I've recently set up a Cisco 871 to act as a firewall for my cable internet at home. My goal is to configure a zone-based firewall. I've got an access list on the internet-facing interface which allows bootp, echo, echo reply, and traceroute. Everything else is denied. I want to be able to initiate traffic on the trusted interface (Vlan1) and have the router dynamically allow the return traffic on the outside interface (FastEthernet4). The problem is that when I have the access list on the outside interface I can't access the internet. I expect to initiate HTTP traffic from the trusted interface and have the return traffic be allowed, but this isn't working. See the relevant config below:
class-map type inspect match-any WEB_TRAFFIC
 match protocol bittorrent
 match protocol edonkey
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol dns
!
!
policy-map type inspect WEB_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
!
zone security TRUSTED
zone security INTERNET
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect WEB_POLICY
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 100
 duplex full
 speed 10
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security INTERNET
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security TRUSTED
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
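The interaction the question describes, modelled as an added Python example (this is illustration code, not Cisco IOS code and not part of the original post): a stateless ACL applied inbound on the outside interface is evaluated on its own, while the zone-pair inspect policy keeps a session table that recognises return traffic of flows started from TRUSTED. The model mirrors the posted config (one TRUSTED-TO-INTERNET zone pair, a class-map that inspects tcp/icmp/dns, no INTERNET-to-TRUSTED pair) and lets you run an HTTP round trip with and without the outside ACL. The ordering it uses (interface ACL first, session lookup second), the ACL approximation, the 192.168.0.10 client and the 203.0.113.x servers are all assumptions constructed for the model.

```python
"""Toy model of a zone-based firewall with a stateless inbound interface ACL.
Added illustration only, not Cisco IOS code.  The check ordering (inbound ACL,
then session lookup, then zone-pair policy), the ACL approximation and all
addresses below are constructed assumptions of this model."""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    src_zone: str    # zone of the ingress interface
    dst_zone: str    # zone of the egress interface


# A session is remembered by its 5-tuple as seen from the initiating side.
Session = Tuple[str, str, int, str, int]


def session_key(p: Packet) -> Session:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> Session:
    # A reply has source and destination swapped relative to the initiator.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class ZoneFirewall:
    def __init__(self, inspected: Set[str], zone_pairs: Set[Tuple[str, str]],
                 inbound_acl: Optional[Callable[[Packet], bool]] = None):
        self.inspected = inspected            # protocols matched by the inspect class-map
        self.zone_pairs = zone_pairs          # (source, destination) pairs that have a policy
        self.inbound_acl = inbound_acl        # ACL applied inbound on the outside interface
        self.sessions: Set[Session] = set()   # state created by inspected flows

    def forward(self, p: Packet) -> str:
        # 1. Stateless interface ACL, checked first for traffic arriving from outside
        #    (model assumption); it knows nothing about the session table.
        if p.src_zone == "INTERNET" and self.inbound_acl and not self.inbound_acl(p):
            return "drop: inbound ACL"
        # 2. Return traffic of an inspected session is allowed back in.
        if reverse_key(p) in self.sessions:
            return "permit: return traffic of inspected session"
        # 3. A new flow needs a zone pair with a policy; none means default drop.
        if (p.src_zone, p.dst_zone) not in self.zone_pairs:
            return "drop: no zone-pair policy"
        if p.proto not in self.inspected:
            return "drop: class-default"
        self.sessions.add(session_key(p))
        return "permit: inspected, session created"


def outside_in_acl(p: Packet) -> bool:
    # Constructed approximation of the poster's outside ACL: bootp/DHCP client
    # replies and ICMP (echo, echo-reply, traceroute replies); everything else denied.
    if p.proto == "udp" and p.dport == 68:
        return True
    if p.proto == "icmp":
        return True
    return False


POLICY = {"tcp", "icmp", "dns"}          # protocols the WEB_TRAFFIC class-map inspects
PAIRS = {("TRUSTED", "INTERNET")}        # only TRUSTED-TO-INTERNET is configured


def http_round_trip(with_acl: bool) -> Tuple[str, str]:
    """Client on Vlan1 opens an HTTP connection; returns (request verdict, reply verdict)."""
    fw = ZoneFirewall(POLICY, PAIRS, outside_in_acl if with_acl else None)
    request = Packet("tcp", "192.168.0.10", 40000, "203.0.113.5", 80, "TRUSTED", "INTERNET")
    reply = Packet("tcp", "203.0.113.5", 80, "192.168.0.10", 40000, "INTERNET", "TRUSTED")
    return fw.forward(request), fw.forward(reply)


def unsolicited_inbound() -> str:
    """Connection attempt from the internet with no prior session and no outside ACL."""
    fw = ZoneFirewall(POLICY, PAIRS, None)
    probe = Packet("tcp", "203.0.113.9", 5555, "192.168.0.10", 22, "INTERNET", "TRUSTED")
    return fw.forward(probe)


if __name__ == "__main__":
    print("with outside ACL:   ", http_round_trip(True))
    print("without outside ACL:", http_round_trip(False))
    print("unsolicited inbound:", unsolicited_inbound())
```

Running it shows the symptom from the question in miniature: with the outside ACL in place the outbound request is inspected and a session is created, but the HTTP reply is dropped by the ACL before the session table is ever consulted; without the ACL the reply is accepted as return traffic, and an unsolicited inbound connection is still dropped because no INTERNET-to-TRUSTED zone pair exists.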