I currently use IOS Classic Firewall on my routers and I am now testing the Zone Based Firewall feature, but it is behaviing differently with NAT than I expected. My requirement is to allow only certain hosts access to the Internet, and currently I use an Interface ACL to control this.
In my testing, I have two zones - Inside & Internet, with NAT "overload" configured on my public interface. It appears that ZBFW can only see the NATed public (Inside Global) address when going from Inside zone to Internet zone. So in this case, all NATed traffic is treated as the same source IP address. Is this expected behavior? Can ZBFW ever see the private (Inside Local) address when NAT is involved?
What is the recommend way to accomplish this when deploying ZBFW? It seems that interface ACLs are no longer proper - perhaps within my NAT config (i.e. source list or route-map) is most appropriate?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...