Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

where does ZBF/IPSEC fit in the 'Order of operations'?

When IPSEC traffic is de-crypted on a cisco 877 Dialer interface, what is the next step? If the Dialer interface is a member of the 'outside-zone' (ZBF) and the packet SA is and the DA is (which is part of the 'inside-zone'), does the packet go through the 'service-policy' associated with the zone-pair out-to-in? The reason I ask the question is b/c I have a class-map associated with the out-to-in zone-pair that drops all 10.x.x.x, 172.16.x.x, 192.168.x.x, but once my private traffic that just traversed the IPSEC tunnel hits the out-to-in zone-pair it is blocked.

How do I block RFC 1918 on my outside-zone without killing my RFC 1918 tunnel traffic?

Cisco Employee

Re: where does ZBF/IPSEC fit in the 'Order of operations'?


I hope you are doing great. You can create a class map, matching an access list from the remote network to the inside network, that traffic will have the inspect action, then, create another class map with the rest of 1918 rfc addreses and put a drop action.

On the policy map, make sure that the first class map is the one where you are permitting the traffic from the remote network and as a second class map on that policy map put the one that is blocking the rest of the private ranges.

If you have any doubts please let me know.


Community Member

Re: where does ZBF/IPSEC fit in the 'Order of operations'?


I do have what you mentioned in place already, I just didn't think this order of operation was correct. So I basically can't block ALL RFC 1918 on my DSL interface if I have a site-to-site tunnel using a private network?

Thanks for the response.

Cisco Employee

Re: where does ZBF/IPSEC fit in the 'Order of operations'?


I think I do understand your concern now, and the answer will be no. If someone directly connected on the outside comes with an address that is on the IP scheme of the tunnel (or in Zone based perspective, allowed from outside to inside), he will be allowed to come in. However, is very unlikely that someone from the internet can come with an IP address that is not routable, it should die on the ISP network.

Hope this helps.

If you have any doubt please let me know.



CreatePlease to create content