https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647928#M564852 <P>I know how zbf general works with class-maps that match traffic somehow, policy-maps that have groups of class maps and zone-pair that show what policy map to apply to traffic depending on it's direction.</P><P></P><P>I have some simple setups going and working fine. At the moment i have customer who has an absolutely massive list of very explicit firewall rules. I have attempted to convert them to ZBF and they appear to be not working.</P><P></P><P>Here is a sample of the ACL that I want inspected:</P><P>ip access-list extended inside_access_in<BR /> permit ip object-group Servers any<BR /> permit ip object-group DM_INLINE_NETWORK_3 any<BR /> permit ip any object-group DM_INLINE_NETWORK_4<BR /> deny&nbsp;&nbsp; ip any object-group RFC1918<BR /> remark Internet Access<BR /> permit tcp object-group WWWAccess any eq www 443<BR /> remark Secure http access only<BR /> permit tcp object-group SecureWWW any eq 443<BR /> remark FTP Access<BR /> permit object-group FTP object-group FTPAccess any<BR /> remark FTP access for all users to these FTP sites<BR /> permit object-group FTP any object-group FTPSites<BR /> deny&nbsp;&nbsp; tcp object-group BlockSMTP any eq smtp<BR /> remark Netbios<BR /> deny&nbsp;&nbsp; udp any object-group DM_INLINE_NETWORK_1<BR /> deny&nbsp;&nbsp; tcp host 10.254.248.194 any eq 771</P><P>....</P><P>permit udp any any eq snmp snmptrap</P><P>deny ip any any</P><P></P><P></P><P>Can anyone suggest the correct class map syntax and policy-map syntax that will acheive the correct affect?</P> Mon, 11 Mar 2019 19:58:46 GMT mloraditch 2019-03-11T19:58:46Z https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647928#M564852 <P>I know how zbf general works with class-maps that match traffic somehow, policy-maps that have groups of class maps and zone-pair that show what policy map to apply to traffic depending on it's direction.</P><P></P><P>I have some simple setups going and working fine. At the moment i have customer who has an absolutely massive list of very explicit firewall rules. I have attempted to convert them to ZBF and they appear to be not working.</P><P></P><P>Here is a sample of the ACL that I want inspected:</P><P>ip access-list extended inside_access_in<BR /> permit ip object-group Servers any<BR /> permit ip object-group DM_INLINE_NETWORK_3 any<BR /> permit ip any object-group DM_INLINE_NETWORK_4<BR /> deny&nbsp;&nbsp; ip any object-group RFC1918<BR /> remark Internet Access<BR /> permit tcp object-group WWWAccess any eq www 443<BR /> remark Secure http access only<BR /> permit tcp object-group SecureWWW any eq 443<BR /> remark FTP Access<BR /> permit object-group FTP object-group FTPAccess any<BR /> remark FTP access for all users to these FTP sites<BR /> permit object-group FTP any object-group FTPSites<BR /> deny&nbsp;&nbsp; tcp object-group BlockSMTP any eq smtp<BR /> remark Netbios<BR /> deny&nbsp;&nbsp; udp any object-group DM_INLINE_NETWORK_1<BR /> deny&nbsp;&nbsp; tcp host 10.254.248.194 any eq 771</P><P>....</P><P>permit udp any any eq snmp snmptrap</P><P>deny ip any any</P><P></P><P></P><P>Can anyone suggest the correct class map syntax and policy-map syntax that will acheive the correct affect?</P> Mon, 11 Mar 2019 19:58:46 GMT https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647928#M564852 mloraditch 2019-03-11T19:58:46Z https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647929#M564853 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>AFAIK&nbsp; zbf isn't using object-grouping so first you need to tell us the contents of these groups.</P><P>then&nbsp; in which zones are the different subnets and on which interface is this ACL put in.</P><P></P><P></P><P>Regards.</P><P></P><P></P><P>Alain.</P></BODY></HTML> Tue, 01 Mar 2011 09:45:48 GMT https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647929#M564853 cadet alain 2011-03-01T09:45:48Z https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647930#M564854 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">The ACL is built with source being private side (inside) and destination being public (outside)</SPAN></P><P><SPAN style="background-color: #f8fafd;">As to the contents of the object group for examples sake just say the sources are 10.0.0.0/8 ips and the destinations are some random public ips.</SPAN></P></BODY></HTML> Tue, 01 Mar 2011 12:54:37 GMT https://community.cisco.com/t5/network-security/zbf-setup-question/m-p/1647930#M564854 mloraditch 2011-03-01T12:54:37Z