09-10-2009 12:22 AM - edited 03-04-2019 05:59 AM
I have a site-to-site vpn with two 2811 Cisco Routers with 2 interfaces each
(LAN and WAN) and a GRE tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and other PCs to have access to the Internet but deny access to the VPN.
I want to implement Zone Based Firewall, but I don't know how many zone-pairs I
have to configure. I think I need one private-to-vpn, one vpn-to-private, one
private-to-public, but I don't know if I need to configure a public-to-private zone pair if I need to telnet/ssh to the router from a public IP on the outside Internet.
I also have some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps, or if having different zones for each interface (including the GRE tunnel) is enough.
Another question is that I have read several configurations to block P2P and instant messaging, but each of them is for a specific application, and I'd like to know if there is a way to block all of them or if I have to block each individual protocol.
Thanks and best regards.
09-12-2009 01:35 AM
Hello Marian,
Many questions in one post :-) Regarding the Zone Based Policy Firewall, I believe that instead of explaining its basics here, you should refer to the guides and examples published on Cisco website. They are very helpful and I think they will answer most of your questions. I suggest reading these:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html
Of course please come back after reading those documents with any questions you might have.
Best regards,
Peter
09-16-2009 07:41 AM
Thanks Peter for your reply,
I had already read these documents (and many others) but I still have a lot of doubts.
My message was very long, but to begin, I only need to know these 2 questions:
Do I need to configure a public-to-private zone pair if I need to telnet/ssh to the router from a public IP on the outside Internet? (All the configurations I have seen don't have a zone pair in this direction.)
If I have configured several ACLs, do I have to include them in new class-maps? Or is it enough to have different zones for each interface (including the GRE tunnel)?
Thanks and regards
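The following is an added example configuration, not something posted in this thread, showing how the three zones, the per-PC ACLs and the router's own "self" zone fit together on one of the 2811s. Interface names, the 192.168.1.0/24 LAN, the 203.0.113.10 WAN address, the remote peer 198.51.100.20 / 192.168.2.0/24 and the admin host 198.51.100.5 are all assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Fa0/0 = LAN 192.168.1.0/24, Fa0/1 = WAN 203.0.113.10,
!   Tunnel0 = GRE to remote WAN 198.51.100.20 (remote LAN 192.168.2.0/24),
!   198.51.100.5 = admin host allowed to SSH to the router from the Internet.
zone security LAN
zone security WAN
zone security VPN
!
interface FastEthernet0/0
 zone-member security LAN
interface FastEthernet0/1
 zone-member security WAN
interface Tunnel0
 zone-member security VPN
!
! The old interface ACLs move into class-maps: zones decide which
! interfaces may talk, the ACLs decide which PCs may use each path.
ip access-list extended VPN-PCS
 permit ip 192.168.1.0 0.0.0.127 192.168.2.0 0.0.0.255
ip access-list extended INET-PCS
 permit ip 192.168.1.128 0.0.0.127 any
!
class-map type inspect match-all CM-LAN-TO-VPN
 match access-group name VPN-PCS
class-map type inspect match-all CM-LAN-TO-WAN
 match access-group name INET-PCS
class-map type inspect match-any CM-VPN-TO-LAN
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-LAN-TO-VPN
 class type inspect CM-LAN-TO-VPN
  inspect
 class class-default
  drop
policy-map type inspect PM-LAN-TO-WAN
 class type inspect CM-LAN-TO-WAN
  inspect
 class class-default
  drop
policy-map type inspect PM-VPN-TO-LAN
 class type inspect CM-VPN-TO-LAN
  inspect
 class class-default
  drop
!
zone-pair security LAN-VPN source LAN destination VPN
 service-policy type inspect PM-LAN-TO-VPN
zone-pair security VPN-LAN source VPN destination LAN
 service-policy type inspect PM-VPN-TO-LAN
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect PM-LAN-TO-WAN
! No WAN-to-LAN pair is defined, so unsolicited Internet traffic towards
! the LAN is dropped; replies to inspected LAN-to-WAN sessions still return.
!
! SSH to the router is traffic to the "self" zone, not to LAN. The GRE
! packets that carry Tunnel0 also terminate on the router, so as soon as
! a WAN<->self policy exists it must let them through too.
ip access-list extended WAN-TO-SELF
 permit tcp host 198.51.100.5 host 203.0.113.10 eq 22
 permit gre host 198.51.100.20 host 203.0.113.10
ip access-list extended SELF-TO-WAN
 permit tcp host 203.0.113.10 eq 22 host 198.51.100.5
 permit gre host 203.0.113.10 host 198.51.100.20
!
class-map type inspect match-all CM-WAN-TO-SELF
 match access-group name WAN-TO-SELF
class-map type inspect match-all CM-SELF-TO-WAN
 match access-group name SELF-TO-WAN
!
policy-map type inspect PM-WAN-TO-SELF
 class type inspect CM-WAN-TO-SELF
  pass
 class class-default
  drop
policy-map type inspect PM-SELF-TO-WAN
 class type inspect CM-SELF-TO-WAN
  pass
 class class-default
  drop
!
zone-pair security WAN-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
zone-pair security SELF-WAN source self destination WAN
 service-policy type inspect PM-SELF-TO-WAN
```

Two points worth checking before applying something like this: `pass` is stateless, which is why the self-zone pairs are mirrored in both directions, whereas `inspect` on the LAN pairs creates sessions that allow the return traffic on their own; and the per-PC restriction lives entirely in the `match access-group` lines, since a zone by itself only says which interface a packet came from. `show policy-map type inspect zone-pair sessions` lists the sessions the inspect classes have opened and is the quickest way to see which pair a flow is hitting.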