Showing results for 
Search instead for 
Did you mean: 

Cisco IOS ZBF Firewall


Hi Guys,

I have an odd issue, and I have a tac case open on this, and the response from the TAC engineer doesn't make me feel like zone based firewall works how I would expect it to.

So I have Zone A and Zone B.  I setup a class map to match protocol ssh.  I then setup policies to 'pass' ssh traffic between the two sites (which requires 2 zone pairs).  Then I do a default deny all

When the packet traverses from Zone A to Zone B, it matches the traffic and allows the traffic to flow to Zone B.  However when that packet attempts to return from Zone B to Zone A the packet is dropped by the policy because it doesn't match the protocol ssh even though it is a response to the original packet.

What TAC engineer indicates is that everyone should only use inspect (exception is for vpn traffic from outside to self) for everything from zone to zone.  My response back was that pass (since it is not inspecting the data) is less cpu intensive and it should work.  Apparently the only fix to this, if I want to use pass is to utilize ACL's.

Is it just me, or does this seem somewhat wrong?  Especially since the original packet from Zone A to Zone B matches using the match protocol and passes the packet fine.

Apparently there is a document that Cisco has related to this, and describes that I am doing things wrong.

Does anyone else use the 'pass' for their zone to zone traffic?




you can use 'pass' to allow SSH from zone A to B and B to A.

you should have a zone pair security policy on the reverse or return flow, i.e. zone B to A.

could you post your ZBF policy?

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

Let me see if I understand your setup correctly:

So you have a zone pair from A to B matching SSH with the pass function.  You also have a zone pair from B to A matching SSH with a pass function.  

Do you have any ACLs configured on the interfaces?  If not then I suspect that the match protocol command matches on SSH as the destination port and since the return traffic will have SSH as the source port it will not match the class-map rule.

If you set up Netflow on the router and capture the traffic in question I am sure we will see that this is what is happening.


Please remember to select a correct answer and rate helpful posts

Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: