I have a site-to-site vpn with two 2811 Cisco Routers with 2 interfaces each
(LAN and WAN) and a GRE Tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and another PCs to have access to Internet but deny access to vpn.
I want to implement Zone Based Firewall, but I don't know how many zone-pair do I
have to configure. I think I need one private-to-vpn, one vpn-to-private, one
private-to-public, but I don't know if I need to configure one public-to-private zone pair if I need to telnet/ssh the router from a public IP from outside Internet.
I have also some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps. Or if I have different zones for each interface (include GRE Tunnel) is enough.
Another question is that I have read several configurations to block P2P and Instant messaging, but each of them is for a specific applications, and I'd like to know if there is a way to block all of them or I have to block each individual protocol.
Thanks and best regards.