Cisco Support Community
Community Member

zone based for IOS


I have to choose between zone-based vs CBAC for branch office configurations.

Any recommendations? I have configured CBAC before and it seems simpler.

Also - I notice that an outbound ACL on zone-based restricting where users can go doesn't appear to be as simple as a regular ACL - any idea why this is?

Comments welcome

thank you



Re: zone based for IOS

Karl, please have a look at this link, it should help you learn the differences more.

A considerable quote from the doc:

"Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features. Instead, the strategic development direction for Cisco IOS Software's stateful inspection firewall is carried by Zone-Based Policy firewall."



Re: zone based for IOS

Hi Karl,

As you noted, CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, as Farrukh noted, much of the development focus will be on zone-based firewall in future releases.

Zone-based firewall's configuration is more complex, but because of this it is much more granular and allows you to do a lot more with it. If you decide to go with zone-based firewall, you'll want to make sure you understand all of the traffic flows in your network before writing the configuration or you might find yourself doing a lot of troubleshooting after the config is implemented.

Hope that helps.


Community Member

Re: zone based for IOS

thanks everyone

I have a couple of questions:


1) I created a zone policy for outside-to-self and allow IPSEC

I also created a policy for self-to-out to allow IPSEC from the router, is this the correct configuration?

2) I created a zone policy inside-to-outside and in this I put match access-group 101

access-list 101 permits branch office clients as follows

permit tcp 192.168.x.x any eq 80

permit tcp 192.168.x.x any eq 443

permit tcp 192.168.x.x any eq 5060


When I look at the config through SDM, there is a no-entry sign on the ACL.

Is there a problem with applying an ACL such as the one above?

advice welcome
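
The policy described in the post above, written out as IOS zone-based firewall configuration. This is an added example, not configuration posted in the thread; the zone, class-map and policy-map names, the interface names and the 192.168.10.0/24 subnet are constructed placeholders (the thread gives the real subnet only as 192.168.x.x).

```cisco
! Constructed sample values: subnet, interfaces and all names are placeholders.
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 5060
!
! ISAKMP and ESP only; NAT-T (UDP 4500) is not covered in this sample.
ip access-list extended IPSEC-ACL
 permit udp any any eq isakmp
 permit esp any any
!
zone security inside
zone security outside
!
! Branch clients to the outside: flows permitted by ACL 101 are inspected
! statefully, everything else from the inside zone is dropped.
class-map type inspect match-all BRANCH-CLIENTS
 match access-group 101
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect BRANCH-CLIENTS
  inspect
 class class-default
  drop
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! IPsec to and from the router itself. "pass" keeps no state, so each
! direction that has a zone-pair needs its own pass rule.
! class-default drop also blocks any other router-originated or
! router-destined traffic on the outside (management, DNS, NTP, ...).
class-map type inspect match-all IPSEC
 match access-group name IPSEC-ACL
policy-map type inspect ROUTER-IPSEC
 class type inspect IPSEC
  pass
 class class-default
  drop
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect ROUTER-IPSEC
zone-pair security SELF-OUT source self destination outside
 service-policy type inspect ROUTER-IPSEC
!
interface FastEthernet0/0
 zone-member security inside
interface FastEthernet0/1
 zone-member security outside
```

After applying a policy like this, `show policy-map type inspect zone-pair` shows per-class counters, which helps confirm that traffic is hitting the intended class rather than class-default.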


