Problems with IOS zone based firewall

I've recently set up a Cisco 871 to act as a firewall for my cable internet at home. My goal is to configure a zone based firewall. I've got an access list on the internet facing interface which allows bootp, echo, echo reply, and traceroute. Everything else is denied. I want to be able to initiate traffic on the trusted interface (Vlan1) and have the router dynamically allow the return traffic on the outside interface (FastEthernet4). The problem is that when I have the access list on the outside interface I can't access the internet. I expect to initiate http traffic from the trusted interface and have the return traffic be allowed, but this isn't working. See the relevant config below:


class-map type inspect match-any WEB_TRAFFIC
 match protocol bittorrent
 match protocol edonkey
 match protocol http
 match protocol https
 match protocol icmp
 match protocol tcp
 match protocol dns
!
!
policy-map type inspect WEB_POLICY
 class type inspect WEB_TRAFFIC
  inspect
 class class-default
  drop
!
zone security TRUSTED
zone security INTERNET
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect WEB_POLICY
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 100
 duplex full
 speed 10
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 zone-member security INTERNET
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Internal Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security TRUSTED
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0

Can anyone assist with what I'm doing wrong?

Accepted Solution

Re: Problems with IOS zone based firewall

Hi,

When doing ZBF it's best to get rid of previous ACLs and replace with ZBF config.

Your ACL is denying the traffic you are inspecting, and as ACLs are parsed first, your ZBF config is of no use.

Regards.

Don't forget to rate helpful posts.
Cisco Employee

Re: Problems with IOS zone based firewall

cadetalain is correct.

Your config looks correct. No need for an ACL applied on the interface facing the internet.

-KS
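Added example (not from the original poster or either reply) showing the ordering problem both replies describe in config form: a constructed approximation of the inbound ACL the poster mentions, the one interface line that applies it, the fix of removing it so the zone-pair carries the policy, and the IOS show commands used to confirm that inspected sessions are being tracked. The ACL name OUTSIDE_IN and its exact entries are assumptions; the zone, zone-pair and policy names are taken from the poster's config.

```cisco
! --- Before (constructed): an inbound ACL like the one the poster describes ---
! The ACL name and exact entries are assumptions. Applied inbound on
! FastEthernet4, it is evaluated before the zone-pair policy, so the implicit
! deny at the end drops the return packets of sessions WEB_POLICY has
! already inspected, and browsing from Vlan1 fails.
ip access-list extended OUTSIDE_IN
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any port-unreachable
 deny   ip any any log
!
interface FastEthernet4
 ip access-group OUTSIDE_IN in
!
! --- After: drop the interface ACL and let the zone-pair carry the policy ---
! With no zone-pair from INTERNET to TRUSTED, unsolicited inbound traffic is
! dropped by ZBF, while return traffic for sessions inspected under
! TRUSTED-TO-INTERNET is allowed. Traffic to the router itself (the DHCP
! lease on the outside interface, pings to it) belongs to the self zone,
! which is permitted by default because no zone-pair involving self exists.
interface FastEthernet4
 no ip access-group OUTSIDE_IN in
!
! The poster's zone-pair is unchanged:
zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET
 service-policy type inspect WEB_POLICY
!
! --- Verification (privileged EXEC, not configuration mode) ---
! Confirm the binding, then open a web page from Vlan1 and check that the
! session appears in the inspect session table. While the ACL was still
! applied, the hit count on the logged deny entry would have been climbing
! instead.
! show zone-pair security
! show policy-map type inspect zone-pair TRUSTED-TO-INTERNET sessions
! show access-lists OUTSIDE_IN
```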
