Cool. Thanks Tyson. I will try it and let you guys know.
Best Regards.
______________________
Adil

On Aug 3, 2011, at 8:02 PM, Tyson Scott wrote:

> Personally I recommend using match protocol gdoi, match protocol isakmp for
> the udp based traffic. Pass is just for ESP.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE
> (R&S, Voice, Security & Service Provider) certification(s) with training
> locations throughout the United States, Europe, South Asia and Australia. Be
> sure to visit our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Mark Senteza
> Sent: Wednesday, August 03, 2011 7:26 PM
> To: Adil Pasha
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] Remote Access through ZFW.
>
> Same thing - Apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic
>
> On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr and Mark,
>
> Is it really worth trying this scenario or am I making it too complicated?
>
> Also, what about GETVPN thru ZFW?
>
> :)
>
> I just want to cover all the bases.
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>
> "pass" ESP and IKE/ISAKMP traffic instead of "inspect" action
>
> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
> ESP is not stateful in ZBF. You need another policy for that in opposite
> direction.
>
> Regards,
> Piotr
>
> 2011/8/3 Adil Pasha <[email protected]>
> Guys,
>
> I am trying my best to figure this out.
>
> I have the following:
>
> PC ----> ZFW router ----> EZVPN server
>
> I have the following configuration on ZFW router
>
> class-map type inspect match-any i2o
>  match access-group 104
> !
> policy-map type inspect i2o
>  class type inspect i2o
>   inspect
>  class class-default
>   drop
>
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
>
> I am able to connect to the EZVPN router using my IPSec client through ZFW.
> The PC receives the EZVPN pool address and gateway.
>
> After the IPSec client established the connection I see the ACL counters
> increment, even when I try to PING.
>
> Extended IP access list 104
> 10 permit esp any any (8 matches) <<<< PING packets
> 20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>
> For some reason I do not get the reply back.
>
> I did not include "ip any any" on the ACL since my traffic is passing through
> the tunnel and in my opinion I do not need this.
>
> Best Regards.
> ______________________
> Adil
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
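The design the replies converge on (inspect the UDP-based IKE and GDOI control traffic, "pass" ESP, and pass ESP a second time in the return direction) written out as a complete configuration. This is an added example, not a config posted in the thread; the zone, class-map, policy-map, ACL and interface names are assumed, and the reason ESP needs a second policy is that ZFW keeps no session entry for it: ESP carries no ports, and each direction uses its own SPI, so there is nothing for the firewall to pair an inbound packet with.

```cisco
! Added example, not from the thread. Names below are assumed.
!
! ESP (IP protocol 50) cannot be inspected: no L4 ports and a different SPI
! per direction, so ZFW has no return-flow entry to match. "pass" forwards it
! statelessly, which is why the reverse zone-pair needs its own pass policy.
ip access-list extended ESP-ONLY
 permit esp any any
!
class-map type inspect match-all ESP-PASS
 match access-group name ESP-ONLY
!
! IKE/ISAKMP (UDP/500) and GDOI (UDP/848) are UDP sessions; inspecting them
! creates a session entry, so their replies are allowed without a second rule.
class-map type inspect match-any VPN-CONTROL
 match protocol isakmp
 match protocol gdoi
!
! Inside -> outside: inspect the control channel, pass the ESP data channel.
policy-map type inspect I2O
 class type inspect VPN-CONTROL
  inspect
 class type inspect ESP-PASS
  pass
 class class-default
  drop
!
! Outside -> inside: only the stateless ESP return traffic needs to be
! allowed here; everything else stays dropped.
policy-map type inspect O2I
 class type inspect ESP-PASS
  pass
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect I2O
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect O2I
!
interface FastEthernet0/0
 description LAN toward the PC (interface name assumed)
 zone-member security INSIDE
!
interface FastEthernet0/1
 description WAN toward the EZVPN server (interface name assumed)
 zone-member security OUTSIDE
```

To confirm the split is working, `show policy-map type inspect zone-pair IN-OUT` should show session entries only under the inspected VPN-CONTROL class and plain packet counters under ESP-PASS, and the OUT-IN pair should show ESP-PASS counters incrementing as the pings are answered. One caveat worth checking before blaming the policy: if the client and server negotiate NAT-T, the data traffic is carried in UDP/4500 rather than raw ESP, the ESP classes never match, and that UDP port has to be covered by the inspected control class instead.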
