How do I allow ESP traffic through zone firewall to Avaya VPN Phone?
I've got a 3825 set up on my home network and everything is working except for my company provided Avaya VPN phone. Previously I had used the old style CBAC firewall and it worked fine - once I put a rule in to allow inbound ESP traffic. I can't figure out how to do that with the ZBFW. Can anyone help? My current config is below. The VPN phone is located on VLAN 14, in the "Trusted" security zone. Thanks!
Using 4591 out of 491512 bytes
!
! Last configuration change at 03:18:34 UTC Wed Sep 24 2014
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname phil-r1
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
!
dot11 syslog
ip source-route
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.15.1 192.168.15.100
ip dhcp excluded-address 192.168.16.1 192.168.16.100
ip dhcp excluded-address 192.168.14.1 192.168.14.100
!
ip dhcp pool lwapp-pool
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 option 43 hex f104.c0a8.6318
!
ip dhcp pool vlan-15
 network 192.168.15.0 255.255.255.0
 default-router 192.168.15.1
 dns-server 184.108.40.206 220.127.116.11
!
ip dhcp pool vlan-16
 network 192.168.16.0 255.255.255.0
 default-router 192.168.16.1
 dns-server 18.104.22.168 22.214.171.124
!
ip dhcp pool vlan-14
 network 192.168.14.0 255.255.255.0
 default-router 192.168.14.1
 dns-server 126.96.36.199 188.8.131.52
!
ip cef
!
no ip domain lookup
ip name-server 184.108.40.206
ip name-server 220.127.116.11
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
redundancy
!
class-map type inspect match-any Guest_Protocols
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect Trusted
 class class-default
  pass
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted source Trusted destination Trusted
 service-policy type inspect Trusted
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type sfp
 negotiation auto
!
interface GigabitEthernet0/1
 description Outside - TWC Roadrunner
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 duplex auto
 speed auto
 media-type rj45
!
interface Integrated-Service-Engine1/0
 description Internally connected to NME-AIR-WLC8-K9
 ip address 192.168.99.254 255.255.255.0
 no keepalive
!
interface Integrated-Service-Engine1/0.15
 encapsulation dot1Q 15
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Trusted
!
interface Integrated-Service-Engine1/0.16
 encapsulation dot1Q 16
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Guest
!
interface GigabitEthernet2/0
 description Internally connected to NME-16ES-1G-P
 ip address 18.104.22.168 255.255.255.0
 load-interval 30
!
interface GigabitEthernet2/0.14
 encapsulation dot1Q 14
 ip address 192.168.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security Trusted
!
interface GigabitEthernet2/0.100
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface GigabitEthernet0/1 overload
!
ip access-list standard NAT
 permit 192.168.14.0 0.0.0.255
 permit 192.168.15.0 0.0.0.255
 permit 192.168.16.0 0.0.0.255
!
control-plane
!
bridge 15 protocol ieee
bridge 16 protocol ieee
!
line con 0
 password 7
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class 99 in
 privilege level 2
 transport input ssh
 transport output all
line vty 5 924
 access-class 99 in
 privilege level 2
 transport input ssh
 transport output all
!
scheduler allocate 20000 1000
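An added example of the usual ZBFW approach for this case (editor's example, not part of the poster's config): ESP carries no ports or session state for inspect to track, so it is matched with an ACL and given the pass action, and because pass is one-way it is needed both in the existing Trusted_to_Internet policy (outbound ESP currently falls through to class-default drop, since All_Protocols only matches tcp/udp/icmp) and in a new Internet-to-Trusted zone-pair for the inbound direction; IKE on UDP 500/4500 is already handled by the inspected udp match. The names ESP_ACL, ESP_Class, Internet_to_Trusted and Internet->Trusted are assumed.

```cisco
! Added example, not from the original post: pass ESP for the VPN phone through ZBFW.
! ESP (IP protocol 50) has no ports or session state, so it cannot be inspected;
! match it with an ACL and use "pass", which is one-way and must be applied both ways.
! The ACL could be narrowed to the phone's VLAN 14 address instead of "any any".
ip access-list extended ESP_ACL
 permit esp any any
!
class-map type inspect match-all ESP_Class
 match access-group name ESP_ACL
!
! Outbound: add the ESP class to the existing Trusted_to_Internet policy.
! The udp match in All_Protocols already inspects IKE on UDP 500/4500.
policy-map type inspect Trusted_to_Internet
 class type inspect ESP_Class
  pass
 class type inspect All_Protocols
  inspect
 class class-default
  drop
!
! Inbound: a new policy and zone-pair from Internet to Trusted that passes ESP only;
! every other unsolicited packet from the Internet is still dropped.
policy-map type inspect Internet_to_Trusted
 class type inspect ESP_Class
  pass
 class class-default
  drop
!
zone-pair security Internet->Trusted source Internet destination Trusted
 service-policy type inspect Internet_to_Trusted
```

After applying it, `show policy-map type inspect zone-pair Internet->Trusted` shows the per-class packet counters, so a phone that still fails to register can be checked for whether its ESP is reaching the pass class or being counted under class-default drop.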