Forgive my elementary question.  If I remove the inspect and zone firewall, then what will be left in my configuration to provide me with firewall protection?  My Cisco skills were much sharper 7 years ago when ACLs were the only way to apply firewall rules.  I know little about zone firewall configurations.

Thanks very much!

James E

With NAT, you don't need firewall. No packets from outside can reach inside, unless the connection is initiated from inside.

Got it.

Any suggestions on how I might be able to narrow down the problem if it in fact ends up being a problem with the zones or the inspection?

Thanks!

James

I have an 850 modem loaded with them.  When I took the inspection rules and firewall rules the speed went faster.

What risks do you run by removing the INSPECT rules?

Any thoughts on my INSPECT and FIREWALL rules pasted below?

I'm running this configuration at home with a bunch of consumer devices behind it.  Nothing sophisticated.

James E

------------------------

parameter-map type inspect global

log dropped-packets enable

license udi pid CISCO881W-GN-A-K9 sn FTX132880G9

!

class-map type inspect match-any ccp-cls-insp-traffic

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-protocol-http

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

!

zone security out-zone

zone security in-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

pppoe-client dial-pool-number 1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1412

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1452

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 12

sort-by bytes

!

ip nat inside source list 1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

!

logging esm config

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

dialer-list 1 protocol ip permit

no cdp run

!

As mentioned above. There is no risk whatsoever.

Note also. All IP commands under Fa4 are unnecessy as no IP is enabled there.

ip mtu 1452

should be instead

mtu 1491

if you're not using flow, remove it as well.

basically you have a GUI-polluted config and need to clean it up for optimal results.

Paolo - Thank you.  What other clean up suggestions do you recommend?

I'm leaving on NetFlow as I periodically check the data.

THank you for the help!

James E

Leave flow on one interface only.

Clean it up then repost.

Ok.  I will do that tonight (around 9pm EST) and repost the config.

James