Hi Andrew, indeed ZBFW doesn't recognize the ESP protocol; there is only 'match isakmp' available, which doesn't help much. So you are left with the ACL way of doing this. I did it once for a client; here is an example: http://ccie-security-blog.com/2011/02/19/ios-zone-based-firewall-with-vpn-ipsec-site-to-site-configured-example/

Regarding ipsec-msft: cisco.com lists it as related to Microsoft IP Security (IPSec) NAT-T, so it is not relevant in this case.

Cheers
Yuri

On Sun, May 8, 2011 at 7:10 AM, Andrew Wurster <[email protected]> wrote:
> hey team -
>
> in one of the solution guides (lab 17), i saw mention of the *ipsec-msft* inspection (*match protocol ipsec-msft*). i believe that doesn't apply in the case of normal site to site and VPN traffic over ESP and we have to "pass" ESP regardless (and consequently plan for its return with a mirror policy).
>
> i first thought this is for UDP 1701, which is the encapsulation for L2TP/IPsec. is it for L2TP/IPsec, or for standard NAT-T on UDP 4500, or what?
>
> am i also correct in my understanding that things like ESP (*match protocol ipsec*), while it may be possible to inspect on high-end routers like a 7600, is not possible on the ISRs in the lab blueprint?
>
> looking here... :
>
> http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1057374
>
> thanks!
>
> andrew
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com <http://www.platinumplacement.com/>

--
Taking challenges one by one.
http://yurisk.info
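The ACL-based approach Yuri describes, as an added worked example that is not from the thread or from the linked blog post: ESP is matched by an extended ACL (there is no 'match protocol esp' in ZBFW) and passed statelessly in each direction on the OUTSIDE/self zone pairs, with the reverse policy mirroring it so the return packets are not dropped by class-default. Addresses (local endpoint 203.0.113.1, remote peer 198.51.100.1), interface and all object names are constructed assumptions.

```cisco
! Constructed example: site-to-site IPsec terminates on this router, so the
! tunnel traffic flows between zone OUTSIDE and the router's self zone.
ip access-list extended ACL-ESP-IN
 permit esp host 198.51.100.1 host 203.0.113.1
ip access-list extended ACL-ESP-OUT
 permit esp host 203.0.113.1 host 198.51.100.1
!
! ESP cannot be inspected, so it is matched by ACL; ISAKMP has its own match.
class-map type inspect match-all CM-ESP-IN
 match access-group name ACL-ESP-IN
class-map type inspect match-all CM-ESP-OUT
 match access-group name ACL-ESP-OUT
class-map type inspect match-all CM-ISAKMP
 match protocol isakmp
!
! Inbound policy: OUTSIDE -> self. 'pass' is stateless, hence the mirror below.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-ISAKMP
  pass
 class type inspect CM-ESP-IN
  pass
 class class-default
  drop log
!
! Mirrored outbound policy: self -> OUTSIDE, using the reversed ESP ACL.
policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-ISAKMP
  pass
 class type inspect CM-ESP-OUT
  pass
 class class-default
  drop log
!
zone security OUTSIDE
interface GigabitEthernet0/0
 description constructed outside interface, local IPsec endpoint
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!
zone-pair security ZP-OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security ZP-SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUT
```

Once a policy is applied to a self zone pair, class-default drops everything else to and from the router on that interface (management, routing protocols), so those need their own classes; the ACLs pin ESP to the one known peer rather than permitting protocol 50 from anywhere.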
