09-20-2011 09:05 PM - edited 03-11-2019 02:27 PM
Hi,
I have recently (a few months ago) passed my CCNA exam. As part of the text and videos I got my hands on to train, I never once saw zone based firewall or the Cisco CP mentioned, which is a tad annoying as that's what I need to use. Although I believe I understand the concepts of the zone based firewall, I can't seem to get it configured correctly.
The router is a Cisco 881 with wireless. I have configured the device through the Cisco CP going from top to bottom in the menu list, as I have previously found out that order of operation is very important with this tool.
The two recurring problems I get using the zone based firewall are: HTTP downloads fail with the message "connection reset by server"; removing the "in zone to out zone" service policy resolves this.
GRE is not configured to pass through to the RAS server. I configure NAT first with a rule to send PPTP to 192.168.0.1 (example IP); when the firewall is applied, nothing for GRE is configured, and I then have to do this manually.
Has anyone else encountered these problems, or do they have an example firewall config I can look at that allows HTTP, HTTPS, SMTP and PPTP in and out? I have attached the config of a device encountering these problems.
Thanks in advance
Mark
09-20-2011 09:15 PM
Hi Mark,
Congrats on your CCNA. Zone based firewall is very easy. The only thing we need to check is the logs and see where it is failing.
Turn on the following in configuration mode:
ip inspect log drop-pkt
Then do:
do term mon
That will start logging the packets that zone based is dropping, and it will be easier to identify the failure. Start some flows across the router, such as PPTP and HTTP downloads, and check if you see any drops related to the connections you are making. Once you have them, paste them over here and we will look at them.
Mike
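An example IOS zone-based firewall configuration of the kind Mark asks for (HTTP, HTTPS, SMTP and PPTP out; SMTP and PPTP in to the RAS host), added here as an illustration and not taken from the thread or the attached 881 config. Zone names, class/policy names, the Vlan1/FastEthernet4 interfaces and the 192.168.0.1 RAS address are assumptions; the classes use plain stateful inspection with no nested HTTP application-layer policy, and the default classes log their drops so they show up alongside Mike's `ip inspect log drop-pkt` output.

```cisco
! Assumed names: IN_ZONE = LAN (Vlan1), OUT_ZONE = WAN (FastEthernet4).
! 192.168.0.1 is the PPTP/RAS host from the question (example address).
! Static NAT publishes TCP/1723 on the WAN address; inspecting PPTP lets the
! firewall open the matching GRE call, so no separate GRE rule is needed.
ip nat inside source static tcp 192.168.0.1 1723 interface FastEthernet4 1723
!
! Inbound ACL is written against the post-NAT (inside) address.
ip access-list extended ACL_TO_RAS
 permit ip any host 192.168.0.1
!
class-map type inspect match-any CM_OUTBOUND
 match protocol dns
 match protocol http
 match protocol https
 match protocol smtp
 match protocol pptp
!
class-map type inspect match-all CM_INBOUND_PPTP
 match access-group name ACL_TO_RAS
 match protocol pptp
!
class-map type inspect match-any CM_INBOUND_SMTP
 match protocol smtp
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_OUTBOUND
  inspect
 class class-default
  drop log
!
policy-map type inspect PM_OUT_TO_IN
 class type inspect CM_INBOUND_PPTP
  inspect
 class type inspect CM_INBOUND_SMTP
  inspect
 class class-default
  drop log
!
zone security IN_ZONE
zone security OUT_ZONE
interface Vlan1
 zone-member security IN_ZONE
interface FastEthernet4
 zone-member security OUT_ZONE
!
zone-pair security IN_TO_OUT source IN_ZONE destination OUT_ZONE
 service-policy type inspect PM_IN_TO_OUT
zone-pair security OUT_TO_IN source OUT_ZONE destination IN_ZONE
 service-policy type inspect PM_OUT_TO_IN
```

Traffic to the router itself (the self zone) is not covered by these zone-pairs and stays at its default of being permitted; add a self-zone policy if the WAN interface should be locked down as well.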