Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
299
Views
0
Helpful
2
Replies

Zone based firewall suddens stops routing traffic

wallacescott
Level 1
Level 1

‎04-27-2015 10:31 PM - edited ‎03-11-2019 10:51 PM

Hi All

 

I have configured 3 zones on my router using the zone based firewall. Everything was working fine for a few hours but then traffic suddenly all Internet traffic was blocked on the Outside interface. I could access the router from the inside and could route to the inside interfaces. When i tried to do a traceroute or ping to the Internet traffic was dropped. I removed the zone configuration from all Interface to see if this helped but it did'nt. I also shut down and reopend the outside Interface to see if this made a difference but traffic was still not being routed out the outside Interface. I rebooted the router and this resloved the issue.

Below is the basic configuration. Im not sure why the Interface woud suddenly stop passing traffic as this was working fine for  several hours.

 

class-map type inspect match-any Guest_Protocols
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any All_Protocols
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
class-map type inspect match-all IPSEC-cmap
 match access-group name ISAKMP_IPSEC
class-map type inspect match-all SSHaccess-cmap
 match access-group name SSHaccess
!
policy-map type inspect Trusted_to_Internet
 class type inspect All_Protocols
  inspect
 class type inspect IPSEC-cmap
  pass
 class type inspect SSHaccess-cmap
  pass
 class class-default
  drop
policy-map type inspect Guest_to_Internet
 class type inspect Guest_Protocols
  inspect
 class class-default
  drop
!
zone security Trusted
zone security Guest
zone security Internet
zone-pair security Trusted->Internet source Trusted destination Internet
 service-policy type inspect Trusted_to_Internet
zone-pair security Guest->Internet source Guest destination Internet
 service-policy type inspect Guest_to_Internet

 

interface GigabitEthernet0/0

description Outside Interface
 ip address x.x.x.x
 ip nat outside
 ip virtual-reassembly in
 zone-member security Internet
 duplex auto

interface GigabitEthernet0/1.10
 description Inside Interface
 encapsulation dot1Q 10
 ip address x.x.x.x x.x.x.x
 ip nat inside
 zone-member security Trusted

!
interface GigabitEthernet0/1.20
 description Guest Interface
 encapsulation dot1Q 20
 ip address x.x.x.x x.x.x.x
 ip nat inside
 zone-member security Guest

 

Thanks

Scott

 

 

 

 

 

Labels:
0 Helpful
2 Replies 2

Vibhor Amrodia
Cisco Employee
Cisco Employee

‎04-27-2015 11:37 PM

Hi,

I don't see any issues with the configuration. I think the "ip inspect drop-log" at the time of issue would have helped as that would show if the policy is dropping any traffic on the router or not ?

Also , were you able to see the hits on the policies at the time of issue ?

Thanks and Regards,

Vibhor Amrodia

0 Helpful

wallacescott
Level 1
Level 1
In response to Vibhor Amrodia

‎04-28-2015 01:55 AM

Hi Vibhor,

 

I did not check the policies hits at the time. I will configure ip inspect drop-log and renable access to see if I can replicate the issue.

 

Thanks

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card