From the documents the Cisco guys wrote on the new concept of the IOS firewall ZFW, I assume nothing has changed in regards to ACLs and the way of applying them to the interfaces.
I am actually migrating from CBAC to ZFW and found out that if I keep my existing ACL on the outside interface, I don't get the new ZFW config to work properly, but as soon as I remove the ACL from the outside interface all works great. What does that mean? Do we now need to apply the ACLs through class-map statements and just add a new security zone-pair for the traffic coming in from outside?
I'm not sure that I clearly understand your question. The short answer is "Yes, we do". You can migrate the existing CBAC policies to an Outside (untrust)-to-Inside (trust) zone-pair. Just use a class-map with the match ip address option to match the ACL you want.
Thanks, and indeed you understood my question ;-). Yes, that's what I meant: to apply an ACL to the outside interface through a class-map. When I keep my ACL on the outside (untrusted) interface, the zone-pair inspects the outgoing traffic, but the ACL on the outside interface does not allow the returning traffic.
In the Cisco book CCNA Security there is a statement: "An ACL on an interface that is a zone member should not be restrictive". I don't really understand what that means, but it may have something to do with my problem.
Anyway, I am going to apply my ACLs through the class-maps and see what happens. By the way, you meant to attach an ACL to a class-map using "match access-group ...", not "match ip address", right?
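To make the migration discussed in this thread concrete, here is an added worked configuration (not posted by either participant, and not Cisco's own example). Interface names, zone names, ACL names and the 203.0.113.10 mail-server address are assumed placeholders. The "before" part is the CBAC shape: an inbound ACL on the outside interface plus `ip inspect`, where CBAC dynamically opens entries in that ACL for return traffic. The "after" part is the ZFW equivalent: the outside-in ACL moves into a `class-map type inspect` via `match access-group` (the form asked about above), each direction gets its own zone-pair, and the interface ACL is removed, because ZFW does not punch return-traffic holes into interface ACLs the way CBAC did, which is why a restrictive ACL left on a zone-member interface blocks the replies of inspected sessions.

```cisco
! ===== Before: CBAC (hypothetical names and addresses) =====
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 25
 deny   ip any any
!
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip access-group OUTSIDE-IN in
 ip inspect CBAC-OUT out
 ! CBAC inserts temporary entries into OUTSIDE-IN for return traffic

! ===== After: ZFW equivalent =====
zone security INSIDE
zone security OUTSIDE
!
! The former interface ACL is now only a match criterion, with no trailing deny;
! anything it does not match falls into class-default and is dropped there.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 25
!
! Outside-to-inside: only SMTP to the mail server, matched by ACL and protocol
class-map type inspect match-all CM-OUTSIDE-IN
 match access-group name OUTSIDE-IN
 match protocol smtp
!
! Inside-to-outside: what the old ip inspect rule covered
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-OUTSIDE-IN
 class type inspect CM-OUTSIDE-IN
  inspect
 class class-default
  drop
!
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT
  inspect
 class class-default
  drop
!
! One zone-pair per direction; replies to inspected sessions are allowed by
! the session table, so no separate "return traffic" policy is needed.
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUTSIDE-IN
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUT
!
interface GigabitEthernet0/0
 description OUTSIDE
 no ip inspect CBAC-OUT out
 no ip access-group OUTSIDE-IN in
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description INSIDE
 zone-member security INSIDE
```

After applying this, `show policy-map type inspect zone-pair sessions` lists the inspected flows per zone-pair, and `show zone-pair security` confirms which policy is bound in each direction. If an inbound ACL must stay on the outside interface for some other reason, it has to permit the return traffic of every inspected session itself, since the zone policy will not do that for it.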
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: