Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Ashish Jhaldiyal about Zone-Based Policy Firewall, also known as Zone-Policy Firewall or ZFW.
Ashish is a senior TAC engineer at Cisco Systems, and his expertise is in Network Security, Intrusion Prevention Systems and Zone-Based Firewall. He has over 5 years of experience in the field of networking and specializes in Firewall and Wireshark.
Remember to use the rating system to let Ashish know if you have received an adequate response.
Ashish might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event is a continuation of the Facebook Forum. Visit this forum often to view responses to your questions and the questions of other community members. This event lasts through March 30, 2012.
Currently, in zone-based firewall there is no way to define VPN-encrypted traffic in a policy-map. This means that after decrypting an ESP packet the router will treat it as a normal packet and will enforce all rules applied to outside-to-inside traffic.
The router can't differentiate between a normal packet and a packet which came through the VPN tunnel. Cisco ASA has the feature "sysopt connection permit-vpn", which allows ESP packets to bypass any access-list applied on the interface.
Only ICMP, H323, UDP and TCP can be inspected on the self interface.
Under "controlling router access" they give an example of using the "inspect" statements on the self zone for both in and out as below:
class-map type inspect match-any self-service-cmap
match protocol tcp
match protocol udp
match protocol icmp
match protocol h323
I notice they apply a separate policy to allow TFTP traffic with the "pass" command:
policy-map type inspect from-self-pmap
 class type inspect from-self-cmap
  inspect
 class type inspect tftp-out-cmap
  pass
Where I have attempted this in practice, the "match protocol" commands on the self-zone with TCP, UDP, ICMP, and H323 appear to have no effect on the traffic flow in either direction. I had to create separate rules for my traffic with the "pass" associated, just as in the above example. Can you clarify that part of the document and tell me why I would both need to "match" the protocol and then create an ACL to allow the traffic to pass, as the above document is written?
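The following is an added example, not configuration from the thread or from the Cisco document quoted above, showing the self-zone policy written out in full. The point it illustrates is that a `match protocol` line in a class-map only classifies traffic; what happens to a class is decided by the action (`inspect`, `pass` or `drop`) given to it inside the `policy-map type inspect`, and the policy only takes effect once a zone-pair binds it to the self zone. Because only TCP, UDP, ICMP and H323 can be inspected toward the self zone, TFTP is matched by an ACL and passed rather than inspected. Assumptions made here: GigabitEthernet0/0 is the outside interface, 192.0.2.10 is a constructed TFTP server address, and the class-map, policy-map and ACL names are chosen for this example.

```cisco
! --- Constructed example: self zone <-> outside, not the original document's config ---

! Router-originated TCP/UDP/ICMP/H323 can be inspected (stateful, return traffic allowed).
class-map type inspect match-any self-service-cmap
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol h323
!
! TFTP cannot be inspected toward self, so match it by ACL and pass it (stateless).
ip access-list extended TFTP-OUT
 permit udp any host 192.0.2.10 eq tftp      ! 192.0.2.10 = assumed TFTP server
!
class-map type inspect match-all tftp-out-cmap
 match access-group name TFTP-OUT
!
! Every class needs an explicit action; class-default drops whatever was not listed.
policy-map type inspect from-self-pmap
 class type inspect self-service-cmap
  inspect
 class type inspect tftp-out-cmap
  pass
 class class-default
  drop log
!
! "pass" keeps no state, so the TFTP replies need their own pass in the reverse direction.
! TFTP data comes from an ephemeral source port, so the ACL is limited by server address only.
ip access-list extended TFTP-IN
 permit udp host 192.0.2.10 any
!
class-map type inspect match-all tftp-in-cmap
 match access-group name TFTP-IN
!
policy-map type inspect to-self-pmap
 class type inspect tftp-in-cmap
  pass
 class class-default
  drop log
!
zone security outside
!
interface GigabitEthernet0/0
 zone-member security outside
!
! Nothing above is enforced until the policy is attached to a zone-pair with "self".
zone-pair security self-to-out source self destination outside
 service-policy type inspect from-self-pmap
!
zone-pair security out-to-self source outside destination self
 service-policy type inspect to-self-pmap
```

Two things to check before applying this on a production router: return traffic for the inspected classes is allowed by the inspection state, so it needs no entry in `to-self-pmap`, but the `drop log` default in `to-self-pmap` will block every unlisted inbound flow to the router itself, including management sessions, so any protocols used to reach the router from the outside zone must be added to that policy first. Also verify the result with `show policy-map type inspect zone-pair` rather than relying on the absence of drop messages.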