I put the lab together. Pass or Inspect. Nothing works. IPSec client gets connected through ZFW but cannot connect to any device behind the ezvpn server.
Any further suggestion? If anyone on the list has done this setup or GETVPN thru ZFW, could you please share the config?

!
class-map type inspect match-all o2i_esp
 match access-group name pass_esp
class-map type inspect match-all i2o_esp
 match access-group name pass_esp
class-map type inspect match-any o2i
 match protocol telnet
 match protocol http
 match protocol https
 match protocol icmp
 match protocol isakmp
class-map type inspect match-all i2o_ip_any
 match access-group 101
!
!
policy-map type inspect i2o
 class type inspect i2o_ip_any
  inspect
 class type inspect i2o_esp
  pass
 class class-default
  drop
policy-map type inspect o2i
 class type inspect o2i
  inspect
 class type inspect o2i_esp
  pass
 class class-default
  drop
!
zone security Inside
zone security Outside
zone-pair security i2o source Inside destination Outside
 service-policy type inspect i2o
zone-pair security o2i source Outside destination Inside
 service-policy type inspect o2i
!
ip access-list extended pass_esp
 permit esp any any
!

Best Regards.
______________________
Adil

On Aug 3, 2011, at 8:02 PM, Tyson Scott wrote:

> Personally I recommend using match protocol gdoi, match protocol isakmp for
> the UDP based traffic. Pass is just for ESP.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE
> (R&S, Voice, Security & Service Provider) certification(s) with training
> locations throughout the United States, Europe, South Asia and Australia. Be
> sure to visit our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com
>
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Mark Senteza
> Sent: Wednesday, August 03, 2011 7:26 PM
> To: Adil Pasha
> Cc: CCIE Security Maillist
> Subject: Re: [OSL | CCIE_Security] Remote Access through ZFW.
>
> Same thing - apply the "pass" action on the IKE/ISAKMP and UDP 848 traffic.
>
> On Wed, Aug 3, 2011 at 4:17 PM, Adil Pasha <[email protected]> wrote:
>
> Thanks Piotr and Mark,
>
> Is it really worth trying this scenario or am I making it too complicated?
>
> Also, what about GETVPN thru ZFW?
>
> :)
>
> I just want to cover all the bases.
>
> Best Regards.
> ______________________
> Adil
>
> On Aug 3, 2011, at 4:41 PM, Mark Senteza wrote:
>
> "pass" ESP and IKE/ISAKMP traffic instead of the "inspect" action.
>
> On Wed, Aug 3, 2011 at 1:35 PM, Piotr Matusiak <[email protected]> wrote:
>
> ESP is not stateful in ZBF. You need another policy for that in the opposite
> direction.
>
> Regards,
> Piotr
>
> 2011/8/3 Adil Pasha <[email protected]>
>
> Guys,
>
> I am trying my best to figure this out.
>
> I have the following:
>
> PC ----> ZFW router ----> EZVPN server
>
> I have the following configuration on the ZFW router:
>
> class-map type inspect match-any i2o
>  match access-group 104
> !
> policy-map type inspect i2o
>  class type inspect i2o
>   inspect
>  class class-default
>   drop
>
> access-list 104 permit esp any any
> access-list 104 permit udp any any eq isakmp
>
> I am able to connect to the EZVPN router using my IPSec client through ZFW.
> The PC receives the EZVPN pool address and gateway.
>
> After the IPSec client has established the connection I see the ACL counters
> increment, even when I try to PING.
>
> Extended IP access list 104
>     10 permit esp any any (8 matches) <<<< PING packets
>     20 permit udp any any eq isakmp (4 matches) <<<< IPSec connection
>
> For some reason I do not get the reply back.
>
> I did not include "ip any any" on the ACL since my traffic is passing through
> the tunnel and in my opinion I do not need this.
>
> Best Regards.
> ______________________
> Adil
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
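An added example, not from the thread or any of its posters: a small Python lint that encodes the point Piotr and Mark make above (ZFW keeps no state for ESP, so ESP has to be "pass"ed in both zone-pairs rather than inspected) and also flags a class-ordering problem a practitioner would check for, namely an earlier inspect class whose ACL also covers ESP (a permit ip any any, for instance) shadowing a later pass class. It parses only the IOS syntax shown in the thread. The sample configs are constructed from Adil's second config; the thread never shows ACL 101, so its contents (permit tcp any any, and permit ip any any in the shadowed variant) are assumptions, as is the o2i policy without its class-default.

```python
"""Lint a Cisco IOS zone-based firewall (ZFW) config for how it treats ESP.  ZFW does
not track ESP statefully, so ESP needs a 'pass' class in both zone-pairs, and an
earlier 'inspect' class matching ESP shadows a later 'pass'.  Thread syntax only."""
import re
from collections import defaultdict

def parse_ios(text):
    """Return (acls, cmaps, pmaps, zpairs) parsed from IOS running-config text."""
    acls, cmaps, pmaps, zpairs = defaultdict(list), {}, {}, {}
    kind = ctx = cur = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == '!':
            continue
        if not raw.startswith(' '):                  # top-level command opens a new block
            kind = None
            if tok[0] == 'access-list':              # numbered ACL, one entry per line
                acls[tok[1]].append(' '.join(tok[2:]))
            elif tok[:2] == ['ip', 'access-list']:   # named ACL, entries follow indented
                kind, ctx = 'acl', tok[-1]
            elif tok[0] == 'class-map':
                kind, ctx = 'cmap', tok[-1]
                cmaps[ctx] = set()                   # ACLs this class matches on
            elif tok[0] == 'policy-map':
                kind, ctx = 'pmap', tok[-1]
                pmaps[ctx] = {}                      # class -> action, in config order
            elif tok[0] == 'zone-pair':
                kind, ctx = 'zpair', tok[2]
                zpairs[ctx] = {'src': tok[4], 'dst': tok[6], 'policy': None}
        elif kind == 'acl':
            acls[ctx].append(' '.join(tok))
        elif kind == 'cmap' and tok[:2] == ['match', 'access-group']:
            cmaps[ctx].add(tok[-1])                  # '... 101' or '... name pass_esp'
        elif kind == 'pmap' and tok[0] == 'class':   # 'class type inspect X' / 'class class-default'
            cur = tok[-1]
            pmaps[ctx].setdefault(cur, 'drop')       # a class with no action line drops
        elif kind == 'pmap' and tok[0] in ('inspect', 'pass', 'drop'):
            pmaps[ctx][cur] = tok[0]
        elif kind == 'zpair' and tok[0] == 'service-policy':
            zpairs[ctx]['policy'] = tok[-1]
    return acls, cmaps, pmaps, zpairs

def esp_action(policy, cmaps, acls, pmaps):
    """(action, class) the policy-map applies to ESP; the first matching class wins."""
    for cname, action in pmaps.get(policy, {}).items():
        if cname != 'class-default' and any(re.match(r'permit\s+(ip|esp|50)\b', e)
                                            for a in cmaps.get(cname, ()) for e in acls[a]):
            return action, cname                     # 'ip', 'esp' and '50' all cover ESP
    return pmaps.get(policy, {}).get('class-default', 'drop'), 'class-default'

def audit(text):
    """Findings about ESP per zone-pair; an empty list means ESP is passed both ways."""
    acls, cmaps, pmaps, zpairs = parse_ios(text)
    by_dir = {(z['src'], z['dst']): (n, z['policy']) for n, z in zpairs.items()}
    out = []
    for (src, dst), (name, policy) in by_dir.items():
        action, cls = esp_action(policy, cmaps, acls, pmaps)
        if action == 'inspect':
            out.append(f"{name}: ESP hits inspect class {cls}; ZFW cannot track ESP, use pass")
        if action in ('inspect', 'pass'):
            rev = by_dir.get((dst, src))
            if rev is None:
                out.append(f"{name}: no zone-pair {dst}->{src}, so returning ESP is dropped")
            elif esp_action(rev[1], cmaps, acls, pmaps)[0] != 'pass':
                out.append(f"{name}: reverse zone-pair {rev[0]} does not pass ESP")
    return out

# Constructed sample built from Adil's second config, Inside->Outside zone-pair only.
# ACL 101 is never shown in the thread; 'permit tcp any any' is assumed here.
ONE_WAY_CFG = """\
class-map type inspect match-all o2i_esp
 match access-group name pass_esp
class-map type inspect match-all i2o_esp
 match access-group name pass_esp
class-map type inspect match-any o2i
 match protocol isakmp
class-map type inspect match-all i2o_ip_any
 match access-group 101
policy-map type inspect i2o
 class type inspect i2o_ip_any
  inspect
 class type inspect i2o_esp
  pass
policy-map type inspect o2i
 class type inspect o2i
  inspect
 class type inspect o2i_esp
  pass
zone-pair security i2o source Inside destination Outside
 service-policy type inspect i2o
ip access-list extended pass_esp
 permit esp any any
access-list 101 permit tcp any any
"""
# Adding the reverse zone-pair gives ESP 'pass' in both directions, as Adil posted.
PASS_BOTH_CFG = ONE_WAY_CFG + """\
zone-pair security o2i source Outside destination Inside
 service-policy type inspect o2i
"""
# If ACL 101 were 'permit ip any any', the inspect class would shadow the pass class.
SHADOWED_CFG = PASS_BOTH_CFG.replace('permit tcp any any', 'permit ip any any')
```

Feed audit() the text of a saved "show running-config"; a non-empty list means at least one direction will drop ESP. It is a static check of the advice given in the thread, not a replacement for looking at the box itself with show policy-map type inspect zone-pair sessions while the client pings.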
