Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cisco VPN cannot establish - ZBF block


My 2811 router is an EZVPN server.

I have Cisco clients connecting via VPN - no problem.

The problem is going out (outbound) and connecting to another EZVPN remote server, somehow there ZBF is blocking some the VPN client.

I use another internet line, and i have no problem connecting to the remote server.

Please help if you can spot any error on my summarized config:

policy-map type inspect A_OUTBOUND_POLICY

class type inspect 1_INVALID_TRAFFIC

  drop log

class type inspect 2_TORRENT_TRAFFIC


class type inspect 3_ICMP_TRAFFIC


class type inspect 6_VUE_TRAFFIC


class type inspect 7_GRE_TRAFFIC


class type inspect 8_VPN_TRAFFIC


class type inspect 9_INTERNET_TRAFFIC


class class-default


zone-pair security ZP1-3 source ZONE-1 destination ZONE-3

service-policy type inspect A_OUTBOUND_POLICY

class-map type inspect match-all 1_INVALID_TRAFFIC

match access-group name INVALID_LIST

class-map type inspect match-any 2_TORRENT_TRAFFIC

match protocol bittorrent

match protocol gnutella

class-map type inspect match-all 3_ICMP_TRAFFIC

match class-map CLASS_ICMP_OUT

class-map type inspect match-all 6_VUE_TRAFFIC

match protocol tcp

match access-group 199

class-map type inspect match-all 8_VPN_TRAFFIC

match class-map CLASS_ANY_VPN

class-map type inspect match-any 7_GRE_TRAFFIC

match class-map CLASS_GRE

match class-map CLASS_ESP

class-map type inspect match-all 9_INTERNET_TRAFFIC

match class-map CLASS_INTERNET

class-map type inspect match-any CLASS_AH

match access-group name ACL_AH

class-map type inspect match-any CLASS_ESP

match access-group name ACL_ESP

ip access-list extended ACL_AH

permit ahp any any

ip access-list extended ACL_ESP

permit esp any any

ip access-list extended ACL_GRE

permit gre any any

ip access-list extended ACL_IP

permit ip any any

ip access-list extended ACL_L2TP

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit esp any any

class-map type inspect match-any CLASS_ANY_VPN

match class-map CLASS_AH

match class-map CLASS_ESP

match access-group name ACL_L2TP

class-map type inspect match-all CLASS_L2TP

match access-group name ACL_L2TP

class-map type inspect match-any CLASS_GRE

match access-group name ACL_GRE

match access-group name ACL_L2TP

class-map type inspect match-any CLASS_INTERNET

match protocol dns

match protocol ftp

match protocol telnet

match protocol h323

match protocol http

match protocol https

match protocol pop3

match protocol smtp

match protocol vdolive

match protocol tcp

match protocol udp


Everyone's tags (2)
CreatePlease login to create content