Unanswered Question
Mar 19th, 2009

From the documents the Cisco guys wrote on the new concept of the IOS firewall (ZFW), I assume nothing has changed in regards to ACLs and the way of applying them to the interfaces.

I am actually migrating from CBAC to ZFW and found out that if I keep my existing ACL on the outside interface, I don't get the new ZFW config to work properly, but as soon as I remove the ACL from the outside interface all works great. What does it mean? Do we now need to apply the ACLs through class-map statements and just add a new security zone-pair for the traffic coming in from outside?

Thanks in advance for any suggestions.


thotsaphon Thu, 03/19/2009 - 20:33

Hi Remi,

I'm not sure that I clearly understand your question. The short answer is "Yes, we do". You can migrate the existing policies on CBAC to an Outside(untrust)-to-Inside(trust) zone-pair. Just use a class-map with the match ip address option to match the ACL you want.



remi-reszka Fri, 03/20/2009 - 08:01

Hi Toshi,

Thanks, and indeed you understood my question ;-). Yes, that's what I meant: to apply an ACL to the outside interface through a class-map. When I keep my ACL on the outside (untrusted) interface, the zone-pair inspects the outgoing traffic, but the ACL on the outside interface does not allow the returning traffic.

In the Cisco book CCNA Security there is a statement: "An ACL on an interface that is a zone member should not be restrictive". I don't really understand what that means, but it may have something to do with my problem.

Anyway, I am going to apply my ACLs through the class-maps and see what happens. By the way, you meant to attach an ACL to a class-map using "match access-group ...", not "match ip address", right?


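The configuration shape discussed in both posts above, written out as an added example (this is not configuration from the thread or from Cisco documentation): the ACL that used to be applied on the outside interface is removed from the interface and instead referenced from a class-map with "match access-group", so the zone-pair policy decides what enters from the untrusted side and return traffic is handled by the stateful inspection rather than by an interface ACL. Interface names, zone names, the ACL name and the 203.0.113.0/24 and 192.168.1.0/24 addresses are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Names and addresses are assumptions.
! Goal: migrate an outside-interface ACL into a ZFW outside-to-inside policy.

! The ACL formerly applied with "ip access-group ... in" on the outside
! interface. It now only selects traffic for the class-map below.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 25

! Class-map for traffic arriving from the untrusted zone: both the ACL
! and the protocol must match (match-all).
class-map type inspect match-all CM-OUTSIDE-IN
 match access-group name OUTSIDE-IN
 match protocol tcp

! Class-map for traffic leaving the trusted zone.
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp

! Inbound policy: inspect what the ACL permits, drop and log the rest.
policy-map type inspect PM-OUTSIDE-IN
 class type inspect CM-OUTSIDE-IN
  inspect
 class class-default
  drop log

! Outbound policy: inspect so the return traffic is allowed back in.
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop

zone security INSIDE
zone security OUTSIDE

zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT

zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-IN

interface GigabitEthernet0/0
 description Untrusted side (assumed interface)
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
 ! Note: no "ip access-group OUTSIDE-IN in" here any more.

interface GigabitEthernet0/1
 description Trusted side (assumed interface)
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
```

After applying this, "show zone-pair security" confirms both zone-pairs and their policies, and "show policy-map type inspect zone-pair sessions" lists the sessions created by the inspect action; if outbound connections appear there but still fail, check whether an "ip access-group" statement is still present on either zone-member interface.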
