Zone Base Firewall

Andy Guley (Level 1)

I am migrating from 2911s to 4331s at my remote sites. My 2911s are running CBAC. I am having some issues getting the zone based firewall working on the 4331s. I can ping and traceroute to the internet. I am also resolving Google DNS. I am not able to browse the internet. I have an ACL on the outside interface that is allowing SSH connections for remote access if there is an MPLS outage. If I edit the ACL to say ip any any I am able to browse the internet. My understanding of the zone based firewall is that if traffic is initiated from the inside interface it should allow all the traffic back in.

Here is a copy of the configuration:

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http
 match protocol https
 match protocol ftp


zone security INTERNET
zone security INSIDE
zone-pair security ZP-INSIDE-TO-OUTSIDE source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY



interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE_ACCESS_IN in
 zone-member security INTERNET
 media-type rj45
 negotiation auto
 ip virtual-reassembly



interface Vlan93
 description Management
 ip address 10.x.x.x 255.255.255.0
 ip nat inside
 zone-member security INSIDE
 ip virtual-reassembly


ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload



ip access-list extended OUTSIDE_ACCESS_IN
 permit icmp any host x.x.x.x (outside ip)
 permit tcp host x.x.x.x any eq 22
 permit tcp host x.x.x.x any eq 22
 permit udp any any eq bootpc
 permit udp any any eq bootps

6 Replies

Hello,

can you post the full config? I cannot see the policy map configuration, e.g.:

policy-map type inspect ZP-INSIDE-TO-OUTSIDE
class ALLOWED-PROTOCOLS
pass

I don't have the entire configuration in front of me right now. I was just doing some more reading and it appears that you can't have the ACL on the outside interface? Would you agree with that?

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect ALLOWED-PROTOCOLS
  inspect

Hi,

With zone based firewall, the ACL on the outside interface cannot be too restrictive. Try removing the outside ACL and apply those rules to the INTERNET-SELF zone pair.

Thanks

John

**Please rate posts you find helpful**

Hello,

indeed the ACL shouldn't be on the outside interface, or on any interface. You control traffic exclusively by applying security zones.

Here is the full ACL I usually run on my outside interface at my remote sites:

Extended IP access list OUTSIDE_ACCESS_IN
    11 permit udp any host x.x.x.x eq non500-isakmp (DMVPN)
    12 permit udp any host x.x.x.x eq isakmp (DMVPN)
    13 permit esp any host x.x.x.x (DMVPN)
    16 permit icmp any any echo
    17 permit icmp any any echo-reply
    18 permit icmp any any time-exceeded
    19 permit icmp any any unreachable
    30 permit tcp host x.x.x.x any eq 22
    40 permit tcp host x.x.x.x any eq 22

Would I create a class map with this ACL then apply to Self zone?

Exactly, create the class map with this ACL and apply it to the self and another zone.
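Written out as an added example (not from any post in this thread), this is what the agreed approach looks like: the interface ACL is removed, its rules become a class map on an INTERNET-to-self zone pair, and a self-to-INTERNET pair inspects the router's own sessions. The ACL, class-map, policy-map and zone-pair names are assumed, and x.x.x.x stands for the outside address and the trusted SSH source as in the posts above.

```cisco
! Added example (not from the thread). Names such as OUTSIDE-TO-SELF-ACL are
! assumed; x.x.x.x is the placeholder the posts use for the outside address
! and the trusted SSH source.
!
! 1. Take the ACL off the outside interface; the zone pairs control traffic.
interface GigabitEthernet0/0/0
 no ip access-group OUTSIDE_ACCESS_IN in
!
! 2. Keep the same permit rules, but reference the ACL from a class map.
ip access-list extended OUTSIDE-TO-SELF-ACL
 permit udp any host x.x.x.x eq non500-isakmp
 permit udp any host x.x.x.x eq isakmp
 permit esp any host x.x.x.x
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp host x.x.x.x any eq 22
 permit udp any any eq bootpc
 permit udp any any eq bootps
!
class-map type inspect match-all CM-INTERNET-TO-SELF
 match access-group name OUTSIDE-TO-SELF-ACL
!
policy-map type inspect INTERNET-TO-SELF-POLICY
 class type inspect CM-INTERNET-TO-SELF
  pass
 class class-default
  drop log
!
zone-pair security ZP-INTERNET-TO-SELF source INTERNET destination self
 service-policy type inspect INTERNET-TO-SELF-POLICY
!
! 3. Once an INTERNET -> self pair exists, replies to the router's own
!    sessions (DNS, NTP, DHCP, ISAKMP) are matched by it too, so inspect
!    router-originated TCP/UDP/ICMP in the reverse pair to let replies back.
class-map type inspect match-any CM-SELF-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect SELF-TO-INTERNET-POLICY
 class type inspect CM-SELF-TO-INTERNET
  inspect
 class class-default
  pass
!
zone-pair security ZP-SELF-TO-INTERNET source self destination INTERNET
 service-policy type inspect SELF-TO-INTERNET-POLICY
```

Check the hit counters with show policy-map type inspect zone-pair ZP-INTERNET-TO-SELF; anything the router still needs to accept from outside shows up as class-default drops in the log.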
