Zone-based firewall problem !

rvr_76bg · ‎11-18-2008

Hello,

I have problem with zone-based firewall on Cisco 2821 Router. This pretty new feature doesn't work for me. On the router I have one internal gigabit0/1 Interface which is in zone â€œINâ€ (in private network), gigabit0/0 Interface in zone â€œOUTâ€ (in Internet) and one VTI in zone â€œINâ€ (to be able to communicate with g0/1 without any problem, it carries OSPF over VPN). I have the following zone-pairs created:

zone-pair security sdm-zp-self-out source self destination out-zone

zone-pair security sdm-zp-out-self source out-zone destination self

zone-pair security sdm-zp-in-out source in-zone destination out-zone

The VPN is passing traffic, because the routing table is updated and I see all routes coming from the other site of the VPN. The problem is that I cannot pass IP/TCP/UDP traffic beyond the routers (in the private networks) on both sides. May be I missed a zone-pair? Please help. The problem is a bit urgent for me and any help will be highly appreciated.

Regards,

rvr

rvr_76bg · ‎11-18-2008

Come on guys,

Nobody knows about zone-based policy firewall and how it's working? Please, help.

rvr

torchris · ‎11-19-2008

Please provide the configuration of the router.

Also, if you could post the output of the IP INSPECT LOG DROP-PKT.

Thx

Torchris

torchris · ‎11-20-2008

Well, just as additional information, I had the same problem once where the VPN tunnel is established but I am unable to pass traffic between the Local LAN and the remote LAN.

In order to make it work, I did an access-list from the LOCAL LAN to the remote one and I put it on the zone-pair that is from the out-zone to the self zone.

I hope it helps.