03-22-2026 10:32 AM
G'day all
Cisco C1117-4PWE
Cisco C1117-4PWE Built-In NIM controller
VADSL_A - Multi-mode xDSL with VDSL and ADSL1/2/2+ Annex A over POTS
Wireless LAN Module
Cisco IOS XE Software, Version 17.09.08
I had some spare cash, so purchased a second hand C117 off that well known auction site
this was to replace the 897, 15.9(3)M9, which hasn't missed a beat but does struggle on VPNs.
I've set the C117 up, using ZBFW, and it is my default gateway on to t'internet but...
Using the C117 some websites refuse to load (DuckDuck, BBC).
The browsers FF and LW show a handshake in progress, and then time out - Edge also just times out...
Dr Google says this is a browser issue, but this is on multiple instances (VMs, laptop etc.)
but it can't be a browser issue as it works perfectly on the 897.
For the ZBFW I more or less copied the default ports from the 897.
DNS works so it's not that... he says.
I've opened it up for testing using TCP etc, but still get the same issue.
Could the ZBFW be struggling with TLS >= 1.2? I can't seem to find an answer?! That is the only thing I can think of.
Thoughts?
Many thanks
Mark
class-map type inspect match-any CLASS-ALLOWED-LANS
 match access-group name GLOBAL-ACL-NAT-TO-INTERNET
class-map type inspect match-any CLASS-UDP
 match protocol udp
class-map type inspect match-any CLASS-TCP
 match protocol tcp
class-map type inspect match-any CLASS-DNS
 match protocol dns
class-map type inspect match-any CLASS-ICMP
 match protocol icmp
class-map type inspect match-any CLASS-SMTP
 match protocol smtp
class-map type inspect match-any CLASS-HTTP
 match protocol http
 match protocol https
class-map type inspect match-any CLASS-INTERNET-TO-INSIDE
 match access-group name ACL-INTERNET-TO-INSIDE
class-map type inspect match-any CLASS-INSIDE-TO-INTERNET
 match access-group name CLASS-ALLOWED-LANS
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 description Everything TOWARDS THE INTERNET
 class type inspect CLASS-INSIDE-TO-INTERNET
  pass
 class type inspect CLASS-TCP
  inspect
 class type inspect CLASS-UDP
  inspect
 class type inspect CLASS-ICMP
  inspect
 class class-default
  drop log
zone security INTERNET
 description External Interface
zone security INSIDE
 description Internal Interface
zone security default
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
03-22-2026 02:33 PM
@HumptyD-UK why have CLASS-INSIDE-TO-INTERNET with pass and not inspect? "Pass only allows the traffic in one direction. A parallel policy must be applied to allow return traffic to pass in the opposite direction" https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
Without seeing the ACL I assume all traffic matches that class? You could remove that class as you'd expect traffic to match the other classes TCP, UDP and ICMP.
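An added check, not code from either poster, that parses a constructed excerpt of the posted ZBFW configuration and flags what the reply points out: a class with the pass action on a zone-pair that has no parallel policy in the reverse direction. The reverse-policy test is a simplification (an assumption), and FIXED shows the same policy with inspect in place of pass.

```python
import re
# Constructed excerpt of the ZBFW configuration posted above (class-map bodies trimmed).
POSTED = """\
class-map type inspect match-any CLASS-INSIDE-TO-INTERNET
 match access-group name CLASS-ALLOWED-LANS
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect CLASS-INSIDE-TO-INTERNET
  pass
 class type inspect CLASS-TCP
  inspect
 class class-default
  drop log
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
"""
# Same policy with pass changed to inspect: the firewall then tracks the session and
# admits the return packets itself, so no parallel reverse policy is needed.
FIXED = POSTED.replace("\n  pass\n", "\n  inspect\n")
ZONE_PAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)")

def parse(config):
    """Return ({policy: [[class, action], ...]} in match order, {zone_pair: (src, dst, policy)})."""
    policies, pairs, policy, pair = {}, {}, None, None
    for line in (ln.strip() for ln in config.splitlines() if ln.strip()):
        if line.startswith("policy-map type inspect "):
            policy, pair = line.split()[-1], None
            policies[policy] = []
        elif line.startswith("zone-pair security "):
            m = ZONE_PAIR.match(line)
            pair, policy = m.group(1), None
            pairs[pair] = [m.group(2), m.group(3), None]
        elif line.startswith("service-policy type inspect ") and pair:
            pairs[pair][2] = line.split()[-1]
        elif line.startswith("class ") and policy:  # "class-map ..." does not match "class "
            policies[policy].append([line.split()[-1], None])
        elif policy and policies[policy] and line.split()[0] in ("pass", "inspect", "drop"):
            policies[policy][-1][1] = line.split()[0]  # action of the most recent class
        elif line.startswith("class-map "):
            policy = pair = None  # back at global configuration level
    return policies, {k: tuple(v) for k, v in pairs.items()}

def pass_without_return_policy(config):
    """Flag pass classes on zone-pairs with no reverse zone-pair whose policy also passes
    (assumption: such a reverse policy is the 'parallel policy' the design guide calls for)."""
    policies, pairs = parse(config)
    findings = []
    for name, (src, dst, pol) in pairs.items():
        has_parallel = any(s == dst and d == src and any(a == "pass" for _, a in policies.get(p, []))
                           for s, d, p in pairs.values())
        findings += [(name, pol, k) for k, a in policies.get(pol, []) if a == "pass" and not has_parallel]
    return findings
```

Running pass_without_return_policy(POSTED) reports CLASS-INSIDE-TO-INTERNET on ZP-INSIDE-TO-OUTSIDE; the same check on FIXED reports nothing.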