https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618320#M559647 <HTML><HEAD></HEAD><BODY><P>thanks for the reply paul.</P><P></P><P>I already have the VPN and ZBFW configured and working together.&nbsp; My question is how I should go about securing the outside interface.&nbsp; I want to restrict ssh access to just from out local nets, but wondering what else I should apply to the outside interface since we are running the zone based FW on the router.</P></BODY></HTML> Thu, 17 Mar 2011 19:50:17 GMT James Walsh 2011-03-17T19:50:17Z https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618318#M559645 <P>I am getting ready to deploy a 3945 ISR to serve as an internet and core router for and remote site.&nbsp; I will be terminating a site-to-site VPN tunnel on it and also confiugring a zone based firewall config between my "outside" (internet link) and "inside" (all internal nets).&nbsp; My question is about how to approach securing the WAN interface with the Zone based FW in place?</P><P></P><P>what kind of ACL do I need beyond those alllowing and restricing remote access to the outside ip?&nbsp; </P><P></P><P>Thanks, any thoughts are appreciated.</P> Mon, 11 Mar 2019 20:08:40 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618318#M559645 James Walsh 2019-03-11T20:08:40Z https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618319#M559646 <HTML><HEAD></HEAD><BODY><P>If you configure first your VPN you could use the SDM to configure ZFW since it helps in setting up both configs without conflicting with each other.</P></BODY></HTML> Thu, 17 Mar 2011 19:24:14 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618319#M559646 PAUL GILBERT ARIAS 2011-03-17T19:24:14Z https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618320#M559647 <HTML><HEAD></HEAD><BODY><P>thanks for the reply paul.</P><P></P><P>I already have the VPN and ZBFW configured and working together.&nbsp; My question is how I should go about securing the outside interface.&nbsp; I want to restrict ssh access to just from out local nets, but wondering what else I should apply to the outside interface since we are running the zone based FW on the router.</P></BODY></HTML> Thu, 17 Mar 2011 19:50:17 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618320#M559647 James Walsh 2011-03-17T19:50:17Z https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618321#M559648 <HTML><HEAD></HEAD><BODY><P>to allow or deny management protocols there are different options. One way is to use the management plane, check this link:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html">http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html</A></P><P></P><P>You can also configure acls allowing the desired IPs and apply the ACL on the specific lines of the router. This traffic has to be allowed by the ZFW from the specific zone to self.</P><P></P><P>I hope this helps</P></BODY></HTML> Thu, 17 Mar 2011 20:01:53 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-and-wan-interface-acl/m-p/1618321#M559648 PAUL GILBERT ARIAS 2011-03-17T20:01:53Z