I'm testing a 2811 router with IOS 12.4(9)T2 (IOS Firewall enabled). As I'm interested in Cisco's new approach to firewalls, with the Zone-Based design, I tried to use it to build my configuration.
My scenario is as follows:
- Router 2801
- Router 2811 with Cisco IOS (the one I'm configuring), with one HWIC-1ADSL (not working now) and one HWIC-4ESW.
- The 2811 is connected to the 2801 router with FastEthernet0/0, IP address 192.168.1.2.
- Two separate offices connected to the HWIC-4ESW. In that module I've configured two VLANs, one for office1 in ports 0-1, and one for office2 in ports 2-3. Office1 is in a 10.100.0.x network, and office2 is in 192.168.3.x network.
- See pic attached (networkmap.jpg).
My goals are:
- Permit all outbound traffic (from inside to internet)
- Permit only certain traffic from office2 to office1
- Permit only certain inbound traffic to office1
- Do not permit traffic from office1 to office2
- VPN with headquarters site. That site has 10.1.0.x network.
- Remote access from internet via http, ssh.
Information about networks, NATs and policies is attached in the following pic. With the attached configuration, outbound traffic works and inbound traffic works, but I have no remote access to the 2811, and no VPN.
With the configuration of the self zone I want to achieve remote access, permitting only https and ssh traffic to the self zone, and permitting all traffic originating in the self zone (that's why I use class-default in the self zone). When I try remote access, with "show policy-map type inspect zone-pair to-self-pmap" I see ssh and https traffic to the self zone, but it doesn't work (no https, no ssh to the management IP addresses).
With the VPN, I think the problem is in NAT. I need to avoid NATting the VPN packets; that's the reason for access-lists 101 and 102. The error log doesn't offer much help: it's at debug level, so I'm overloaded with information and can't see exactly where the problem is.
I have other problems, like no ping from inside office1 to the internet, or no mail sending (smtp) from office1. Is there any error in the class-maps, policies or zone-pairs? Other protocols work without problems; what's the difference with smtp or icmp?
Maybe my best option is to abandon the zone-based design and use old-fashioned access-lists with SDM, isn't it? It's very difficult to find info about zone-based...
Thank you very much,
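As an added illustration, not the poster's attached configuration and not a correction of it: a minimal zone-based firewall skeleton for the goals listed above, in the same IOS syntax, showing the points that most often bite in this design. class-default drops unless told otherwise; pass is stateless, so traffic to the self zone needs a policy in both directions; once a self-zone policy exists, IKE and ESP for the site-to-site VPN also have to be allowed to self; and a NAT ACL must exempt the VPN traffic before the overload rule. Zone, class-map, policy-map and VLAN interface names are assumed; only the addressing from the post is reused.

```cisco
! Added example, not the poster's configuration. Names are assumed.
zone security outside
zone security office1
zone security office2

interface FastEthernet0/0
 description link to the 2801 / Internet
 ip address 192.168.1.2 255.255.255.0
 ip nat outside
 zone-member security outside
interface Vlan10
 description office1 (HWIC-4ESW ports 0-1), address assumed
 ip address 10.100.0.1 255.255.255.0
 ip nat inside
 zone-member security office1
interface Vlan20
 description office2 (HWIC-4ESW ports 2-3), address assumed
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 zone-member security office2

! Goal 1: all outbound traffic. Generic tcp/udp/icmp inspection also covers
! smtp and ping; a class that lists only specific protocols (http, dns, ...)
! sends everything else to class-default, whose default action is drop.
class-map type inspect match-any OUT-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect OUT-PMAP
 class type inspect OUT-CMAP
  inspect
 class class-default
  drop
zone-pair security office1-out source office1 destination outside
 service-policy type inspect OUT-PMAP
zone-pair security office2-out source office2 destination outside
 service-policy type inspect OUT-PMAP

! Goal 2: only selected traffic from office2 to office1 (ssh and http as
! placeholders). Goal 4 needs no configuration: with no zone-pair from
! office1 to office2, that traffic is dropped by default.
class-map type inspect match-any OFFICE2-TO-1-CMAP
 match protocol ssh
 match protocol http
policy-map type inspect OFFICE2-TO-1-PMAP
 class type inspect OFFICE2-TO-1-CMAP
  inspect
 class class-default
  drop
zone-pair security office2-office1 source office2 destination office1
 service-policy type inspect OFFICE2-TO-1-PMAP
! Goal 3: inbound to office1 hosts is an outside -> office1 zone-pair written
! against the inside (post-static-NAT) addresses, in the same shape as above.

! Goal 6: ssh/https to the router's own addresses (the self zone). pass is
! stateless, so without the mirror policy self -> outside the replies are
! dropped, even though "show policy-map type inspect zone-pair" counts the
! inbound matches. IKE (udp/500, udp/4500) and ESP for the VPN terminate on
! self too and must be allowed here.
ip access-list extended TO-SELF-ACL
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-all TO-SELF-CMAP
 match access-group name TO-SELF-ACL
policy-map type inspect TO-SELF-PMAP
 class type inspect TO-SELF-CMAP
  pass
 class class-default
  drop
zone-pair security out-self source outside destination self
 service-policy type inspect TO-SELF-PMAP
! Router-originated traffic: class-default alone drops; it must say pass.
policy-map type inspect FROM-SELF-PMAP
 class class-default
  pass
zone-pair security self-out source self destination outside
 service-policy type inspect FROM-SELF-PMAP

! Goal 5: exempt the headquarters (10.1.0.x) traffic from NAT. The deny lines
! must precede the permit lines, or the crypto ACL never matches the
! translated packets and the tunnel is never brought up for them.
access-list 101 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 101 permit ip 10.100.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
```

To check the self-zone path, compare the match counters of the out-self and self-out zone-pairs with "show policy-map type inspect zone-pair": inbound hits on out-self with nothing on self-out is what a missing or dropping return policy looks like. In 12.4 T releases, pass rather than inspect is the safe choice for self-zone traffic, and pass always needs both directions.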