11-23-2011 07:57 AM - edited 03-07-2019 03:33 AM
Cisco 2911 Router
CCP 2.5
Hi Guys,
Please bear with me. I’m new to Cisco IOS.
I’m “attempting” to configure a 2911 Router utilizing Cisco Configuration Professional 2.5
Zone based Firewall Policy is configured.
Traffic is flowing out without a problem.
The only way I can get NAT policies such as ICMP, SMTP, RDP to work, is creating a Rule for New Traffic under Security, Firewall, Edit Firewall Policy, ccp-permit (out-zone to self).
When I configure ACLs via the ACL Editor, should I see the resulting rule under Firewall Policy?
Shouldn’t the ACL create the Firewall Policy?
Thanks!
Chip
11-23-2011 08:19 AM
Hi,
ZBF uses ACLs to match traffic, not to filter it, so you'll have to create the rules under the Firewall Policy.
But for static NAT to work from Outside to Inside you must have a service-policy applied for source outside and destination inside, not self, which is the zone for traffic coming to / originated from the router, not traffic traversing the router.
Regards.
Alain
11-23-2011 08:55 AM
Hi Alain,
Thanks for the information and for taking the time.
Is it possible to add an ACL Service Object Group to the Firewall Policy, out-zone to in-zone, Rule for New Traffic? (I didn't see this as an option in the drop down.) Or does each service need a separate policy?
Thank you!
Chip
11-23-2011 11:12 AM
Hi,
I've never implemented ZBF with a GUI but if you tell me what you want and post the running config, I can tell you the CLI commands to do it.
Regards.
Alain
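To illustrate the CLI side of Alain's answer (the ACL only selects traffic for the class-map, and the inbound NAT'd services need an out-zone to in-zone zone-pair rather than the self zone), here is a constructed IOS configuration that is not from the original thread. It assumes hypothetical interfaces Gi0/0 (WAN) and Gi0/1 (LAN), an inside server 192.168.10.25 statically mapped to the documentation address 203.0.113.25, and the zone names the poster already uses.

```cisco
! Constructed example, not the poster's running config.
! The ACL only classifies traffic; ZBF permits what the class-map selects
! and the class-default drop handles everything else.
! Match the inside (real) address: the out-to-in policy sees the packet
! after the static NAT has translated the public destination.
ip access-list extended INBOUND-SERVICES
 remark SMTP, RDP and ICMP echo to the published server
 permit tcp any host 192.168.10.25 eq smtp
 permit tcp any host 192.168.10.25 eq 3389
 permit icmp any host 192.168.10.25 echo
!
class-map type inspect match-all CM-OUT-IN
 match access-group name INBOUND-SERVICES
!
policy-map type inspect PM-OUT-IN
 class type inspect CM-OUT-IN
  inspect
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
!
! Zone-pair from the Internet zone to the LAN zone, not out-zone to self:
! self only covers traffic to or from the router itself.
zone-pair security out-to-in source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
!
interface GigabitEthernet0/0
 description WAN (hypothetical)
 ip nat outside
 zone-member security out-zone
!
interface GigabitEthernet0/1
 description LAN (hypothetical)
 ip nat inside
 zone-member security in-zone
!
ip nat inside source static 192.168.10.25 203.0.113.25
```

Adding a further published service is a matter of another permit line in INBOUND-SERVICES rather than a new policy, since all entries share the one class-map; `show policy-map type inspect zone-pair out-to-in` shows the resulting sessions and drops.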