Trend Content Filtering

steve-gates
Level 1

Morning

I currently have a Cisco 887 running Trend filtering, which is all running fine and blocking URLs etc. I also have a Cisco 2960 and 3 x APs running behind the 887. I have a VPN running on the 887 to enable us to connect remotely to the devices.

My problem is that with the zone security outside not enabled on the dialer interface, I can telnet, ping, ftp etc. fine to the devices. As soon as I enable the zone security, my ability to do any of this stops. Any ideas as to what else I need to configure would be appreciated.

  Cheers

     Steve


Jennifer Halim
Cisco Employee

Yes, once you apply a zone to an interface, you will have to explicitly configure rules to allow access to those devices.

As you are connecting to the VPN first, I assume you have a VPN zone configured? If you do, then you will need to configure a zone-pair from the VPN zone towards the inside zone, and the class map will match the traffic that you would like to allow, i.e. FTP, telnet, ping, etc., with a policy-map set to "inspect".

Here is a sample configuration on ZBFW:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Hope that helps.

Hi

  Thanks for the reply. I don't have anything like a VPN zone configured, and I can't seem to cut and paste my config onto here either.

steve-gates
Level 1

Some more information: we have 2 VLANs configured on the router.

VLAN 1 for the separate users' traffic and VLAN 2 for the management traffic we use for the VPN.

VLAN 1 is currently the inside zone for the security and dialer 0 is the outside. I have attached a copy of the current content filtering configuration.

1) You will need to create an access-list that says permit from VPN Client pool subnet to internal subnets

2) Create a class-map to match the access-list above

3) Create a policy-map for the above class with the action as inspect

4) Apply the policy-map to zone-pair:

zone-pair security out-to-in source outside destination inside

     service-policy type inspect
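
The four steps above written out as one Cisco IOS zone-based firewall configuration. This is an added example, not part of the original reply or of the poster's configuration; the ACL, class-map and policy-map names and both subnets are placeholders chosen for illustration, while the zone names and the zone-pair name are the ones used in the thread.

```cisco
! Added example. Names and subnets below are assumptions, not values from this thread:
!   10.10.10.0/24  = placeholder for the VPN client pool
!   192.168.2.0/24 = placeholder for the internal subnet the VPN clients must reach
!
! 1) ACL: permit from the VPN client pool to the internal subnet
ip access-list extended VPN-TO-INSIDE-ACL
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 2) Class-map that matches the ACL above
class-map type inspect match-all VPN-TO-INSIDE-CLASS
 match access-group name VPN-TO-INSIDE-ACL
!
! 3) Policy-map: inspect the matched traffic, drop everything else
policy-map type inspect VPN-TO-INSIDE-POLICY
 class type inspect VPN-TO-INSIDE-CLASS
  inspect
 class class-default
  drop
!
! 4) Apply the policy-map to the outside -> inside zone-pair
zone-pair security out-to-in source outside destination inside
 service-policy type inspect VPN-TO-INSIDE-POLICY
```

A zone-pair accepts a single service-policy, so if `out-to-in` already has one attached, add the class to that existing policy-map instead of attaching a second policy. `show policy-map type inspect zone-pair out-to-in` lists the per-class counters and confirms whether the VPN traffic is hitting the inspect class or being dropped by `class-default`.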
