Problems with IOS zone based firewall

marvin-thomas
Level 1

I've recently set up a Cisco 871 to act as a firewall for my cable internet at home. My goal is to configure a zone-based firewall. I've got an access list on the internet-facing interface which allows bootp, echo, echo reply, and traceroute. Everything else is denied. I want to be able to initiate traffic on the trusted interface (Vlan1) and have the router dynamically allow the return traffic on the outside interface (FastEthernet4). The problem is that when I have the access list on the outside interface I can't access the internet. I expect to initiate HTTP traffic from the trusted interface and have the return traffic be allowed, but this isn't working. See the relevant config below:


class-map type inspect match-any WEB_TRAFFIC
 match protocol bittorrent
 match protocol edonkey
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol dns
!
!
policy-map type inspect WEB_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
!
zone security TRUSTED
zone security INTERNET
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect WEB_POLICY
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 100
 duplex full
 speed 10
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security INTERNET
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security TRUSTED
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0


Can anyone assist with what I'm doing wrong?

Accepted Solution

cadet alain
VIP Alumni

Hi,

When doing ZBF it's best to get rid of previous ACLs and replace with ZBF config.

Your ACL is denying the traffic you are inspecting, and as ACLs are parsed first, your ZBF config is of no use.

Regards.

Don't forget to rate helpful posts.


2 Replies


cadetalain is correct.

Your config looks correct. No need for an ACL applied on the interface facing the internet.

-KS
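As an added check for the point both replies make, here is a small Python linter that reads an IOS running-config and flags an inbound ACL on a zone-member interface, which is evaluated before the zone policy and so drops the return traffic that the inspect action would have allowed. It also flags a zone-pair without a service-policy and a zone that belongs to no zone-pair, and it warns when an interface getting its address by DHCP sits in a zone that has a self-zone policy (traffic to the router itself is only governed by a zone policy once a zone-pair with the self zone exists). This is an added example, not code from the thread or from Cisco. The sample config is constructed from the posted one; the ACL name OUTSIDE_IN and its entries are assumptions standing in for the ACL the poster describes.

```python
"""Lint a Cisco IOS running-config for zone-based firewall (ZBF) mistakes.

Added example for the thread above, not Cisco tooling and not the poster's
config verbatim. The ACL OUTSIDE_IN and its entries are assumptions.
"""
import re

# Constructed sample based on the posted config. In real running-config
# output child commands are indented by one space, which the parser relies on.
SAMPLE_CONFIG = """\
ip access-list extended OUTSIDE_IN
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny ip any any
!
class-map type inspect match-any WEB_TRAFFIC
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol dns
!
policy-map type inspect WEB_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
!
zone security TRUSTED
zone security INTERNET
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect WEB_POLICY
!
interface FastEthernet4
 ip address dhcp
 ip access-group OUTSIDE_IN in
 ip nat outside
 zone-member security INTERNET
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 zone-member security TRUSTED
!
"""

# The same config with the interface ACL removed, as both replies advise.
FIXED_CONFIG = SAMPLE_CONFIG.replace(" ip access-group OUTSIDE_IN in\n", "")


def parse_sections(config):
    """Group config lines into (top-level command, [indented children]) blocks."""
    sections = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None  # '!' or a blank line ends the current block
            continue
        if not line.startswith(" "):
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections


def lint_zbf(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    zones, paired_zones, self_paired = set(), set(), set()
    interfaces = []

    for header, body in parse_sections(config):
        if header.startswith("zone security "):
            zones.add(header.split()[2])
        elif header.startswith("zone-pair security "):
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", header)
            name, src, dst = m.groups()
            paired_zones.update((src, dst))
            if "self" in (src, dst):
                self_paired.add(dst if src == "self" else src)
            if not any(l.startswith("service-policy type inspect ") for l in body):
                findings.append(f"zone-pair {name}: no inspect service-policy, so {src}->{dst} traffic is dropped")
        elif header.startswith("interface "):
            interfaces.append((header.split(None, 1)[1], body))

    # Interfaces are checked after the whole config is read, so zone-pairs may
    # appear anywhere relative to the interface blocks.
    for name, body in interfaces:
        zone = next((l.split()[2] for l in body if l.startswith("zone-member security ")), None)
        if zone is None:
            continue
        if zone not in zones:
            findings.append(f"{name}: zone-member {zone} is not a defined zone")
        if zone not in paired_zones:
            findings.append(f"{name}: zone {zone} is in no zone-pair; traffic to other zones is dropped")
        for l in body:
            parts = l.split()
            if l.startswith("ip access-group ") and parts[3] == "in":
                findings.append(f"{name}: inbound ACL {parts[2]} on zone-member interface is evaluated "
                                f"before the zone policy; return traffic of inspected sessions is dropped")
        if zone in self_paired and "ip address dhcp" in body:
            findings.append(f"{name}: zone {zone} has a self-zone policy; verify it permits DHCP (bootp)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted, with ACL", SAMPLE_CONFIG), ("ACL removed", FIXED_CONFIG)):
        print(f"== {label}")
        for finding in lint_zbf(cfg) or ["no findings"]:
            print("  " + finding)
```

To use it on a live box, save `show running-config` to a file and call `lint_zbf(open("running.cfg").read())`; the parser needs the one-space indentation IOS prints, so paste the output unmodified.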
