Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

please I need help 2811 router

I have a site-to-site vpn with two 2811 Cisco Routers with 2 interfaces each

(LAN and WAN) and a GRE Tunnel. I have an ACL implemented to allow some PCs to have access to the VPN and another PCs to have access to Internet but deny access to vpn.

I want to implement Zone Based Firewall, but I don't know how many zone-pair do I

have to configure. I think I need one private-to-vpn, one vpn-to-private, one

private-to-public, but I don't know if I need to configure one public-to-private zone pair if I need to telnet/ssh the router from a public IP from outside Internet.

I have also some doubts about ACLs and class-maps. I don't know if I have to include these ACLs in class-maps. Or if I have different zones for each interface (include GRE Tunnel) is enough.

Another question is that I have read several configurations to block P2P and Instant messaging, but each of them is for a specific applications, and I'd like to know if there is a way to block all of them or I have to block each individual protocol.

Thanks and best regards.

2 REPLIES
Cisco Employee

Re: please I need help 2811 router

Hello Marian,

Many questions in one post :-) Regarding the Zone Based Policy Firewall, I believe that instead of explaining its basics here, you should refer to the guides and examples published on Cisco website. They are very helpful and I think they will answer most of your questions. I suggest reading these:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/white_paper_c27_543585.html

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

Of course please come back after reading those documents with any questions you might have.

Best regards,

Peter

New Member

Re: please I need help 2811 router

Thanks Peter for your reply,

I had already read these documents (and many others) but I still have a lot of doubts.

My message was very long, but to begin, I only need to know these 2 questions:

Do I need to configure one public-to-private zone pair if I need to telnet/ssh the router from a public IP from outside Internet? (all the configurations I have seen doesn't have a zone pair in this way.

If I had configured several ACLs, do I have to include them in new class-maps? or is it enough to have different zones for each interface (include GRE tunnel).

Thanks and regards

98
Views
0
Helpful
2
Replies
CreatePlease to create content