
New Member

IOS Zone-Based Firewall and Easy VPN client configuration

I really don't know where to post this question whether in VPN section or here in Firewalling hence sorry if you find it in both.
The customer migrates from CBAC to ZBF on their 800 series routers and, to complicate things, these routers connect to the HQ via VPN as Easy VPN Remote clients. The client is configured with network extension mode to allow access from the HQ network to the network behind the router:

crypto ipsec client ezvpn NAME
  connect auto
  group Stores key ***********
  mode network-extension
  username name password 6 ********
  xauth userid mode local

Now I'm lost and don't know how to configure zones for this traffic. There's a zone-pair, i.e. INTERNET-SELF, that allows all required traffic including ISAKMP and IPsec; the tunnel seems to be up but of course there's no connectivity to the internal network behind the router. Is there any good reference guide except those that supposedly show how to configure it with the virtual template interface? This particular guide describes Easy VPN Server, not the client. There are of course zone-pairs for internal VLANs, i.e.
zone-pair VLAN1-INTERNET
zone-pair VLAN3-INTERNET
and users from these vlans seem to be able to access internet based on configured policy-map.

Thanks in advance for any help.


Cisco Employee

Re: IOS Zone-Based Firewall and Easy VPN client configuration


Would you please enable ip inspect log drop-pkt in global configuration mode, then do term mon... and try to send some traffic? I would like to see the log from the firewall when the packets are being dropped.

Most likely you will need to enable the traffic from the HQ network to your network and put it as inspect.




Re: IOS Zone-Based Firewall and Easy VPN client configuration

Hi Eugene,

I am guessing we are using EZVPN with DVTI in our implementation. (Virtual Tunnel Interface and Virtual Templates)

First, we need to make the Virtual Template a part of some Zone so that the tunnel interface becomes a part of some zone. Let us say we call it EZVPN zone.

In this case it is a better idea to configure a pass action on the VPN traffic in both the In-EZVPN zone pair and EZVPN-In zone pair to allow bidirectional VPN traffic.

Create an ACL permitting traffic from Local Subnet to Remote Subnet and create a class map with the same. Reference this class map (Local Subnet to Remote Subnet) in the InZone-EZVPN zone-pair Policy Map.

Also, create an ACL permitting traffic from Remote Subnet to Local Subnet and create a class map with the same. Reference this class map (Remote Subnet to Local Subnet) in the EZVPN-InZone zone-pair Policy Map.

Also, the class maps classifying this traffic should be placed at the top of the policy map.

By default, all sorts of traffic destined to the Router (Self Zone) is allowed. So, unless you have a policy map attached to the zone pairs containing the Self Zone already, it is a better idea not to configure any policies for those Zone pairs.

If this still doesn't resolve the problem, please do as Maykol suggested so that we can isolate the issue.



P.S.: INZONE -- Zone containing the LAN interface of the Router connecting to your Local LAN.
      Self Zone -- The router itself.
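The steps described in the answer above, written out as a complete IOS configuration. This is an added example for this thread, not configuration posted by either participant or taken from Cisco documentation; the zone names (INSIDE, EZVPN, INTERNET), the subnets 192.168.10.0/24 (local) and 10.0.0.0/8 (HQ), the interfaces Vlan1 and FastEthernet4, and the peer address 203.0.113.1 are all assumptions chosen for illustration. The existing INTERNET-SELF zone-pair that already permits ISAKMP and IPsec is left as the original poster has it and is not repeated here.

```cisco
! --- Added example: EZVPN Remote (network-extension) + ZBF with a DVTI ---
! Zone, subnet, interface and peer names are assumptions, not from the thread.
zone security INSIDE
zone security EZVPN
zone security INTERNET
!
! The Easy VPN Remote client uses a virtual-interface so that the tunnel
! terminates on a Virtual-Template that can be made a zone member.
crypto ipsec client ezvpn NAME
 connect auto
 group Stores key ***********
 mode network-extension
 peer 203.0.113.1
 virtual-interface 1
 username name password 6 ********
 xauth userid mode local
!
! The Virtual-Template is the cloned tunnel interface; it carries the EZVPN zone.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 zone-member security EZVPN
 tunnel mode ipsec ipv4
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
 crypto ipsec client ezvpn NAME inside
!
interface FastEthernet4
 ip address dhcp
 zone-member security INTERNET
 crypto ipsec client ezvpn NAME
!
! Classify tunnel traffic in each direction separately.
ip access-list extended LOCAL-TO-HQ
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
ip access-list extended HQ-TO-LOCAL
 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
!
class-map type inspect match-all CM-LOCAL-TO-HQ
 match access-group name LOCAL-TO-HQ
class-map type inspect match-all CM-HQ-TO-LOCAL
 match access-group name HQ-TO-LOCAL
!
! "pass" is stateless, so it must be configured in both zone-pairs.
! Everything not matching the VPN class is dropped and logged.
policy-map type inspect PM-INSIDE-EZVPN
 class type inspect CM-LOCAL-TO-HQ
  pass
 class class-default
  drop log
policy-map type inspect PM-EZVPN-INSIDE
 class type inspect CM-HQ-TO-LOCAL
  pass
 class class-default
  drop log
!
zone-pair security INSIDE-EZVPN source INSIDE destination EZVPN
 service-policy type inspect PM-INSIDE-EZVPN
zone-pair security EZVPN-INSIDE source EZVPN destination INTERNET
 service-policy type inspect PM-EZVPN-INSIDE
!
! Verification / troubleshooting (global config then exec mode):
!   ip inspect log drop-pkt          ! log ZBF drops, as suggested earlier in the thread
!   show crypto ipsec client ezvpn   ! tunnel state and the cloned Virtual-Access interface
!   show zone-pair security
!   show policy-map type inspect zone-pair EZVPN-INSIDE
```

The two pass classes sit at the top of their policy maps, as the answer recommends, and class-default drops everything else so that only the two subnets can cross the tunnel interface. If stateful handling of the HQ-initiated sessions is preferred, replace `pass` with `inspect` in PM-EZVPN-INSIDE, which is what the first reply suggests; return traffic is then matched by the session table and the INSIDE-EZVPN direction only needs to permit what the branch itself initiates toward HQ. Note that the second zone-pair must have `destination INSIDE`, not INTERNET, for the HQ-to-local traffic to be evaluated by PM-EZVPN-INSIDE.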

Re: IOS Zone-Based Firewall and Easy VPN client configuration

Do you guys have a configuration example that works for that? I would really appreciate it.

