03-19-2009 05:35 PM - edited 03-11-2019 08:07 AM
Hi,
From the documents the Cisco guys wrote on the new concept of the IOS firewall ZFW, I assume nothing has changed with regard to ACLs and the way of applying them to the interfaces.
I am actually migrating from CBAC to ZFW and found out that if I keep my existing ACL on the outside interface I don't get the new ZFW config to work properly but as soon as I remove the ACL from the outside interface all works great. What does it mean? Do we need to now apply the ACLs through class-map statements and just add a new security zone-pair for the traffic coming in from outside?
Thanks in advance for any suggestions.
Remi
03-19-2009 08:33 PM
Hi Remi,
I'm not sure that I clearly understand your question. The short answer is "Yes, we do". You can migrate the existing policies on CBAC to an Outside (untrust)-to-Inside (trust) zone-pair. Just use a class-map with the match ip address option to match the ACL you want.
HTH,
Toshi
03-20-2009 08:01 AM
Hi Toshi,
Thanks, and indeed you understood my question ;-). Yes, that's what I meant: to apply an ACL to the outside interface through a class-map. When I keep my ACL on the outside (untrusted) interface, the zone-pair inspects the outgoing traffic but the ACL on the outside interface does not allow the returning traffic.
In the Cisco book CCNA Security there is a statement: "An ACL on an interface that is a zone member should not be restrictive". I don't really understand what that means, but it may have something to do with my problem.
Anyway, I am going to apply my ACLs through the class-maps and see what happens. By the way, you meant to attach an ACL to a class-map using "match access-group ...", not "match ip address", right?
Saludos,
Remi
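The migration both posters describe, as an added example that is not part of the thread and not a configuration from Toshi or Remi: the old outside-interface ACL is removed from the interface and re-expressed as an inbound zone-pair policy, while the outbound policy uses "match access-group" (the keyword Remi asks about) together with protocol matches so that the inspect engine can admit the return traffic statefully. Zone names, interface names, ACL names, and the 192.168.1.0/24 addresses are assumptions chosen for illustration.

```cisco
! Added example (hypothetical names); assumes a two-interface router
zone security INSIDE
zone security OUTSIDE

interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet
 zone-member security OUTSIDE
 ! Deliberately no "ip access-group ... in" here: an inbound interface ACL is
 ! evaluated before the zone policy, so it would drop the replies that the
 ! inspect engine has already opened a session for.

! Outbound: which internal hosts may open sessions, and which protocols
ip access-list extended INSIDE-TO-OUTSIDE-ACL
 permit ip 192.168.1.0 0.0.0.255 any

class-map type inspect match-any ALLOWED-PROTOCOLS
 match protocol http
 match protocol tcp
 match protocol udp
 match protocol icmp

class-map type inspect match-all INSIDE-TO-OUTSIDE-CMAP
 match access-group name INSIDE-TO-OUTSIDE-ACL
 match class-map ALLOWED-PROTOCOLS

policy-map type inspect INSIDE-TO-OUTSIDE-PMAP
 class type inspect INSIDE-TO-OUTSIDE-CMAP
  inspect
 class class-default
  drop log

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PMAP

! Inbound: the former outside-interface ACL, now a class-map on the
! OUTSIDE->INSIDE pair; only the explicitly permitted server is reachable
ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 192.168.1.10 eq 443

class-map type inspect match-all OUTSIDE-TO-INSIDE-CMAP
 match access-group name OUTSIDE-TO-INSIDE-ACL
 match protocol tcp

policy-map type inspect OUTSIDE-TO-INSIDE-PMAP
 class type inspect OUTSIDE-TO-INSIDE-CMAP
  inspect
 class class-default
  drop log

zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-PMAP

! Verification after the change
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

The point of the layout is that each direction has its own zone-pair, so the inbound ACL only ever restricts sessions initiated from the outside; replies to inside-initiated sessions are matched by the state the IN-TO-OUT inspect action created and never consult OUTSIDE-TO-INSIDE-ACL. The two "show" commands at the end confirm that both pairs are attached and that sessions are actually being built, which is the quickest way to tell an ACL problem from a zone-pair problem.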