ZBF driving me crazy!!!

markpj
Level 1

Hi

I have a Cisco 887 router up and running; however, it is currently wide open on the internet because there is no access list or ZBF config.

I have tried to use CCP to configure the firewall, which works fine; however, the default options in the wizard look messy and I want to build the rules from scratch.

Dialer0 set as WAN zone

VLAN1 set as LAN zone

The outbound policy map has a match class map called Outbound map with the usual protocols (http, https, dns) included.

When I create the LAN-to-WAN zone pair using that policy, the outbound rules work.

How can I now secure the router from the outside? When I ping the router's Dialer0 IP address it responds, and I want to stop it from responding using the ZBF.

Thanks

Mark

3 Replies

johnd2310
Level 8

Hi,

You need to create a SELF zone and create a policy between the WAN zone and the SELF zone that denies all traffic. You control traffic to the router using the SELF zone.

Thanks

John


Hi John

Thanks for the point in direction. I will take another go at it following your advice.

Mark

Hi John

Thanks for the tip. It seemed to work when I set the self zone to use class-default drop for WAN to self. I had to add another rule for self to WAN to inspect TCP and UDP as well, but it all seems to work how I would like it.
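For anyone landing on this thread later, here is the configuration the replies converge on (LAN-to-WAN inspect, WAN-to-self drop-all, self-to-WAN inspect) written out in full as IOS ZBF CLI. This is an added example, not config taken from the posts above; the class-map, policy-map and zone-pair names are my own, and adding ICMP to the self-to-WAN class (so the router's own pings and traceroutes still get answers) goes beyond the TCP/UDP rule Mark describes. Two points worth knowing: the self zone is predefined in IOS, so you reference it in a zone-pair rather than creating it with `zone security`, and traffic to or from the router's own addresses is permitted by default until a zone-pair with a policy exists for that direction, which is why Dialer0 answered pings before the WAN-to-self pair was added. Self-zone policies accept only a restricted set of protocols for `inspect` (tcp, udp, icmp, and h323), not application protocols such as http, which is why the self-to-WAN class matches tcp and udp. The WAN-to-self drop-all also blocks any inbound SSH, VPN or other service you later expose on Dialer0; add an explicit class for those above class-default if you need them.

```cisco
! --- Zones: the "self" zone is built in and is not declared here ---
zone security LAN
 description Inside network on Vlan1
zone security WAN
 description Internet on Dialer0
!
interface Vlan1
 zone-member security LAN
!
interface Dialer0
 zone-member security WAN
!
! --- LAN -> WAN: inspect the usual outbound protocols, drop the rest ---
class-map type inspect match-any CM-OUTBOUND
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect PM-LAN-TO-WAN
 class type inspect CM-OUTBOUND
  inspect
 class class-default
  drop
!
zone-pair security ZP-LAN-TO-WAN source LAN destination WAN
 service-policy type inspect PM-LAN-TO-WAN
!
! --- WAN -> self: drop everything aimed at the router itself ---
! Until this zone-pair exists, traffic to the router's own addresses is
! allowed by default. "drop log" records each hit; remove "log" if the
! syslog noise from Internet scanners becomes a problem.
policy-map type inspect PM-WAN-TO-SELF
 class class-default
  drop log
!
zone-pair security ZP-WAN-TO-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
!
! --- self -> WAN: sessions the router opens (DNS lookups, NTP, pings) ---
! Inspecting them creates state so the replies get past the WAN->self drop.
! Self-zone policies only take tcp/udp/icmp here, not application protocols.
! icmp is an addition of this example (assumed useful), not from the thread.
class-map type inspect match-any CM-SELF-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-SELF-TO-WAN
 class type inspect CM-SELF-OUT
  inspect
 class class-default
  drop
!
zone-pair security ZP-SELF-TO-WAN source self destination WAN
 service-policy type inspect PM-SELF-TO-WAN
!
! No LAN<->self zone-pairs are defined, so management from Vlan1 (SSH, CCP)
! keeps working by default; define them as well if that should be restricted.
```

After applying it, `show zone-pair security` should list the three pairs, and `show policy-map type inspect zone-pair ZP-WAN-TO-SELF` should show the class-default drop counters climbing while a ping to the Dialer0 address from outside times out. `show policy-map type inspect zone-pair ZP-SELF-TO-WAN sessions` shows the state entries that let the router's own DNS and NTP replies back in.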
