I have a 2800 router connecting a small office to the Internet. I am using zone-based firewall to provide protection. The small office also needs to connect to another office. The 2800 is at the small office and an ASA at HQ. I successfully established the VPN connection and have allowed Internet access for the small office. The purpose of this post is that my zone-based fw policy doesn't appear to be as secure as it could be.
2800 - I have defined two zones (inside and outside). Traffic from the inside to the outside is inspected except for the traffic to the other office. I allow traffic to the other office to "pass" zbfw. Because the traffic "passes" zbfw, I have to "pass" the same traffic for the outside to in policy. The ASA has "sysopt" to allow VPN traffic to bypass the outside_acl. Do routers and zone-based firewall have a similar feature?
Yes, instead of "pass" you should configure "inspect". It will allow the outgoing traffic and will dynamically allow the return traffic. However, if you need to initiate traffic from the ASA towards the router, then you would also need to configure an ACL to allow that traffic, with the action "inspect" as well.
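To make the difference concrete, here is an added example (not the poster's configuration, and not from the replies above) of what the answer describes on an IOS zone-based firewall: the site-to-site traffic is inspected instead of passed, so the outside-to-inside policy no longer needs a stateless hole. Interface names, the branch LAN 10.1.1.0/24 and the HQ LAN 10.2.2.0/24 are constructed assumptions.

```cisco
! Constructed example; addresses and interface names are assumed, not the poster's.
! Branch LAN 10.1.1.0/24 on Gi0/0 (zone inside), Internet/VPN uplink on Gi0/1 (zone outside),
! HQ LAN 10.2.2.0/24 behind the ASA at the far end of the tunnel.
ip access-list extended ACL-TO-HQ
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
ip access-list extended ACL-FROM-HQ
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

class-map type inspect match-all CM-TO-HQ
 match access-group name ACL-TO-HQ
class-map type inspect match-all CM-FROM-HQ
 match access-group name ACL-FROM-HQ
class-map type inspect match-any CM-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp

! Weak form (what the question describes): "pass" is stateless, so the
! mirror rule in the outside-to-inside policy exposes the whole branch LAN
! to anything on the HQ side that matches the ACL, with no session tracking.
! policy-map type inspect PM-OUT-IN
!  class type inspect CM-FROM-HQ
!   pass

! Corrected form: "inspect" creates a session entry for branch-initiated
! traffic and admits only the matching return packets.
policy-map type inspect PM-IN-OUT
 class type inspect CM-TO-HQ
  inspect
 class type inspect CM-INTERNET
  inspect
 class class-default
  drop log

! Outside-to-inside: only needed if HQ must initiate sessions toward the branch.
! If HQ never initiates, leave this policy with class-default drop only.
policy-map type inspect PM-OUT-IN
 class type inspect CM-FROM-HQ
  inspect
 class class-default
  drop log

zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside

zone-pair security IN-OUT source inside destination outside
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect PM-OUT-IN
```

Two points worth checking after applying this. First, the IPsec control and data traffic (ISAKMP UDP 500/4500 and ESP) terminates on the router itself and therefore belongs to the self zone, which is not affected by the inside/outside zone pairs unless you add a self zone-pair; the policies above only govern the decrypted traffic between the LANs. Second, confirm that sessions are actually being tracked rather than passed with `show policy-map type inspect zone-pair sessions`: a branch host talking to HQ should show up as an established session under IN-OUT, and nothing should appear under OUT-IN unless HQ initiated it.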