Easy VPN Remote Client and Zone-based firewall configuration, how to define zones?

zheka_pefti
Level 2

I really don't know whether to post this question in the VPN section or here in Firewalling, hence sorry if you find it in both.
The customer migrates from CBAC to ZBF on their 800 series routers and, to complicate things, these routers connect to the HQ via VPN as Easy VPN Remote clients. The client is configured with network extension mode to allow access from the HQ network to the network behind the router:


! Easy VPN Remote client profile (group key, peer address and password masked by the poster)
crypto ipsec client ezvpn NAME
 connect auto
 group Stores key ***********
 ! network-extension mode: the LAN behind the router is reachable from HQ with its own addresses
 mode network-extension
 peer xxx.xxx.xxx.xxx
 username name password 6 ********
 xauth userid mode local

Now I'm lost and don't know how to configure zones for this traffic. There's a zone-pair, i.e. INTERNET-SELF, that allows all required traffic including ISAKMP and IPsec; the tunnel seems to be up, but of course there's no connectivity to the internal network behind the router. Is there any good reference guide except those that supposedly show how to configure it with the virtual template interface? That particular guide describes the Easy VPN Server, not the client. There are of course zone-pairs for the internal VLANs, i.e.
zone-pair VLAN1-INTERNET
zone-pair VLAN3-INTERNET
and users from these VLANs seem to be able to access the internet based on the configured policy-map.

Thanks in advance for any help.

Eugene

1 Reply

Jitendriya Athavale
Cisco Employee

This is what you need to do:

In your OUT-to-SELF zone-pair, inspect the following traffic, and if you have a SELF-to-OUT zone-pair, do the same:

udp 500 - ISAKMP

udp 4500 - if the VPN is with a client or hardware that is behind a NAT device

ip 50 - ESP

I think you have already done these; just make sure these ports are matched as both src and dst.

Now, in your OUT-to-IN zone-pair (probably INTERNET to VLAN in your case):

inspect IP traffic from the remote network to your network,

and preferably do the same in IN-to-OUT (VLAN to INTERNET).

This is it.

Hope it helps.
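A worked Zone-Based Firewall configuration that follows the steps in the reply above, added here as an example and not taken from the thread. Zone names, interface names (FastEthernet4 as WAN, Vlan1 as store LAN) and all addresses are assumptions; 203.0.113.10 stands for the HQ Easy VPN server, 10.1.0.0/16 for the HQ LAN and 192.168.1.0/24 for the store LAN.

```cisco
! Zones: WAN interface is INTERNET, store LAN is VLAN1; the "self" zone is built in.
! Interface names are assumptions for an 800-series router.
zone security INTERNET
zone security VLAN1
interface FastEthernet4
 zone-member security INTERNET
interface Vlan1
 zone-member security VLAN1
! Constructed addresses: 203.0.113.10 = HQ Easy VPN server, 10.1.0.0/16 = HQ LAN,
! 192.168.1.0/24 = store LAN. Ports are matched as both src and dst, per the reply.
ip access-list extended ACL-VPN-CONTROL
 permit udp host 203.0.113.10 eq isakmp any eq isakmp
 permit udp any eq isakmp host 203.0.113.10 eq isakmp
 permit udp host 203.0.113.10 eq non500-isakmp any eq non500-isakmp
 permit udp any eq non500-isakmp host 203.0.113.10 eq non500-isakmp
ip access-list extended ACL-VPN-ESP
 permit esp host 203.0.113.10 any
 permit esp any host 203.0.113.10
ip access-list extended ACL-HQ-TO-STORE
 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
class-map type inspect match-all CM-VPN-CONTROL
 match access-group name ACL-VPN-CONTROL
class-map type inspect match-all CM-VPN-ESP
 match access-group name ACL-VPN-ESP
class-map type inspect match-all CM-HQ-TO-STORE
 match access-group name ACL-HQ-TO-STORE
! INTERNET <-> self: ISAKMP and NAT-T are stateful-inspected; ESP is passed because
! ZBF inspection covers TCP/UDP/ICMP only. Add classes for other router-originated
! traffic (DNS, NTP, syslog) before class-default when reusing this on SELF-INTERNET.
policy-map type inspect PM-INTERNET-SELF
 class type inspect CM-VPN-CONTROL
  inspect
 class type inspect CM-VPN-ESP
  pass
 class class-default
  drop log
zone-pair security INTERNET-SELF source INTERNET destination self
 service-policy type inspect PM-INTERNET-SELF
zone-pair security SELF-INTERNET source self destination INTERNET
 service-policy type inspect PM-INTERNET-SELF
! INTERNET -> VLAN1: decrypted HQ traffic enters from the INTERNET zone, so only the
! HQ-to-store flows are inspected here and anything else from the Internet is dropped.
policy-map type inspect PM-INTERNET-VLAN1
 class type inspect CM-HQ-TO-STORE
  inspect
 class class-default
  drop log
zone-pair security INTERNET-VLAN1 source INTERNET destination VLAN1
 service-policy type inspect PM-INTERNET-VLAN1
```

The existing VLAN1-INTERNET zone-pair keeps carrying store-to-HQ and store-to-Internet traffic; `show policy-map type inspect zone-pair INTERNET-VLAN1 sessions` shows whether the HQ flows are being matched by CM-HQ-TO-STORE or falling into class-default.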