Firewall on ISR 4300 Router

Mike Buyarski
Level 3

We are replacing a couple of 2901s with 4331 routers since we need the increased performance that the 4300 offers. But I ran into a snag: on the 2901 I have IP inspect commands allowing those protocols back in when they originate from the inside network.

The ISR 4300 software (IOS-XE) does not have the IP inspect command specifically like I have on the 2901 anymore. I can still add the ACL properly, but I'm not sure about the inspect commands or what they switched it to. I included the base setup for the 2901 firewall that is in place and running currently.

2 Replies

Jon Marshall
Hall of Fame

Mike

It looks like on the 2900 you were using CBAC as the firewall.

I did a quick check in Feature Navigator and for your platform it looks like CBAC is not supported, so you would need to convert to Zone-Based Firewall (ZBFW).

I say "looks like" because Feature Navigator is not always accurate, but I also couldn't find any configuration guides covering CBAC, so it does suggest it isn't supported. I haven't used those routers myself, though.

See this link for configuration details:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-zone-pol-fw.html

I have never used ZBFW, but if you are struggling to convert, I'm sure there are people on here who can help out.

Jon

I read it over and attached is what I came up with. First, does that seem correct? Also, what about the ACL? I still need it for the NAT translations, but will it give me issues with the deny any any at the bottom, or does the ZBFW act like the CBAC?
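The conversion Jon describes, and the ACL/NAT question in the follow-up, shown side by side as an added example (this is not the poster's attached config, which is not reproduced on the page, and not Cisco's own sample). The interface names, the protocol list, the inside subnet and the ACL and zone names are assumptions chosen for illustration; the CBAC half is the kind of "ip inspect" setup a 2901 would carry, the ZBFW half is its IOS-XE equivalent for a 4331:

```cisco
! --- CBAC style, classic IOS (e.g. 2901) --- (assumed, not the poster's config)
! The inspect rule watches sessions leaving the outside interface and
! dynamically opens the inbound ACL for their return traffic.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
ip access-list extended OUTSIDE-IN
 deny   ip any any
!
interface GigabitEthernet0/0
 description Outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside
 ip nat inside

! --- ZBFW equivalent, IOS-XE (e.g. ISR 4331) --- (assumed names)
! Zones replace the per-interface "ip inspect" statement.
zone security INSIDE
zone security OUTSIDE
!
! What to inspect: the same protocol list the CBAC rule carried.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CM
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "inspect" is stateful: replies to these sessions are let back in
! by the session table, not by an ACL entry.
policy-map type inspect INSIDE-TO-OUTSIDE-PM
 class type inspect INSIDE-TO-OUTSIDE-CM
  inspect
 class class-default
  drop log
!
! Only the inside->outside pair gets a policy. With no outside->inside
! zone pair, unsolicited inbound traffic is dropped by default, so no
! "deny ip any any" ACL is needed for that job.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PM
!
! NAT match list: referenced by "ip nat inside source", never applied to
! an interface, so its implicit deny plays no part in the firewall decision.
ip access-list extended NAT-INSIDE
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0/0 overload
!
interface GigabitEthernet0/0/0
 description Outside
 zone-member security OUTSIDE
 ip nat outside
!
interface GigabitEthernet0/0/1
 description Inside
 zone-member security INSIDE
 ip nat inside
```

Two caveats worth checking after the cut-over. First, ZBFW does not behave like CBAC with respect to interface ACLs: it does not punch holes in them. An "ip access-group ... in" on the outside interface ending in deny any any is evaluated before the zone-pair policy ever sees the packet, so it would drop the return traffic that "inspect" would otherwise allow. Either leave that inbound ACL off (the missing outside->inside zone pair already provides the default deny) or permit in it whatever the inspect policy needs. Second, traffic to and from the router itself (the built-in "self" zone) is still permitted by default until you define a zone pair against "self". Verify sessions with "show policy-map type inspect zone-pair sessions" and the zone layout with "show zone-pair security".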
