Personally I recommend using match protocol gdoi, match protocol isakmp for the UDP-based traffic. Pass is just for ESP.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: Mark Senteza
Sent: Wednesday, August 03, 2011 7:26 PM
To: Adil Pasha
Cc: CCIE Security Maillist
Subject: Re: [OSL | CCIE_Security] Remote Access through ZFW.

Same thing - apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic.

On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha wrote:

Thanks Piotr and Mark,

Is it really worth trying this scenario or am I making it too complicated? Also, what about GETVPN thru ZFW? :) I just want to cover all the bases.

Best Regards.
Adil

On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:

"pass" ESP and IKE/ISAKMP traffic instead of the "inspect" action.

On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak wrote:

ESP is not stateful in ZBF. You need another policy for that in the opposite direction.

Regards,
Piotr

2011/8/3 Adil Pasha wrote:

Guys,

I am trying my best to figure this out. I have the following:

PC ----> ZFW router ----> EZVPN server

I have the following configuration on the ZFW router:

    class-map type inspect match-any i2o
     match access-group 104
    !
    policy-map type inspect i2o
     class type inspect i2o
      inspect
     class class-default
      drop
    !
    access-list 104 permit esp any any
    access-list 104 permit udp any any eq isakmp

I am able to connect to the EZVPN router using my IPSec client through ZFW. The PC receives the EZVPN pool address and gateway. After the IPSec client established the connection I see the ACL counters increment, even when I try to PING.

    Extended IP access list 104
        10 permit esp any any (8 matches)             <<<< PING packets
        20 permit udp any any eq isakmp (4 matches)   <<<< IPSec connection

For some reason I do not get the reply back. I did not include "ip any any" on the ACL since my traffic is passing through the tunnel and in my opinion I do not need this.

Best Regards.
Adil

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
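The advice in this thread (inspect the UDP control channels, pass ESP, and add a second zone-pair policy because "pass" creates no return state) combined into one ZFW configuration. This is an added example, not configuration from any of the posters; the zone, interface, ACL and class-map names are assumed.

```ios
! Zones and interface assignment (interface names are assumed)
zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
!
! UDP control channels are stateful-inspected: IKE/ISAKMP for EZVPN,
! GDOI (UDP 848) for GETVPN, as Tyson recommends
class-map type inspect match-any VPN-CONTROL
 match protocol isakmp
 match protocol gdoi
!
! ESP carries no L4 state that ZFW can track, so it is matched by ACL and passed
ip access-list extended ESP-ONLY
 permit esp any any
class-map type inspect match-all VPN-ESP
 match access-group name ESP-ONLY
!
! Inside-to-outside: inspect the UDP control traffic, pass ESP
policy-map type inspect I2O
 class type inspect VPN-CONTROL
  inspect
 class type inspect VPN-ESP
  pass
 class class-default
  drop
!
! Outside-to-inside: ESP must be passed explicitly here as well, since "pass"
! builds no return-traffic session (Piotr's point). Inspected UDP control
! traffic gets its return path from the inspect session and needs no entry.
policy-map type inspect O2I
 class type inspect VPN-ESP
  pass
 class class-default
  drop
!
zone-pair security IN-TO-OUT source inside destination outside
 service-policy type inspect I2O
zone-pair security OUT-TO-IN source outside destination inside
 service-policy type inspect O2I
```

With this in place, the ESP counters seen in the thread should increment on both zone-pairs rather than only inside-to-outside, which is the quickest check that the return path is no longer being dropped by class-default.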
