ZBF and the default security zone

A customer had a hardware failure the other day and I went and replaced the router. It was an ISR4231 and was running Zone Based Firewall. I originally had set this router up so I know at one time everything was working. After the replacement, we were getting one-way audio (PSTN connection via FXO). We had this problem initially, but the fix was not well documented in the TAC case. However, if I removed the ZBF then audio would work in both directions. I rebuilt the firewall from scratch allowing SIP, RTP, etc., but audio was still being blocked. I had put all interfaces in the same zone (INSIDE) except for the internet connection. This is supposed to allow all communications between interfaces in the same zone, but no bueno. Added it to the self zone but that didn’t make a difference either. In doing some research I found that you can also create a ‘default’ zone.

From the Security Configuration Guide: Traffic from a zone interface to a nonzone interface or from a nonzone interface to a zone interface is always dropped; unless default zones are enabled (default zone is a nonzone interface).

I think I’m starting to get it. What if I only have one zone (OUTSIDE) and all the others are in the default zone?? That works. I still don’t know why/where the audio was being blocked, but not having the internal interfaces in a zone fixed the issue. You have to manually add the default zone in the firewall config!
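The layout described above, written out as an added IOS-XE configuration example (this is not the post's own config, and the interface names, class/policy names and zone-pair name are assumptions): a single OUTSIDE zone on the Internet interface, every other interface left unzoned so it lands in the default zone, and one inspect policy from the default zone towards OUTSIDE.

```cisco
! Added example (not the post's own config). Interface names, class-map,
! policy-map and zone-pair names are assumptions.

! Create the default zone. Until this line exists, an interface with no
! zone-member statement is a "nonzone" interface, and traffic between it
! and any zoned interface is dropped.
zone security default
zone security OUTSIDE

! Only the Internet-facing interface is explicitly zoned.
interface GigabitEthernet0/0/0
 description Internet (assumed)
 zone-member security OUTSIDE
!
! LAN and voice interfaces get no zone-member line, so they belong to the
! default zone and pass traffic between each other unfiltered.
interface GigabitEthernet0/0/1
 description LAN (assumed)
!
interface GigabitEthernet0/0/2
 description Voice VLAN (assumed)
!
! What to inspect from the default zone towards the Internet. SIP inspection
! opens the negotiated RTP ports for the call.
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol sip
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Zone-pair from the default zone to OUTSIDE. Return traffic for inspected
! sessions is allowed back in; unsolicited OUTSIDE -> default traffic has
! no zone-pair and is dropped.
zone-pair security DEFAULT-TO-OUTSIDE source default destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
```

To confirm the zone membership and that sessions are actually being built, `show zone security`, `show zone-pair security` and `show policy-map type inspect zone-pair sessions` show which interfaces ended up in the default zone and which flows the inspect policy has opened. The trade-off of this layout is the one the post itself relies on: because every internal interface now shares the default zone, there is no inspection between the LAN and voice segments, so anything that needs to be filtered between them must be done with ACLs or by moving that interface into its own zone with its own zone-pairs.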