Will do it tonight or tomorrow and let you know.
Best Regards.
______________________
Adil

On Aug 3, 2011, at 7:26 PM, Mark Senteza wrote:

> Same thing - Apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic
>
> On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr and Mark,
>
> Is it really worth trying this scenario or am I making it too complicated?
>
> Also, what about GETVPN thru ZFW?
>
> :)
>
> I just want to cover all the bases.
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>
>> "pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
>>
>> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
>>
>> ESP is not stateful in ZBF. You need another policy for that in the opposite direction.
>>
>> Regards,
>> Piotr
>>
>> 2011/8/3 Adil Pasha <[email protected]>
>>
>> Guys,
>>
>> I am trying my best to figure this out.
>>
>> I have the following:
>>
>> PC ----> ZFW router ----> EZVPN server
>>
>> I have the following configuration on the ZFW router:
>>
>> class-map type inspect match-any i2o
>> match access-group 104
>> !
>> policy-map type inspect i2o
>> class type inspect i2o
>> inspect
>> class class-default
>> drop
>>
>> access-list 104 permit esp any any
>> access-list 104 permit udp any any eq isakmp
>>
>> I am able to connect to the EZVPN router using my IPSec client through ZFW. The PC receives the EZVPN pool address and gateway.
>>
>> After the IPSec client established the connection I see the ACL counters increment, even when I try to PING.
>>
>> Extended IP access list 104
>> 10 permit esp any any (8 matches) <<<< PING packets
>> 20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>>
>> For some reason I do not get the reply back.
>>
>> I did not include "ip any any" on the ACL since my traffic is passing through the tunnel and in my opinion I do not need this.
>>
>> Best Regards.
>> ______________________
>> Adil
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
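The advice given in the thread (use "pass" instead of "inspect" for ESP and IKE/ISAKMP, add a matching policy on the opposite zone-pair, and cover UDP 848 for GETVPN's GDOI), written out as an added configuration example that is not Adil's running config and not from the list; it also covers NAT-T on UDP 4500, and the zone names, interface names and the EZVPN server address 192.0.2.10 are assumptions.

```cisco
! Constructed example. Zone names, interfaces and the peer 192.0.2.10 are assumed.
zone security inside
zone security outside
!
! Outbound: the PC may start IKE/ISAKMP (UDP 500), NAT-T (UDP 4500),
! GDOI for GETVPN (UDP 848) and send ESP (IP protocol 50) to the VPN server.
ip access-list extended IPSEC-OUT
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq non500-isakmp
 permit udp any host 192.0.2.10 eq 848
 permit esp any host 192.0.2.10
!
! Return direction: ZBF keeps no session state for ESP, so the reply
! must be permitted by its own zone-pair. Scope the source to the VPN
! peer rather than "any any", since "pass" does no stateful checking.
ip access-list extended IPSEC-IN
 permit udp host 192.0.2.10 any eq isakmp
 permit udp host 192.0.2.10 any eq non500-isakmp
 permit udp host 192.0.2.10 any eq 848
 permit esp host 192.0.2.10 any
!
class-map type inspect match-all CM-IPSEC-OUT
 match access-group name IPSEC-OUT
class-map type inspect match-all CM-IPSEC-IN
 match access-group name IPSEC-IN
!
! "pass" forwards the packet without creating an inspect session.
policy-map type inspect PM-IN-OUT
 class type inspect CM-IPSEC-OUT
  pass
 class class-default
  drop log
policy-map type inspect PM-OUT-IN
 class type inspect CM-IPSEC-IN
  pass
 class class-default
  drop log
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
```

Because "pass" creates no sessions, verification is done on the ACL hit counters (as Adil did with "show access-list") in both directions rather than in the zone-pair session table.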
