Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1837
Views
0
Helpful
5
Replies

Cisco IOS XE routing issue

Go to solution
childebrecht
Level 1
Level 1

‎04-05-2021 10:24 AM

Good afternoon.   I am in the process of upgrading from a Cisco 892F to a Cisco 1111 IOS XE router and am having an issue routing traffic from the LAN network to the WAN interface utilizing a zone based firewall setup.  When I am logged into the router I can ping/etc to the outside internet and when I am on a device connected to the LAN interface I can ping the Vlan gateway of 192.168.0.1 configured in my router.  I am just not able to transition from that to the outside interface/network.  Can someone please assist in what I am doing incorrectly.  Thanks.

Labels:
Preview file
24 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
paul driver
VIP
VIP

‎04-05-2021 03:06 PM

Hello
Your ZBFW is very convoluted however from what i can see is your inside-outside zone isn't allowing for icmp, http or dns.
try the following:

class-map type inspect match-any sdm-cls-access
match protocol icmp
match protocol dns
match protocol http


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Georg Pauwen
VIP
VIP

‎04-05-2021 12:07 PM

Hello,

 

the first thing I noticed is that your access list 197 is empty. Add the line marked in bold to that access list:

 

ip access-list extended 197
--> 10 permit 192.168.0.0 0.0.0.255 any

0 Helpful

Go to solution
childebrecht
Level 1
Level 1
In response to Georg Pauwen

‎04-05-2021 12:25 PM

Thank you.  I went ahead and added but it did not resolve.   It is a strange problem and being new to both IOS XE and the zone based firewall I am sure it is just a misconfiguration somewhere.   From my LAN device, I can ping the 192.168.0.1 gateway in the router and also the static IP address on the GigabitEthernet0/0/0 (WAN interface) but can not get to the gateway of the WAN interface.

0 Helpful

Go to solution
childebrecht
Level 1
Level 1
In response to childebrecht

‎04-05-2021 01:55 PM

So it's definitely something with my zones or firewall rules. If I remove
the interfaces from the zone-member security out/in zones then I pass
traffic just fine. I am going to keep digging.
0 Helpful

Go to solution
paul driver
VIP
VIP

‎04-05-2021 03:06 PM

Hello
Your ZBFW is very convoluted however from what i can see is your inside-outside zone isn't allowing for icmp, http or dns.
try the following:

class-map type inspect match-any sdm-cls-access
match protocol icmp
match protocol dns
match protocol http


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Go to solution
childebrecht
Level 1
Level 1
In response to paul driver

‎04-05-2021 03:35 PM

Thank you for the response. I will test this when I am back in office tomorrow. A lot of the current config is probably irrelevant now. It was converted over from a previous router that was in service for years. Once I get the traffic functioning correctly then I can start going back through and cleaning up the other rules.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card