Cisco Support Community

New Member

IPSec VPN through ZBF

Hello All,

I am porting the config from a 1841 that had a L2L IPSec VPN setup with a Sonicwall peer. This 1841 had a CBAC firewall on it as well. We are retiring this router and moving the VPN over to a 1941 router with a Zone-based firewall. How do I set up the ZBF to allow this IPSec VPN tunnel? Can I use VTI when connecting to a non-Cisco host (Sonicwall)? Right now there are only two zones setup (inside/outside).


Cisco Employee

Re: IPSec VPN through ZBF

Well, since you only have two zones, it makes life much easier: you don't have to worry about permitting ESP and ISAKMP traffic in ZBF.

Now, since you have two zones, have the following configured for the IPsec VPN:

zone-pair out-in

match acl - remote end network to my end network

action inspect

zone-pair in-out

match acl - my end network to remote end network

action inspect

I would suggest using 15.0 code or later whenever you implement ZBF; it has better support for ZBF.

Re: IPSec VPN through ZBF

And don't configure a self zone. If you do, you will have to permit ESP and UDP 500, basically. You will need to create two: one from out to self and another one from self to out, to PASS ESP.
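As an added example that is not part of this thread, the following IOS configuration puts the two replies above together: a crypto-map (policy-based) site-to-site tunnel, the in-out and out-in zone-pairs that inspect the tunnelled traffic, and, for the case where a self zone is in use, the out-self and self-out zone-pairs that pass IKE (UDP 500), NAT-T (UDP 4500) and ESP. All addresses, ACL and class-map names and the pre-shared-key placeholder are constructed for illustration and must be replaced with your own values.

```cisco
! ---- Constructed example topology (not from the original post) ----
! Local LAN      192.168.10.0/24 behind Gi0/1  (zone inside)
! Remote LAN     192.168.20.0/24 behind SonicWall peer 203.0.113.2
! Our public IP  198.51.100.1 on Gi0/0           (zone outside)

! ---- IKE / IPsec (policy-based, crypto map) ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_PSK address 203.0.113.2
crypto ipsec transform-set TS-SONICWALL esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended ACL-VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-SONICWALL
 match address ACL-VPN-INTERESTING

! ---- Zones ----
zone security inside
zone security outside

! ---- inside -> outside: inspect LAN traffic (Internet and VPN alike) ----
ip access-list extended ACL-IN-TO-OUT
 permit ip 192.168.10.0 0.0.0.255 any
class-map type inspect match-all CM-IN-OUT
 match access-group name ACL-IN-TO-OUT
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop
zone-pair security in-out source inside destination outside
 service-policy type inspect PM-IN-OUT

! ---- outside -> inside: only the decrypted remote-LAN flows ----
! With a crypto map, decrypted packets are classified in the outside
! zone of the physical interface, so this pair is what admits them.
ip access-list extended ACL-VPN-REMOTE-TO-LOCAL
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
class-map type inspect match-all CM-OUT-IN
 match access-group name ACL-VPN-REMOTE-TO-LOCAL
policy-map type inspect PM-OUT-IN
 class type inspect CM-OUT-IN
  inspect
 class class-default
  drop
zone-pair security out-in source outside destination inside
 service-policy type inspect PM-OUT-IN

! ---- self zone (only needed if you police router-destined traffic) ----
! IKE, NAT-T and ESP terminate on the router itself, and "pass" is
! stateless, so both directions must be permitted explicitly.
ip access-list extended ACL-IPSEC-CTRL
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 permit udp host 198.51.100.1 host 203.0.113.2 eq non500-isakmp
 permit esp host 198.51.100.1 host 203.0.113.2
class-map type inspect match-any CM-IPSEC-CTRL
 match access-group name ACL-IPSEC-CTRL
policy-map type inspect PM-IPSEC-PASS
 class type inspect CM-IPSEC-CTRL
  pass
 class class-default
  drop
zone-pair security out-self source outside destination self
 service-policy type inspect PM-IPSEC-PASS
zone-pair security self-out source self destination outside
 service-policy type inspect PM-IPSEC-PASS

! ---- Interfaces ----
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 zone-member security outside
 crypto map CM-VPN
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 zone-member security inside
```

Two caveats on the self-zone part: if you omit the out-self and self-out zone-pairs entirely, traffic to and from the router itself is not filtered by ZBF and the tunnel comes up with no extra configuration, which is what the first reply relies on. If you do add them with a `drop` class-default as shown, everything else the router sends or receives on that interface (SSH, SNMP, NTP, routing protocols, ICMP) is dropped too, so extend ACL-IPSEC-CTRL or add a second class for the management and control traffic you need before applying it. Once applied, `show policy-map type inspect zone-pair out-self` and `show crypto ipsec sa` are the quickest way to confirm that ESP is being passed and encap/decap counters are increasing.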

New Member

Re: IPSec VPN through ZBF

The new router has two interfaces to the Internet via two different providers. Can I run CBAC and all the VPN traffic on one public interface, and zone-based on the other interface that serves the internal clients? I have read that you can mix CBAC and ZBF together.
