Zone-based firewall problem!

Unanswered Question


I have a problem with the zone-based firewall on a Cisco 2821 router. This pretty new feature doesn't work for me. On the router I have one internal gigabit0/1 interface, which is in zone “IN” (in the private network), the gigabit0/0 interface in zone “OUT” (on the Internet), and one VTI in zone “IN” (to be able to communicate with g0/1 without any problem; it carries OSPF over the VPN). I have the following zone-pairs created:

zone-pair security sdm-zp-self-out source self destination out-zone

zone-pair security sdm-zp-out-self source out-zone destination self

zone-pair security sdm-zp-in-out source in-zone destination out-zone

The VPN is passing traffic, because the routing table is updated and I see all routes coming from the other side of the VPN. The problem is that I cannot pass IP/TCP/UDP traffic beyond the routers (in the private networks) on both sides. Maybe I missed a zone-pair? Please help. The problem is a bit urgent for me and any help will be highly appreciated.



torchris Wed, 11/19/2008 - 08:38

Please provide the configuration of the router.

Also, please post the output of IP INSPECT LOG DROP-PKT, if you can.



torchris Thu, 11/20/2008 - 08:29

Well, just as additional information: I had the same problem once, where the VPN tunnel was established but I was unable to pass traffic between the local LAN and the remote LAN.

In order to make it work, I made an access-list from the LOCAL LAN to the remote one and put it on the zone-pair that goes from the out-zone to the self zone.

I hope it helps.
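The setup the thread describes, written out as an added example (not the poster's or the replier's configuration): the LAN interface and the VTI share in-zone, so LAN-to-tunnel traffic is intra-zone and needs no zone-pair, while the out-zone/self zone-pairs only have to let the IPsec control and data channel between the two peers reach the router. The VTI name Tunnel0 and the peer addresses 203.0.113.1 (remote) and 198.51.100.1 (local g0/0) are placeholders.

```cisco
! Zones, using the thread's names
zone security in-zone
zone security out-zone
!
! LAN and VTI in the same zone: traffic between them is intra-zone and is
! allowed without a zone-pair, so no policy is needed for LAN <-> tunnel.
interface GigabitEthernet0/1
 zone-member security in-zone
interface GigabitEthernet0/0
 zone-member security out-zone
interface Tunnel0
 zone-member security in-zone
!
! Only the IPsec channel between the two peers may reach, or leave,
! the router itself (placeholder peer addresses).
ip access-list extended ACL-IPSEC-PEER
 remark inbound from remote peer
 permit udp host 203.0.113.1 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.1
 remark outbound to remote peer
 permit udp host 198.51.100.1 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.1
!
class-map type inspect match-all CM-IPSEC-PEER
 match access-group name ACL-IPSEC-PEER
!
! "pass", not "inspect": ESP carries no session state the firewall can
! track, and the ACL already covers both directions. Everything else
! to/from the router on the outside is dropped and logged.
policy-map type inspect PM-IPSEC-SELF
 class type inspect CM-IPSEC-PEER
  pass
 class class-default
  drop log
!
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect PM-IPSEC-SELF
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect PM-IPSEC-SELF
!
! Verify hits and drops with:
!   show policy-map type inspect zone-pair sdm-zp-out-self
```

The in-zone to out-zone pair from the thread (sdm-zp-in-out) is unchanged; its inspect policy only applies to LAN traffic going to the Internet, not to the encrypted tunnel.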

