Zone-Based-Firewall: crypto map / tunnel interface / zone ?

NISITNETC
Level 1

Hello,

We are using a CISCO1921-SEC router. On the "WAN" side we have 1 public IP address assigned by DHCP.

At the moment we are using the WAN interface with a crypto map as the endpoint of some IPsec connections. We set up a zone-based firewall with a "WAN" and a "LAN" zone. In this setup all IPsec endpoints are on one interface; connections to the "LAN" zone can be managed by rulesets. What about connections between the IPsec connections and the zone "self"?

We would like to terminate each IPsec connection in a separate zone. Is this a good idea?

How can this be configured?

Each one on a "tunnel interface" with "tunnel source ..." binding?

Please give us a hint ... Thanks!!

Message edited by NISITNETC


Accepted Solutions

When tunnels are terminating on the router, that is the self zone, by default all the traffic is allowed. If you want to restrict access you need to create a self zone and add a zone-pair from WAN to Self.

Hope this link will help you,

http://inkling/?q=node/1305
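The zone-pair the answer describes, written out as an added example (it is not configuration from either poster; the zone, ACL, class-map and policy-map names are constructed). It assumes IOS 15.x zone-based firewall syntax and, because the original post says the WAN address comes from DHCP, it also lets the DHCP replies through to the router:

```cisco
! Added example: restrict traffic from the WAN zone to the router itself.
! WAN and LAN are the zones the original post already has; "self" is built in
! and only becomes restricted once a zone-pair names it as a destination.
zone security WAN
zone security LAN

! Constructed ACL: IPsec control and data traffic that must reach the router,
! plus DHCP replies, since the WAN interface is a DHCP client.
ip access-list extended ACL-WAN-TO-SELF
 remark IKE (UDP/500) and NAT-T (UDP/4500)
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 remark IPsec payload
 permit esp any any
 permit ahp any any
 remark DHCP server -> client replies for the WAN address
 permit udp any eq bootps any eq bootpc

class-map type inspect match-all CM-WAN-TO-SELF
 match access-group name ACL-WAN-TO-SELF

! "pass" forwards matching packets without stateful inspection, which is
! what ESP needs; everything else from WAN to the router is dropped and logged.
policy-map type inspect PM-WAN-TO-SELF
 class type inspect CM-WAN-TO-SELF
  pass
 class class-default
  drop log

zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
```

Because no zone-pair is defined in the other direction (self to WAN), the router's own replies, IKE included, are still allowed by default. `show policy-map type inspect zone-pair WAN-TO-SELF` shows which class is counting packets, so a peer that cannot bring up its tunnel can be checked against the class-default drop counter. Note that with a crypto map on the WAN interface the decrypted packets from every peer still arrive in the WAN zone, so this pair on its own does not give per-tunnel rules towards LAN.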


4 Replies

NISITNETC
Level 1

push ...


> When tunnels are terminating on the router, that is the self zone,

> by default all the traffic is allowed. If you want to restrict access

> you need to create a self zone and add a zone-pair from WAN to Self.

Yes, I set up the self-zone rules and traffic was allowed to the tunnel-end on the system (self).

But we want to set up rules FROM this tunnel-end to the rest of the system. Something like

TUNNEL1 - LAN

TUNNEL2 - LAN

LAN - TUNNEL1

LAN - TUNNEL2

with the situation of having a crypto map on the WAN interface with all tunnels.

Can you give me an example for this?

> Hope this link will help you,

> http://inkling/?q=node/1305

Sorry, the link is broken ...
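The alternative the original post asks about, one tunnel interface per peer with each tunnel in its own zone, as an added example (it is not from anyone in this thread). It uses a static IPsec VTI (`tunnel mode ipsec ipv4` with `tunnel protection`), which places each peer's decrypted traffic in that tunnel's zone instead of the WAN zone, so TUNNEL1 - LAN can be policed separately from TUNNEL2 - LAN; a crypto map on the WAN interface cannot do this. The peer address, subnets, interface name, zone and policy names are constructed, the pre-shared key is a placeholder, the transform set is an assumption, and the peer has to be configured as a route-based (VTI) endpoint as well:

```cisco
! Added example: one static IPsec VTI per peer, each in its own security zone.
! Constructed values: peer 203.0.113.10, remote LAN 192.168.20.0/24,
! tunnel /30 10.255.1.0/30, WAN interface GigabitEthernet0/0.
! PLACEHOLDER-PSK must be replaced with the real pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10

crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile PROF-PEER1
 set transform-set TS-AES256-SHA256

! One zone per tunnel; TUNNEL2 for the second peer is built the same way.
zone security TUNNEL1

interface Tunnel1
 description IPsec VTI to peer 1
 ip address 10.255.1.1 255.255.255.252
 zone-member security TUNNEL1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF-PEER1

! Traffic for the remote LAN is routed into the tunnel; no crypto map ACL is needed.
ip route 192.168.20.0 255.255.255.0 Tunnel1

! TUNNEL1 -> LAN is now an ordinary zone-pair: inspect what the remote site
! may start towards LAN, drop and log the rest.
class-map type inspect match-any CM-TUNNEL1-TO-LAN
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect PM-TUNNEL1-TO-LAN
 class type inspect CM-TUNNEL1-TO-LAN
  inspect
 class class-default
  drop log

zone-pair security TUNNEL1-TO-LAN source TUNNEL1 destination LAN
 service-policy type inspect PM-TUNNEL1-TO-LAN
```

The reverse pair (LAN - TUNNEL1 in the list above) is built the same way with source LAN and destination TUNNEL1; without it, hosts in LAN cannot initiate connections to the remote site, because two zones with no zone-pair between them drop traffic. The outer IKE and ESP packets still arrive on the WAN interface addressed to the router, so a WAN-to-self policy must still permit IKE, NAT-T and ESP; the tunnel zones only govern the decrypted inner traffic.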

push ...
