ISR 1100, simple ZBF configuration need review

Mowr
Level 1

Greetings,

First time doing a ZBF configuration for a brand new C1111x. After reading posts here and on Cisco docs, with the simple target of granting users an internet connection and blocking connections from outside to the router, I did the following:

internet -->>   [C1111x-8P] ---- [192.168.1.0/30] --- [9200L]    <<-- End users,     static routes.

C1111x-8P has IP HTTP Server disabled, but has telnet/SSH; no VPN for the time being.

Internet connection made via PPPoE Dialer1.

***********

Interface Vlan500, IP 192.168.1.1/30; 9200L routed uplink interface 192.168.1.2/30

***********

class-map type inspect match-all INSIDE_OUTSIDE
   match access-group name INSIDE_OUTSIDE

class-map type inspect match-all OUTSIDE_INSIDE
   match access-group name OUTSIDE_INSIDE

class-map type inspect match-all OUTSIDE_SELF
   match access-group name OUTSIDE_SELF

class-map type inspect match-all SELF_OUTSIDE
   match access-group name SELF_OUTSIDE

class-map type inspect match-all INSIDE_SELF
   match access-group name INSIDE_SELF

class-map type inspect match-all SELF_INSIDE
   match access-group name SELF_INSIDE

!

policy-map type inspect INSIDE_SELF
   class type inspect INSIDE_SELF
   inspect
policy-map type inspect SELF_INSIDE
   ! class-map of the same name as the policy-map
   class type inspect SELF_INSIDE
   inspect
   class class-default

policy-map type inspect OUTSIDE_SELF
   class type inspect OUTSIDE_SELF
   drop
   class class-default
policy-map type inspect SELF_OUTSIDE
   class type inspect SELF_OUTSIDE
   inspect
   class class-default
policy-map type inspect INSIDE_OUTSIDE
   class type inspect INSIDE_OUTSIDE
   inspect
   class class-default
policy-map type inspect OUTSIDE_INSIDE
   class type inspect OUTSIDE_INSIDE
   inspect
   class class-default

zone-pair security INSIDE_OUTSIDE source INSIDE destination OUTSIDE
   service-policy type inspect INSIDE_OUTSIDE
zone-pair security INSIDE_SELF source INSIDE destination self
   service-policy type inspect INSIDE_SELF
zone-pair security OUTSIDE_INSIDE source OUTSIDE destination INSIDE
   service-policy type inspect OUTSIDE_INSIDE
zone-pair security OUTSIDE_SELF source OUTSIDE destination self
   service-policy type inspect OUTSIDE_SELF
zone-pair security SELF_INSIDE source self destination INSIDE
   service-policy type inspect SELF_INSIDE
zone-pair security SELF_OUTSIDE source self destination OUTSIDE
   service-policy type inspect SELF_OUTSIDE

ip access-list extended INSIDE_OUTSIDE
   permit ip any any
ip access-list extended INSIDE_SELF
   permit ip any any
ip access-list extended OUTSIDE_INSIDE
   deny ip 0.0.0.0 0.255.255.255 any
   deny ip 10.0.0.0 0.255.255.255 any
   deny ip 100.64.0.0 0.63.255.255 any
   deny ip 127.0.0.0 0.255.255.255 any
   deny ip 169.254.0.0 0.0.255.255 any
   deny ip 172.16.0.0 0.15.255.255 any
   deny ip 192.0.0.0 0.0.0.255 any
   deny ip 192.0.2.0 0.0.0.255 any
   deny ip 192.168.0.0 0.0.255.255 any
   deny ip 198.18.0.0 0.1.255.255 any
   deny ip 198.51.100.0 0.0.0.255 any
   deny ip 203.0.113.0 0.0.0.255 any
   deny ip 224.0.0.0 31.255.255.255 any
ip access-list extended OUTSIDE_SELF
   deny ip any any
ip access-list extended SELF_INSIDE
   permit ip any any
ip access-list extended SELF_OUTSIDE
   permit ip any any

interface Vlan500
ip address 192.168.1.1 255.255.255.252
ip nat inside
zone-member security INSIDE

interface Dialer1
ip address negotiated
ip nat outside
ip verify unicast source reachable-via rx 100
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp pap sent-username myuser password 7 mypassword
ppp ipcp dns request
Thank you in advance for your time reviewing this configuration.

1 Reply

Mowr
Level 1

I have changed it to the following:

class-map type inspect match-any CLASS
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect WAN-TO-SELF-POLICY
class class-default
drop
policy-map type inspect LAN-TO-SELF-POLICY
class class-default
pass
policy-map type inspect LAN-TO-WAN-POLICY
class type inspect CLASS
inspect
class class-default
drop
policy-map type inspect SELF-TO-LAN-POLICY
class class-default
pass
policy-map type inspect SELF-TO-WAN-POLICY
class type inspect CLASS
inspect
class class-default
drop
policy-map type inspect WAN-TO-LAN-POLICY
class type inspect CLASS
inspect
class class-default
drop
!
zone security WAN
description internet
zone security LAN
description default lan

zone-pair security LAN_SELF source LAN destination self
service-policy type inspect LAN-TO-SELF-POLICY
zone-pair security LAN_WAN source LAN destination WAN
service-policy type inspect LAN-TO-WAN-POLICY
zone-pair security SELF_LAN source self destination LAN
service-policy type inspect SELF-TO-LAN-POLICY
zone-pair security SELF_WAN source self destination WAN
service-policy type inspect SELF-TO-WAN-POLICY
zone-pair security WAN_LAN source WAN destination LAN
service-policy type inspect WAN-TO-LAN-POLICY
zone-pair security WAN_SELF source WAN destination self
service-policy type inspect WAN-TO-SELF-POLICY

Does it make any sense? It's a small SMB (<20), internet only for now, no VPN, no services.
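Both configurations in this thread hang together only by name: every zone-pair points at a policy-map, and every zone named in a zone-pair has to be declared and have a member interface, or traffic does not go where the author expects. As an added example (not the poster's configuration and not a Cisco tool), the Python below parses IOS-style config text and reports references that do not resolve; the sample input is constructed, and the checker only verifies that names line up, not whether inspect, pass or drop is the right action for a given pair.

```python
import re

# Constructed sample (not the poster's config), shaped like the first post, carrying a deliberate zone-pair / policy-map naming slip.
SAMPLE = """
policy-map type inspect SELF_INSIDE
 class class-default
  pass
zone security INSIDE
zone-pair security INSIDE_SELF source INSIDE destination self
 service-policy type inspect INSIDE_SELF
zone-pair security OUTSIDE_SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE_SELF
interface Vlan500
 zone-member security INSIDE
"""
def parse(cfg):
    # policy-map names, zone-pairs -> [src, dst, policy], declared zones, zones with members
    d = {"policy": set(), "pair": {}, "zone": set(), "member": set()}
    cur = None  # name of the zone-pair whose block the current line belongs to
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"policy-map type inspect (\S+)", s):
            cur = None; d["policy"].add(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", s):
            cur = m[1]; d["pair"][m[1]] = [m[2], m[3], None]
        elif m := re.match(r"zone security (\S+)", s):
            cur = None; d["zone"].add(m[1])
        elif m := re.match(r"zone-member security (\S+)", s):
            d["member"].add(m[1])
        elif cur and (m := re.match(r"service-policy type inspect (\S+)", s)):
            d["pair"][cur][2] = m[1]
    return d

def check(cfg):
    # Review findings as strings; an empty list means every reference resolves.
    d, out = parse(cfg), []
    attached = {p[2] for p in d["pair"].values()}
    for name in sorted(d["policy"] - attached):
        out.append(f"policy-map {name}: not attached to any zone-pair")
    for name, (src, dst, pol) in d["pair"].items():
        if pol is None:
            out.append(f"zone-pair {name}: no service-policy attached")
        elif pol not in d["policy"]:
            out.append(f"zone-pair {name}: service-policy {pol} is not a defined policy-map")
        for z in (src, dst):
            if z != "self" and z not in d["zone"]:
                out.append(f"zone-pair {name}: zone {z} is not defined")
            elif z != "self" and z not in d["member"]:
                out.append(f"zone-pair {name}: zone {z} has no member interface")
    return out
```

Feed it the output of `show running-config` on the router; the `self` zone is implicit and is skipped on purpose.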
