"pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:

> ESP is not stateful in ZBF. You need another policy for that in the opposite
> direction.
>
> Regards,
> Piotr
>
> 2011/8/3 Adil Pasha <[email protected]>
>
>> Guys,
>>
>> I am trying my best to figure this out.
>>
>> I have the following:
>>
>> *PC ----> ZFW router ----> EZVPN server*
>>
>> I have the following configuration on the ZFW router:
>>
>> class-map type inspect match-any i2o
>>  match access-group 104
>> !
>> policy-map type inspect i2o
>>  class type inspect i2o
>>   inspect
>>  class class-default
>>   drop
>> !
>> access-list 104 permit esp any any
>> access-list 104 permit udp any any eq isakmp
>>
>> I am able to connect to the EZVPN router using my IPSec client through
>> ZFW. The PC receives the EZVPN pool address and gateway.
>>
>> After the IPSec client established the connection I see the ACL counters
>> increment, even when I try to PING.
>>
>> Extended IP access list 104
>>     10 permit esp any any (8 matches)            <<<< PING packets
>>     20 permit udp any any eq isakmp (4 matches)  <<<< IPSec connection
>>
>> For some reason I do not get the reply back.
>>
>> I did not include "ip any any" on the ACL since my traffic is passing
>> through the tunnel and in my opinion I do not need this.
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
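For reference, here is the shape of the fix the thread points at, as an added example rather than anything posted by Adil or Piotr. ZBF's `inspect` action tracks TCP/UDP/ICMP sessions, but ESP carries no port or session state for the firewall to key on, so the inside-to-outside `inspect` never opens a return path for the ESP replies (which is exactly why ACL 104 counts the outbound pings while the answers are dropped). The usual fix is to `pass` the IKE and ESP traffic in a zone-pair for each direction and keep `inspect` for ordinary traffic. Zone names, interface names and the policy names below are assumptions; the VPN server address is a placeholder to be filled in.

```cisco
! Added example, not the poster's configuration. Zone, interface and
! policy names are assumed; <VPN-SERVER-IP> is a placeholder.
!
! Match only the tunnel control and data traffic to the known VPN server.
! "pass" creates no state, so keep this ACL as narrow as possible; the
! original thread used "any any", which opens the return direction to
! every ESP source.
ip access-list extended VPN-ACL
 permit udp any host <VPN-SERVER-IP> eq isakmp
 permit udp any host <VPN-SERVER-IP> eq non500-isakmp   ! NAT-T (UDP/4500), if used
 permit esp any host <VPN-SERVER-IP>
!
ip access-list extended VPN-RETURN-ACL
 permit udp host <VPN-SERVER-IP> eq isakmp any
 permit udp host <VPN-SERVER-IP> eq non500-isakmp any
 permit esp host <VPN-SERVER-IP> any
!
class-map type inspect match-any VPN-OUT
 match access-group name VPN-ACL
class-map type inspect match-any VPN-IN
 match access-group name VPN-RETURN-ACL
!
! Inside -> outside: let the tunnel through statelessly, inspect the rest.
policy-map type inspect IN-TO-OUT
 class type inspect VPN-OUT
  pass
 class class-default
  inspect
!
! Outside -> inside: this second policy is what the thread says is missing.
! Only the tunnel's return packets are passed; everything else is dropped.
policy-map type inspect OUT-TO-IN
 class type inspect VPN-IN
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
!
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

To confirm the return direction is being handled, `show policy-map type inspect zone-pair OUT-IN` shows the pass counters for class VPN-IN climbing alongside the inside-to-outside ESP counters once the client starts sending through the tunnel.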
