03-17-2011 12:02 PM - edited 03-11-2019 01:08 PM
I am getting ready to deploy a 3945 ISR to serve as an internet and core router for a remote site. I will be terminating a site-to-site VPN tunnel on it and also configuring a zone-based firewall config between my "outside" (internet link) and "inside" (all internal nets). My question is about how to approach securing the WAN interface with the zone-based FW in place?
What kind of ACL do I need beyond those allowing and restricting remote access to the outside IP?
Thanks, any thoughts are appreciated.
03-17-2011 12:24 PM
If you configure first your VPN you could use the SDM to configure ZFW since it helps in setting up both configs without conflicting with each other.
03-17-2011 12:50 PM
Thanks for the reply, Paul.
I already have the VPN and ZBFW configured and working together. My question is how I should go about securing the outside interface. I want to restrict SSH access to just our local nets, but I am wondering what else I should apply to the outside interface since we are running the zone-based FW on the router.
03-17-2011 01:01 PM
To allow or deny management protocols there are different options. One way is to use the management plane; check this link:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html
You can also configure ACLs allowing the desired IPs and apply the ACL on the specific lines of the router. This traffic has to be allowed by the ZFW from the specific zone to self.
I hope this helps
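As an added illustration of the second option described above (not configuration from the thread or from Cisco), this IOS fragment restricts SSH to the internal nets on the VTY lines and then only lets that SSH through the inside-to-self zone pair, while the outside-to-self pair passes nothing but the site-to-site tunnel's IKE/ESP. It assumes the zone names `inside` and `outside` from the original post, 10.0.0.0/8 as a stand-in for the internal nets, and 203.0.113.10 as a stand-in for the router's outside address.

```cisco
! --- Constructed example: management only from the internal nets ---
ip access-list standard MGMT-NETS
 remark assumed internal range; replace with your own
 permit 10.0.0.0 0.255.255.255
 deny   any log
!
ip ssh version 2
line vty 0 4
 access-class MGMT-NETS in
 transport input ssh
!
! --- inside -> self: stateful inspection of SSH from the management nets ---
ip access-list extended SSH-TO-ROUTER
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
!
class-map type inspect match-all INSIDE-MGMT
 match access-group name SSH-TO-ROUTER
 match protocol tcp
!
policy-map type inspect INSIDE-TO-SELF
 class type inspect INSIDE-MGMT
  inspect
 class class-default
  drop log
!
zone-pair security IN-SELF source inside destination self
 service-policy type inspect INSIDE-TO-SELF
!
! --- outside -> self: only the tunnel's IKE (500/4500) and ESP, no management ---
ip access-list extended VPN-TO-ROUTER
 remark 203.0.113.10 stands in for the router's outside address
 permit udp any host 203.0.113.10 eq isakmp
 permit udp any host 203.0.113.10 eq non500-isakmp
 permit esp any host 203.0.113.10
!
class-map type inspect match-any OUTSIDE-VPN
 match access-group name VPN-TO-ROUTER
!
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect OUTSIDE-VPN
  pass
 class class-default
  drop log
!
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect OUTSIDE-TO-SELF
```

Note that traffic to the router itself is permitted by default as long as no zone pair with `self` as a member exists, so the outside-to-self pair is what actually closes the WAN interface to everything but the tunnel; ESP and IKE use `pass` rather than `inspect` because they are not stateful-inspectable flows.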