ZoneBase FW and L2L IPSec VPN

Jul 25th, 2012

I have a 2800 router connecting a small office to the Internet. I am using zone-based firewall to provide protection. The small office also needs to connect to another office. The 2800 is at the small office and an ASA at HQ. I successfully established the VPN connection and have allowed Internet access for the small office. The purpose of this post is my zone-based fw policy doesn't appear to be as secure as it could be.

2800 - I have defined two zones (inside and outside). Traffic from the inside to the outside is inspected except for the traffic to the other office. I allow traffic to the other office to "pass" zbfw. Because the traffic "passes" zbfw, I have to "pass" the same traffic for the outside to in policy. The ASA has "sysopt" to allow VPN traffic to bypass the outside_acl. Do routers and zone-based firewall have a similar feature?

Jennifer Halim (Cisco Employee) Wed, 07/25/2012 - 09:53

Yes, instead of "pass" you should configure "inspect". It will allow the outgoing traffic and will dynamically allow the return traffic. However, if you need to initiate traffic from ASA towards the router, then you would also need to configure ACL to allow that traffic, with the action "inspect" as well.
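The following IOS zone-based firewall configuration is an added example illustrating the answer above; it is not from the original post or from either poster. It shows the original "pass" policy in both directions next to the "inspect" version, with a separate outside-to-inside class only for sessions HQ initiates. All addresses, ACL names, class-map and policy-map names, and interface names are constructed placeholders (10.1.1.0/24 stands for the small-office LAN, 10.2.0.0/16 for the networks behind the ASA at HQ); the ACLs are assumed to mirror the crypto ACL of the tunnel.

```ios
! Added example, not the poster's configuration. Constructed values:
!   10.1.1.0/24  = small-office LAN behind the 2800
!   10.2.0.0/16  = HQ networks behind the ASA
! The access lists below should match the tunnel's crypto ACL.
ip access-list extended VPN-TO-HQ
 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
ip access-list extended VPN-FROM-HQ
 permit ip 10.2.0.0 0.0.255.255 10.1.1.0 0.0.0.255

! Layer-4 protocols the firewall will track statefully
class-map type inspect match-any L4-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp

! ---- Before: "pass" in both directions ----------------------------------
! "pass" is stateless, so the outside-to-inside policy needs a matching
! permanent "pass" for return traffic: any host at HQ can reach any port
! in the small office at any time.
class-map type inspect match-all VPN-OUT-PASS
 match access-group name VPN-TO-HQ
policy-map type inspect IN-TO-OUT-OLD
 class type inspect VPN-OUT-PASS
  pass
 class type inspect L4-PROTOCOLS
  inspect
 class class-default
  drop log
class-map type inspect match-all VPN-IN-PASS
 match access-group name VPN-FROM-HQ
policy-map type inspect OUT-TO-IN-OLD
 class type inspect VPN-IN-PASS
  pass
 class class-default
  drop log

! ---- After: "inspect" builds return-path state dynamically --------------
! The ACL still selects the VPN traffic; the nested class-map supplies the
! protocols to inspect. No outside-to-inside "pass" is needed any more.
class-map type inspect match-all VPN-OUT
 match access-group name VPN-TO-HQ
 match class-map L4-PROTOCOLS
policy-map type inspect IN-TO-OUT
 class type inspect VPN-OUT
  inspect
 class type inspect L4-PROTOCOLS
  inspect
 class class-default
  drop log

! Only required when hosts at HQ must initiate sessions into the small
! office; it is scoped to the VPN subnets rather than the whole outside zone.
class-map type inspect match-all VPN-IN
 match access-group name VPN-FROM-HQ
 match class-map L4-PROTOCOLS
policy-map type inspect OUT-TO-IN
 class type inspect VPN-IN
  inspect
 class class-default
  drop log

! Zones, interface membership and zone-pairs (interface names constructed)
zone security inside
zone security outside
interface FastEthernet0/0
 zone-member security inside
interface FastEthernet0/1
 zone-member security outside
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect OUT-TO-IN
```

Two points worth checking after applying the "inspect" version. First, `show policy-map type inspect zone-pair sessions` lists the dynamically created sessions, so a connection opened from the small office toward HQ should appear there and its return traffic should be accepted without any outside-to-inside entry. Second, the encrypted ISAKMP/ESP packets themselves terminate on the router, which means they flow between the outside zone and the router's self zone, not through the inside/outside zone-pair; the self zone permits that by default unless a policy has been attached to a zone-pair involving it, so the cleartext policy above only has to describe the decrypted traffic.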