Cisco Support Community
New Member

ZoneBase FW and L2L IPSec VPN

I have a 2800 router connecting a small office to the Internet.  I am using zone-based firewall to provide protection.  The small office also needs to connect to another office.  The 2800 is at the small office and an ASA at HQ.   I successfully established the VPN connection and have allowed Internet access for the small office.  The purpose of this post is that my zone-based FW policy doesn't appear to be as secure as it could be.

2800 - I have defined two zones (inside and outside).  Traffic from the inside to the outside is inspected except for the traffic to the other office.  I allow traffic to the other office to "pass" ZBFW.  Because the traffic "passes" ZBFW, I have to "pass" the same traffic in the outside-to-inside policy.  The ASA has "sysopt" to allow VPN traffic to bypass the outside_acl.  Do routers and zone-based firewall have a similar feature?



Cisco Employee

ZoneBase FW and L2L IPSec VPN

Yes, instead of "pass" you should configure "inspect". It will allow the outgoing traffic and will dynamically allow the return traffic. However, if you need to initiate traffic from the ASA towards the router, then you would also need to configure an ACL to allow that traffic, with the action "inspect" as well.

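The configuration the reply describes, written out as an added example (this is not config from either poster). The interface names, zone names, ACL names and the two LAN prefixes (branch 192.168.10.0/24, HQ 10.1.0.0/16) are assumed for illustration. The inside-to-outside policy inspects the VPN traffic instead of passing it, so the router builds session state and the return traffic from HQ is allowed dynamically; the outside-to-inside policy is only needed when hosts behind the ASA open connections towards the branch, and it also uses inspect, limited to the tunnel subnets.

```cisco
! Added example, not part of the original thread. Names and addresses are assumed.
! Branch LAN 192.168.10.0/24, HQ LAN behind the ASA 10.1.0.0/16.
!
ip access-list extended VPN-TO-HQ
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
!
ip access-list extended VPN-FROM-HQ
 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
!
! Protocols to track statefully across the tunnel
class-map type inspect match-any VPN-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Branch -> HQ over the tunnel: match the subnet pair AND a trackable protocol
class-map type inspect match-all IN-TO-OUT-VPN
 match access-group name VPN-TO-HQ
 match class-map VPN-PROTOCOLS
!
! Branch -> Internet
class-map type inspect match-any IN-TO-OUT-INTERNET
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect IN-TO-OUT
 class type inspect IN-TO-OUT-VPN
  ! "inspect" replaces "pass": the router now keeps session state, so
  ! HQ's replies are admitted without an outside-to-inside "pass" entry.
  inspect
 class type inspect IN-TO-OUT-INTERNET
  inspect
 class class-default
  drop
!
! HQ -> branch, only for connections that hosts behind the ASA initiate.
! Restricted to the tunnel subnets; everything else from outside is dropped.
class-map type inspect match-all OUT-TO-IN-VPN
 match access-group name VPN-FROM-HQ
 match class-map VPN-PROTOCOLS
!
policy-map type inspect OUT-TO-IN
 class type inspect OUT-TO-IN-VPN
  inspect
 class class-default
  drop
!
zone security inside
zone security outside
!
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect OUT-TO-IN
!
interface FastEthernet0/0
 description Branch LAN (assumed interface)
 zone-member security inside
!
interface FastEthernet0/1
 description Internet uplink, crypto map applied here (assumed interface)
 zone-member security outside
```

Two checks worth making after applying this. First, `show policy-map type inspect zone-pair sessions` should show sessions for branch-initiated VPN flows under the IN-OUT pair, and nothing under OUT-IN unless HQ really is initiating. Second, the IKE and ESP packets addressed to the router's own WAN interface belong to the router's self zone, not to the inside/outside pair, so they are not affected by either policy above and need no "pass" rule unless a separate zone-pair involving the self zone has been configured.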