ZBFW and NAT

Unanswered Question
Jun 8th, 2010

Hi,


I am setting up a zone-based firewall and NAT for inbound public traffic to internal private IP addresses.  I am using a 2911 router with all the security bells and whistles. Do I set the destination as the public address or the private? I found a flow diagram that shows when CBAC happens, but nothing about zone-based.


Thanks.


-shawn

Kureli Sankar Tue, 06/08/2010 - 05:20
Cisco Employee

So you are asking what IP address to use for out to in zone to allow inbound connections from the internet to your web, e-mail or other server on the inside?  You should use the public (translated) address of the server in the acl that you will apply in the out to in zone.



-KS

bentoncentral Tue, 06/08/2010 - 05:58

Ok I think we're on the same page. So to put it another way. The firewall inspects the traffic before the Outside to Inside NAT happens?

Kureli Sankar Tue, 06/08/2010 - 06:24
Cisco Employee

Shawn,

Check this link: https://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml


Watch the outside to inside table. You can substitute inspect CBAC with inspect ZBF.


Firewall creates session from pre-nat src to post-nat dst.


webserver (10.10.10.1)——router—internet


Let us say we are translating 10.10.10.1 to look like 1.1.1.1 on the internet and it is a webserver.
The out to in zone-pair will have a policy-map, class-map and acl.
In this acl you would specify


permit tcp any host 1.1.1.1 eq 80


When you look at the session in the table you will see

session from internet<-->10.10.10.1


-KS
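The webserver case KS describes, written out as a complete IOS configuration. This is an added example, not part of the original thread or Cisco's documentation; the addresses 10.10.10.1 and 1.1.1.1 come from the post, while the interface names, interface addresses, zone names and object names are assumed.

```cisco
! Added example (not from the thread). Interface names/addresses and the
! zone, ACL, class-map and policy-map names are assumed.
!
! Static NAT: inside host 10.10.10.1 appears on the internet as 1.1.1.1
ip nat inside source static 10.10.10.1 1.1.1.1
!
! The out-to-in ACL matches the PUBLIC (translated) address, because
! ZBFW classifies an inbound packet before NAT rewrites its destination.
ip access-list extended OUT-TO-IN-WEB
 permit tcp any host 1.1.1.1 eq 80
!
class-map type inspect match-all CM-WEB
 match access-group name OUT-TO-IN-WEB
!
! Inspect only the web traffic; everything else from the internet is
! dropped and logged so unexpected inbound attempts show up in syslog.
policy-map type inspect PM-OUT-IN
 class type inspect CM-WEB
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet (assumed; 1.1.1.1 is left free for the static NAT)
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
!
! Verify: the session entry lists the post-NAT (inside) address 10.10.10.1
! as the destination, as KS describes.
! show policy-map type inspect zone-pair OUT-IN sessions
```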
