ISR 4K zone based firewall issues

Greg Dent
Level 1

Hi all. It's been a while since I had to build a Cisco router for pure internet, but here I am. And along with most of the platform, they've changed the firewall on the ISR4Ks to a zone-based one.

I have done a lot of reading, and it looks to be very straightforward. However, we're trying to configure a zone-based firewall for bog standard internet use, along with a very basic access-list to prevent intrusion.

We're using a brand new ISR 4321, and so far, with the firewall applied to both inside and outside interfaces (physical and virtual), we get, at best, intermittent internet access. It works for a few minutes, then stops working. Then the client reconnects to the network and it works again, then stops after a few minutes. Repeat ad nauseam.

I can't figure out why. It's definitely something the firewall is doing, since when I remove the zones, it works fine.

Has anyone run into similar issues with the ISR4K zone-based firewall? I'm hoping it's something I'm doing wrong with the config.

Here is my config:

access-list 160 remark STD_ACL
access-list 160 permit tcp any any eq www
access-list 160 permit tcp any any eq 443
access-list 160 permit udp any any eq domain
access-list 160 permit tcp any any established
access-list 160 permit tcp any any eq ftp-data
access-list 160 permit tcp any any eq ftp
access-list 160 permit udp host 208.67.222.222 any
access-list 160 permit udp host 208.67.220.220 any
access-list 160 deny   ip any any log
!
class-map type inspect match-any FIREWALL
 match protocol tcp
 match protocol udp
 match protocol ftp
 match protocol h323
 match protocol icmp
 match protocol netshow
 match protocol realmedia
 match protocol rtsp
 match protocol sip
 match protocol skinny
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
!
policy-map type inspect INTERNET
 class type inspect FIREWALL
  inspect
 class class-default
!
zone security inside
 description LAN
zone security outside
 description WAN
zone-pair security INSPECT source inside destination outside
 service-policy type inspect INTERNET
!
int g0/0/0
 description WAN
 zone-member security outside
 ip access-group 160 in
 exit
!
int g0/0/1
 description LAN-TRUNK
 zone-member security inside
 exit
!
int g0/0/1.3
 description GUEST-VLAN
 zone-member security inside
 exit

thanks :)
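As an added example (not from either poster), here is a small Python check that parses ACL 160 from the post above, the ACL applied inbound on the zone "outside" interface, and asks what it does to the reply packets of sessions the inspect policy would open. It encodes the IOS ordering in which an inbound interface ACL is evaluated before zone-based inspection, so a reply the firewall would pass can still be dropped by the ACL; the reply packets and their TEST-NET addresses are constructed.

```python
import re
# Constructed copy of ACL 160 from the post above, as applied inbound on g0/0/0 (zone 'outside').
CONFIG = """
access-list 160 permit tcp any any eq www
access-list 160 permit tcp any any eq 443
access-list 160 permit udp any any eq domain
access-list 160 permit tcp any any established
access-list 160 permit udp host 208.67.222.222 any
access-list 160 permit udp host 208.67.220.220 any
access-list 160 deny   ip any any log
"""
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20}

def parse_acl(config, number):  # ordered ACE dicts for one numbered ACL (remark lines skipped)
    aces = []
    for action, proto, rest in re.findall(
            rf"^access-list {number} (permit|deny)\s+(\S+)\s+(.*)$", config, re.M):
        toks = rest.split()
        def addr():  # 'any' or 'host A.B.C.D'; wildcard-mask networks are not used in this ACL
            tok = toks.pop(0)
            assert tok in ("any", "host"), f"unsupported address form: {tok}"
            return toks.pop(0) if tok == "host" else tok
        def port():  # optional 'eq <name|number>' following an address
            if toks[:1] != ["eq"]:
                return None
            _, p = toks.pop(0), toks.pop(0)
            return int(p) if p.isdigit() else PORT_NAMES[p]
        src, sport, dst, dport = addr(), port(), addr(), port()
        aces.append(dict(action=action, proto=proto, src=src, sport=sport, dst=dst,
                         dport=dport, established="established" in toks))
    return aces

def ace_matches(ace, flow):  # flow: proto, src, optional sport/dport/established (dst is 'any' here)
    return (ace["proto"] in ("ip", flow["proto"]) and ace["src"] in ("any", flow["src"])
            and ace["sport"] in (None, flow.get("sport")) and ace["dport"] in (None, flow.get("dport"))
            and (not ace["established"] or flow.get("established", False)))

def acl_verdict(aces, flow):  # first matching ACE wins; IOS ends every ACL with an implicit deny
    return next((a["action"] for a in aces if ace_matches(a, flow)), "deny")

# Constructed reply packets (TEST-NET addresses, ephemeral client ports) for sessions the
# inspect policy would open from the inside zone, as they arrive inbound on the WAN interface.
RETURN_FLOWS = {
    "HTTPS reply": dict(proto="tcp", src="198.51.100.10", sport=443, dport=51000, established=True),
    "DNS reply from OpenDNS": dict(proto="udp", src="208.67.222.222", sport=53, dport=51001),
    "DNS reply from another resolver": dict(proto="udp", src="192.0.2.53", sport=53, dport=51002),
    "ICMP echo-reply": dict(proto="icmp", src="198.51.100.10"),
}

def return_verdicts(config=CONFIG, acl="160"):  # what the inbound WAN ACL does to each reply
    aces = parse_acl(config, acl)
    return {name: acl_verdict(aces, f) for name, f in RETURN_FLOWS.items()}
```

The ACL admits TCP replies through the `established` entry and DNS replies only from the two listed resolvers; a DNS reply from any other server, or an ICMP echo-reply, never reaches the inspect policy.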

2 Replies

GRANT3779
Spotlight

We have not long configured a 4321 with similar setup.

The only main difference I see is that we have only the following protocols being matched, some of which may not be relevant to you.

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol icmp
 match protocol http
 match protocol https
 match protocol dns
 match access-group name SCANSAFE
 match protocol ftp
 match protocol ssh

I ended up taking the firewall off - issues were too intermittent and made no sense. It's working fine now though!
