Cisco Support Community
How do I allow ESP traffic through zone firewall to Avaya VPN Phone?

I've got a 3825 set up on my home network and everything is working except for my company-provided Avaya VPN phone. Previously I had used the old-style CBAC firewall and it worked fine - once I put a rule in to allow inbound ESP traffic. I can't figure out how to do that with the ZBFW. Can anyone help? My current config is below. The VPN phone is located on VLAN 14, in the "Trusted" security zone. Thanks!

Using 4591 out of 491512 bytes
!
! Last configuration change at 03:18:34 UTC Wed Sep 24 2014
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname phil-r1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.15.1 192.168.15.100
ip dhcp excluded-address 192.168.16.1 192.168.16.100
ip dhcp excluded-address 192.168.14.1 192.168.14.100
!
ip dhcp pool lwapp-pool
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
option 43 hex f104.c0a8.6318
!
ip dhcp pool vlan-15
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool vlan-16
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool vlan-14
network 192.168.14.0 255.255.255.0
default-router 192.168.14.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip cef
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
!
redundancy
!
!
!
class-map type inspect match-any Guest_Protocols
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect Trusted
class class-default
pass
policy-map type inspect Guest_to_Internet
class type inspect Guest_Protocols
inspect
class class-default
drop
policy-map type inspect Trusted_to_Internet
class type inspect All_Protocols
inspect
class class-default
drop
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted source Trusted destination Trusted
service-policy type inspect Trusted
zone-pair security Trusted->Internet source Trusted destination Internet
service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
service-policy type inspect Guest_to_Internet
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type sfp
negotiation auto
!
interface GigabitEthernet0/1
description Outside - TWC Roadrunner
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security Internet
duplex auto
speed auto
media-type rj45
!
interface Integrated-Service-Engine1/0
description Internally connected to NME-AIR-WLC8-K9
ip address 192.168.99.254 255.255.255.0
no keepalive
!
interface Integrated-Service-Engine1/0.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Trusted
!
interface Integrated-Service-Engine1/0.16
encapsulation dot1Q 16
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Guest
!
interface GigabitEthernet2/0
description Internally connected to NME-16ES-1G-P
ip address 20.0.0.1 255.255.255.0
load-interval 30
!
interface GigabitEthernet2/0.14
encapsulation dot1Q 14
ip address 192.168.14.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security Trusted
!
interface GigabitEthernet2/0.100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list standard NAT
permit 192.168.14.0 0.0.0.255
permit 192.168.15.0 0.0.0.255
permit 192.168.16.0 0.0.0.255
!
!
!
!
!
!
!
!
!
control-plane
!
bridge 15 protocol ieee
bridge 16 protocol ieee
!
!
line con 0
password 7
line aux 0
exec-timeout 0 1
no exec
transport output none
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class 99 in
privilege level 2
transport input ssh
transport output all
line vty 5 924
access-class 99 in
privilege level 2
transport input ssh
transport output all
!
scheduler allocate 20000 1000
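Added example (not from the original post or any reply) showing the ZBFW change that the posted config is missing. In the config above, Trusted_to_Internet only inspects tcp, udp and icmp; ESP is IP protocol 50, so it matches none of those and falls into class-default drop, and there is no Internet->Trusted zone-pair at all, so inbound ESP is dropped by default. ZBFW cannot stateful-inspect ESP, so it has to be passed statelessly, and because pass is unidirectional it must be allowed on both zone-pairs. The phone address 192.168.14.50 and the Avaya gateway address 203.0.113.10 are hypothetical placeholders; replace them with the real ones. NAT is left exactly as in the post (it worked under CBAC, so PAT handling of ESP is not the problem here).

```cisco
! Added example, not the poster's config. Assumed addresses:
!   phone       192.168.14.50 (hypothetical, VLAN 14, zone Trusted)
!   VPN gateway 203.0.113.10  (hypothetical documentation address)
!
! Outbound: ESP from the phone to the gateway. IKE (UDP 500) and NAT-T
! (UDP 4500) are already covered by 'match protocol udp' + inspect in
! Trusted_to_Internet, so only ESP needs a stateless pass.
ip access-list extended VPN-PHONE-ESP-OUT
 permit esp host 192.168.14.50 host 203.0.113.10
!
! Inbound: ESP from the gateway. Inbound NAT (outside->inside) runs before
! the zone policy, so the destination the firewall sees should already be
! the phone's inside address; 'any' is used here so the example does not
! depend on that, and can be tightened to 'host 192.168.14.50' afterwards.
ip access-list extended VPN-PHONE-ESP-IN
 permit esp host 203.0.113.10 any
!
class-map type inspect match-all ESP_Out
 match access-group name VPN-PHONE-ESP-OUT
class-map type inspect match-all ESP_In
 match access-group name VPN-PHONE-ESP-IN
!
! Add a pass class to the existing outbound policy. class-default is always
! evaluated last, so the new class takes precedence over the existing drop.
policy-map type inspect Trusted_to_Internet
 class type inspect ESP_Out
  pass
!
! New inbound policy: pass ESP only, drop and log everything else.
policy-map type inspect Internet_to_Trusted
 class type inspect ESP_In
  pass
 class class-default
  drop log
!
! New zone-pair so the inbound policy is actually applied.
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
```

Two checks once this is in: `show policy-map type inspect zone-pair Internet->Trusted` should show pass counters on ESP_In climbing while the phone registers, and `show ip nat translations | include esp` should show the phone's ESP translation. If the counters stay at zero but the phone still fails, the phone is most likely negotiating NAT-T (UDP 4500), which is already inspected by the existing udp match and needs nothing extra; in that case the failure lies elsewhere. Adding the Internet->Trusted zone-pair does not affect return traffic for sessions inspected on Trusted->Internet; those are matched by the session table before the policy is consulted.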
