Yogesh,

Personally I wouldn't configure any zone-pairs to the self-zone unless required. If you don't and you want to use the router for remote VPN connections, simply terminate the clients using a VTI and add the virtual-template interface to the same zone as the other protected interfaces and it will work perfectly.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Yogesh Gawankar
Sent: Thursday, July 29, 2010 11:54 PM
To: [email protected]
Subject: [OSL | CCIE_Security] zfw

Hi all,

Can a ZFW terminate VPN connections and act as an EzVPN server for remote access? Do we just need to permit the ISAKMP and ESP traffic in the out-to-self zone policy?

Regards
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
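
A sketch of the layout described in the reply above, added here as an illustration and not taken from the thread: an EzVPN server on a dynamic VTI whose virtual-template is a member of the same zone as the inside interface, with no zone-pair to or from the self zone. All names, interface numbers, addresses and the key placeholder are assumptions.

```cisco
! Added example: hypothetical names and constructed addresses throughout.
aaa new-model
aaa authentication login EZVPN-AUTHC local
aaa authorization network EZVPN-AUTHZ local
!
ip local pool EZVPN-POOL 10.99.0.1 10.99.0.50
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN-GROUP
 key <GROUP-KEY-PLACEHOLDER>
 pool EZVPN-POOL
!
crypto isakmp profile EZVPN-PROFILE
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTHC
 isakmp authorization list EZVPN-AUTHZ
 client configuration address respond
 ! Each client session clones a Virtual-Access interface from this template
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROFILE
!
zone security INSIDE
!
interface GigabitEthernet0/1
 description Protected LAN (assumed inside interface)
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 ! Same zone as the protected interface, so decrypted client traffic
 ! to the LAN is intra-zone and needs no zone-pair of its own
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
! No zone-pair references "self": with none configured, traffic to and
! from the router itself (ISAKMP, ESP) is not restricted by the firewall.
```

`show zone security` lists the zone members, and `show crypto session` shows each connected client's session.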
