Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
376
Views
0
Helpful
3
Replies

zone based for IOS

karljonesTZ
Level 1
Level 1

‎08-14-2008 03:00 PM - edited ‎03-11-2019 06:31 AM

Hi

I have to chose between zone based vs cbac for branch office configurations.

Any recommendations? I have configured cbac before and it seems simpler

Also - i notice that an outbound acl on zonebased restricting where users can go doesn't appear to be as simple as a regular acl - any idea why this is?

Comments welcome

thank you

Karl

Labels:
0 Helpful
3 Replies 3

Farrukh Haroon
VIP Alumni
VIP Alumni

‎08-15-2008 07:00 AM

Karl, please have a look at this link, it should help you learn the differences more.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf

A considerable quote from the doc:

"Cisco IOS Software Classic Firewall will continue to be

maintained for the foreseeable future, but will not be significantly enhanced with new features.

Instead, the strategic development direction for Cisco IOS Software's stateful inspection firewall is

carried by Zone-Based Policy firewall."

Regards

Farrukh

0 Helpful

robertson.michael
Level 3
Level 3

‎08-15-2008 02:33 PM

Hi Karl,

As you noted, CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, as Farrukh noted, much of the development focus will be on zone-based firewall in future releases.

Zone-based firewall's configuration is more complex, but because of this it is much more granular and allows you to do a lot more with it. If you decide to go with zone-based firewall, you'll want to make sure you understand all of the traffic flows in your network before writing the configuration or you might find yourself doing a lot of troubleshooting after the config is implemented.

Hope that helps.

-Mike

0 Helpful

karljonesTZ
Level 1
Level 1
In response to robertson.michael

‎08-15-2008 04:04 PM

thanks everyone

I have a couple of questions:

1)

I created a zone policy for outside-to-self and allow IPSEC

I also created a policy for self-to-out to allow IPSEC from the router, is this the correct configuration?

2) I created a zone policy inside-to-outside and in this i put match access-group 101

access-list 101 permits branch office clients as follows

permit tcp 192.168.x.x any eq 80

permit tcp 192.168.x.x any eq 443

permit tcp 192.168.x.x any eq 5060

etc

When i look at the config through SDM, there is a no-entry sign on the acl.

Is there a problem with applyign an ACL such as the one above?

advice welcome

cheers

karl

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card