IOS ZFW and ACLs

remi-reszka
Level 1

Hi,

From the documents Cisco guys wrote on the new concept of the IOS firewall ZFW I assume nothing has changed in regards to ACLs and the way of applying them to the interfaces.

I am actually migrating from CBAC to ZFW and found out that if I keep my existing ACL on the outside interface I don't get the new ZFW config to work properly but as soon as I remove the ACL from the outside interface all works great. What does it mean? Do we need to now apply the ACLs through class-map statements and just add a new security zone-pair for the traffic coming in from outside?

Thanks in advance for any suggestions.

Remi

2 Replies

Hi Remi,

I'm not sure that I clearly understand your question. The short answer is "Yes, we do". You can migrate the existing policies on CBAC to an Outside (untrust)-to-Inside (trust) zone-pair. Just use a class-map with the match ip address option to match the ACL you want.

HTH,

Toshi

Hi Toshi,

Thanks, and indeed you understood my question ;-). Yes, that's what I meant: to apply an ACL to the outside interface through a class map. When I keep my ACL on the outside (untrusted) interface the zone-pair inspects the outgoing traffic, but the ACL on the outside interface does not allow the returning traffic.

In the Cisco book CCNA Security there is a statement: "An ACL on an interface that is a zone member should not be restrictive". I don't really understand what that means, but it may have something to do with my problem.

Anyway, I am going to apply my ACLs through the class-maps and see what happens. By the way, you meant to attach an ACL to a class-map using "match access-group ...", not "match ip address", right?

Saludos,

Remi
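Added example, not from the thread or from Cisco documentation: one way to move the ACL off the outside interface and into ZFW class-maps, as the two replies above discuss. Interface names, ACL, zone, class and policy names, and the 192.168.10.0/24 addresses are constructed for illustration. The security-relevant point is that ZFW, unlike CBAC, does not open return-traffic holes in an interface ACL, so a restrictive inbound ACL left on the outside interface drops the replies to inspected sessions; the ACL instead selects which traffic the zone-pair inspects.

```cisco
! Assumed topology: LAN on GigabitEthernet0/0, Internet on GigabitEthernet0/1.
! Step 1: remove the legacy CBAC inspect rule and the inbound interface ACL
! (names are assumed). Leaving OUTSIDE-IN here is what blocks returning traffic.
interface GigabitEthernet0/1
 no ip inspect CBAC-INSPECT out
 no ip access-group OUTSIDE-IN in
!
! Step 2: zones and zone membership.
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Step 3: ACLs now only classify traffic; they are no longer applied per interface.
ip access-list extended INSIDE-TO-OUTSIDE-ACL
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 192.168.10.25 eq 443
!
! Step 4: class-maps reference the ACLs with "match access-group name".
! A match-any protocol class is nested so that the match-all class can
! require both the ACL and a Layer 4 protocol.
class-map type inspect match-any L4-PROTOCOLS-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match class-map L4-PROTOCOLS-CLASS
 match access-group name INSIDE-TO-OUTSIDE-ACL
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match protocol tcp
 match access-group name OUTSIDE-TO-INSIDE-ACL
!
! Step 5: "inspect" tracks the session and permits its return traffic;
! everything unmatched is dropped and logged so policy gaps are visible.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 6: bind one policy per direction.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
```

Verify with "show policy-map type inspect zone-pair sessions"; an inspected outbound session should appear under IN-OUT while its replies are permitted without any interface ACL on GigabitEthernet0/1.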
