Customer requirement dictates that I need to use Cisco ZBF between these vrf 'Zones'.
Customer requirement also dictates I need to allow only one particular packet to traverse this boundary. The packet in question has a specific hex value at a particular byte in the payload.
ZBF does not support deep packet inspection as standard.
I can match the required packet using simple FPM config to match the nth byte from the start of the IP header. When called from a corresponding policy-map and applied to a sub-interface (inbound and outbound) this can restrict all traffic between the zones other than the required packet type.
FPM effectively meets the customer requirements but for security reasons I'm still required to implement ZBF as well!
I'm struggling to get my head around if there is a way to join these features together to make a more elegant solution. Maybe by nesting a FPM 'access-control' class-map within a ZBF 'inspect' class map and using the ZBF for stateful inspection.
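The following is an added configuration sketch, not part of the original post and not a confirmed answer to the nesting question. It shows the two features the post describes configured side by side on the same sub-interface: an FPM access-control policy that permits only a packet carrying a given byte value at a given offset from the start of the IP header and drops everything else, plus a ZBF zone-pair that statefully inspects what FPM lets through. The interface name, zone names, the UDP protocol choice, the offset (28, i.e. the first UDP payload byte after a 20-byte IP header and 8-byte UDP header), the value 0x7E and the PHDF paths are all assumptions chosen for illustration; replace them with the customer's real values.

```cisco
! --- FPM: load the protocol header definitions (paths assumed; platform-dependent)
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/udp.phdf

! Stack class: only IP packets carrying UDP (protocol 17) are examined further
class-map type stack match-all FPM-IP-UDP
 match field IP protocol eq 0x11 next UDP

! Access-control class: byte at offset 28 from the start of the IP header
! (assumed first UDP payload byte) must equal the constructed marker value 0x7E
class-map type access-control match-all FPM-MARKER-PKT
 match start l3-start offset 28 size 1 eq 0x7E

! Inner policy: permit the marker packet (no action = permit), drop all other UDP
policy-map type access-control FPM-UDP-POLICY
 class FPM-MARKER-PKT
 class class-default
  drop

! Outer policy: hand UDP to the inner policy, drop any non-UDP traffic
policy-map type access-control FPM-POLICY
 class FPM-IP-UDP
  service-policy FPM-UDP-POLICY
 class class-default
  drop

! --- ZBF: stateful inspection of the UDP flow that FPM allows
zone security ZONE-A
zone security ZONE-B

class-map type inspect match-any ZBF-UDP
 match protocol udp

policy-map type inspect ZBF-A-TO-B
 class type inspect ZBF-UDP
  inspect
 class class-default
  drop

zone-pair security A-TO-B source ZONE-A destination ZONE-B
 service-policy type inspect ZBF-A-TO-B

! --- Sub-interfaces: FPM applied in both directions, each placed in its zone
! (interface names and VLAN tags are assumptions)
interface GigabitEthernet0/0.100
 zone-member security ZONE-A
 service-policy type access-control input FPM-POLICY
 service-policy type access-control output FPM-POLICY

interface GigabitEthernet0/0.200
 zone-member security ZONE-B
 service-policy type access-control input FPM-POLICY
 service-policy type access-control output FPM-POLICY
```

With both applied, FPM filters on payload content at the interface while ZBF tracks the permitted UDP session across the zone-pair and drops anything that is not part of an inspected flow. Whether an FPM access-control class can be referenced from inside a ZBF inspect class-map is left open here; the side-by-side form above does not depend on it. Verify the match with `show policy-map type access-control interface` and the session state with `show policy-map type inspect zone-pair` before relying on it in production.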