Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Zone-based Firewall & Easy VPN

I'm a little confused about the zoning requirements with easy vpn. Considering the following setup on an 871 router:

interface vlan 1

desc Direct Internet Access

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface vlan 2

desc Corporate Resources Access

ip address 10.1.1.1 255.255.255.224

crypto ipsec client ezvpn Corp inside

interface Fa4

desc Public

ip address x.x.x.x x.x.x.x

ip nat outside

crypto ipsec client ezvpn Corp outside

How would this be zoned so that all traffic from vlan2 only goes across the ipsec tunnel, all traffic from vlan1 goes to the internet, traffic cannot flow between vlan1 & vlan2, & no inbound traffic from the internet except return traffic for vlan1 and DNS (proxied by the router). I've seen some solutions with the classic firewall configurations, but not with the zone-based. Thanks for any insight.

1 REPLY
Bronze

Re: Zone-based Firewall & Easy VPN

Create a crypto ACL for vlan2 to make all traffic go through the vpn tunnel. You can disable inter vlan routing to stop the traffic from vlan and vlan2 to flow between. Following link may help you

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/vpnezvpn.html

198
Views
0
Helpful
1
Replies