Zone-based Firewall & Easy VPN

jrahm — Mon, 11 Mar 2019 11:54:41 GMT

I'm a little confused about the zoning requirements with easy vpn. Considering the following setup on an 871 router:

interface vlan 1

desc Direct Internet Access

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface vlan 2

desc Corporate Resources Access

ip address 10.1.1.1 255.255.255.224

crypto ipsec client ezvpn Corp inside

interface Fa4

desc Public

ip address x.x.x.x x.x.x.x

ip nat outside

crypto ipsec client ezvpn Corp outside

How would this be zoned so that all traffic from vlan2 only goes across the ipsec tunnel, all traffic from vlan1 goes to the internet, traffic cannot flow between vlan1 & vlan2, & no inbound traffic from the internet except return traffic for vlan1 and DNS (proxied by the router). I've seen some solutions with the classic firewall configurations, but not with the zone-based. Thanks for any insight.

Re: Zone-based Firewall & Easy VPN

tstanik — Fri, 01 Feb 2008 20:37:46 GMT

Create a crypto ACL for vlan2 to make all traffic go through the vpn tunnel. You can disable inter vlan routing to stop the traffic from vlan and vlan2 to flow between. Following link may help you

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/vpnezvpn.html

topic Re: Zone-based Firewall & Easy VPN in Network Security

Zone-based Firewall & Easy VPN

Re: Zone-based Firewall & Easy VPN