04-05-2021 10:24 AM
Good afternoon. I am in the process of upgrading from a Cisco 892F to a Cisco 1111 IOS XE router and am having an issue routing traffic from the LAN network to the WAN interface using a zone-based firewall setup. When I am logged into the router I can ping etc. to the outside internet, and when I am on a device connected to the LAN interface I can ping the Vlan gateway of 192.168.0.1 configured in my router. I am just not able to transition from that to the outside interface/network. Can someone please assist with what I am doing incorrectly? Thanks.
04-05-2021 03:06 PM
Hello
Your ZBFW is very convoluted; however, from what I can see, your inside-outside zone pair isn't allowing ICMP, HTTP or DNS.
Try the following:
class-map type inspect match-any sdm-cls-access
 match protocol icmp
 match protocol dns
 match protocol http
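For readers new to ZBFW, here is an added example (not configuration from the thread or from either poster) showing where the class-map above plugs in: the zones, the inspect policy, the zone-pair and the interface membership that together let LAN hosts initiate ICMP, DNS and HTTP toward the WAN and get replies back. The zone names INSIDE/OUTSIDE, the policy-map name IN-OUT-POLICY and the https match are assumptions; the interface names and the 192.168.0.1 gateway come from the original post, and NAT for the private LAN range is assumed to be configured separately.

```cisco
! Added example, not from the thread. Assumed names: INSIDE, OUTSIDE, IN-OUT-POLICY.
! Interfaces as in the original post: Vlan1 (192.168.0.1) is the LAN, Gi0/0/0 is the WAN.
!
zone security INSIDE
zone security OUTSIDE
!
! Protocols the LAN is allowed to initiate toward the WAN (class-map from the accepted answer,
! plus https as an assumed addition).
class-map type inspect match-any sdm-cls-access
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
!
! "inspect" builds a stateful session so return traffic is admitted; anything that does not
! match lands in class-default and is dropped (and logged here so misses are visible).
policy-map type inspect IN-OUT-POLICY
 class type inspect sdm-cls-access
  inspect
 class class-default
  drop log
!
! Apply the policy only for INSIDE -> OUTSIDE. With no OUTSIDE -> INSIDE zone-pair,
! unsolicited inbound traffic is dropped by default.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT-POLICY
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
!
! Verification: confirm the policy is attached and that sessions appear when a LAN host
! pings or browses out.
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

This also explains the symptom in the thread: pings sourced by the router itself, and pings from the LAN to the router's own WAN address, involve the router's self zone, which is permitted by default, while transit from the INSIDE zone to the OUTSIDE zone is dropped until a zone-pair with an inspect policy like the one above exists.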
04-05-2021 12:07 PM
Hello,
The first thing I noticed is that your access list 197 is empty. Add the line marked with --> to that access list:
ip access-list extended 197
--> 10 permit ip 192.168.0.0 0.0.0.255 any
04-05-2021 12:25 PM
Thank you. I went ahead and added it, but it did not resolve the issue. It is a strange problem, and being new to both IOS XE and the zone-based firewall, I am sure it is just a misconfiguration somewhere. From my LAN device, I can ping the 192.168.0.1 gateway in the router and also the static IP address on GigabitEthernet0/0/0 (the WAN interface), but I cannot get to the gateway of the WAN interface.