https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528123#M615694 <HTML><HEAD></HEAD><BODY><P><A class="jiveTT-hover-user jive-username-link" href="https://community.cisco.com/people/cadetalain" id="jive-7121041,538,446,665,988,816">cadetalain</A> is correct.</P><P>Your config looks correct.&nbsp; No need for ACL applied on the interface facing the internet.</P><P></P><P>-KS</P></BODY></HTML> Sun, 28 Nov 2010 15:01:52 GMT Kureli Sankar 2010-11-28T15:01:52Z https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528121#M615691 <P>I've recently setup a cisco 871 to act as a firewall for my cable internet at home.&nbsp; My goal is to configure a zone based firewall.&nbsp; I've got an access list on the internet facing interface which allows bootp, echo, echo reply, and traceroute.&nbsp; Everything else is denied.&nbsp; I want to be able to initiate traffic on the trusted interface(vlan1)&nbsp; and have the router dynamically allow the return traffic on the outside interface(fastethernet 4).&nbsp; The problem is that when I have the access list on the outside interface I can't access the internet.&nbsp; I expect to initiate http traffic from the trusted interface and have the return traffic be allowed but this isn't working.&nbsp; See the relevant config below:</P><P></P><P></P><P><BR />class-map type inspect match-any WEB_TRAFFIC<BR /> match protocol bittorrent<BR /> match protocol edonkey<BR /> match protocol http<BR /> match protocol https<BR /> match protocol icmp<BR /> match protocol tcp<BR /> match protocol dns<BR />!<BR />!<BR />policy-map type inspect WEB_POLICY<BR /> class type inspect WEB_TRAFFIC<BR />&nbsp; inspect <BR /> class class-default<BR />&nbsp; drop<BR />!<BR />zone security TRUSTED<BR />zone security INTERNET<BR />zone-pair security TRUSTED-TO-INTERNET source TRUSTED destination INTERNET<BR /> service-policy type inspect WEB_POLICY<BR />!<BR />!<BR />!<BR />interface FastEthernet0<BR />!<BR />interface FastEthernet1<BR /> switchport access vlan 100<BR /> duplex full<BR /> speed 10<BR />!<BR />interface FastEthernet2<BR />!<BR />interface FastEthernet3<BR />!<BR />interface FastEthernet4<BR /> ip address dhcp<BR /> ip nat outside<BR /> ip virtual-reassembly<BR /> zone-member security INTERNET<BR /> ip tcp adjust-mss 1460<BR /> duplex auto<BR /> speed auto<BR /> no cdp enable<BR />!<BR />interface Vlan1<BR /> description Internal Network<BR /> ip address 192.168.0.1 255.255.255.0<BR /> ip nat inside<BR /> ip virtual-reassembly<BR /> zone-member security TRUSTED<BR />!<BR />interface Vlan100<BR /> ip address 192.168.100.1 255.255.255.0</P><P></P><P><BR />Can anyone assist with what I'm doing wrong.</P> Mon, 11 Mar 2019 19:15:27 GMT https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528121#M615691 marvin-thomas 2019-03-11T19:15:27Z https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528122#M615692 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>When doing ZBF it's best to get rid of previous ACLs and replace with ZBF config.</P><P>Your ACL is denying the traffic you are inspecting and as ACLs are parsed first then your ZBF config is of no use.</P><P></P><P>Regards.</P></BODY></HTML> Sun, 28 Nov 2010 10:10:10 GMT https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528122#M615692 cadet alain 2010-11-28T10:10:10Z https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528123#M615694 <HTML><HEAD></HEAD><BODY><P><A class="jiveTT-hover-user jive-username-link" href="https://community.cisco.com/people/cadetalain" id="jive-7121041,538,446,665,988,816">cadetalain</A> is correct.</P><P>Your config looks correct.&nbsp; No need for ACL applied on the interface facing the internet.</P><P></P><P>-KS</P></BODY></HTML> Sun, 28 Nov 2010 15:01:52 GMT https://community.cisco.com/t5/network-security/problems-with-ios-zone-based-firewall/m-p/1528123#M615694 Kureli Sankar 2010-11-28T15:01:52Z