03-15-2022 02:31 AM
Hi everyone,
In my setup, I have a cisco ISR1000 router servicing a small LAN (DHCP and static IPs for a few servers, private address range) and connecting it to the WAN using NAT. There is a dedicated (transparent) firewall filtering all network traffic from the router to the LAN and vice versa.
Now, I have the option to activate Zone-based firewalling (ZBF) in the router, but have a few questions prior to doing so:
- I want to drop any unsolicited traffic from the WAN before entering the LAN. Since all hosts in the LAN have private IP addresses and NAT is active, I wonder if I would actually need to activate ZBF to achieve this... what would be the added benefit of activating ZBF (and thus decreasing network throughput)?
- I do not want the external/WAN interface to allow access to the WebGUI/CLI via SSH/HTTP(S) - this should only be possible from the local network. Is there a way to configure the management interface this way or do I need to set an ACL?
Thanks!
Andrew
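An added configuration example (not from this thread or from any reply in it) covering the two questions above: locking the management plane to the LAN with an ACL, and a minimal two-zone ZBF in which the LAN may initiate sessions to the WAN while unsolicited WAN traffic is dropped. Interface names, the LAN prefix 192.168.10.0/24 and the ACL, class-map, policy-map and zone names are assumptions; replace them with your own values.

```cisco
! Added example, not from the thread. Assumed: LAN on GigabitEthernet0/0/1 with
! 192.168.10.0/24, WAN on GigabitEthernet0/0/0. Adjust to your platform.

! --- Management plane: only LAN hosts may reach SSH and the WebUI ---
ip access-list standard MGMT-FROM-LAN
 permit 192.168.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-FROM-LAN in
 transport input ssh
!
no ip http server
ip http secure-server
! Older images use the numbered form: ip http access-class <acl-number>
ip http access-class ipv4 MGMT-FROM-LAN
!
! --- Zone-based firewall: LAN may initiate sessions to the WAN; return
! traffic is admitted by stateful inspection; traffic between zones with no
! zone-pair (here WAN -> LAN) is dropped by default ---
zone security LAN
zone security WAN
!
class-map type inspect match-any LAN-TO-WAN-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect LAN-TO-WAN-POLICY
 class type inspect LAN-TO-WAN-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-POLICY
!
! Deliberately no WAN -> LAN zone-pair: unsolicited inbound sessions are dropped.
interface GigabitEthernet0/0/0
 description WAN
 zone-member security WAN
!
interface GigabitEthernet0/0/1
 description LAN
 zone-member security LAN
```

Two points to keep in mind with this layout. First, NAT on its own only discards inbound packets that match no translation entry; it is not a security policy, so the ZBF zone-pair is what gives you an explicit, logged drop for WAN-originated traffic and stateful tracking of the LAN-initiated sessions. Second, traffic to and from the router itself (the self zone) is permitted by default even when ZBF is enabled, which is why the `access-class` on the vty lines and `ip http access-class` are still needed to keep SSH and the WebUI off the WAN interface; check the result with `show zone-pair security` and `show ip http server status`.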
03-16-2022 12:20 PM
Thanks, that did the trick. Unfortunately, speedtests are still not good. I have a 1 GBit/s fiber line and am able to reach 940 Mbit/s using a Ubiquiti EdgeRouter 4, both upload and download. After your editing, I am also getting 930 Mbit/s upload with the cisco router in place, but download still sits at 630 Mbit/s.
03-16-2022 12:26 PM
Hello,
The ZBF configuration I sent is the most basic one. Try and disable the entire ZBF using the command 'platform inspect disable-all' and check what the difference in speed is.
You can re-enable the ZBF using the 'no platform inspect disable-all' command.
03-15-2022 06:56 AM
Hello
If you want to negate unsolicited ingress traffic from the WAN, applying a context-based ACL could be less resource intensive on the router.