https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710007#M557211 <P>Hello,</P><P></P><P>we are using a CISCO1921-SEC Router. On the "WAN" side we have 1 public IP Adress assigned by DHCP.</P><P></P><P>At the moment we are using the WAN Interface with a crypto-map as endpoint of some IPSec connections. We set up a zone-based-firewall with "WAN" and "LAN" zone. In this setup all IPSec Endpoints are on one Interface - connections to the "LAN" zone can be managed by rulesets. What about connections between IPSec connections and the zone "self".</P><P></P><P>We like to terminate each IPSec connection in a seperated zone. Is this a good idea ?</P><P>How can this be configured ?</P><P>Each one on a "tunnel inetface" with "tunnel source ..." binding ?</P><P></P><P>Please give us a hint ... Thanks !! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Nachricht geändert durch NISITNETC</P> Mon, 11 Mar 2019 20:24:59 GMT NISITNETC 2019-03-11T20:24:59Z https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710007#M557211 <P>Hello,</P><P></P><P>we are using a CISCO1921-SEC Router. On the "WAN" side we have 1 public IP Adress assigned by DHCP.</P><P></P><P>At the moment we are using the WAN Interface with a crypto-map as endpoint of some IPSec connections. We set up a zone-based-firewall with "WAN" and "LAN" zone. In this setup all IPSec Endpoints are on one Interface - connections to the "LAN" zone can be managed by rulesets. What about connections between IPSec connections and the zone "self".</P><P></P><P>We like to terminate each IPSec connection in a seperated zone. Is this a good idea ?</P><P>How can this be configured ?</P><P>Each one on a "tunnel inetface" with "tunnel source ..." binding ?</P><P></P><P>Please give us a hint ... Thanks !! <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Nachricht geändert durch NISITNETC</P> Mon, 11 Mar 2019 20:24:59 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710007#M557211 NISITNETC 2019-03-11T20:24:59Z https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710008#M557213 <HTML><HEAD></HEAD><BODY><P><SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN> push ...</P></BODY></HTML> Wed, 27 Apr 2011 12:36:44 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710008#M557213 NISITNETC 2011-04-27T12:36:44Z https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710009#M557214 <HTML><HEAD></HEAD><BODY><P>When tunnels are terminating on the router, that is the self zone, by default all the traffic is allowed, If you want to restrict access you need to create a self zone and add a zone-pair from WAN to Self.</P><P></P><P></P><P>Hope this link will help you,</P><P></P><P><A class="jive-link-external-small" href="http://inkling/?q=node/1305">http://inkling/?q=node/1305</A></P></BODY></HTML> Thu, 28 Apr 2011 04:09:11 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710009#M557214 Syed Usaid K 2011-04-28T04:09:11Z https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710010#M557217 <HTML><HEAD></HEAD><BODY><P>&gt; When tunnels are terminating on the router, that is the self zone,</P><P>&gt; by&nbsp; default all the traffic is allowed, If you want to restrict access</P><P>&gt; you&nbsp; need to create a self zone and add a zone-pair from WAN to Self.</P><P></P><P>Yes, I set up the self-zone rules and traffic was allowed to the tunnel-end on the system (self).</P><P></P><P>But we want to set up rules FROM this tunnel-end to the rest of the system. Something like</P><P></P><P>TUNNEL1 - LAN</P><P>TUNNEL2 - LAN</P><P>LAN - TUNNEL1</P><P>LAN - TUNNEL2</P><P></P><P>with the situation having a crypto-map in the WAN Interface with all tunnels.</P><P></P><P>Can you give ma an example for this ?</P><P></P><P>&gt; Hope this link will help you,</P><P>&gt; <A class="jive-link-external-small active_link" href="http://inkling/?q=node/1305">http://inkling/?q=node/1305</A></P><P></P><P>Sorry, the link is broken ...</P></BODY></HTML> Thu, 28 Apr 2011 07:23:08 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710010#M557217 NISITNETC 2011-04-28T07:23:08Z https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710011#M557218 <HTML><HEAD></HEAD><BODY><P>push ... <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/confused.gif"></SPAN></P></BODY></HTML> Fri, 06 May 2011 19:38:20 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-crypto-map-tunnel-interface-zone/m-p/1710011#M557218 NISITNETC 2011-05-06T19:38:20Z