Unanswered Question
Jun 8th, 2010
User Badges:


I am setting up a zone-based firewall and NAT for inbound public traffic to internal private IP addresses.  I am using a 2911 router with all the security bells and whistles. Do I set the destination as the public address or the private? I found a flow diagram that shows when CBAC happens, but nothing about zone-based.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Kureli Sankar Tue, 06/08/2010 - 05:20
User Badges:
  • Cisco Employee,

So you are asking what IP address to use for out to in zone to allow inbound connections from the internet to your web, e-mail or other server on the inside?  You should use the public (translated) address of the server in the acl that you will apply in the out to in zone.


bentoncentral Tue, 06/08/2010 - 05:58
User Badges:

Ok I think we're on the same page. So to put it another way. The firewall inspects the traffic before the Outside to Inside NAT happens?

Kureli Sankar Tue, 06/08/2010 - 06:24
User Badges:
  • Cisco Employee,


Check this link: https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

Watch the outside to inside table. You can substitue inspect CBAC with inspect ZBF.

Firewall creates session from pre-nat src to post-nat dst.

webserver (——router—internet

Let us say we are translating to look like on the internet and it is a webserver
In the out to in zone will have policy-map, class-map and acl
In this acl you would specify

per tcp any host eq 80

Whe you look at the session in the table you will see

session from internet<-->



This Discussion

Related Content