Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1181
Views
0
Helpful
17
Replies

Basic router security / NAT question

an_ho
Level 1
Level 1

‎03-15-2022 02:31 AM

Hi everyone,

 

In my setup, I have a cisco ISR1000 router servicing a small LAN (DHCP and static IPs for a few servers, private address range) and connecting it to the WAN using NAT. There is a dedicated (transparent) firewall filtering all network traffic from the router to the LAN and vice versa.

 

Now, I have the option to activate Zone-based firewalling (ZBF) in the router, but have a few questions prior to doing so:

- I want to drop any unsolicited traffic from the WAN before entering the LAN. Since all hosts in the LAN have private IP addresses and NAT is active, I wonder if I would actually need to activatre ZBF to achieve this...what would be the added benefit of activating ZBF (and thus decreasing network throughput)?

- I do not want the external/WAN interface to allow access to the WebGUI/CLR via SSH/HTTP(S) - this should only be able from the local network. Is there a way to configure the management interface this way or do I need to set an ACL?

 

Thanks!

 

Andrew

 

 

 

Labels:
0 Helpful
17 Replies 17

an_ho
Level 1
Level 1
In response to Georg Pauwen

‎03-16-2022 12:20 PM

Thanks, that did the trick. Unfortunately, speedtests are still not good. I have a 1 GBit/s fiber line and am able to reach 940Mbit/s using a Ubiquiti EdgeRouter 4 both upload and download. After your editing, I am also getting 930Mbit/s upload with the cisco router in place, but download still sits still at 630 Mbit/s.

0 Helpful

Georg Pauwen
VIP
VIP
In response to an_ho

‎03-16-2022 12:26 PM

Hello,

 

the ZBF configuration I sent is the most basic one. Try and disable the entire ZBF using the command 'platform inspect disable-all' and check what the difference in speed is.

 

You can re-enable the ZBF using the 'no platform inspect disable-all' command.

0 Helpful

paul driver
VIP
VIP

‎03-15-2022 06:56 AM

Hello

If you want to negate unsolicited ingress traffic from the wan applying a context based acl could be less resourceful intensive on the rtr 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card