ZBFW and inspection of NATed traffic

jmiller_dart
Level 1

I currently use IOS Classic Firewall on my routers and I am now testing the Zone Based Firewall feature, but it is behaving differently with NAT than I expected. My requirement is to allow only certain hosts access to the Internet, and currently I use an Interface ACL to control this.

In my testing, I have two zones - Inside & Internet, with NAT "overload" configured on my public interface. It appears that ZBFW can only see the NATed public (Inside Global) address when going from Inside zone to Internet zone. So in this case, all NATed traffic is treated as the same source IP address.  Is this expected behavior? Can ZBFW ever see the private (Inside Local) address when NAT is involved?

What is the recommended way to accomplish this when deploying ZBFW? It seems that interface ACLs are no longer proper - perhaps within my NAT config (i.e. source list or route-map) is most appropriate?


Thanks, Jordan

2 Replies

Panos Kampanakis
Cisco Employee

There is something different happening.

ZBF only sees the inside locals. For example if x is translated to y, if you match on x in a ZBF inspection it will match the traffic and work. If you match on y it will not work.

PK
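To make the point in the reply above concrete, here is an added IOS configuration example (not the original poster's config or anything from the thread) of ZBFW combined with NAT overload. The addressing, interface names and object names (10.0.0.0/24, GigabitEthernet0/0 and 0/1, INSIDE-LOCAL-HOSTS, NAT-SOURCE, the class-map, policy-map and zone names) are all assumptions for illustration. The class-map ACL references the inside local (pre-NAT) addresses, which is what the inspect policy classifies on for inside-to-outside traffic; an ACL written against the public inside global address would never match and the traffic would fall into class-default.

```cisco
! Added example, not the poster's configuration. Assumed addressing:
! inside LAN 10.0.0.0/24 on Gi0/0, Internet on Gi0/1, and only two hosts
! (10.0.0.10 and 10.0.0.20) are permitted to reach the Internet.
!
! The inspect class-map ACL must reference INSIDE LOCAL (private, pre-NAT)
! addresses: ZBFW classifies the flow before the source is translated.
ip access-list extended INSIDE-LOCAL-HOSTS
 permit ip host 10.0.0.10 any
 permit ip host 10.0.0.20 any
!
! NAT source list can cover the whole LAN; the firewall policy, not the
! NAT ACL, decides which hosts are allowed out.
ip access-list standard NAT-SOURCE
 permit 10.0.0.0 0.0.0.255
!
class-map type inspect match-all CM-INSIDE-TO-INTERNET
 match access-group name INSIDE-LOCAL-HOSTS
!
policy-map type inspect PM-INSIDE-TO-INTERNET
 class type inspect CM-INSIDE-TO-INTERNET
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security INTERNET
!
zone-pair security INSIDE-TO-INTERNET source INSIDE destination INTERNET
 service-policy type inspect PM-INSIDE-TO-INTERNET
!
interface GigabitEthernet0/0
 description Inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet (assumed address)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 zone-member security INTERNET
!
ip nat inside source list NAT-SOURCE interface GigabitEthernet0/1 overload
```

With this in place, sessions from 10.0.0.10 and 10.0.0.20 are inspected and translated, while any other inside host hits class-default and is dropped and logged. `show policy-map type inspect zone-pair INSIDE-TO-INTERNET sessions` lists the established sessions keyed by the private source address, and `show ip nat translations` shows the same flows after translation, which is a quick way to confirm that classification happened on the inside local address.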

Ok, it must be something I'm doing in my test config.

Do you know of any Cisco documentation that shows NAT deployed with ZBFW?

Thanks, Jordan
