Need Help With Cisco 4331 Zone-Based Firewall To Secure Local Network

Yair
Level 1

Hello,

So I got a Cisco 4331 free of charge.

I configured it for internet access from my LAN,

but I'm facing difficulty with ZBF: I cannot find a way to secure my LAN from outside.

If I run a port scan with nmap on my WAN IP, all ports show up as closed and not hidden.

Also, if I run port scans on GRC ShieldsUP, all known ports show up as closed but not hidden.

(Uploaded a screenshot from the last scan on GRC ShieldsUP.)

Also, I can ping my router from the WAN, and port 53 is also open.

Here is my config; I removed only sensitive information.

By the way, is there any way to reduce the fan RPM??

This Cisco is very loud!

Noise like I have an Airbus 380 taking off from my roof.

Thanks.

version 17.4
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
! card type command needed for slot/bay 0/2

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip name-server 9.9.9.9
ip domain name domain.local
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool Internal_Dhcp
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
lease 0 0 5
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated

!
!
!
!
!
!
!
voice-card 0/1
no watchdog
!
voice-card 0/4
no watchdog
!
license boot level securityk9
memory free low-watermark processor 68302
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
!
!
!
!
class-map type control match-none External_To_Internal
!
!
class-map type inspect match-all Internal_To_External_Class
match access-group name Internal_To_External_Group
match protocol dns
match protocol http
match protocol https
match protocol icmp
match protocol udp
match protocol tcp
class-map type inspect match-all External_To_Internal_Class
!
policy-map type inspect External_To_Internal_Policy
class type inspect External_To_Internal_Class
inspect
class class-default
drop log
policy-map type inspect Internal_To_External_Policy
class type inspect Internal_To_External_Class
inspect
class class-default
pass
!
zone security Internal
zone security External
zone-pair security External_To_Internal source External destination Internal
service-policy type inspect External_To_Internal_Policy
zone-pair security Internal_To_External source Internal destination External
service-policy type inspect Internal_To_External_Policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description External
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security External
negotiation auto
!
interface GigabitEthernet0/0/1
description Internal
ip address 10.10.10.1 255.255.255.0
ip nat inside
zone-member security Internal
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface Service-Engine0/1/0
no ip address
!
interface Service-Engine0/4/0
no ip address
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
no ip http server
no ip http secure-server
no ip forward-protocol nd
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip ssh port 2020 rotary 1
ip ssh version 2
!
!
ip access-list extended BlockSSH22
10 deny tcp any any eq 22
20 permit ip any any
!
ip access-list standard 1
10 permit 10.10.10.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
line vty 0 4
access-class BlockSSH22 in
rotary 1
transport input ssh
!
!
!
!
!
!
!
end
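As an added example (not code from the thread or from Cisco), here is a small Python checker that reads the kind of configuration pasted above and reports the things a reviewer would look at first: whether any zone-pair touches the predefined "self" zone, inspect class-maps with no match criteria, a match-all class that asks one flow to be both TCP and UDP, and access-groups that are referenced but never defined. The embedded text is a constructed, trimmed excerpt of the posted config, not a full running configuration; the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the ZBF-relevant lines trimmed from the configuration
# pasted in the post above (an excerpt, not a full running config).
SAMPLE_CONFIG = """\
class-map type inspect match-all Internal_To_External_Class
 match access-group name Internal_To_External_Group
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
 match protocol udp
 match protocol tcp
class-map type inspect match-all External_To_Internal_Class
!
policy-map type inspect External_To_Internal_Policy
 class type inspect External_To_Internal_Class
  inspect
 class class-default
  drop log
!
zone security Internal
zone security External
zone-pair security External_To_Internal source External destination Internal
 service-policy type inspect External_To_Internal_Policy
zone-pair security Internal_To_External source Internal destination External
 service-policy type inspect Internal_To_External_Policy
!
ip access-list extended BlockSSH22
 10 deny tcp any any eq 22
 20 permit ip any any
ip access-list standard 1
 10 permit 10.10.10.0 0.0.0.255
"""

ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
CLASS_MAP_RE = re.compile(r"^class-map type inspect (match-all|match-any) (\S+)$")
ACL_DEF_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
ACL_REF_RE = re.compile(r"^match access-group name (\S+)$")


def parse_zone_pairs(config: str) -> List[Tuple[str, str, str]]:
    """(name, source zone, destination zone) for every zone-pair line."""
    pairs = []
    for raw in config.splitlines():
        m = ZONE_PAIR_RE.match(raw.strip())
        if m:
            pairs.append((m.group(1), m.group(2), m.group(3)))
    return pairs


def parse_inspect_class_maps(config: str) -> Dict[str, Tuple[str, List[str]]]:
    """class-map name -> (match-all | match-any, its 'match ...' lines)."""
    classes: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = CLASS_MAP_RE.match(line)
        if m:
            current = m.group(2)
            classes[current] = (m.group(1), [])
        elif line.startswith("match ") and current is not None:
            classes[current][1].append(line)
        elif line:
            current = None  # any other command ends the class-map section
    return classes


def missing_self_zone_directions(config: str) -> List[str]:
    """Directions to or from the predefined 'self' zone that have no zone-pair.

    Without such a pair, traffic to the router's own addresses (ping, DNS,
    SSH) is not governed by the through-traffic pairs at all.
    """
    pairs = parse_zone_pairs(config)
    covered = {(src, dst) for _n, src, dst in pairs}
    zones = {z for _n, src, dst in pairs for z in (src, dst)} - {"self"}
    missing = []
    for zone in sorted(zones):
        if (zone, "self") not in covered:
            missing.append(f"{zone} -> self")
        if ("self", zone) not in covered:
            missing.append(f"self -> {zone}")
    return missing


def class_map_findings(config: str) -> List[str]:
    """Sanity findings on inspect class-maps and the ACLs they reference."""
    defined_acls = set()
    for raw in config.splitlines():
        m = ACL_DEF_RE.match(raw.strip())
        if m:
            defined_acls.add(m.group(1))
    findings = []
    for name, (mode, matches) in parse_inspect_class_maps(config).items():
        if not matches:
            findings.append(f"{name}: no match criteria at all")
        protos = {m.split()[-1] for m in matches if m.startswith("match protocol ")}
        if mode == "match-all" and {"tcp", "udp"} <= protos:
            findings.append(f"{name}: match-all asks one flow to be both TCP and UDP, so it never matches")
        for m in matches:
            ref = ACL_REF_RE.match(m)
            if ref and ref.group(1) not in defined_acls:
                findings.append(f"{name}: access-group {ref.group(1)} is referenced but never defined")
    return findings


if __name__ == "__main__":
    for item in missing_self_zone_directions(SAMPLE_CONFIG):
        print("no zone-pair for", item)
    for item in class_map_findings(SAMPLE_CONFIG):
        print("class-map:", item)
```

Run against the excerpt it reports that none of the four self-zone directions (External/Internal to and from self) has a zone-pair, that External_To_Internal_Class carries no match criteria, that Internal_To_External_Class can never match as a match-all class, and that Internal_To_External_Group is referenced but not defined in the pasted config.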

5 Replies

Hi @Yair

Your "internal" and "external" zones and the associated zone pairs are controlling traffic "through" the router, not "to" the router. To control traffic destined to one of the router's interfaces, you need to create class/policy maps and zone pairs to and from the "self" zone. The "self" zone is predefined, no need to create it.

https://community.cisco.com/t5/security-documents/zbfw-self-zone-integration/ta-p/3154572

 

Thanks for the reply @Rob Ingram. So the config that I have now for ZBF, I need to delete it and create a new ZBF that is controlling traffic to and from the router?

@Yair no, you don't need to remove the current configuration; you need your current configuration to control traffic "through" the router.

You just need to add additional configuration to control traffic to and from the router itself, using the "self" zone.

@Rob Ingram ok, can you help me with the correct commands?

I don't have any VLANs, only one LAN, basic setup LAN to WAN.
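The self-zone configuration the replies describe, written out as an added example that is not from any participant in the thread. It takes the zone names, the 10.10.10.0/24 LAN, the SSH port 2020, the DHCP-client WAN interface and the router's role as LAN DNS resolver from the posted config; the class-map, policy-map and ACL names are this example's own, and it assumes this IOS XE release accepts the inspect action on self-zone pairs (older releases allowed only pass and drop there). With the External to self pair defaulting to drop, unsolicited probes to the WAN address get no reply at all, which is what a "stealth" rather than "closed" scan result requires.

```ios
! Added example, not from the thread. Zone names, LAN subnet, SSH port 2020 and
! the router-as-DNS role come from the posted config; names below are assumed.
!
! Traffic the router itself sends to the internet (DNS forwarding to 9.9.9.9,
! DHCP renewals, NTP): inspect it so only the matching replies come back.
class-map type inspect match-any Self_To_External_Class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! The WAN interface is a DHCP client. Lease replies from the ISP cannot be
! tied to a stateful session, so they get an explicit, narrow pass.
ip access-list extended DHCP_Client_Replies
 10 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all External_To_Self_Class
 match access-group name DHCP_Client_Replies
!
! What the LAN may ask of the router: DNS (it is the resolver handed out by
! DHCP), SSH on the custom port 2020, and ICMP to ping the gateway.
ip access-list extended LAN_To_Router
 10 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq domain
 20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 2020
 30 permit icmp 10.10.10.0 0.0.0.255 host 10.10.10.1
!
class-map type inspect match-all Internal_To_Self_Class
 match access-group name LAN_To_Router
!
policy-map type inspect Self_To_External_Policy
 class type inspect Self_To_External_Class
  inspect
 class class-default
  drop log
!
policy-map type inspect External_To_Self_Policy
 class type inspect External_To_Self_Class
  pass
 class class-default
  drop log
!
policy-map type inspect Internal_To_Self_Policy
 class type inspect Internal_To_Self_Class
  inspect
 class class-default
  drop log
!
! "self" is predefined; only the zone-pairs are new. No pair is created for
! self -> Internal: a direction with no self-zone pair keeps the default
! allow, and the Internal -> self inspection already covers the replies.
zone-pair security Self_To_External source self destination External
 service-policy type inspect Self_To_External_Policy
zone-pair security External_To_Self source External destination self
 service-policy type inspect External_To_Self_Policy
zone-pair security Internal_To_Self source Internal destination self
 service-policy type inspect Internal_To_Self_Policy
```

After applying it, `show zone-pair security` should list the three new pairs and `show policy-map type inspect zone-pair sessions` should show the router's own DNS queries and the LAN's SSH sessions being tracked; the `drop log` on the External to self class-default makes every dropped probe visible in the log, so a scan from outside now shows up there instead of as a "closed" answer. If the WAN lease stops renewing, the DHCP_Client_Replies pass is the first place to look.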
