Cisco Support Community

help Zone Based Firewall

I have a site-to-site VPN with two Cisco 2811 routers with two interfaces each (LAN and WAN) and a GRE tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and other PCs to have access to the Internet but deny access to the VPN.

I want to implement Zone-Based Firewall, but I don't know how many zone pairs I have to configure. I think I need one private-to-vpn, one vpn-to-private and one private-to-public, but I don't know if I need to configure a public-to-private zone pair if I need to telnet/SSH to the router from a public IP on the Internet.

I also have some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps, or if having a different zone for each interface (including the GRE tunnel) is enough.

Another question: I have read several configurations to block P2P and instant messaging, but each of them is for a specific application, and I'd like to know if there is a way to block all of them or if I have to block each individual protocol.

Thanks and best regards.
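An added example, not from the original post or any reply, of how the private-to-vpn pair and a public-to-self pair for remote management could be written in IOS ZBF syntax for the topology described; interface names, addresses and ACL/class/policy names are assumptions. It shows the ACL being referenced from a class-map rather than applied on its own, and the point most often missed with the self zone: GRE and IPsec arriving at the router itself must be explicitly passed once a public-to-self pair exists.

```cisco
! Zones and membership (interface names are assumed for this example)
zone security private
zone security public
zone security vpn
interface FastEthernet0/0
 zone-member security private
interface FastEthernet0/1
 zone-member security public
interface Tunnel0
 zone-member security vpn
! Constructed addresses: only 192.168.1.0/24 hosts may reach the remote LAN
ip access-list extended VPN-HOSTS
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! GRE and IPsec traffic terminating on the router itself (self zone)
ip access-list extended TUNNEL-TRANSPORT
 permit gre any any
 permit esp any any
 permit udp any any eq isakmp
! The ACL is not applied on its own; a class-map references it
class-map type inspect match-all CM-PRIV-TO-VPN
 match access-group name VPN-HOSTS
class-map type inspect match-all CM-TUNNEL
 match access-group name TUNNEL-TRANSPORT
class-map type inspect match-any CM-MGMT
 match protocol ssh
policy-map type inspect PM-PRIV-TO-VPN
 class type inspect CM-PRIV-TO-VPN
  inspect
 class class-default
  drop log
policy-map type inspect PM-PUB-TO-SELF
 class type inspect CM-MGMT
  inspect
 class type inspect CM-TUNNEL
  pass
 class class-default
  drop log
! pass is stateless: if a self-to-public pair is also configured, the same
! transport must be passed there too (without one, self-to-public keeps the default allow)
policy-map type inspect PM-SELF-TO-PUB
 class type inspect CM-TUNNEL
  pass
zone-pair security PRIV-VPN source private destination vpn
 service-policy type inspect PM-PRIV-TO-VPN
! Once this pair exists, public-to-self traffic not matched above is dropped
zone-pair security PUB-SELF source public destination self
 service-policy type inspect PM-PUB-TO-SELF
zone-pair security SELF-PUB source self destination public
 service-policy type inspect PM-SELF-TO-PUB
```

With SELF-PUB defined, anything the router itself originates toward the public zone that is not in CM-TUNNEL hits the implicit drop of class-default, so router-sourced traffic such as DNS or NTP needs its own class there. The vpn-to-private and private-to-public pairs follow the same zone-pair/policy-map/class-map pattern, with the private-to-public class matching the hosts that are allowed Internet access.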