03-21-2013 02:36 PM - edited 03-04-2019 07:22 PM
Hello,
We have set up site-to-client and site-to-site IPsec VPN. It is a non-VTI VPN and the crypto maps are already in place.
We want to change our firewall from CBAC to ZBF. We will configure it using the default High Security using CCP. My question is, will the VPN still work after this? Or do I need to input additional commands to open ports for the IPsec VPN?
03-21-2013 03:19 PM
Hello
As long as you set up ZBF correctly it will perform as CBAC did: stateful inspection.
But the difference in ZBF is the security zones, which are unidirectional, so you will require zone pairs for bidirectional traffic only IF you wish traffic originating external from the LAN; otherwise the second pair is not required because, as stated, the default stateful inspection will be enough.
res
Paul
Sent from Cisco Technical Support Android App
03-21-2013 03:29 PM
Do I need to create a class map and policy map for the VPN traffic? Or will the current crypto-map, crypto isakmp, route-map and ACLs take care of that?
03-21-2013 03:49 PM
Hello
Yes, C3PL, which is like MQC mapping, is required - CLASS-MAP TYPE INSPECT xxx
Your VPN, as I see it, is basically the WAN connection, and its related physical interface would be defined as an external zone.
Could you post the config of the router?
res
Paul
Sent from Cisco Technical Support Android App
03-21-2013 05:04 PM
Yes, it is set up with three interfaces (zones): inside, outside, and DMZ. The crypto map is applied on the outside. Now if I have to configure ZBF, do I need to create the service policy on the out-to-in pair or the in-to-out pair, and what protocol should I match? Is there an option for IPsec? Thanks
03-22-2013 10:42 AM
Hello Arvin
Please review this:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080b37917.shtml
Res
Paul
Sent from Cisco Technical Support iPad App
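A worked configuration, added here as an example and not taken from the thread or the linked Cisco document, showing the zone pairs and class-map type inspect policies the replies above refer to, including how IKE/ESP to the router itself and the decrypted VPN traffic are handled. The zone, class-map, policy-map and ACL names and the subnets are assumptions.

```cisco
! Zones; the self zone (router itself) is built in. Interfaces get
! "zone-member security <zone>"; the crypto map stays on the OUTSIDE interface.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! 1) LAN -> Internet: ordinary stateful inspection (the CBAC equivalent).
class-map type inspect match-any CM-IN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! 2) IKE/ESP terminating on the router (OUTSIDE -> self). Only needed once any
!    zone-pair involving self exists; "pass" because ESP cannot be inspected.
ip access-list extended ACL-VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all CM-VPN-TO-SELF
 match access-group name ACL-VPN-TO-SELF
policy-map type inspect PM-OUT-SELF
 class type inspect CM-VPN-TO-SELF
  pass
 class class-default
  drop
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
!
! 3) Decrypted VPN traffic still counts as arriving from OUTSIDE (the crypto
!    map interface), so permit only the VPN subnets on OUTSIDE -> INSIDE.
ip access-list extended ACL-VPN-DECRYPTED
 remark hypothetical remote (10.10.0.0/16) and local (192.168.1.0/24) subnets
 permit ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
class-map type inspect match-all CM-VPN-DECRYPTED
 match access-group name ACL-VPN-DECRYPTED
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-DECRYPTED
  inspect
 class class-default
  drop
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

Because "pass" is stateless, router-initiated IKE (self to OUTSIDE) relies on the default-allow behaviour for directions without a zone-pair; if you also define a SELF-OUT pair, mirror the same ACL there.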