08-27-2025 11:36 AM
Hi,
My hardware:
C1131X-8PLTEPWE
IOS Version 17.15.3a
I’m currently trying to map my classic ACLs into ZBF.
That has worked fine so far, but I don’t understand the Self-Zone logic.
Even if I activate the zone member to my wan interface:
interface GigabitEthernet0/0/0
 zone-member security OUTSIDE
As soon as I try to do this – even with inbound and outbound permit ip any any – I can no longer ping or SSH from the remote location, for example from IP 10.1.9.5.
Without these commands, and with zone-member security OUTSIDE activated on interface GigabitEthernet0/0/0, it works...
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_SELF_IN
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_OUT
Here’s a snippet of my config:
ip access-list extended ACL_SELF_IN
 permit udp any object-group OG_WAN-IP eq 500
 permit udp any object-group OG_WAN-IP eq 4500
 permit esp any object-group OG_WAN-IP
 permit tcp any any eq 22
 permit icmp any any
ip access-list extended ACL_SELF_OUT
 permit tcp any any eq 443
 permit udp any any eq 53
 permit tcp any any eq 53
 permit udp any any eq 123
 permit icmp any any
 permit tcp any eq 22 any
 permit esp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any
class-map type inspect match-all CM_SELF_IN
 match access-group name ACL_SELF_IN
class-map type inspect match-all CM_SELF_OUT
 match access-group name ACL_SELF_OUT
policy-map type inspect PM_SELF_IN
 class type inspect CM_SELF_IN
  pass
 class class-default
  drop
policy-map type inspect PM_SELF_OUT
 class type inspect CM_SELF_OUT
  inspect
 class class-default
  drop
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_SELF_IN
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_OUT
interface GigabitEthernet0/0/0
 ip address 195.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
 load-interval 30
 negotiation auto
 crypto map VPN
 service-policy output prio-pol
interface GigabitEthernet0/0/1.90
 description *** VLAN 90 ***
 encapsulation dot1Q 90
 ip address 10.8.9.1 255.255.255.0
 ip helper-address 10.1.1.2
 ip nat inside
 zone-member security Z_VLAN90
 ip tcp adjust-mss 1360
crypto map VPN 500 ipsec-isakmp
 set peer 80.xxx.xxx.xxx
 set transform-set ESP-GCM-256
 set pfs group21
 set ikev2-profile VPN_L
 match address L_VPN
 qos pre-classify
ip access-list extended L_VPN
 10 permit ip 10.8.0.0 0.0.255.255 any
08-29-2025 09:13 AM
Found the Solution...
Have to pass SSH and ICMP instead of inspect on both sides.
That's worked for me now.
And the match-all also works!!!
08-27-2025 11:45 AM
show policy-map type inspect zone-pair <<- ping 100 times and share output of this command
MHM
08-27-2025 12:02 PM
Can't do this, because it's a remote location and if I try to create the self zone pair, I'm not connected anymore with the SSH session.
08-27-2025 12:04 PM
Share the command without ping, let me see the old drops.
MHM
08-27-2025 12:06 PM
Zone-pair: ZP_OUT_TO_V10
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
972440 packets, 216019102 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
25 packets, 1990 bytes
Zone-pair: ZP_OUT_TO_V20
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
28745 packets, 6252176 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_OUT_TO_V30
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_OUT_TO_V40
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_OUT_TO_V50
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
7 packets, 462 bytes
Zone-pair: ZP_OUT_TO_V60
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
204 packets, 18249 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_OUT_TO_V70
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_OUT_TO_V90
Service-policy inspect : PM_OUTSIDE_IN
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
0 packets, 0 bytes
Class-map: CM_V20_IN (match-all)
Match: access-group name ACL_V20_IN
Pass
0 packets, 0 bytes
Class-map: CM_V30_IN (match-all)
Match: access-group name ACL_V30_IN
Pass
0 packets, 0 bytes
Class-map: CM_V40_IN (match-all)
Match: access-group name ACL_V40_IN
Pass
0 packets, 0 bytes
Class-map: CM_V50_BLOCK_RFC1918_IN (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_IN
Drop
0 packets, 0 bytes
Class-map: CM_V60_IN (match-all)
Match: access-group name ACL_V60_IN
Pass
0 packets, 0 bytes
Class-map: CM_V70_IN (match-all)
Match: access-group name ACL_V70_IN
Pass
0 packets, 0 bytes
Class-map: CM_V90_IN (match-all)
Match: access-group name ACL_V90_IN
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
4606 packets, 414540 bytes
Zone-pair: ZP_V10_OUT
Service-policy inspect : PM_V10_OUT
Class-map: CM_V10_WEB_OUT (match-all)
Match: access-group name ACL_V10_WEB_OUT
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:2850]
Session creations since subsystem startup or last reset 278
Current session counts (estab/half-open/terminating) [0:1:0]
Maxever session counts (estab/half-open/terminating) [2:6:0]
Last session created 00:01:03
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: CM_V10_OUT (match-all)
Match: access-group name ACL_V10_OUT
Pass
1100924 packets, 82843377 bytes
Class-map: class-default (match-any)
Match: any
Drop
32837 packets, 2300090 bytes
Zone-pair: ZP_V20_OUT
Service-policy inspect : PM_V20_OUT
Class-map: CM_V20_OUT (match-all)
Match: access-group name ACL_V20_OUT
Pass
33311 packets, 6648485 bytes
Class-map: class-default (match-any)
Match: any
Drop
63 packets, 5481 bytes
Zone-pair: ZP_V30_OUT
Service-policy inspect : PM_V30_OUT
Class-map: CM_V30_OUT (match-all)
Match: access-group name ACL_V30_OUT
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V40_OUT
Service-policy inspect : PM_V40_OUT
Class-map: CM_V40_OUT (match-all)
Match: access-group name ACL_V40_OUT
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V50_OUT
Service-policy inspect : PM_V50_OUT
Class-map: CM_V50_BLOCK_RFC1918_OUT (match-all)
Match: access-group name ACL_V50_BLOCK_RFC1918_OUT
Drop
0 packets, 0 bytes
Class-map: CM_V50_ANY_OUT (match-all)
Match: access-group name ACL_V50_ANY_OUT
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:1041]
http packets: [0:93]
dns packets: [0:64]
Session creations since subsystem startup or last reset 49
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [9:0:0]
Last session created 02:58:53
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
41 packets, 3454 bytes
Zone-pair: ZP_V60_OUT
Service-policy inspect : PM_V60_OUT
Class-map: CM_V60_OUT (match-all)
Match: access-group name ACL_V60_OUT
Pass
402 packets, 32553 bytes
Class-map: class-default (match-any)
Match: any
Drop
345 packets, 201943 bytes
Zone-pair: ZP_V70_OUT
Service-policy inspect : PM_V70_OUT
Class-map: CM_V70_OUT (match-all)
Match: access-group name ACL_V70_OUT
Pass
0 packets, 0 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_OUT
Service-policy inspect : PM_V90_OUT
Class-map: CM_V90_OUT (match-all)
Match: access-group name ACL_V90_OUT
Pass
5380 packets, 519085 bytes
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V10
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V20
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V30
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V40
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V50
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V60
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Zone-pair: ZP_V90_TO_V70
Service-policy inspect : PM_V90_TO_LAN_LOCAL
Class-map: CM_V90_TO_LAN_LOCAL (match-all)
Match: access-group name ACL_V90_TO_OG_LAN_LOCAL
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes
Sure....
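Added example (not from the thread or from any poster): a small Python parser for the show policy-map type inspect zone-pair output above. It records each class-map's action and counter per zone-pair and lists the zone-pair/class-map combinations whose Drop counter is non-zero, which is what the "let me see old drop" request is after. The embedded sample is a constructed, trimmed subset of the output posted above.

```python
import re
from dataclasses import dataclass

@dataclass
class ClassStats:
    name: str
    action: str = "?"   # Pass, Drop or Inspect
    packets: int = 0    # packet counter shown for Pass/Drop classes
    sessions: int = 0   # "Session creations" counter shown for Inspect classes

ZP_RE = re.compile(r"^Zone-pair:\s+(\S+)")
CM_RE = re.compile(r"^Class-map:\s+(\S+)\s+\(match-\w+\)")
PKT_RE = re.compile(r"^(\d+) packets, (\d+) bytes")
SESS_RE = re.compile(r"^Session creations since subsystem startup or last reset (\d+)")

def parse_zone_pairs(text):
    """Return {zone_pair_name: [ClassStats, ...]} in order of appearance."""
    result, zp, cls = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZP_RE.match(line):
            zp, cls = m.group(1), None
            result[zp] = []
        elif (m := CM_RE.match(line)) and zp is not None:
            cls = ClassStats(name=m.group(1))
            result[zp].append(cls)
        elif cls is None:
            continue                      # header lines before the first class-map
        elif line in ("Pass", "Drop", "Inspect"):
            cls.action = line
        elif m := PKT_RE.match(line):
            cls.packets = int(m.group(1))
        elif m := SESS_RE.match(line):
            cls.sessions = int(m.group(1))
    return result

def dropping_classes(parsed):
    """(zone-pair, class-map, packets) for every Drop class with a non-zero counter."""
    return [(zp, c.name, c.packets) for zp, classes in parsed.items()
            for c in classes if c.action == "Drop" and c.packets > 0]

# Constructed sample: trimmed subset of the output posted above (Service-policy/Match lines mostly omitted).
SAMPLE = """\
Zone-pair: ZP_OUT_TO_V10
Class-map: CM_V10_IN (match-all)
Match: access-group name ACL_V10_IN
Pass
972440 packets, 216019102 bytes
Class-map: class-default (match-any)
Drop
25 packets, 1990 bytes
Zone-pair: ZP_V10_OUT
Class-map: CM_V10_WEB_OUT (match-all)
Inspect
tcp packets: [0:2850]
Session creations since subsystem startup or last reset 278
Class-map: class-default (match-any)
Drop
0 packets, 0 bytes
"""
```

Run dropping_classes(parse_zone_pairs(SAMPLE)) to get the list of dropping classes; on the full output above, class-default in ZP_OUT_TO_V90 with 4606 packets would be the largest entry.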
08-27-2025 12:17 PM
But I don't see a zone pair between out and self
MHM
08-27-2025 12:18 PM
I just said that I can't apply this configuration because it would kick me out of my remote session.
That's why it's not there.
08-27-2025 11:53 AM
@florian.hanig1 your VPN ACL encrypts traffic from source 10.8.0.0/16 to any, so for traffic to be encrypted over the tunnel the traffic must come from GigabitEthernet0/0/1.90? That interface is a member of zone Z_VLAN50.
Do you have a zone pair for Z_VLAN50 to OUTSIDE and vice versa?
08-27-2025 11:58 AM - edited 08-27-2025 12:01 PM
GigabitEthernet0/0/1.90 is a member of zone "Z_VLAN90", not 50...
Zone pair for Z_VLAN90 to OUTSIDE is:
zone-pair security ZP_V90_OUT source Z_VLAN90 destination OUTSIDE
service-policy type inspect PM_V90_OUT
policy-map type inspect PM_V90_OUT
class type inspect CM_V90_OUT
pass
class class-default
drop
class-map type inspect match-all CM_V90_OUT
match access-group name ACL_V90_OUT
ip access-list extended ACL_V90_OUT
10 permit ip 10.8.9.0 0.0.0.255 10.0.0.0 0.255.255.255
and other side...
zone-pair security ZP_OUT_TO_V90 source OUTSIDE destination Z_VLAN90
service-policy type inspect PM_OUTSIDE_IN
ip access-list extended ACL_V90_IN
10 permit ip 10.0.9.0 0.255.0.255 10.8.9.0 0.0.0.255
class-map type inspect match-all CM_V90_IN
match access-group name ACL_V90_IN
class type inspect CM_V90_IN
pass
class class-default
drop
policy-map type inspect PM_OUTSIDE_IN
class type inspect CM_V10_IN
pass
class type inspect CM_V20_IN
pass
class type inspect CM_V30_IN
pass
class type inspect CM_V40_IN
pass
class type inspect CM_V50_BLOCK_RFC1918_IN
drop
class type inspect CM_V60_IN
pass
class type inspect CM_V70_IN
pass
class type inspect CM_V90_IN
pass
class class-default
drop
08-27-2025 12:02 PM
@florian.hanig1 do you have a policy from outside to Z_VLAN90 to allow the return traffic as you are only passing (rather than inspect) the traffic?
08-27-2025 12:03 PM
Yes.. I edited my post... please see.
08-27-2025 12:10 PM
@florian.hanig1 do you have NAT exemption to ensure traffic is not unintentionally translated and thus not matching the correct ZBFW rule?
08-27-2025 12:13 PM
ip nat inside source route-map nonat_coco interface GigabitEthernet0/0/0 overload
route-map nonat_coco permit 10
match ip address coco_nat
match interface GigabitEthernet0/0/0
ip access-list extended coco_nat
10 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
30 permit ip host 10.8.1.100 any
I would like to emphasize again that it works without restricting the Self Zone.
08-27-2025 12:49 PM
Your config is correct, there is no issue at all.
You allow icmp any any and action pass for both directions.
Now the only thing that makes me suspect this config does not work is the use of object network, please use subnet instead of it.
MHM
08-27-2025 12:57 PM
What do you mean?
Where I have to replace Network with Subnet?