

jayh
Honored Contributor
Honored Contributor

Re: if i turn on firewall VPN's go down

Jump to solution

Try adding the lines in bold.

ip policy-class Public

nat destination list wizard-pfwd-1 address 192.168.0.211

allow reverse list VPN-10-vpn-selectors stateless

allow reverse list VPN-30-vpn-selectors stateless

allow reverse list VPN-40-vpn-selectors stateless

allow reverse list VPN-50-vpn-selectors stateless

allow reverse list VPN-60-vpn-selectors stateless

allow reverse list VPN-70-vpn-selectors stateless

ip policy-class Private

allow list VPN-10-vpn-selectors stateless

allow list VPN-30-vpn-selectors stateless

allow list VPN-40-vpn-selectors stateless

allow list VPN-50-vpn-selectors stateless

allow list VPN-60-vpn-selectors stateless

allow list VPN-70-vpn-selectors stateless

  allow list self self

  nat source list wizard-ics interface eth 0/2 overload

!

Anonymous
Not applicable

Re: if i turn on firewall VPN's go down

Jump to solution

-

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor

jessepdx
New Contributor II

Re: if i turn on firewall VPN's go down

Jump to solution

yes, i finally got around to this and it worked perfectly.

thank you for the help!