Zone-based Firewall and VPN

freybeitops
Level 1

Hello,

We have set up site-to-client and site-to-site IPsec VPN. It is a non-VTI VPN and the crypto maps are already in place.

We want to change our firewall from CBAC to ZBF. We will configure it using the default High Security template in CCP. My question is, will the VPN still work after this? Or do I need to input additional commands to open ports for the IPsec VPN?

5 Replies

Hello,
As long as you set up ZBF correctly it will perform as CBAC did: stateful inspection.
But the difference in ZBF is the security zones, which are unidirectional, so you will require zone pairs for bidirectional traffic only IF you wish to allow traffic originating externally to the LAN; otherwise the second pair is not required because, as stated, the default stateful inspection will be enough.

Regards
Paul

Sent from Cisco Technical Support Android App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Do I need to create a class map and policy map for the VPN traffic? Or will the current crypto map, crypto isakmp, route-map and ACLs take care of that?

Hello
Yes, C3PL, which is like MQC mapping, is required: CLASS-MAP TYPE INSPECT xxx

Your VPN, as I see it, is basically the WAN connection, and its related physical interface would be defined as an external zone.

Could you post the config of the router?

Regards
Paul

Sent from Cisco Technical Support Android App


Kind Regards
Paul

Yes, it is a setup of three interfaces (zones): inside, outside, and DMZ. The crypto map is applied on the outside. Now if I have to configure ZBF, do I need to create the service policy on the out-to-in pair or the in-to-out pair, and what protocol should I match? Is there an option for IPsec? Thanks

Hello Arvin

Please review this
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080b37917.shtml

Regards
Paul

Sent from Cisco Technical Support iPad App


Kind Regards
Paul
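The two questions left open in the thread (which zone pair the VPN traffic crosses, and what to match for it) can be shown in a concrete configuration. The following is an added example, not configuration from the original posts or from the linked Cisco document. It assumes a router with a non-VTI crypto map named VPN already applied to the outside interface, a local LAN of 192.168.1.0/24, a remote-site LAN of 192.168.2.0/24 behind the IPsec peer 203.0.113.10, and interfaces GigabitEthernet0/0 (outside) and GigabitEthernet0/1 (inside); every one of these names and addresses is an assumption made for the example.

```cisco
! Added example (not from the thread): ZBF alongside a non-VTI crypto map.
! Assumed: local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24,
! remote IPsec peer 203.0.113.10, crypto map "VPN" already on Gi0/0.
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! 1) LAN-initiated traffic, including traffic bound for the remote LAN
!    through the tunnel, is inspected IN -> OUT; replies return statefully.
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect IN-TO-OUT
 class type inspect INSIDE-PROTOCOLS
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
! 2) With a crypto map (no VTI), decrypted packets are seen by ZBF as
!    arriving from the zone of the interface holding the crypto map, i.e.
!    OUTSIDE. Flows initiated by the remote site therefore need an
!    OUT -> IN policy that matches the CLEARTEXT traffic (by ACL here);
!    there is no "ipsec" protocol to match at this point.
ip access-list extended VPN-CLEARTEXT
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
class-map type inspect match-all VPN-DECRYPTED
 match access-group name VPN-CLEARTEXT
!
policy-map type inspect OUT-TO-IN
 class type inspect VPN-DECRYPTED
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
!
! 3) ISAKMP (UDP/500), NAT-T (UDP/4500) and ESP terminate on the router
!    itself, which is the "self" zone. The self zone permits everything
!    until a zone pair involving it carries a policy. If it is locked down,
!    ESP cannot be inspected and must be passed, and pass is stateless, so
!    a pair is needed in each direction.
ip access-list extended VPN-PEER-TO-SELF
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
!
ip access-list extended SELF-TO-VPN-PEER
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
class-map type inspect match-all VPN-TO-SELF
 match access-group name VPN-PEER-TO-SELF
class-map type inspect match-all SELF-TO-VPN
 match access-group name SELF-TO-VPN-PEER
!
policy-map type inspect OUT-TO-SELF
 class type inspect VPN-TO-SELF
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-OUT
 class type inspect SELF-TO-VPN
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT
!
interface GigabitEthernet0/0
 description Outside (WAN); crypto map VPN is already applied here
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description Inside (LAN)
 zone-member security INSIDE
```

Two caveats for anyone adapting this. The self-zone pairs in part 3 are optional; leaving the self zone without any policy keeps the default permit and the tunnel will establish without them, but once a policy is attached, the `drop log` class-default shown here will also block anything else the router itself sends or receives on the outside interface (management sessions, NTP, DNS lookups), so those protocols must be added to the self-zone classes. After applying, `show crypto ipsec sa` confirms the tunnel is passing packets, and `show policy-map type inspect zone-pair OUT-IN sessions` shows whether remote-initiated flows are being matched by the cleartext class rather than falling into class-default.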