There is no restriction for traffic between interfaces that are in the same zone. If you define separate zones, then you need to add policies using zone pairs.

(zone in) g0/1 ----- router ----- g0/0 (zone out)

For Tunnel 0, let's create a GRE zone:

access-list 123 permit gre any any
class-map type inspect gre
 match access-group 123
policy-map type inspect gre
 class type inspect gre
  pass

zone-pair in - gre > policies to inspect traffic from the inside zone
zone-pair gre - in > class-default with pass action
zone-pair gre - out > policy-map gre
zone-pair out - gre > policy-map gre

For your next question, ZFW inspects IP-based protocols like TCP, UDP, ICMP, etc. IPsec, GRE, multicast and broadcast packets can't be inspected by ZFW. For these, you need to add a separate class-map with a pass action in both directions, in-out and out-in. That's why we use IPsec over TCP when a firewall is in between: TCP will be inspected, and ISAKMP, which is over UDP 500, is also inspected.

With regards
Kings

On Wed, May 5, 2010 at 6:28 PM, Sumit Mahla <[email protected]> wrote:
> And what if we want to allow IPsec VPN negotiation through a zone-based
> firewall..
>
> Do we need to pass the IP traffic? or ESP and UDP only?
>
> kings.. could you suggest?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Subject: DMVPN and ZONE Based
> Date: Wed, 5 May 2010 17:55:55 +0530
>
> If implementing DMVPN on a router enabled for zone-based config.... then do
> we require loopbacks which are advertised in the routing protocol used in
> DMVPN to be configured in some zones?
>
> I mean, do the loopbacks and tunnel interface need to be members of any zone?
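A fuller IOS configuration of the zone layout Kings sketches above (separate GRE zone for Tunnel 0, pass for GRE, pass for ESP plus inspection of ISAKMP between inside and outside), written as an added example rather than configuration taken from the thread; the object names (GRE-ACL, GRE-POLICY, VPN-TRANSIT-POLICY and so on) are chosen here, and an existing inspect policy named INSIDE-POLICY for ordinary LAN traffic is assumed.

```cisco
! Zones: inside LAN, outside WAN, and a separate zone for the DMVPN tunnel
zone security in
zone security out
zone security gre
interface GigabitEthernet0/1
 zone-member security in
interface GigabitEthernet0/0
 zone-member security out
interface Tunnel0
 zone-member security gre
! GRE (IP proto 47) and ESP (IP proto 50) are not inspected statefully, so
! they are matched by ACL and passed; ISAKMP (UDP 500/4500) is inspected
ip access-list extended GRE-ACL
 permit gre any any
ip access-list extended ESP-ACL
 permit esp any any
ip access-list extended IKE-ACL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
class-map type inspect match-all GRE-CLASS
 match access-group name GRE-ACL
class-map type inspect match-all ESP-CLASS
 match access-group name ESP-ACL
class-map type inspect match-all IKE-CLASS
 match access-group name IKE-ACL
! class-default is omitted: in a type inspect policy it drops by default
policy-map type inspect GRE-POLICY
 class type inspect GRE-CLASS
  pass
policy-map type inspect VPN-TRANSIT-POLICY
 class type inspect IKE-CLASS
  inspect
 class type inspect ESP-CLASS
  pass
! Tunnel zone pairs: LAN traffic entering the tunnel is inspected by the
! existing INSIDE-POLICY (assumed name); the GRE carrier is passed elsewhere
zone-pair security IN-GRE source in destination gre
 service-policy type inspect INSIDE-POLICY
zone-pair security GRE-IN source gre destination in
 service-policy type inspect GRE-POLICY
zone-pair security GRE-OUT source gre destination out
 service-policy type inspect GRE-POLICY
zone-pair security OUT-GRE source out destination gre
 service-policy type inspect GRE-POLICY
! Transit IPsec between LAN and WAN: the ESP pass entry is needed both ways
zone-pair security IN-OUT source in destination out
 service-policy type inspect VPN-TRANSIT-POLICY
zone-pair security OUT-IN source out destination in
 service-policy type inspect VPN-TRANSIT-POLICY
```

After applying it, `show policy-map type inspect zone-pair` lists per-pair hit counts, which is the quickest way to confirm that GRE and ESP packets are landing in the pass classes rather than in class-default.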
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
