Cisco Support Community

Zone based configuration


I'm testing a 2811 router with IOS 12.4(9)T2 (IOS Firewall enabled). As I'm interested in Cisco's new approach to firewalls, with the Zone Based design, I tried to use it to build my configuration.

My scenario is as follows:

- Router 2801

- Router 2811 with Cisco IOS (the one I'm configuring), with one HWIC-1ADSL (not working now) and one HWIC-4ESW.

- The 2811 is connected to the 2801 router with FastEthernet0/0, IP address

- Two separate offices connected to the HWIC-4ESW. In that module I've configured two VLANs, one for office1 on ports 0-1, and one for office2 on ports 2-3. Office1 is in the 10.100.0.x network, and office2 is in the 192.168.3.x network.

- See pic attached (networkmap.jpg).

My goals are:

- Permit all outbound traffic (from inside to internet)

- Permit only certain traffic from office2 to office1

- Permit only certain inbound traffic to office1

- Do not permit traffic from office1 to office2

- VPN with headquarters site. That site has 10.1.0.x network.

- Remote access from internet via http, ssh.

Information about networks, NATs and policies is attached in the following pic. With the attached configuration, outbound traffic works and inbound traffic works, but I have no remote access to the 2811, and no VPN.

With the configuration of the self-zone I want to achieve remote access, permitting only https and ssh traffic to the self zone, and permitting all traffic originating in the self zone (that's why I use class-default in the self zone). When I try remote access, "show policy-map type inspect zone-pair to-self-pmap" shows ssh and https traffic to the self zone, but it doesn't work (no https, no ssh to the management IP addresses).

With the VPN, I think the problem is in NAT. I need to avoid NATting the VPN packets; that's the reason for access-lists 101 and 102. The error log doesn't offer much help: it's at debug level, so I'm overloaded with information and can't see exactly where the problem is.

I have other problems, like no ping from inside office1 to the internet, or no mail sending (smtp) from office1. Is there any error in the class-maps, policies or zone-pairs? Other protocols work without problems; what's the difference with smtp or icmp?

Maybe my best option is to abandon the zone-based design and use old-fashioned access-lists with SDM, isn't it? It's very difficult to find info about zone-based...

Thank you very much,

Ignacio Siles
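As an added example (not the configuration attached to the post, and not Cisco's own sample), here is a zone-based firewall configuration built around the goals listed above. Zone, class-map, policy-map and zone-pair names, the Vlan1/Vlan2 SVI names, the file server 10.100.0.10 on TCP 445 and the /24 mask on the HQ network are all assumptions; the network addresses and FastEthernet0/0 come from the post.

```cisco
! Zones: one per trust domain. Traffic between two zones is dropped unless a
! zone-pair with a policy exists, so office1 -> office2 simply gets no zone-pair.
zone security outside
zone security office1
zone security office2
!
! Interface names are assumptions (VLAN SVIs of the HWIC-4ESW).
interface FastEthernet0/0
 zone-member security outside
 ip nat outside
interface Vlan1
 zone-member security office1
 ip nat inside
interface Vlan2
 zone-member security office2
 ip nat inside
!
! Outbound: generic Layer-4 inspection. "match protocol icmp" is what lets
! ping replies back in; generic TCP inspection carries SMTP without the
! application-layer checks a "match protocol smtp" class would apply.
class-map type inspect match-any OUTBOUND-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect OUTBOUND-PMAP
 class type inspect OUTBOUND-CMAP
  inspect
 class class-default
  drop
zone-pair security OFFICE1-OUT source office1 destination outside
 service-policy type inspect OUTBOUND-PMAP
zone-pair security OFFICE2-OUT source office2 destination outside
 service-policy type inspect OUTBOUND-PMAP
!
! office2 -> office1: only what the ACL permits (10.100.0.10:445 is an
! assumed file server). Return traffic is allowed by the stateful inspect.
ip access-list extended OFFICE2-TO-OFFICE1
 permit tcp 192.168.3.0 0.0.0.255 host 10.100.0.10 eq 445
class-map type inspect match-all OFFICE2-TO-OFFICE1-CMAP
 match access-group name OFFICE2-TO-OFFICE1
policy-map type inspect OFFICE2-TO-OFFICE1-PMAP
 class type inspect OFFICE2-TO-OFFICE1-CMAP
  inspect
 class class-default
  drop
zone-pair security OFFICE2-OFFICE1 source office2 destination office1
 service-policy type inspect OFFICE2-TO-OFFICE1-PMAP
!
! Traffic to the router itself (self zone). Once an outside -> self
! zone-pair exists, anything its policy does not allow is dropped, which
! includes the VPN's own IKE (UDP 500), NAT-T (UDP 4500) and ESP packets.
! Tighten the "any" sources to the admin hosts and the HQ peer in practice.
ip access-list extended VPN-TO-SELF
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
ip access-list extended MGMT-TO-SELF
 permit tcp any any eq 22
 permit tcp any any eq 443
class-map type inspect match-all VPN-TO-SELF-CMAP
 match access-group name VPN-TO-SELF
class-map type inspect match-all MGMT-TO-SELF-CMAP
 match protocol tcp
 match access-group name MGMT-TO-SELF
policy-map type inspect TO-SELF-PMAP
 class type inspect VPN-TO-SELF-CMAP
  pass
 class type inspect MGMT-TO-SELF-CMAP
  inspect
 class class-default
  drop
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect TO-SELF-PMAP
!
! The services themselves must be enabled, or the policy-map hit counters
! rise while the connection still fails.
ip http secure-server
ip http authentication local
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
!
! NAT exemption for the site-to-site VPN: the deny entry keeps office1 ->
! HQ (10.1.0.0/24 assumed) out of the translation so the crypto ACL sees
! the real addresses.
ip access-list extended NAT-ACL
 deny   ip 10.100.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.100.0.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
route-map NO-NAT-VPN permit 10
 match ip address NAT-ACL
ip nat inside source route-map NO-NAT-VPN interface FastEthernet0/0 overload
```

Two design points worth checking against a real box. ESP is not a protocol the inspect engine tracks, so the VPN class uses `pass`, which is stateless: the router's own IKE and ESP replies leave through self -> outside, and that direction is permitted by default only while no self -> outside zone-pair exists; if one is configured, its policy must also let those packets out. Second, `show zone-pair security` and `show policy-map type inspect zone-pair OUT-SELF` tell you whether packets reached a class and what action it took, but a counter on the ssh or https class only proves the firewall let the packet through; a failing session after that points at the service (`ip http secure-server`, `ip ssh`, the vty `transport input`) rather than at the zone policy.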


Re: Zone based configuration

SMTP, or Simple Mail Transfer Protocol, is used for mail communication.

ICMP (Internet Control Message Protocol) is used to report back to the original source the errors encountered while routing packets, and to exercise control on the traffic. This document discusses ICMP redirects and when redirects happen in a network.
