New Member

ZBFW and inspection of NATed traffic

I currently use IOS Classic Firewall on my routers and I am now testing the Zone Based Firewall feature, but it is behaving differently with NAT than I expected. My requirement is to allow only certain hosts access to the Internet, and currently I use an Interface ACL to control this.

In my testing, I have two zones - Inside & Internet, with NAT "overload" configured on my public interface. It appears that ZBFW can only see the NATed public (Inside Global) address when going from Inside zone to Internet zone. So in this case, all NATed traffic is treated as the same source IP address.  Is this expected behavior? Can ZBFW ever see the private (Inside Local) address when NAT is involved?

What is the recommended way to accomplish this when deploying ZBFW? It seems that interface ACLs are no longer proper - perhaps within my NAT config (i.e. source list or route-map) is most appropriate?


Thanks, Jordan

2 REPLIES
Cisco Employee

Re: ZBFW and inspection of NATed traffic

There is something different happening.

ZBF only sees the inside locals. For example, if x is translated to y, if you match on x in a ZBF inspection it will match the traffic and work. If you match on y it will not work.

PK
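A configuration fragment, added here and not posted by anyone in the thread, that applies PK's point: the ZBF class-map matches the inside-local (pre-NAT) addresses of the hosts allowed out, while NAT overload is configured separately and does not need to carry the access restriction. Zone names, interface names, ACL names and the 192.168.10.0/24 addresses are assumptions.

```cisco
! Constructed example: restrict Internet access to listed hosts with ZBF,
! matching on inside-local addresses (what the inspection actually sees).
! Assumed: Gi0/0 = LAN (192.168.10.0/24), Gi0/1 = public interface.
ip access-list extended INSIDE-HOSTS
 permit ip host 192.168.10.10 any
 permit ip host 192.168.10.20 any
!
! Protocols to inspect for the permitted hosts
class-map type inspect match-any INSIDE-PROTOCOLS
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! match-all: source must be in INSIDE-HOSTS AND one of the protocols above
class-map type inspect match-all INSIDE-TO-INTERNET-CLASS
 match access-group name INSIDE-HOSTS
 match class-map INSIDE-PROTOCOLS
!
! Inspect the permitted hosts; everything else from the zone is dropped and logged
policy-map type inspect INSIDE-TO-INTERNET-POLICY
 class type inspect INSIDE-TO-INTERNET-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security INTERNET
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 zone-member security INTERNET
!
zone-pair security INSIDE-TO-INTERNET source INSIDE destination INTERNET
 service-policy type inspect INSIDE-TO-INTERNET-POLICY
!
! NAT overload for the whole LAN; the per-host restriction lives in the ZBF policy above
ip access-list standard NAT-SOURCES
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
```

Return traffic for inspected sessions is allowed back by the inspect action, so no separate INTERNET-to-INSIDE zone-pair is needed for these flows.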

New Member

Re: ZBFW and inspection of NATed traffic

OK, it must be something I'm doing in my test config.

Do you know of any Cisco documentation that shows NAT deployed with ZBFW?

Thanks, Jordan
