ESP is not stateful in ZBF. You need another policy for that in the opposite direction.
Regards,
Piotr

2011/8/3 Adil Pasha <[email protected]>
> Guys,
>
> I am trying my best to figure this out.
>
> I have the following:
>
> *PC ----> ZFW router ----> EZVPN server*
>
> I have the following configuration on the ZFW router:
>
> class-map type inspect match-any i2o
>  match access-group 104
> !
> policy-map type inspect i2o
>  class type inspect i2o
>   inspect
>  class class-default
>   drop
> !
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
>
> I am able to connect to the EZVPN router using my IPSec client through ZFW.
> The PC receives the EZVPN pool address and gateway.
>
> After the IPSec client established the connection I see the ACL counters increment, even when I try to PING.
>
> Extended IP access list 104
>     10 permit esp any any (8 matches) <<<< PING packets
>     20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>
> For some reason I do not get the reply back.
>
> I did not include "ip any any" on the ACL since my traffic is passing through the tunnel and in my opinion I do not need this.
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
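Piotr's point, as an added configuration example (constructed here, not the original poster's or the list's configuration): ESP carries no ports for ZBF to track, so it is passed rather than inspected, and the EZVPN server's ESP replies get their own out-to-in zone-pair instead of relying on a session that was never created. Zone, interface, class-map and policy-map names, and the 203.0.113.1 EZVPN server address, are assumptions.

```cisco
! Constructed example. Assumed: zone INSIDE (PC side, FastEthernet0/0),
! zone OUTSIDE (EZVPN server side, FastEthernet0/1), server 203.0.113.1.
!
! ISAKMP (UDP/500) is an ordinary UDP flow, so "inspect" creates a session
! that lets the server's replies back in. ESP (IP protocol 50) has no
! transport-layer state for ZBF to match, so it needs "pass" in BOTH
! directions; restricting the return leg to the known server limits exposure.
ip access-list extended ISAKMP-OUTBOUND
 permit udp any host 203.0.113.1 eq isakmp
ip access-list extended ESP-OUTBOUND
 permit esp any host 203.0.113.1
ip access-list extended ESP-INBOUND
 permit esp host 203.0.113.1 any
!
class-map type inspect match-all ISAKMP-OUT-CLASS
 match access-group name ISAKMP-OUTBOUND
class-map type inspect match-all ESP-OUT-CLASS
 match access-group name ESP-OUTBOUND
class-map type inspect match-all ESP-IN-CLASS
 match access-group name ESP-INBOUND
!
! Inside -> outside: stateful for ISAKMP, stateless pass for ESP.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect ISAKMP-OUT-CLASS
  inspect
 class type inspect ESP-OUT-CLASS
  pass
 class class-default
  drop
!
! Outside -> inside: the missing half. Without this policy the ESP
! replies from the server hit the implicit drop between zones.
policy-map type inspect OUTSIDE-TO-INSIDE
 class type inspect ESP-IN-CLASS
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

After applying it, `show policy-map type inspect zone-pair OUT-IN` should show the ESP-IN-CLASS pass counters climbing alongside the IN-OUT counters once tunnel traffic (such as the PING) is sent.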
