Hi,

I have a site to site VPN using VTI.

I tried to configure my zone-based fw to deny ping on my WAN IP but when I applied it, my VPN went down.

Could someone advise me how to do it?

Below is my config:

class-map type inspect match-any Inside-Outside-Class
match protocol https
match protocol http
match protocol dns
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any Outside-Self-Class

match access-group name ICMPReply

match access-group name ISAKMP

class-map type inspect match-any VPN-Inside-Class
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol ssh
match protocol https
match protocol sip
class-map type inspect match-any Inside-VPN-Class
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
match protocol ssh
match protocol sip

policy-map type inspect Inside-Outside-Policy
class type inspect Inside-Outside-Class
  inspect
class class-default
policy-map type inspect VPN-Inside-Policy
class type inspect VPN-Inside-Class
  inspect
class class-default
policy-map type inspect Inside-VPN-Policy
class type inspect Inside-VPN-Class
  inspect
class class-default

policy-map type inspect Outside-Self-Policy
class type inspect Outside-Self-Class
  inspect
class class-default

zone security Inside
zone security Outside
zone security VPN

zone-pair security in-out source Inside destination Outside
service-policy type inspect Inside-Outside-Policy
zone-pair security VPN-In source VPN destination Inside
service-policy type inspect VPN-Inside-Policy
zone-pair security In-VPN source Inside destination VPN
service-policy type inspect Inside-VPN-Policy

zone-pair security Out-Self source Outside destination self
service-policy type inspect Outside-Self-Policy

Interface Tunnel100

zone-member security VPN

Tunnel source Dialer0

Interface Dialer0

zone-member security Outside

Interface Vlan1

zone-member security Inside

ip access-list extended ISAKMP
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp

ip access-list extended ICMPReply
permit icmp any any host-unreachable

Thank you