Configuration Example Most Basic Zone Based Firewall

I have some remote SOHO routers VPNing to a central site.  I want to add a very basic Zone Based Policy Firewall such that all traffic to the Internet is permitted out and its reply traffic is permitted in.  Inbound SIP traffic from two hosts is permitted in and IPSEC traffic is permitted from specific IP.  ICMP is permitted any any.  Would appreciate a configuration example.  Thanks.
amigan_99 (Network Engineer) asked:
I highly recommend the Cisco ASA 5505 - this firewall is indeed zone-based and supports SIP as well as IPsec and SSL VPN. The unit runs about $350 USD and will do everything you need! It will work fine with an 871 router as well regarding the VPN. 
Cheers! Let me know if you have any questions
Also - it supports all Cisco LAN routing protocols - EIGRP, OSPF, RIP.
A very basic example of this would be just to create a few ACLs:

This is just off the top of my head and would probably work.
- The config assumes your internal network is
- Also, the permit gre ACLs are still in place for the IPSEC.

At least you've got something to base your config on...

interface Dialer0
 ip access-group 110 in
! Allow SIP (TCP 5060) from hosts x.x.x.x and y.y.y.y, deny it from anyone else
access-list 110 permit tcp host x.x.x.x any eq 5060
access-list 110 permit tcp host y.y.y.y any eq 5060
access-list 110 deny tcp any any eq 5060
! IPSEC allow: IKE runs over UDP 500 (not TCP), and a single peer needs the "host" keyword
access-list 110 permit udp host z.z.z.z any eq 500
access-list 110 deny udp any any eq 500
access-list 110 permit icmp any any
! Allow replies to existing NAT TCP streams ("established" only matches TCP
! segments with ACK or RST set, so UDP replies such as DNS are not covered)
access-list 110 permit tcp any any established
! DENY the rest (an explicit deny entry needs a protocol keyword)
access-list 110 deny ip any any
amigan_99 (Network Engineer), author, commented:
Thanks for the ACL method.  But I specifically want the ZBPF so that all the return traffic is intelligently permitted back in.  
amigan_99 (Network Engineer), author, commented:
I was looking specifically for a minimalist configuration.  But this is the best answer.  Thanks.
The ASA/PIX will automatically permit all return traffic.
On Cisco routers, you must use the keyword "established" at the end of all TCP ACLs, like this:
access-list 110 permit tcp host y.y.y.y any eq 5060 established
Cheers! Let me know if you have any questions!
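For reference, the zone-based alternative the asker was after, meeting the four stated requirements (outbound inspected with replies allowed back, SIP from two peers, IKE/ESP from one VPN peer, ICMP any any). This is an added illustration, not a configuration posted by anyone in the thread; the interface names (Vlan1, Dialer0), the SIP peers 192.0.2.10/20 and the VPN peer 198.51.100.1 are placeholders from the documentation ranges.

```cisco
! Zones: LAN (inside) and WAN (Internet); the router itself is the implicit "self" zone.
zone security LAN
zone security WAN
! LAN->WAN: inspect everything, so replies return via the session table, not an "established" entry.
class-map type inspect match-any CM-LAN-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-LAN-TO-WAN
 class type inspect CM-LAN-TO-WAN
  inspect
 class class-default
  drop log
! WAN->LAN unsolicited: SIP from the two trusted peers only, ICMP from anywhere.
ip access-list extended ACL-WAN-TO-LAN
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 permit udp host 192.0.2.20 any eq 5060
 permit tcp host 192.0.2.20 any eq 5060
 permit icmp any any
class-map type inspect match-any CM-WAN-TO-LAN
 match access-group name ACL-WAN-TO-LAN
policy-map type inspect PM-WAN-TO-LAN
 class type inspect CM-WAN-TO-LAN
  inspect
 class class-default
  drop log
! WAN->self (router-terminated): IKE and ESP from the VPN peer, plus ICMP.
! "pass" is stateless; without a self->WAN zone-pair that direction keeps its default of permit.
ip access-list extended ACL-WAN-TO-SELF
 permit udp host 198.51.100.1 any eq isakmp
 permit esp host 198.51.100.1 any
 permit icmp any any
class-map type inspect match-any CM-WAN-TO-SELF
 match access-group name ACL-WAN-TO-SELF
policy-map type inspect PM-WAN-TO-SELF
 class type inspect CM-WAN-TO-SELF
  pass
 class class-default
  drop log
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect PM-LAN-TO-WAN
zone-pair security WAN-LAN source WAN destination LAN
 service-policy type inspect PM-WAN-TO-LAN
zone-pair security WAN-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
interface Vlan1
 zone-member security LAN
interface Dialer0
 zone-member security WAN
```

Decrypted site-to-site traffic is still subject to the zone policies: with a crypto map on Dialer0 it is evaluated as WAN to LAN, and a GRE Tunnel interface must itself be placed in a zone (interfaces with no zone cannot exchange traffic with zoned ones), so the central-site traffic needs its own permitted class before this will carry the VPN.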