We have a site-to-site VPN between an 800 series router and a VPN concentrator. I want to implement the Zone-Based Firewall on the router.
On the 800 series router, once I apply the zone to the outside interface, which is "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?
ip access-list extended county-out
 permit ip any 192.168.60.0 0.0.0.255
ip access-list extended county-in
 permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended esp-traffic
 permit esp any any
!
class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic
class-map type inspect match-all ICMPReply
 match access-group name ICMPReply
class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
class-map type inspect match-any out-in
 match access-group name county-out
!
policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
  pass
 class type inspect IPSec
  pass
 class class-default
  drop log
policy-map type inspect access-county
 class type inspect in-out
  inspect
 class class-default
  drop
policy-map type inspect county-out
 class type inspect out-in
  inspect
!
zone security in-zone
zone security out-zone
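For readers following the thread, here is the rest of the Zone-Based Firewall skeleton that the class-maps and policy-maps above plug into: zone membership on the interfaces and the three zone-pairs, including the one that puts the router's own self zone behind the OutToSelf policy. This is an added example, not the poster's configuration; the interface names (Vlan1 for the LAN, Dialer1 for the outside) and the zone-pair names are assumptions. Two behaviours worth keeping in mind while troubleshooting a tunnel that drops after the zones are applied: traffic to and from the self zone is permitted by default only until a zone-pair with a policy is defined for that direction, after which anything not matched by a pass or inspect class falls into class-default and is dropped; and pass is one-directional, so router-originated IKE and ESP depend on the self-to-out-zone direction, which stays at its default (permit) as long as no zone-pair is defined for it.

```cisco
! Added example (not the poster's configuration). Interface names
! (Vlan1, Dialer1) and zone-pair names are assumptions.
!
! Zones and interface membership
zone security in-zone
zone security out-zone
!
interface Vlan1
 zone-member security in-zone
!
interface Dialer1
 zone-member security out-zone
!
! Internet -> router (self zone): only the ICMP error replies, IKE
! (UDP 500), NAT-T (UDP 4500) and ESP defined in the class-maps above
! are passed; everything else hits class-default and is dropped and logged.
! 'pass' does not create a session, so the reverse direction
! (self -> out-zone) must remain allowed; here it is left at its
! default by not defining a zone-pair for it.
zone-pair security out-self source out-zone destination self
 service-policy type inspect OutToSelf
!
! LAN -> Internet: stateful inspection of the protocols in class in-out,
! so return traffic is admitted automatically
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county
!
! Internet -> LAN: decrypted traffic from the VPN peer's 192.168.60.0/24
! network enters on Dialer1 and is inspected per class out-in
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect county-out
```

If the tunnel still fails after the zone-pairs are in place, "show policy-map type inspect zone-pair out-self" shows per-class packet counters for the self-zone policy, and "ip inspect log drop-pkt" logs exactly which packets class-default is dropping, which is the quickest way to tell whether IKE, NAT-T or ESP is the traffic being blocked.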
Thanks for the reply! It does work when I modify the self out-zone with IP any any. However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not onsite; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try the "ip inspect log drop-pkt".