<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic help Zone Based Firewall in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/help-zone-based-firewall/m-p/1332499#M832065</link>
    <description>&lt;P&gt;I have a site-to-site VPN with two 2811 Cisco routers with 2 interfaces each (LAN and WAN) and a GRE tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and other PCs to have access to the Internet but deny access to the VPN.&lt;/P&gt;&lt;P&gt;I want to implement Zone Based Firewall, but I don't know how many zone-pairs I have to configure. I think I need one private-to-vpn, one vpn-to-private, one private-to-public, but I don't know if I need to configure one public-to-private zone pair if I need to telnet/ssh to the router from a public IP from the outside Internet.&lt;/P&gt;&lt;P&gt;I also have some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps, or if having different zones for each interface (including the GRE tunnel) is enough.&lt;/P&gt;&lt;P&gt;Another question is that I have read several configurations to block P2P and instant messaging, but each of them is for a specific application, and I'd like to know if there is a way to block all of them or if I have to block each individual protocol.&lt;/P&gt;&lt;P&gt;Thanks and best regards.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 16:13:10 GMT</pubDate>
    <dc:creator>usuario0001</dc:creator>
    <dc:date>2019-03-11T16:13:10Z</dc:date>
    <item>
      <title>help Zone Based Firewall</title>
      <link>https://community.cisco.com/t5/network-security/help-zone-based-firewall/m-p/1332499#M832065</link>
      <description>&lt;P&gt;I have a site-to-site VPN with two 2811 Cisco routers with 2 interfaces each (LAN and WAN) and a GRE tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and other PCs to have access to the Internet but deny access to the VPN.&lt;/P&gt;&lt;P&gt;I want to implement Zone Based Firewall, but I don't know how many zone-pairs I have to configure. I think I need one private-to-vpn, one vpn-to-private, one private-to-public, but I don't know if I need to configure one public-to-private zone pair if I need to telnet/ssh to the router from a public IP from the outside Internet.&lt;/P&gt;&lt;P&gt;I also have some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps, or if having different zones for each interface (including the GRE tunnel) is enough.&lt;/P&gt;&lt;P&gt;Another question is that I have read several configurations to block P2P and instant messaging, but each of them is for a specific application, and I'd like to know if there is a way to block all of them or if I have to block each individual protocol.&lt;/P&gt;&lt;P&gt;Thanks and best regards.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 16:13:10 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/help-zone-based-firewall/m-p/1332499#M832065</guid>
      <dc:creator>usuario0001</dc:creator>
      <dc:date>2019-03-11T16:13:10Z</dc:date>
    </item>
  </channel>
</rss>

