It all depends on the number of zones you have used. Usually the following is the way ZFW is configured:

inside ---------------- in zone  Router  out zone ----------------------- Outside

in to out zone > inspects traffic from inside to outside and allows it back
self to out > inspects router-generated traffic
out to self > allows traffic coming to the router

IPsec traffic will terminate on the router and after decryption the clear traffic should pass from the out zone to the in zone. Hence we should configure the out to self zone accordingly.

out to self > Allow AH, ESP, ISAKMP and Non-ISAKMP with pass action. You can't use inspect as ZFW can't inspect these protocols except Non-ISAKMP, which uses UDP.

While clear traffic is encrypted, the self to out zone should permit the VPN traffic:

self to out > Either use pass action for class-default or have a class for AH, ESP, ISAKMP and Non-ISAKMP with pass action.

To allow the clear text back:

out to in > Should allow the client network for clients in network extension mode and the leased pool network for clients in client mode.

With regards
Kings

On Fri, Jul 30, 2010 at 9:24 AM, Yogesh Gawankar <[email protected]> wrote:
> Hi all
>
> can a zfw terminate vpn connections and act as an ezvpn server for remote
> access? Do we just need to permit the isakmp and esp traffic in the out to
> self zone policy?
>
> Regards
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
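A sample IOS ZFW configuration implementing the three zone pairs described in the reply above (an added example, not configuration from the original thread); the zone, ACL, class-map and policy-map names and the client address ranges are assumptions.

```cisco
! Zones (interfaces are placed in them with "zone-member security" elsewhere)
zone security inside
zone security outside
!
! IPsec control and data plane: ISAKMP (UDP/500), Non-ISAKMP / NAT-T (UDP/4500), ESP, AH
ip access-list extended ACL-IPSEC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
class-map type inspect match-all CM-IPSEC
 match access-group name ACL-IPSEC
!
! Decrypted client traffic: EzVPN leased pool and a network-extension LAN (constructed ranges)
ip access-list extended ACL-VPN-CLIENTS
 permit ip 10.99.0.0 0.0.0.255 any
 permit ip 192.168.50.0 0.0.0.255 any
class-map type inspect match-all CM-VPN-CLIENTS
 match access-group name ACL-VPN-CLIENTS
!
! out -> self: only IKE/IPsec may reach the router; "pass", not "inspect", since ESP/AH cannot be inspected
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-IPSEC
  pass
 class class-default
  drop
!
! self -> out: router-originated IKE/IPsec; any other router-originated traffic
! needs its own class here (or, as the reply suggests, "pass" on class-default)
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-IPSEC
  pass
 class class-default
  drop
!
! out -> in: clear text after decryption, limited to the client networks
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-VPN-CLIENTS
  inspect
 class class-default
  drop
!
zone-pair security OUT-TO-SELF source outside destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination outside
 service-policy type inspect PM-SELF-TO-OUT
zone-pair security OUT-TO-IN source outside destination inside
 service-policy type inspect PM-OUT-TO-IN
```

Decrypted EzVPN traffic is still evaluated on the outside-to-inside pair because it arrives on the outside-zone interface, so that pair, not inside-to-outside, must admit the client networks.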
