01-02-2019 09:58 AM - edited 03-08-2019 05:32 PM
In my deployment I have a production VPN (VPN1) and a guest VPN (VPN2). I want to allow my guest network to talk to specific devices on my production network for the purposes of wireless screen casting. My preference is to keep the traffic local in each branch office (not route across the WAN and hairpin back).
When I read the zone based firewall documentation I get the understanding that "zones" are tied to VPNs. But I also understand that by default VPNs are designed to not communicate with one another, similar to VRF. I feel like I am missing something on how this is meant to allow/deny traffic between VPNs/Zones without something else needing to be configured for the routing component.
01-03-2019 11:16 AM
You need to create a vSmart policy to leak routes between VPNs, something like this:
policy
 lists
  vpn-list vpn1-list
   vpn 1
  !
  vpn-list vpn2-list
   vpn 2
  !
  prefix-list 154
   ip-prefix 172.16.154.0/24
  !
  prefix-list 155
   ip-prefix 172.16.155.0/24
  !
 !
 control-policy route-leak
  sequence 1
   match route
    prefix-list 155
    vpn-list vpn1-list
   !
   action accept
    export-to vpn-list vpn2-list
   !
  !
  sequence 11
   match route
    prefix-list 154
    vpn-list vpn2-list
   !
   action accept
    export-to vpn-list vpn1-list
   !
  !
  default-action accept
 !
!
apply-policy
 site-list branch-152
  control-policy route-leak in
 !
!
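An added example (my own code, not from the thread or from Cisco) that parses a vSmart policy in the form shown above and lists exactly which routes end up leaked from which VPN into which, so a reviewer can confirm the leak is scoped to the intended guest/production prefixes. The embedded POLICY is a constructed copy of the answer's configuration; the "!" closers are omitted because the parser nests by indentation.

```python
# POLICY is a constructed copy of the answer's policy minus its "!" closers (the
# parser below nests by indentation and would skip them anyway).
POLICY = """\
policy
 lists
  vpn-list vpn1-list
   vpn 1
  vpn-list vpn2-list
   vpn 2
  prefix-list 154
   ip-prefix 172.16.154.0/24
  prefix-list 155
   ip-prefix 172.16.155.0/24
 control-policy route-leak
  sequence 1
   match route
    prefix-list 155
    vpn-list vpn1-list
   action accept
    export-to vpn-list vpn2-list
  sequence 11
   match route
    prefix-list 154
    vpn-list vpn2-list
   action accept
    export-to vpn-list vpn1-list
"""

def cli_paths(text):  # yield each config line with the stanzas enclosing it, by indent
    stack = []
    for raw in text.splitlines():
        if raw.strip() and raw.strip() != "!":
            indent = len(raw) - len(raw.lstrip())
            while stack and stack[-1][0] >= indent: stack.pop()  # leave deeper stanzas
            stack.append((indent, raw.strip()))
            yield tuple(line for _, line in stack)

def route_leaks(text):  # -> sorted (source_vpn, prefix, destination_vpn) triples
    lists, seqs = {}, {}  # list name -> members (names assumed unique); "sequence N" -> lines
    for path in cli_paths(text):
        if len(path) > 3 and path[1] == "lists":            # a list member such as "vpn 1"
            lists.setdefault(path[-2].split()[1], []).append(path[-1].split()[1])
        elif len(path) > 3 and path[2].startswith("sequence "):
            seqs.setdefault(path[2], []).append(path[-2:])  # (enclosing stanza, line)
    def refs(lines, parent, key):  # members of the list named on "<key> <name>" lines under parent
        return [v for p, l in lines if p == parent and l.startswith(key) for v in lists[l.split()[-1]]]
    return sorted((s, p, d) for lines in seqs.values()
                  for s in (refs(lines, "match route", "vpn-list ") or ["any"])
                  for p in (refs(lines, "match route", "prefix-list ") or ["any"])
                  for d in refs(lines, "action accept", "export-to "))
```

For the policy above, route_leaks(POLICY) yields one row per direction: 172.16.155.0/24 from VPN 1 into VPN 2, and 172.16.154.0/24 from VPN 2 into VPN 1; a sequence that matches a VPN but has no export-to produces no row. Leaking the routes only makes the prefixes reachable; the zone-based firewall still decides which traffic between the zones is permitted.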
01-03-2019 11:46 AM
OK, that makes sense to me. I wish something like this would be called out in the ZBFW documentation: here
01-03-2019 12:42 PM
Well... you can always leave feedback to documentation, see "Leave feedback" button at the bottom of the page.
HTH.
Cheers.
01-03-2019 12:57 PM
Good recommendation! I just submitted that feedback.
10-21-2019 05:55 PM
Even in October 2019 a simple explanation of how to route traffic between 2 VPNs is hard to find in official Cisco docs.
This YouTube video covers in less than 6 minutes what you could spend a day searching for.