I have configured a zone-based firewall and NAT overload on a C1121 IOS-XE router. The Internet stops working when I apply an access-list to restrict inbound traffic on the WAN interface. It is mandatory to restrict access from outside on the WAN interface. Appreciate any help.
!
interface GigabitEthernet1
 ip address 22.214.171.124 255.255.255.0
 ip nat inside
 zone-member security IN
 negotiation auto
 no mop enabled
 no mop sysid
end

CSR#sh run int Gi2
Building configuration...

Current configuration : 198 bytes
!
interface GigabitEthernet2
 ip address 126.96.36.199 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-TO-INSIDE in
 zone-member security OUT
 negotiation auto
 no mop enabled
 no mop sysid
end
!
class-map type inspect match-all IN-OUT-CLASS
 match access-group name IN-OUT-ACL
class-map type inspect match-any WEB-CLASS
 match protocol http
!
policy-map type inspect WEB-POLICY
 class type inspect WEB-CLASS
  inspect
 class class-default
policy-map type inspect IN-OUT-POLICY
 class type inspect IN-OUT-CLASS
  inspect
 class class-default
!
zone-pair security IN-OUT-ZP source IN destination OUT
 service-policy type inspect IN-OUT-POLICY
zone-pair security OUT-IN-ZP source OUT destination IN
 service-policy type inspect WEB-POLICY
!
ip access-list extended OUTSIDE-TO-INSIDE
 permit tcp any host 188.8.131.52 eq 443
 permit udp any host 184.108.40.206 eq isakmp
 permit udp any host 220.127.116.11 eq non500-isakmp
 permit esp any host 18.104.22.168
!
ip access-list extended nating
 permit ip 22.214.171.124 0.0.0.255 any
!
ip nat inside source route-map NAT interface GigabitEthernet2 overload
!
route-map NAT permit 5
 match ip address nating
!
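Added example, not part of the original post or of Kureli's reply: one way to keep the inbound restriction without a stateless interface ACL. On the WAN interface the `ip access-group ... in` ACL is evaluated before the zone-based firewall consults its session table, so return packets for sessions that inside hosts opened (for example source port 443 coming back to the NAT-overloaded high port on Gi2's address) match no permit line and are dropped, even though IN-OUT-ZP has a session for them. Moving the restriction into zone pairs that use the router's built-in `self` zone lets the firewall decide statefully. The names OUT-TO-SELF-ACL, OUT-SELF-ESP-ACL, the class-maps, policy-maps and zone-pairs below are made up for this example; it assumes the 443, ISAKMP, NAT-T and ESP flows in the original ACL terminate on the router itself (which is what addressing them to Gi2's own IP implies when no static NAT is configured), and that the running IOS-XE release supports the `inspect` action on the self zone for TCP and UDP (if it does not, use `pass` in both directions for those classes as well).

```ios
! Remove the stateless ACL; the zone pairs below enforce inbound policy
interface GigabitEthernet2
 no ip access-group OUTSIDE-TO-INSIDE in
!
! Stateful-capable protocols the outside may start toward the router itself
ip access-list extended OUT-TO-SELF-ACL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any any eq 443
!
! ESP carries no L4 session state, so it must be passed rather than inspected
ip access-list extended OUT-SELF-ESP-ACL
 permit esp any any
!
class-map type inspect match-all OUT-SELF-INSPECT-CLASS
 match access-group name OUT-TO-SELF-ACL
class-map type inspect match-all OUT-SELF-ESP-CLASS
 match access-group name OUT-SELF-ESP-ACL
!
! Router-originated traffic (DNS, NTP, IKE initiations) is inspected so its
! replies are admitted by the session table, not by an open class-default
class-map type inspect match-any SELF-OUT-INSPECT-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect OUT-SELF-POLICY
 class type inspect OUT-SELF-INSPECT-CLASS
  inspect
 class type inspect OUT-SELF-ESP-CLASS
  pass
 class class-default
  drop log
!
policy-map type inspect SELF-OUT-POLICY
 class type inspect SELF-OUT-INSPECT-CLASS
  inspect
 class type inspect OUT-SELF-ESP-CLASS
  pass
 class class-default
  drop log
!
! "pass" is one-way, hence the ESP class appears in both zone pairs
zone-pair security OUT-SELF-ZP source OUT destination self
 service-policy type inspect OUT-SELF-POLICY
zone-pair security SELF-OUT-ZP source self destination OUT
 service-policy type inspect SELF-OUT-POLICY
```

Once the self-zone pairs exist, everything between OUT and the router that is not matched above is dropped, so anything the router itself needs from the outside (management access, routing adjacencies) has to be added to the ACL deliberately. Traffic toward inside hosts is still governed only by OUT-IN-ZP, which in the posted configuration admits just HTTP. `show zone-pair security` confirms the pairs and policies are bound, and `show policy-map type inspect zone-pair sessions` shows the sessions the firewall is tracking, including the NAT-translated return flows that the interface ACL was previously discarding.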
Thank you Kureli. If I remove the ACL "OUTSIDE-TO-INSIDE" on the WAN interface, then how do I restrict inbound packets without disturbing the Internet? I think the ACL is blocking stateful inspection by the ZBF, which should not happen. Thanks a lot in advance.