https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086341#M914478 <P>Hi</P><P></P><P>I have to chose between zone based vs cbac for branch office configurations. </P><P></P><P>Any recommendations? I have configured cbac before and it seems simpler</P><P></P><P>Also - i notice that an outbound acl on zonebased restricting where users can go doesn't appear to be as simple as a regular acl - any idea why this is?</P><P></P><P>Comments welcome</P><P></P><P>thank you</P><P></P><P>Karl</P> Mon, 11 Mar 2019 13:31:37 GMT karljonesTZ 2019-03-11T13:31:37Z https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086341#M914478 <P>Hi</P><P></P><P>I have to chose between zone based vs cbac for branch office configurations. </P><P></P><P>Any recommendations? I have configured cbac before and it seems simpler</P><P></P><P>Also - i notice that an outbound acl on zonebased restricting where users can go doesn't appear to be as simple as a regular acl - any idea why this is?</P><P></P><P>Comments welcome</P><P></P><P>thank you</P><P></P><P>Karl</P> Mon, 11 Mar 2019 13:31:37 GMT https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086341#M914478 karljonesTZ 2019-03-11T13:31:37Z https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086342#M914479 <HTML><HEAD></HEAD><BODY><P>Karl, please have a look at this link, it should help you learn the differences more.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf" target="_blank">http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf</A></P><P></P><P>A considerable quote from the doc:</P><P></P><P>"Cisco IOS Software Classic Firewall will continue to be</P><P>maintained for the foreseeable future, but will not be significantly enhanced with new features.</P><P>Instead, the strategic development direction for Cisco IOS Software's stateful inspection firewall is</P><P>carried by Zone-Based Policy firewall."</P><P></P><P>Regards</P><P></P><P>Farrukh</P><P></P></BODY></HTML> Fri, 15 Aug 2008 14:00:37 GMT https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086342#M914479 Farrukh Haroon 2008-08-15T14:00:37Z https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086343#M914480 <HTML><HEAD></HEAD><BODY><P>Hi Karl,</P><P></P><P>As you noted, CBAC has a much simpler configuration which still allows you to get basic firewall functionality out of an IOS device. However, as Farrukh noted, much of the development focus will be on zone-based firewall in future releases.</P><P></P><P>Zone-based firewall's configuration is more complex, but because of this it is much more granular and allows you to do a lot more with it. If you decide to go with zone-based firewall, you'll want to make sure you understand all of the traffic flows in your network before writing the configuration or you might find yourself doing a lot of troubleshooting after the config is implemented.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Fri, 15 Aug 2008 21:33:11 GMT https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086343#M914480 robertson.michael 2008-08-15T21:33:11Z https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086344#M914481 <HTML><HEAD></HEAD><BODY><P>thanks everyone</P><P></P><P>I have a couple of questions:</P><P>1)</P><P>I created a zone policy for outside-to-self and allow IPSEC</P><P></P><P>I also created a policy for self-to-out to allow IPSEC from the router, is this the correct configuration?</P><P></P><P>2) I created a zone policy inside-to-outside and in this i put match access-group 101</P><P></P><P>access-list 101 permits branch office clients as follows</P><P></P><P>permit tcp 192.168.x.x any eq 80</P><P>permit tcp 192.168.x.x any eq 443</P><P>permit tcp 192.168.x.x any eq 5060</P><P></P><P>etc</P><P></P><P>When i look at the config through SDM, there is a no-entry sign on the acl.</P><P></P><P>Is there a problem with applyign an ACL such as the one above?</P><P></P><P>advice welcome</P><P></P><P>cheers</P><P>karl</P><P></P><P></P><P></P></BODY></HTML> Fri, 15 Aug 2008 23:04:36 GMT https://community.cisco.com/t5/network-security/zone-based-for-ios/m-p/1086344#M914481 karljonesTZ 2008-08-15T23:04:36Z