Hi Simon,
Here’s an example:
class-map type inspect match-all LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-all WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-all ISAKMP_IPSEC
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
class-map type inspect match-all ICMP
 match access-group name ICMP
!
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect ISAKMP_IPSEC
  pass
 class type inspect DHCP
  pass
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_LAN
  pass
 class class-default
  drop
policy-map type inspect LAN_TO_WAN
 class type inspect LAN_TO_WAN
  pass
 class class-default
  drop
!
zone security LAN
zone security WAN
zone-pair security LAN_TO_WAN source LAN destination WAN
 description LAN_TO_WAN TRAFFIC
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN destination LAN
 description WAN_TO_LAN TRAFFIC
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_SELF source WAN destination self
 description WAN_TO_SELF TRAFFIC
 service-policy type inspect WAN_TO_SELF
!
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any
ip access-list extended ICMP
 permit icmp any any
ip access-list extended ISAKMP_IPSEC
 permit udp host <remote_peer> any eq isakmp
 permit esp host <remote_peer> any
 permit udp host <remote_peer> any eq non500-isakmp
ip access-list extended LAN_TO_WAN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended WAN_TO_LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
This will allow a remote peer to establish an IPSec tunnel from WAN to the SELF zone (router). ICMP traffic to SELF is permitted and the router can get an IP address from the ISP through DHCP.
Once the VPN is established, traffic between the LAN (192.168.1.0) and a remote subnet (192.168.2.0) is permitted (pass).
Rene
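As an added example (not part of Rene's reply), a small Python checker for the kind of dangling reference a zone-based firewall config like the one above can silently carry: it collects every class-map, policy-map, ACL and zone that is defined and compares them with the names referenced by `class type inspect`, `match access-group`, `service-policy` and `zone-pair` lines. The embedded config is a constructed, trimmed sample in which the ICMP class-map has been left out.

```python
import re
from collections import defaultdict

# Constructed, trimmed sample in the style of the config above; the ICMP
# class-map is deliberately missing so the checker has something to report.
SAMPLE_CONFIG = """
class-map type inspect match-all DHCP
 match access-group name DHCP_CLIENT
policy-map type inspect WAN_TO_SELF
 class type inspect ICMP
  pass
 class type inspect DHCP
  pass
zone security WAN
zone-pair security WAN_TO_SELF source WAN destination self
 service-policy type inspect WAN_TO_SELF
ip access-list extended DHCP_CLIENT
 permit udp any eq bootps any
"""

# (kind, regex, is_definition): one pattern per ZBF object type we track.
PATTERNS = [
    ("class-map", r"class-map type inspect (?:match-all|match-any) (\S+)", True),
    ("policy-map", r"policy-map type inspect (\S+)", True),
    ("acl", r"ip access-list (?:standard|extended) (\S+)", True),
    ("zone", r"zone security (\S+)", True),
    ("acl", r"match access-group name (\S+)", False),
    ("class-map", r"class type inspect (\S+)", False),
    ("policy-map", r"service-policy type inspect (\S+)", False),
    ("zone", r"zone-pair security \S+ source (\S+) destination (\S+)", False),
]

def parse_zbf(config):
    # Returns (defined, referenced), each mapping kind -> set of object names.
    defined, referenced = defaultdict(set), defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()  # IOS indents sub-commands; anchor patterns at column 0
        for kind, pattern, is_def in PATTERNS:
            if m := re.match(pattern, line):
                target = defined if is_def else referenced
                # "self" is the router's built-in zone and needs no definition.
                target[kind].update(g for g in m.groups() if g != "self")
                break
    return defined, referenced

def dangling_references(config):
    # kind -> sorted names that are referenced but never defined.
    defined, referenced = parse_zbf(config)
    return {kind: sorted(names - defined[kind])
            for kind, names in referenced.items() if names - defined[kind]}
```

Running `dangling_references(SAMPLE_CONFIG)` reports the missing ICMP class-map; a class referenced in a policy-map without a matching class-map is exactly the kind of slip that leaves a zone-pair not doing what its description says.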