Hi guys,
I am migrating from CBAC IOS FW to IOS Zone-Based Firewall and I have some questions. My scenario has one interface for my LAN and multiple (more than 100) GRE tunnel interfaces for my branches. With CBAC, if I wanted to do inspection for a particular interface, I could define my inspection rule and then apply it to that specific interface. The traffic direction is from each tunnel towards the inside interface and from the inside interface towards the tunnel. I want to accomplish the same thing with the zone-based firewall.

If I assign the inside interface to a zone in order to form a zone pair with the tunnel I want inspection on, I will have to create a zone pair for each of the tunnels I have so that traffic can flow from tunnel to inside, and then another pair from inside to tunnel. So I will end up creating at least 100 zone pairs for traffic flowing from inside to tunnel and 100 zone pairs for traffic flowing from tunnel to inside, and that is because I want to enable FTP inspection for only one tunnel-to-inside flow. Is this correct? Is there another way to accomplish this without so much hassle?
I hope I made myself clear.
Please note that I cannot use CBAC since my router doesn't support it.
Any answer will be appreciated.
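As an added illustration (not part of the original post), the scenario above written in IOS Zone-Based Firewall syntax, assuming hypothetical interface names GigabitEthernet0/0 for the LAN and Tunnel1 to Tunnel3 for branches. It relies on the ZBF rule that a zone can hold many interfaces and a zone pair governs all traffic between its two zones, so one pair per direction covers every tunnel placed in a shared zone, and only the tunnel that needs FTP inspection is given its own zone and pair.

```cisco
! Added example, not from the original post; interface names are hypothetical.
! A zone may contain any number of interfaces, and a zone pair applies to all
! traffic between its two zones, so tunnels in one zone share the same pair.
zone security INSIDE
zone security BRANCHES
zone security BRANCH-FTP

interface GigabitEthernet0/0
 zone-member security INSIDE
interface Tunnel1
 zone-member security BRANCHES
interface Tunnel2
 zone-member security BRANCHES
! Only this tunnel needs FTP inspection, so it gets a zone of its own
interface Tunnel3
 zone-member security BRANCH-FTP

! Generic stateful inspection for the bulk of the branches
class-map type inspect match-any CM-GENERIC
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-GENERIC
 class type inspect CM-GENERIC
  inspect
 class class-default
  drop

! FTP-aware inspection (ftp listed before tcp so it is matched first)
class-map type inspect match-any CM-FTP-BRANCH
 match protocol ftp
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-FTP-BRANCH
 class type inspect CM-FTP-BRANCH
  inspect
 class class-default
  drop

! Two pairs, one per direction, cover every tunnel in BRANCHES
zone-pair security IN-TO-BR source INSIDE destination BRANCHES
 service-policy type inspect PM-GENERIC
zone-pair security BR-TO-IN source BRANCHES destination INSIDE
 service-policy type inspect PM-GENERIC
! Two more pairs for the single FTP branch
zone-pair security IN-TO-FTP source INSIDE destination BRANCH-FTP
 service-policy type inspect PM-FTP-BRANCH
zone-pair security FTP-TO-IN source BRANCH-FTP destination INSIDE
 service-policy type inspect PM-FTP-BRANCH
```

Interfaces in the same zone pass traffic to each other without inspection, so branch-to-branch traffic through BRANCHES would need its own consideration if that flow must be controlled.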