Same thing - Apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic
On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr and Mark,
>
> Is it really worth trying this scenario or am I making it too complicated?
>
> Also, what about GETVPN thru ZFW?
>
> :)
>
> I just want to cover all the bases.
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>
> "pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
>
> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
>
>> ESP is not stateful in ZBF. You need another policy for that in the opposite
>> direction.
>>
>> Regards,
>> Piotr
>>
>> 2011/8/3 Adil Pasha <[email protected]>
>>
>>> Guys,
>>>
>>> I am trying my best to figure this out.
>>>
>>> I have the following:
>>>
>>> *PC ----> ZFW router ----> EZVPN server*
>>>
>>> I have the following configuration on the ZFW router:
>>>
>>> class-map type inspect match-any i2o
>>>  match access-group 104
>>> !
>>> policy-map type inspect i2o
>>>  class type inspect i2o
>>>   inspect
>>>  class class-default
>>>   drop
>>> !
>>> access-list 104 permit esp any any
>>> access-list 104 permit udp any any eq isakmp
>>>
>>> I am able to connect to the EZVPN router using my IPSec client through
>>> ZFW. The PC receives the EZVPN pool address and gateway.
>>>
>>> After the IPSec client established the connection I see the ACL counters
>>> increment, even when I try to PING.
>>>
>>> Extended IP access list 104
>>>     10 permit esp any any (8 matches) <<<< PING packets
>>>     20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>>>
>>> For some reason I do not get the reply back.
>>>
>>> I did not include "ip any any" on the ACL since my traffic is passing
>>> through the tunnel and in my opinion I do not need this.
>>>
>>> Best Regards.
>>> ______________________
>>> Adil
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
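The fix the thread converges on, put together as one complete ZBF configuration: Piotr's point that ESP is not stateful in ZBF (so the reverse zone-pair needs its own policy), Mark's point that ESP and IKE/ISAKMP should get the "pass" action rather than "inspect", and the last reply's addition of UDP 848 (GDOI) for GETVPN. This is an added example, not Adil's posted config or anything from the thread: the zone names, class-map/policy-map names and interface names are assumed, and the NAT-T line (UDP 4500, keyword non500-isakmp) is a caveat the thread does not discuss, needed only if the IPsec client sits behind NAT.

```cisco
! Added example (not the original poster's config). Zone, class-map,
! policy-map and interface names are assumed.
!
! Why "pass" and why both directions: ZBF "inspect" tracks TCP/UDP/ICMP
! sessions and opens the return path automatically. ESP (IP protocol 50)
! carries no L4 session that ZBF can track, so an "inspect" on ESP creates
! no return-path entry and the EZVPN server's ESP replies fall into
! class-default and are dropped. "pass" is stateless and one-directional,
! so it must be applied on the outside->inside zone-pair as well.
!
! Control and data channels of the VPN:
access-list 104 remark IPsec/IKE/GETVPN traffic to pass through ZBF
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq 848
! NAT-T (UDP 4500): assumption beyond the thread, only if the client is behind NAT
access-list 104 permit udp any any eq non500-isakmp
!
class-map type inspect match-any VPN-TRAFFIC
 match access-group 104
!
! Inside -> outside: pass, not inspect
policy-map type inspect PM-IN-OUT
 class type inspect VPN-TRAFFIC
  pass
 class class-default
  drop log
!
! Outside -> inside: the mirror policy Piotr refers to. Without it the
! ESP packets coming back from the EZVPN server have no matching class
! on the reverse zone-pair and are dropped.
policy-map type inspect PM-OUT-IN
 class type inspect VPN-TRAFFIC
  pass
 class class-default
  drop log
!
zone security inside
zone security outside
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 description LAN (PC side) - assumed interface
 zone-member security inside
!
interface GigabitEthernet0/1
 description WAN (toward EZVPN server) - assumed interface
 zone-member security outside
```

Two things worth checking after applying this. First, "show policy-map type inspect zone-pair OUT-IN" should show the pass counters for VPN-TRAFFIC increasing when the PC pings across the tunnel; if only the IN-OUT pass counters move and class-default drops climb on OUT-IN, the reverse policy is not attached. Second, because "pass" does not inspect anything, the router no longer sees the traffic inside the tunnel at all; whatever filtering the PC needs for the EZVPN-pool traffic has to happen on the EZVPN server side or on the PC, not on the ZBF router.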
