Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
328
Views
2
Helpful
3
Replies

Zone Based Firewall - single Zones over more than one interface.

Go to solution
frazreid2
Level 1
Level 1

‎05-20-2025 05:00 AM

Hi, I have a question.

I build VTI's to 2 separate destinations (2 tunnel interfaces) that I would logically like to have as my outside Zone.

Added to this a standard Inside and a DMZ.

What happens to the "Sessions" noted in the firewall if a session is started outgoing over the first Tunnel but the answer comes back over the 2nd tunnel - would it pass? Or does also the interface have to be the same?

 

I hope that this can be understood...

 

Thanks for the help.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to frazreid2

‎05-20-2025 10:43 AM

@frazreid2 I'm sorry I automatically assumed you were referring to VTI on FTD. I've not had this scenario before on a IOS-XE router using VTI with ZBFW to be honest. There doesn't appear to be much information in the ZBFW design guide, but perhaps you "pass" traffic instead of "inspect", you would have to amend the policy to explictly permit traffic. Else log a call with Cisco TAC and see if they have a solution.

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎05-20-2025 05:18 AM - edited ‎05-20-2025 05:20 AM

@frazreid2 use ECMP traffic zones.

  • You can associate VTI interfaces with ECMP zones and configure ECMP static routes to achieve the following:

    • Load balancing (Active/Active VTIs)—Connection can flow over any of the parallel VTI tunnels.

    • Seamless connection migration—When a VTI tunnel becomes unreachable, the flows are seamlessly migrated to another VTI interface that is configured in the same zone.

    • Asymmetric routing—Forward traffic flow through one VTI interface and configure the reverse traffic flow through another VTI interface.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/vpn-s2s.html

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/routing-ecmp.html

 

Go to solution
frazreid2
Level 1
Level 1

‎05-20-2025 07:02 AM

Hi Rob - not sure how to configure ECMP on a Catalyst C8300 router with VTI's.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to frazreid2

‎05-20-2025 10:43 AM

@frazreid2 I'm sorry I automatically assumed you were referring to VTI on FTD. I've not had this scenario before on a IOS-XE router using VTI with ZBFW to be honest. There doesn't appear to be much information in the ZBFW design guide, but perhaps you "pass" traffic instead of "inspect", you would have to amend the policy to explictly permit traffic. Else log a call with Cisco TAC and see if they have a solution.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card