
VPN pass through and the Self Zone and NAT

Hi

If we have a router running zone based firewall and doing NAT but the VPN terminates on an ASA in the inside zone, do we need to consider the incoming client VPNs as being destined for the "self" zone if we are using NAT overloading through the outside interface of the router?

Accepted Solution

Re: VPN pass through and the Self Zone and NAT

No

The rules are below:

* Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an outside zone.

* The self zone controls traffic sent to the router itself or originated by the router.

* Unless you specify a zone-pair combining self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected)

* To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.

* To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.

HTH
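A configuration sketch of the rules in the answer above, added here as an illustration and not taken from the original thread. It assumes a router with GigabitEthernet0/0 facing the LAN (10.1.1.0/24, ASA outside interface at 10.1.1.10) and GigabitEthernet0/1 facing the Internet (203.0.113.2), PAT for outbound traffic, static port translations so remote IKE/NAT-T clients reach the ASA, and a single management host 198.51.100.7 allowed to SSH to the router itself. All names and addresses are made up for the example (RFC 5737 documentation ranges). The OUTSIDE-to-INSIDE policy matches the ASA's inside (post-NAT) address, which is the address the zone-based firewall sees for traffic entering the outside interface after the static translation has been applied; ESP carries no ports, so it is passed rather than inspected, in both directions.

```ios
! --- Zones and interface membership (names are assumed for the example)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN towards the ASA (ASA outside = 10.1.1.10)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
!
! --- NAT: overload for the LAN, static port forwards so remote VPN clients
!     hitting 203.0.113.2 on UDP 500/4500 land on the ASA
ip access-list standard NAT-SOURCES
 permit 10.1.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
ip nat inside source static udp 10.1.1.10 500 203.0.113.2 500 extendable
ip nat inside source static udp 10.1.1.10 4500 203.0.113.2 4500 extendable
!
! --- Transit policy OUTSIDE -> INSIDE: this is where the client VPN traffic
!     belongs. It is transit traffic through the router, not traffic to "self".
ip access-list extended VPN-TO-ASA-UDP
 permit udp any host 10.1.1.10 eq isakmp
 permit udp any host 10.1.1.10 eq non500-isakmp
ip access-list extended VPN-TO-ASA-ESP
 permit esp any host 10.1.1.10
!
class-map type inspect match-all CM-VPN-UDP
 match access-group name VPN-TO-ASA-UDP
class-map type inspect match-all CM-VPN-ESP
 match access-group name VPN-TO-ASA-ESP
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-VPN-UDP
  inspect
 class type inspect CM-VPN-ESP
  pass
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
! --- Transit policy INSIDE -> OUTSIDE: LAN out to the Internet (inspected so
!     replies come back), plus ESP from the ASA passed in this direction too
class-map type inspect match-any CM-LAN-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all CM-ESP-OUT
 match access-group name ESP-ANY
ip access-list extended ESP-ANY
 permit esp any any
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-ESP-OUT
  pass
 class type inspect CM-LAN-OUT
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! --- Self zone: only needed to protect the router itself. Once this pair
!     exists, ONLY what it permits reaches the router from OUTSIDE, so any
!     router-terminated service (SSH, routing protocols, ICMP, NTP) must be
!     listed here. The VPN traffic to the ASA is NOT affected by this pair.
ip access-list extended MGMT-TO-ROUTER
 permit tcp host 198.51.100.7 host 203.0.113.2 eq 22
!
class-map type inspect match-all CM-MGMT
 match access-group name MGMT-TO-ROUTER
!
policy-map type inspect PM-OUT-SELF
 class type inspect CM-MGMT
  inspect
 class class-default
  drop log
!
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-SELF
```

With this in place, `show policy-map type inspect zone-pair OUT-IN` should show the IKE/NAT-T sessions and the ESP pass counters incrementing while a client connects, and nothing VPN-related should appear in the OUT-SELF pair. No self-to-OUTSIDE pair is defined, so traffic the router originates itself (NAT keepalives, DNS lookups from the router, and so on) is still allowed by default, as the answer's third rule describes.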
