zone based for IOS

Aug 14th, 2008


I have to choose between zone-based vs CBAC for branch office configurations.

Any recommendations? I have configured cbac before and it seems simpler

Also - I notice that an outbound ACL on zone-based restricting where users can go doesn't appear to be as simple as a regular ACL - any idea why this is?

Comments welcome

thank you


Farrukh Haroon Fri, 08/15/2008 - 07:00

Karl, please have a look at this link, it should help you learn the differences more.

A considerable quote from the doc:

"Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features. Instead, the strategic development direction for Cisco IOS Software's stateful inspection firewall is carried by Zone-Based Policy firewall."



robertson.michael Fri, 08/15/2008 - 14:33

Hi Karl,

As you noted, CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, as Farrukh noted, much of the development focus will be on zone-based firewall in future releases.

Zone-based firewall's configuration is more complex, but because of this it is much more granular and allows you to do a lot more with it. If you decide to go with zone-based firewall, you'll want to make sure you understand all of the traffic flows in your network before writing the configuration or you might find yourself doing a lot of troubleshooting after the config is implemented.

Hope that helps.


karljonesTZ Fri, 08/15/2008 - 16:04

thanks everyone

I have a couple of questions:


1) I created a zone policy for outside-to-self and allow IPSEC

I also created a policy for self-to-out to allow IPSEC from the router, is this the correct configuration?

2) I created a zone policy inside-to-outside and in this i put match access-group 101

access-list 101 permits branch office clients as follows

permit tcp 192.168.x.x any eq 80

permit tcp 192.168.x.x any eq 443

permit tcp 192.168.x.x any eq 5060


When I look at the config through SDM, there is a no-entry sign on the ACL.

Is there a problem with applying an ACL such as the one above?

advice welcome
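An added IOS configuration example (not posted by anyone in this thread) showing the structure the last post describes: an inside-to-outside zone pair whose class-map selects traffic with ACL 101 and then inspects it, plus pass policies for IPsec in both self-zone directions. Zone names, interface names, the 192.168.10.0/24 branch subnet standing in for 192.168.x.x, and the ACL name IPSEC-TRAFFIC are assumptions.

```cisco
! Zones and interface membership (interface names assumed)
zone security INSIDE
zone security OUTSIDE
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
!
! ACL 101 as in the post; the branch subnet 192.168.10.0/24 is an assumption
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 5060
!
! Inside-to-outside: the ACL only selects traffic, it is not the filter itself;
! the action (inspect) on the zone pair is what permits and tracks the sessions
class-map type inspect match-all CM-IN-OUT
 match access-group 101
 match protocol tcp
policy-map type inspect PM-IN-OUT
 class type inspect CM-IN-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! IPsec terminating on the router (self zone): ESP cannot be stateful-inspected,
! so use pass, and because pass is one-way apply it on both self-zone pairs
ip access-list extended IPSEC-TRAFFIC
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
class-map type inspect match-any CM-IPSEC
 match access-group name IPSEC-TRAFFIC
policy-map type inspect PM-IPSEC-PASS
 class type inspect CM-IPSEC
  pass
 class class-default
  drop log
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect PM-IPSEC-PASS
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect PM-IPSEC-PASS
!
! Verification: show zone-pair security
!               show policy-map type inspect zone-pair IN-OUT
```

Note that the class-default drop on the self-zone pairs blocks everything else to and from the router on the OUTSIDE side, including management traffic, so extend IPSEC-TRAFFIC (or add a class) for anything the router itself must send or receive.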



