Zone-based firewall with ezvpn - configuration example?

Hi,

This weekend I will have an 881w and I am new to the zone-based firewall concept. I'm really not sure how zones will deal with my EZVPN config on the router.

I have read some stuff that said you cannot configure a self zone with inspect to accept the VPN traffic; you need the "pass".

Here is my config for that zone. Can anyone tell me if I'm on the right track? Do you guys have any configuration example to share?

ip access-list extended ISAKMP
  permit udp any any eq isakmp
  permit ahp any any
  permit esp any any
  permit udp any any eq non500-isakmp

class-map type inspect match-any OUTSIDE-Self_ClassMAP
  match access-group name ISAKMP

policy-map type inspect OUTSIDE-Self_PlcyMAP
  class type inspect OUTSIDE-Self_ClassMAP
    pass

zone-pair security OUT->Self source OUTSIDE destination self
  service-policy type inspect OUTSIDE-Self_PlcyMAP

thanks

2 Replies

andamani
Cisco Employee
Hi,

The following link will describe the basic configuration:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

But I can't understand how VPN traffic (ESP, IPsec) will pass through the firewall without any ACL to permit it? They don't talk about that.
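
An offline check of the rule quoted in the first post (self-zone policies need `pass`, not `inspect`, for ESP/AH), run over that post's configuration. This is an added example, not code from the thread or from Cisco; the `audit` function, its constants and the one-action-per-class parsing are assumptions made here for illustration.

```python
THREAD_CONFIG = """\
ip access-list extended ISAKMP
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
class-map type inspect match-any OUTSIDE-Self_ClassMAP
  match access-group name ISAKMP
policy-map type inspect OUTSIDE-Self_PlcyMAP
  class type inspect OUTSIDE-Self_ClassMAP
    pass
zone-pair security OUT->Self source OUTSIDE destination self
service-policy type inspect OUTSIDE-Self_PlcyMAP
"""  # the first post's configuration, re-typed here as sample input
HEADERS = ("ip access-list extended", "class-map type inspect",
           "policy-map type inspect", "zone-pair security")
ACTIONS = ("pass", "inspect", "drop")
NO_INSPECT = {"esp", "ahp"}  # assumption from the post: these need "pass" on the self zone

def audit(config):
    """Return (zone_pair, class_map, protocols) for self-zone classes that inspect ESP/AH."""
    blocks, acls, cmaps, pmaps, findings = [], {}, {}, {}, []
    for line in config.splitlines():  # group body lines under their header line
        if line.startswith(HEADERS):
            blocks.append((line.split(), []))
        elif line.strip() and blocks:
            blocks[-1][1].append(line.split())
    for head, body in blocks:
        name = head[-1]
        if head[0] == "ip":
            acls[name] = {w[1] for w in body if w[0] == "permit"}
        elif head[0] == "class-map":
            cmaps[name] = [w[-1] for w in body if w[:2] == ["match", "access-group"]]
        elif head[0] == "policy-map":
            # Simplification: each class is followed by exactly one action line.
            pmaps[name] = dict(zip([w[-1] for w in body if w[0] == "class"],
                                   [w[0] for w in body if w[0] in ACTIONS]))
    for head, body in blocks:
        if head[0] != "zone-pair" or "self" not in head[3:]:
            continue
        policy = next((w[-1] for w in body if w[0] == "service-policy"), None)
        for cls, action in pmaps.get(policy, {}).items():
            protos = set().union(*(acls.get(a, set()) for a in cmaps.get(cls, [])))
            if action == "inspect" and protos & NO_INSPECT:
                findings.append((head[2], cls, sorted(protos & NO_INSPECT)))
    return findings

if __name__ == "__main__":  # config as posted, then a constructed "inspect" variant
    print(audit(THREAD_CONFIG), audit(THREAD_CONFIG.replace("pass", "inspect")))
```

The configuration as posted produces no findings; the constructed variant with `inspect` in place of `pass` is flagged for `ahp` and `esp`.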
