
ZBF Firewall Config Questions

Dec 17th, 2013

So I am working on a CBAC to ZBF conversion and am running into a couple of questions. When converting to a ZBF, does the need for ACLs on the interface go away? I have the following configuration and can't seem to get any stats generated when I do a "sh policy-map type inspect zone-pair".



Can someone see if I am missing anything? The ACL I have applied to the incoming traffic on the OUTSIDE interface is dropping the traffic I need to come through. Does ZBF work differently with the ACLs? It does begin to work when I remove the ACL from the interface, but when I run the "sh policy-map type inspect zone-pair", I am still not getting any traffic generated in the inspection.


I have attached the relevant config and the output from a "show policy-firewall config" command.


Any help on this would be much appreciated. Just wondering if someone can see something I am missing on this.



Thanks in advance,

Julio Carvajal Tue, 12/17/2013 - 09:26
User Badges:
  • Purple, 4500 points or more

Hello Jason,


when converting to a ZBF, does the need for ACL's on the interface go away?

With CBAC the firewall inspection would open a pinhole in the incoming ACL. Due to the security features of ZBFW this will not happen, and the ACL check takes place before the inspection. So if you are using ZBFW I would encourage you to remove any existing ACL.



Remove it and let us know bud


Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Jason Spring Tue, 12/17/2013 - 13:02

That makes sense, but when I removed the ACL from the interface, I was able to surf the net but I wasn't getting any stats in the "show policy-map type inspect zone-pair". I should get stats from this, right?


I guess I am just a little gun shy removing that ACL because I have been so used to CBAC! LOL


I am assuming I would also need to create an inbound zone pair for traffic that needs to be allowed that is initiated from the outside, correct?


Is it best practice to remove the access-class from the vty lines as well?


Thanks for your input.

Julio Carvajal Tue, 12/17/2013 - 13:05
User Badges:
  • Purple, 4500 points or more

I am assuming I would also need to create an inbound zone pair for traffic that needs to be allowed that is initiated from the outside, correct?


Yes, that will need to be set.



Is it best practice to remove the access-class from the vty lines as well?

Well, you can leave those if you want, but remember with ZBFW you have the Self-Zone as well. So if you use the Self-Zone, get rid of those too.



Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com
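To make the two answers above concrete, here is an added example configuration (not the poster's attached config and not from the replies) of the ZBF pattern being discussed: no interface ACL, an INSIDE-to-OUTSIDE inspect zone-pair whose counters show up under "show policy-map type inspect zone-pair", and an OUTSIDE-to-self zone-pair that replaces the vty access-class. Interface names, zone names and the management host 203.0.113.10 are assumptions.

```cisco
! Zones: one per security domain; the router itself is the built-in "self" zone
zone security INSIDE
zone security OUTSIDE
!
! Assumption: Gi0/0 faces the LAN, Gi0/1 the Internet (hypothetical interfaces)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
 ! No "ip access-group ... in" here: under ZBF the ACL is evaluated before
 ! inspection, so an inbound ACL on OUTSIDE drops the return traffic that the
 ! inspect session state would otherwise allow.
!
! INSIDE -> OUTSIDE: stateful inspection of user traffic. Return packets are
! matched against session state, and the zone-pair counters increment.
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! OUTSIDE -> self: replaces "access-class" on the vty lines. Only the assumed
! management host may open SSH (tcp/22) to the router from the outside.
! Caveat: once a zone-pair to self exists, anything to the router that the
! policy does not match is dropped, so add classes for routing protocols, VPN, etc.
ip access-list extended ACL-MGMT-SSH
 permit tcp host 203.0.113.10 any eq 22
class-map type inspect match-all CM-OUT-TO-SELF-SSH
 match access-group name ACL-MGMT-SSH
 match protocol tcp
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-OUT-TO-SELF-SSH
  inspect
 class class-default
  drop log
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
!
! Verification (exec mode): per-zone-pair packet counters and active sessions
! show policy-map type inspect zone-pair IN-TO-OUT
! show policy-map type inspect zone-pair IN-TO-OUT sessions
! show policy-firewall sessions
```

An OUTSIDE-to-INSIDE zone-pair for externally initiated traffic follows the same class-map/policy-map/zone-pair shape, with an access-group restricting sources and destinations.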

Jason Spring Tue, 12/17/2013 - 14:39

What about verifying the firewall is functioning? Does just doing a "sh policy-firewall sessions" suffice for this?


Shouldn't I see packets being counted in the "sh policy-map type inspect zone-pair"?
