https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771151#M496748 <P>I am trying to understand this following sentence regarding zone-based firewalls on a Cisco router, why they are wrong,</P><P></P><P>1. "Interface ACLs are applied before zone-base policy firewalls when they are applied outbound."</P><P></P><P>2. "The firewalls can be configured simultaneously on the same interface as classic CBAC using the IP inspect CLI command"</P><P></P><P></P><P>Any light shed would be appreciated.</P><P></P><P>Han</P> Mon, 11 Mar 2019 21:32:11 GMT hanwucisco 2019-03-11T21:32:11Z https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771151#M496748 <P>I am trying to understand this following sentence regarding zone-based firewalls on a Cisco router, why they are wrong,</P><P></P><P>1. "Interface ACLs are applied before zone-base policy firewalls when they are applied outbound."</P><P></P><P>2. "The firewalls can be configured simultaneously on the same interface as classic CBAC using the IP inspect CLI command"</P><P></P><P></P><P>Any light shed would be appreciated.</P><P></P><P>Han</P> Mon, 11 Mar 2019 21:32:11 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771151#M496748 hanwucisco 2019-03-11T21:32:11Z https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771152#M496749 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1) interface ACLs always take precedence over ZBF , I don't think the direction matters.</P><P>2) CBAC and ZBF are mutually exclusive on an interface to my best knowledge.</P><P></P><P>Just to be sure I will lab it up later tonight and give you the results.</P><P></P><P>Regards.</P><P></P><P>Alain.</P></BODY></HTML> Thu, 29 Sep 2011 17:23:31 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771152#M496749 cadet alain 2011-09-29T17:23:31Z https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771153#M496750 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>just tested ACL and ZBF and direction doesn't matter, it will always be taken into account if it denies a flow permitted by ZBF.</P><P>And CBAC and ZBF are mutually exclusive.</P><P></P><P>Regards.</P><P></P><P>Alain.</P></BODY></HTML> Fri, 30 Sep 2011 09:46:43 GMT https://community.cisco.com/t5/network-security/zone-based-firewall-questions/m-p/1771153#M496750 cadet alain 2011-09-30T09:46:43Z