https://community.cisco.com/t5/network-security/zone-based-firewall-bypass-verification/m-p/2298973#M311248 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>The best way to avoid inspection is using the "pass" action in the policy map.</P><P></P><P>So you way want to create 2 different class-maps. One matching the the traffic that you don't want to inspect and the other one with the traffic you wish to inspect.</P><P></P><P>Other thing to add is that when you use PASS you need to also allow the retrurn traffic. So you need a class map with a Pass action from Inside to Outisde and another one from Outside to Inside.</P><P></P><P>HTH</P><P></P><P>Luis Silva <BR /> <BR />"If you need PDI (Planning, Design, Implement) assistance feel free to reach us" <BR /> <BR /><A class="jive-link-external-small" href="http://www.cisco.com/web/partners/tools/pdihd.html">http://www.cisco.com/web/partners/tools/pdihd.html</A></P></BODY></HTML> Thu, 10 Oct 2013 23:32:45 GMT Luis Silva Benavides 2013-10-10T23:32:45Z https://community.cisco.com/t5/network-security/zone-based-firewall-bypass-verification/m-p/2298972#M311246 <P>Greetings,</P><P></P><P>I am building a ZBF that will require certain networks to be allowed inbound and not inspected. MOST of the traffic will be from the INSIDE o the OUTSIDE but some management of INSIDE hosts will be required etc.</P><P></P><P>I would like to verify that I can use an extended ACL to allow that traffic to the INSIDE zone hosts.</P><P></P><P>Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T1</P><P></P><P>access-list 101 deny (don't inspect this OUTBOUND private network traffic addresses)</P><P>access-list 101 permit (do inspect this all of the rest OUTBOUND traffic addresses)</P><P>!</P><P>access-list 102 permit (inbound don't inspect this INBOUND traffic addresses)</P><P>!</P><P>class-map type inspect match-all ALL-PRIVATE</P><P> match access-group 101</P><P>!</P><P>!</P><P>policy-map type inspect priv-pub-pmap</P><P> class type inspect ALL-PRIVATE</P><P>&nbsp; inspect</P><P> class class-default</P><P>!</P><P>zone security INSIDE</P><P>description INSIDE interface PRIVATE network</P><P>!</P><P>zone security OUTSIDE</P><P> description OUTSIDE interface PUBLIC Internet and Corp connection</P><P>!</P><P><SPAN style="font-size: 10pt;">zone-pair security priv-pub source INSIDE destination OUTSIDE</SPAN></P><P> service-policy type inspect priv-pub-pmap</P><P>! </P><P>interface multilink 1</P><P> ip address 67.x.x.x</P><P> zone-member security OUTSIDE</P><P> ip access-group 102 in</P><P>!</P><P>interface g0/0</P><P><SPAN style="font-size: 10pt;"> ip address 192.168.x.x</SPAN></P><P> zone-member security INSIDE</P><P>!</P><P>interface g0/1</P><P><SPAN style="font-size: 10pt;"> ip address 67.x.x.x</SPAN></P><P> zone-member security INSIDE</P><P>!</P><P></P><P>Thanks,</P><P>Tim</P> Tue, 12 Mar 2019 02:49:32 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-bypass-verification/m-p/2298972#M311246 ttoney 2019-03-12T02:49:32Z https://community.cisco.com/t5/network-security/zone-based-firewall-bypass-verification/m-p/2298973#M311248 <HTML><HEAD></HEAD><BODY><P>HI,</P><P></P><P>The best way to avoid inspection is using the "pass" action in the policy map.</P><P></P><P>So you way want to create 2 different class-maps. One matching the the traffic that you don't want to inspect and the other one with the traffic you wish to inspect.</P><P></P><P>Other thing to add is that when you use PASS you need to also allow the retrurn traffic. So you need a class map with a Pass action from Inside to Outisde and another one from Outside to Inside.</P><P></P><P>HTH</P><P></P><P>Luis Silva <BR /> <BR />"If you need PDI (Planning, Design, Implement) assistance feel free to reach us" <BR /> <BR /><A class="jive-link-external-small" href="http://www.cisco.com/web/partners/tools/pdihd.html">http://www.cisco.com/web/partners/tools/pdihd.html</A></P></BODY></HTML> Thu, 10 Oct 2013 23:32:45 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-bypass-verification/m-p/2298973#M311248 Luis Silva Benavides 2013-10-10T23:32:45Z