Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Challenges Implementing Self Zone in ZBF

Trying to wrap my head around ZBF. I have it working to a point - except VPN connections can no longer be established once I implement the zone-pairs. I thought it might be the Access-List, so I added additional statements for VPN.

Using IPSec and WebSSL

What I put in is below:

ip access-list extended Outside_Self

permit icmp any any echo

permit ah any any

permit esp any any

permit gre any any

permit udp any eq isakmp any

permit upd any eq non500-isakmp any

ip access-list extended Management-Protocols

permit tcp any any eq 22

permit tcp any any eq 443

permit icmp any any echo

class-map type inspect match-any Out_Self

match access-group name Outside_Self

class-map type inspect match-any Router-Management

match access-group name Management-Protocols

policy-map type inspect Inside-To-Router

class type inspect Router-Management


class class-default

policy-map type inspect Router-To-Inside

class class-default


policy-map type inspect Outside-Router

class type inspect Out_Self


class class-default

drop log

zone-pair security Outside-To-Router source outside destination self

zone-pair security Inside-To-Router source inside destination self

zone-pair security Router-To-Inside source self destination inside

CreatePlease to create content