I currently use IOS Classic Firewall on my routers and I am now testing the Zone Based Firewall feature, but it is behaving differently with NAT than I expected. My requirement is to allow only certain hosts access to the Internet, and currently I use an Interface ACL to control this.
In my testing, I have two zones - Inside & Internet, with NAT "overload" configured on my public interface. It appears that ZBFW can only see the NATed public (Inside Global) address when going from Inside zone to Internet zone. So in this case, all NATed traffic is treated as the same source IP address. Is this expected behavior? Can ZBFW ever see the private (Inside Local) address when NAT is involved?
What is the recommended way to accomplish this when deploying ZBFW? It seems that interface ACLs are no longer proper - perhaps within my NAT config (i.e. source list or route-map) is most appropriate?
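For readers unfamiliar with the layout being described, the following is a constructed IOS configuration that reproduces the test setup in the question: two security zones (Inside and Internet), a zone-pair with an inspect policy, NAT overload on the public interface, and the poster's current host restriction implemented as an interface ACL on the inside interface. This is an added illustration, not the poster's configuration; interface names, the 192.168.1.0/24 and 203.0.113.0/30 addresses, and the ACL and policy names are all assumed. It does not answer the question of which address (Inside Local or Inside Global) the zone-pair policy matches on; it only makes the setup concrete.

```cisco
! Constructed example reproducing the described test setup (assumed names/addresses).
!
! Current host restriction: interface ACL on the LAN side (the method the poster uses today).
ip access-list extended LAN-IN
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.11 any
 deny   ip any any log
!
! Zones and the Inside -> Internet zone-pair.
zone security Inside
zone security Internet
!
class-map type inspect match-any CM-INSIDE-TO-INTERNET
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-INTERNET
 class type inspect CM-INSIDE-TO-INTERNET
  inspect
 class class-default
  drop log
!
zone-pair security IN-TO-OUT source Inside destination Internet
 service-policy type inspect PM-INSIDE-TO-INTERNET
!
! NAT overload: inside addresses translated to the public interface address.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
 ip nat inside
 zone-member security Inside
!
interface GigabitEthernet0/1
 description Public / Internet (assumed addressing)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security Internet
!
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
```

With this in place, `show policy-map type inspect zone-pair IN-TO-OUT sessions` on the router lists the addresses the firewall actually tracked for each session, which is the quickest way to check, in a lab, whether the zone-pair is matching on the translated or the original source address before deciding where the per-host restriction should live.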