Cisco Support Community

Multiple zone IOS firewall (ZBF)

Hi guys,

I am migrating a CBAC IOS FW to IOS Zone Based Firewall and I have some questions. My scenario has one interface for my LAN and multiple (more than 100) GRE tunnel interfaces for my branches. With CBAC, if I wanted to do inspection for a particular interface I could specify my inspection and then apply it to that specific interface. The traffic direction is from each tunnel towards the inside interface and from the inside interface towards the tunnel. I want to accomplish the same thing with the zone based firewall. If I assign the inside interface to a zone in order to form a zone pair with the tunnel I want inspection on, I will have to create a zone pair for each of the tunnels I have so that traffic can flow from tunnel to inside, and then another pair from inside to tunnel. So I will end up with at least 100 zone pairs for traffic flowing from inside to tunnel and 100 zone pairs for traffic flowing from tunnel to inside, and that is because I want to enable FTP inspection for only one tunnel-to-inside flow. Is this correct? Is there another way to accomplish this without so much hassle?

I hope I made myself clear.

Please note that I cannot use CBAC since my router doesn't support it.

Any answer will be appreciated.
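For reference, this is what the zone, zone-pair, class-map and policy-map pieces of the scenario above look like in IOS ZBF syntax. It is an added example written for this page, not configuration from the original poster or from Cisco, and the interface numbers, tunnel endpoints, subnets and object names are assumptions chosen for illustration. It relies on two properties of IOS ZBF: a security zone may contain any number of interfaces, and an inspect class map can match an ACL alongside a protocol, so the "FTP only from one tunnel" requirement is expressed as a class inside one policy rather than as a separate zone pair per tunnel.

```ios
! Added example, not from the original thread. Names, interface numbers,
! addresses and subnets are assumptions chosen for illustration only.
!
! One zone for the LAN, one zone shared by every GRE tunnel interface.
zone security INSIDE
zone security BRANCHES
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
!
interface Tunnel1
 description branch 1 (assumed LAN 10.1.1.0/24)
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.11
 zone-member security BRANCHES
!
interface Tunnel2
 description branch 2 (assumed LAN 10.1.2.0/24)
 ip address 172.16.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.12
 zone-member security BRANCHES
! Tunnel3 ... Tunnel100 each get the same "zone-member security BRANCHES" line.
!
! Only branch 1 needs FTP inspection: select its hosts by source subnet.
ip access-list extended BRANCH1-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
! match-all: both the ACL and the FTP protocol must match.
class-map type inspect match-all BRANCH1-FTP
 match access-group name BRANCH1-HOSTS
 match protocol ftp
!
! Generic stateful inspection for everything else.
class-map type inspect match-any GENERIC-IP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Classes are evaluated top-down, so the narrow FTP class must come first.
policy-map type inspect BRANCHES-TO-INSIDE
 class type inspect BRANCH1-FTP
  inspect
 class type inspect GENERIC-IP
  inspect
 class class-default
  drop log
!
policy-map type inspect INSIDE-TO-BRANCHES
 class type inspect GENERIC-IP
  inspect
 class class-default
  drop log
!
! Two zone pairs cover all tunnels in both directions.
zone-pair security BRANCHES-INSIDE source BRANCHES destination INSIDE
 service-policy type inspect BRANCHES-TO-INSIDE
zone-pair security INSIDE-BRANCHES source INSIDE destination BRANCHES
 service-policy type inspect INSIDE-TO-BRANCHES
```

Two caveats a practitioner should check before deploying something like this. First, traffic between interfaces in the same zone is permitted by default in IOS ZBF, so with every tunnel in BRANCHES, branch-to-branch traffic that transits the hub passes without inspection; if that is not acceptable, split the tunnels across more than one zone or verify that the IOS release in use supports intra-zone policies. Second, because FTP inspection opens the data channel dynamically, confirm after applying the policy with `show policy-map type inspect zone-pair sessions` that an FTP session from the branch 1 subnet shows up under the BRANCH1-FTP class and not under GENERIC-IP, which would indicate an ACL or class-ordering mistake.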




This is an interesting scenario and requires a lot of traffic matching and typing. I never thought about this one. I am trying to configure it with all the options, but the only way I could find is the one you mentioned. I will check more on this. Please share if you already have the solution.

