ISR 4K zone based firewall issues

Greg Dent — Tue, 12 Mar 2019 09:44:09 GMT

Hi all. It's been a while since I had to build a Cisco router for pure internet, but here I am. And along with most of the platform, they've changed the firewall on the ISR4K's to a zone-based one.

I have done a lot of reading, and it looks to be very straightforward, however, we're trying to configure a zone-based firewall for bog standard internet use, along with a very basic access-list to prevent intrusion.

We're using a brand new ISR 4321, and so far, with the firewall applied to both inside and outside interfaces (physical and virtual), we get at best, intermittent internet access. It works for a few minutes, then stops working. Then the client reconnects to the network and it works again, then stops after a few minutes. Repeat ad nauseum.

I cant figure out why. It's definitely something the firewall is doing, since when I remove the zones, it works fine.

Has anyone run into similar issues with ther ISR4K zone-based firewall? I'm hoping its something I'm doing wrong with the config.

Here is my config:

access-list 160 remark STD_ACL
access-list 160 permit tcp any any eq www
access-list 160 permit tcp any any eq 443
access-list 160 permit udp any any eq domain
access-list 160 permit tcp any any established
access-list 160 permit tcp any any eq ftp-data
access-list 160 permit tcp any any eq ftp
access-list 160 permit udp host 208.67.222.222 any
access-list 160 permit udp host 208.67.220.220 any
access-list 160 deny   ip any any log
!
class-map type inspect match-any FIREWALL
match protocol tcp
match protocol udp
match protocol ftp
match protocol h323
match protocol icmp
match protocol netshow
match protocol realmedia
match protocol rtsp
match protocol sip
match protocol skinny
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
!
Policy-map type inspect INTERNET
class type inspect FIREWALL
inspect
class class-default
!
zone security inside
 description LAN
zone security outside
 description WAN
zone-pair security INSPECT source inside destination outside
 service-policy type inspect INTERNET
!
int g0/0/0
description WAN
zone-member security outside
ip access-group 160 in
exit
!
int g0/0/1
description LAN-TRUNK
zone-member security inside
exit
!
int g0/0/1.3
description GUEST-VLAN
zone-member security inside
exit

thanks 🙂

We have not long configured a

GRANT3779 — Tue, 25 Jul 2017 13:46:32 GMT

We have not long configured a 4321 with similar setup.

Only main difference I see is we have only the following protocols being matched, some of which may not be relevant to you.

class-map type inspect match-any ALLOWED-PROTOCOLS
match protocol icmp
match protocol http
match protocol https
match protocol dns
match access-group name SCANSAFE
match protocol ftp
match protocol ssh

I ended up taking the

Greg Dent — Thu, 03 Aug 2017 15:22:10 GMT

I ended up taking the firewall off - issues were too intermittent and made no sense. Its working fine now though!

topic I ended up taking the in Network Security

ISR 4K zone based firewall issues

We have not long configured a

I ended up taking the