SDM Firewall Configuration Issues

Unanswered Question
Aug 15th, 2009

I have an 871W router and am attempting to use SDM to configure the firewall functions. When I go through the firewall configuration (basic or advanced; it does not matter which setting I choose, Low/Medium/High), the firewall application appears to configure correctly and I have network access to my ISP with no issues.

As soon as I reboot the 871W, that same configuration that appeared to work OK prior to the reboot now will not allow any access to the ISP. I lose any routing I initially had through fa4 to my ISP.

I then have to fall back to my previous, no firewall configuration in order to restore any network connectivity to my ISP.

It is as if the NAT access is being overruled. I enter the affirmative when it quizzes me about allowing the NAT connections to pass through the firewall.

Any help here is most appreciated.

Kevin Redmon Sun, 08/16/2009 - 19:02

With your current configuration, I see that you are leveraging Zone Based Firewall.

The best way to troubleshoot this issue is to do the following:

1.) enable the command 'ip inspect log drop-pkt'. This will create a syslog anytime a packet is dropped due to the firewall feature.

2.) After running the command, provide the output of 'show log | inc FW'. This will parse the output of the syslogs to include only the dropped packets.

3.) Please also provide the output of 'show version'. Depending on the particular version that you are using, there may be bugs and/or feature limitations.
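
The three steps above produce a block of 'show log' output that then has to be read by hand. The following script, added here as an illustration and not part of Kevin Redmon's reply or of any Cisco tool, parses Zone-Based Firewall drop messages (the '%FW-6-DROP_PKT' lines that 'show log | inc FW' selects once 'ip inspect log drop-pkt' is on) and summarises them per zone-pair/class and per destination service. The log lines, addresses, zone-pair names and class names embedded in it are constructed for the example; the message layout is assumed to match the IOS '%FW-6-DROP_PKT' format.

```python
import re
from collections import Counter

# Constructed sample of 'show log' output from an IOS router running
# Zone-Based Firewall with 'ip inspect log drop-pkt' enabled. Addresses,
# zone-pair names and class names are invented for this example; the
# surrounding LINK/SYS messages are included so the filter has noise to skip.
SAMPLE_LOG = """\
*Aug 17 19:05:11.123: %LINK-5-CHANGED: Interface FastEthernet4, changed state to administratively down
*Aug 17 19:05:20.456: %LINK-3-UPDOWN: Interface FastEthernet4, changed state to up
*Aug 17 19:05:31.001: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.10:49152 203.0.113.5:80 on zone-pair sdm-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0
*Aug 17 19:05:31.050: %FW-6-DROP_PKT: Dropping udp session 192.168.1.10:53211 203.0.113.53:53 on zone-pair sdm-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0
*Aug 17 19:05:32.300: %FW-6-DROP_PKT: Dropping tcp session 198.51.100.7:4433 203.0.113.9:22 on zone-pair sdm-zp-out-self class class-default due to  DROP action found in policy-map with ip ident 0
*Aug 17 19:05:33.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Assumed layout of the ZBF drop message: protocol, source, destination,
# zone-pair and class are the fields needed to find the offending policy.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)"
)


def parse_fw_drops(log_text):
    """Return one dict per firewall drop message found in the log text.

    Lines that are not %FW drop messages are ignored, which is the same
    selection 'show log | inc FW' performs on the router.
    """
    drops = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            drops.append(d)
    return drops


def summarize_drops(drops):
    """Count drops per (zone-pair, class) and per (protocol, dest port).

    The first counter points at the policy-map that is blocking traffic,
    the second shows which services the users are losing.
    """
    by_policy = Counter((d["zp"], d["cls"]) for d in drops)
    by_service = Counter((d["proto"], d["dport"]) for d in drops)
    return by_policy, by_service


if __name__ == "__main__":
    found = parse_fw_drops(SAMPLE_LOG)
    if not found:
        # An empty result means the firewall feature logged no drops, so the
        # outage is more likely routing or NAT than the inspect policy.
        print("No %FW drop messages found; look beyond the firewall policy.")
    else:
        by_policy, by_service = summarize_drops(found)
        for (zp, cls), n in by_policy.most_common():
            print(f"{n:4d} drops on zone-pair {zp} class {cls}")
        for (proto, port), n in by_service.most_common():
            print(f"{n:4d} drops of {proto}/{port}")
```

Run it against a saved copy of 'show log' instead of the embedded sample to see which zone-pair and class account for the drops; if the output is empty while connectivity is still lost, the firewall policy is not what is discarding the traffic and the routing and NAT configuration is the next place to look.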

turnera Mon, 08/17/2009 - 19:21

Thank you for your reply.

This is what I did.

I applied the firewall using SDM.

I entered the command you requested, turned on my syslog and then did a shut/no shut on fa4.

As soon as I did the shut/no shut I once again lost all connection to my ISP.

Basically the same results as would occur when I did the reboot with the firewall instruction set applied.

I ran the 'show log | inc FW' and there were no returns (yes, I had logging turned on).

I did capture syslog entries and they are attached. Not many but you can see where I did the shut/no shut and then attempted to browse the internet with no success.

My show version is also attached. I am running the latest 871 IOS.

Once again, the only way I could attain my connection to my ISP was to 'wr erase' and reload the config file that was prior to the firewall configuration.
