10-09-2013 01:07 PM - edited 03-11-2019 07:49 PM
Greetings,
I am building a ZBF that will require certain networks to be allowed inbound and not inspected. MOST of the traffic will be from the INSIDE to the OUTSIDE but some management of INSIDE hosts will be required etc.
I would like to verify that I can use an extended ACL to allow that traffic to the INSIDE zone hosts.
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T1
access-list 101 deny (don't inspect this OUTBOUND private network traffic addresses)
access-list 101 permit (do inspect this all of the rest OUTBOUND traffic addresses)
!
access-list 102 permit (inbound don't inspect this INBOUND traffic addresses)
!
class-map type inspect match-all ALL-PRIVATE
match access-group 101
!
!
policy-map type inspect priv-pub-pmap
class type inspect ALL-PRIVATE
inspect
class class-default
!
zone security INSIDE
description INSIDE interface PRIVATE network
!
zone security OUTSIDE
description OUTSIDE interface PUBLIC Internet and Corp connection
!
zone-pair security priv-pub source INSIDE destination OUTSIDE
service-policy type inspect priv-pub-pmap
!
interface multilink 1
ip address 67.x.x.x
zone-member security OUTSIDE
ip access-group 102 in
!
interface g0/0
ip address 192.168.x.x
zone-member security INSIDE
!
interface g0/1
ip address 67.x.x.x
zone-member security INSIDE
!
Thanks,
Tim
10-10-2013 04:32 PM
Hi,
The best way to avoid inspection is using the "pass" action in the policy map.
So you may want to create 2 different class-maps. One matching the traffic that you don't want to inspect and the other one with the traffic you wish to inspect.
Other thing to add is that when you use PASS you need to also allow the return traffic. So you need a class map with a Pass action from Inside to Outside and another one from Outside to Inside.
HTH
Luis Silva
"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
http://www.cisco.com/web/partners/tools/pdihd.html
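The layout Luis describes, written out as an added example (not the original poster's configuration and not Cisco's own sample): two class-maps on the INSIDE-to-OUTSIDE zone-pair, one with pass and one with inspect, plus a second zone-pair OUTSIDE-to-INSIDE carrying a mirrored pass class for the return and management traffic. The zone names INSIDE and OUTSIDE, the zone-pair priv-pub and the policy-map priv-pub-pmap are taken from the thread; the zone-pair pub-priv, the policy-map pub-priv-pmap, the named ACLs and class-maps, and the addresses 192.168.10.0/24 (INSIDE LAN) and 10.20.30.0/24 (the trusted management network reached through OUTSIDE) are assumptions constructed for the example.

```cisco
! Constructed example. Addresses are placeholders: 192.168.10.0/24 is the INSIDE LAN,
! 10.20.30.0/24 is the trusted management network on the OUTSIDE side.
!
! Traffic that must bypass inspection, INSIDE -> OUTSIDE. Keep this as narrow as the
! management requirement allows: pass builds no session state, so nothing checks that
! a packet belongs to an established connection.
ip access-list extended NO-INSPECT-OUT
 permit ip 192.168.10.0 0.0.0.255 10.20.30.0 0.0.0.255
!
! Everything else leaving INSIDE is inspected; the return leg is opened by the
! session table, so no mirrored class is needed for it.
ip access-list extended INSPECT-OUT
 permit ip 192.168.10.0 0.0.0.255 any
!
! Mirror of NO-INSPECT-OUT for the OUTSIDE -> INSIDE direction. This is what lets the
! management hosts reach INSIDE and what carries the return packets of passed flows.
ip access-list extended NO-INSPECT-IN
 permit ip 10.20.30.0 0.0.0.255 192.168.10.0 0.0.0.255
!
class-map type inspect match-all PASS-OUT
 match access-group name NO-INSPECT-OUT
class-map type inspect match-all INSPECT-OUT
 match access-group name INSPECT-OUT
class-map type inspect match-all PASS-IN
 match access-group name NO-INSPECT-IN
!
! INSIDE -> OUTSIDE: the more specific pass class is listed first, the broad inspect
! class second, and anything unmatched is dropped and logged.
policy-map type inspect priv-pub-pmap
 class type inspect PASS-OUT
  pass
 class type inspect INSPECT-OUT
  inspect
 class class-default
  drop log
!
! OUTSIDE -> INSIDE: only the mirrored pass class; all other inbound traffic is dropped.
policy-map type inspect pub-priv-pmap
 class type inspect PASS-IN
  pass
 class class-default
  drop log
!
zone security INSIDE
 description INSIDE interface PRIVATE network
zone security OUTSIDE
 description OUTSIDE interface PUBLIC Internet and Corp connection
!
zone-pair security priv-pub source INSIDE destination OUTSIDE
 service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source OUTSIDE destination INSIDE
 service-policy type inspect pub-priv-pmap
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface Multilink1
 zone-member security OUTSIDE
```

Because a pass class creates no session, `show policy-map type inspect zone-pair sessions` will only list the inspected flows; to confirm that the passed traffic is hitting the intended class rather than falling into class-default, watch the per-class packet counters in `show policy-map type inspect zone-pair` while generating management traffic. If the management requirement can be stated as specific protocols (for example SSH or SNMP only), replace the `permit ip` lines in NO-INSPECT-IN and NO-INSPECT-OUT with port-specific entries, so that the unchecked path stays as small as possible.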