08-23-2010 07:45 AM - edited 03-11-2019 11:29 AM
Hello All,
I am porting the config from a 1841 that had a L2L IPSec VPN setup with a Sonicwall peer. This 1841 had a CBAC firewall on it as well. We are retiring this router and moving the VPN over to a 1941 router with a Zone-based firewall. How do I set up the ZBF to allow this IPSec VPN tunnel? Can I use VTI when connecting to a non-Cisco host (Sonicwall)? Right now there are only two zones setup (inside/outside).
Thanks!
08-23-2010 08:03 AM
Well, since you have only 2 zones it makes life much easier; you don't have to worry about permitting ESP and ISAKMP traffic in ZBF.
Now, since you have 2 zones, have the following configured for the IPsec VPN:
zone-pair out-in
match acl - remote end network to my end network
action inspect
zone-pair in-out
match acl - my end network to remote end network
action inspect
I would suggest using 15.0 code and later whenever you are implementing ZBF; it has better support for ZBF.
08-23-2010 12:11 PM
And do not configure a self zone. If you do, you will have to permit ESP and UDP 500, basically. You will need to create 2 zones, from Out to Self and another one from Self to Out, to PASS ESP.
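The two zone-pairs from the first reply, plus the Out-to-Self and Self-to-Out pass for ESP and ISAKMP from the second, written out as an added IOS example (not config from the thread or from the original poster). Assumed: inside LAN 192.168.10.0/24 on Gi0/1, remote Sonicwall LAN 192.168.20.0/24, local public address 198.51.100.1 on Gi0/0, peer 203.0.113.2; the self-zone section is only needed if you do add policies on the self zone.

```cisco
! Added example, not from the thread. Assumed addressing: inside LAN
! 192.168.10.0/24 on Gi0/1, remote LAN 192.168.20.0/24, local public
! address 198.51.100.1 on Gi0/0, Sonicwall peer 203.0.113.2.
zone security inside
zone security outside
ip access-list extended VPN-OUT-IN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended VPN-IN-OUT
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
class-map type inspect match-all CM-VPN-OUT-IN
 match access-group name VPN-OUT-IN
class-map type inspect match-all CM-VPN-IN-OUT
 match access-group name VPN-IN-OUT
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-OUT-IN
  inspect
 class class-default
  drop log
policy-map type inspect PM-IN-OUT
 class type inspect CM-VPN-IN-OUT
  inspect
 class class-default
  drop log
zone-pair security out-in source outside destination inside
 service-policy type inspect PM-OUT-IN
zone-pair security in-out source inside destination outside
 service-policy type inspect PM-IN-OUT
! Only if the self zone gets policies: decrypted tunnel traffic is still
! out-in/in-out, but IKE (UDP 500) and ESP terminate on the router itself
! and must be passed in both directions. Add management protocols here too.
ip access-list extended IKE-IPSEC
 permit esp host 203.0.113.2 host 198.51.100.1
 permit esp host 198.51.100.1 host 203.0.113.2
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
class-map type inspect match-any CM-IKE-IPSEC
 match access-group name IKE-IPSEC
policy-map type inspect PM-SELF
 class type inspect CM-IKE-IPSEC
  pass
 class class-default
  drop
zone-pair security out-self source outside destination self
 service-policy type inspect PM-SELF
zone-pair security self-out source self destination outside
 service-policy type inspect PM-SELF
interface GigabitEthernet0/0
 zone-member security outside
interface GigabitEthernet0/1
 zone-member security inside
```

Verify with `show policy-map type inspect zone-pair sessions` that inspect sessions build only for the VPN ACL ranges, and with `show crypto ipsec sa` that encaps/decaps counters increment once the self-zone pass is in place.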
08-31-2010 11:16 AM
The new router has two interfaces to the internet via two different providers. Can I run CBAC and all the VPN traffic on one public interface and zone-based on the other, internal client-serving interface? I have read that you can mix CBAC and ZBF together.