security zone for IPSec traffic

Utair Corporation · ‎07-18-2013

Hi.

Suppose i have classic static IPSec with remote site like this:

crypto map CRYPTOMAP 10 ipsec-isakmp

set peer x.x.x.x

set transform-set TS

match address crypto_acl

ip access-list extended crypto_acl

permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

interface Fas0/0

ip address <some internet address>

crypto map CRYPTOMAP

!

interface Fas0/1

ip address 10.1.0.1 255.255.0.0

!

ip route 10.2.0.0 255.255.0.0 <ISP address>

Now i want to establish zone-based-firewall.

I create zones

zone security INET

zone security REMOTE_SITE

zone security LAN

!

zone-pair blah-blah...

!

interface Fas0/0

zone-member INET

!

interface Fas0/1

zone-member LAN

How do i put traffic passing through IPSec tunnel to zone REMOTE_SITE ???

Note: this is NOT ASA, this is IOS.

Note2: remote site is not Cisco and i connot create Tunnel interface.

Julio Carvajal · ‎07-19-2013

Hello Utair,

You need only 2 interfaces,

The one that connects to the internal devices

The one that connects to the outside interface (where the crypto-map is usually applied)

Just match the traffic from the internal interface to the outside interface and apply the right action

Same thing for the traffic that will be generated in the other site to the Local Area Network

Do you follow me?

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC