Solved: Struggeling with Self Zone Security - Page 2

florian.hanig1 · ‎08-27-2025

i,

my Hardware:
C1131X-8PLTEPWE
IOS Version 17.15.3a

I’m currently trying to map my classic ACLs into ZBF.
That has worked fine so far, but I don’t understand the Self-Zone logic.

Even if I activate the zone member to my wan interface:

interface GigabitEthernet0/0/0
zone-member security OUTSIDE

As soon as I try to do this – even with inbound and outbound permit ip any any – I can no longer ping or SSH from the remote location,
for example from IP 10.1.9.5.

Without these commands, and acitvated interface GigabitEthernet0/0/0 zone-member security OUTSIDE it works...

zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_SELF_IN

zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_OUT

Here’s a snippet of my config:

ip access-list extended ACL_SELF_IN
 permit udp any object-group OG_WAN-IP eq 500       
 permit udp any object-group OG_WAN-IP eq 4500     
 permit esp any object-group OG_WAN-IP              
 permit tcp any any eq 22
 permit icmp any any 


ip access-list extended ACL_SELF_OUT
 permit tcp any any eq 443
 permit udp any any eq 53
 permit tcp any any eq 53
 permit udp any any eq 123
 permit icmp any any 
 permit tcp any eq 22 any
  permit esp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any

class-map type inspect match-all CM_SELF_IN
 match access-group name ACL_SELF_IN

class-map type inspect match-all CM_SELF_OUT
 match access-group name ACL_SELF_OUT

policy-map type inspect PM_SELF_IN
 class type inspect CM_SELF_IN
  pass
 class class-default
  drop 

policy-map type inspect PM_SELF_OUT
 class type inspect CM_SELF_OUT
  inspect
 class class-default
  drop 

zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PM_SELF_IN

zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_OUT

interface GigabitEthernet0/0/0
ip address 195.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
 load-interval 30
 negotiation auto
 crypto map VPN
 service-policy output prio-pol

interface GigabitEthernet0/0/1.90
 description *** VLAN 90 ***
 encapsulation dot1Q 90
 ip address 10.8.9.1 255.255.255.0
 ip helper-address 10.1.1.2
 ip nat inside
 zone-member security Z_VLAN90
 ip tcp adjust-mss 1360

crypto map VPN 500 ipsec-isakmp
 set peer 80.xxx.xxx.xxx
 set transform-set ESP-GCM-256
 set pfs group21
 set ikev2-profile VPN_L
 match address L_VPN
 qos pre-classify

ip access-list extended L_VPN
 10 permit ip 10.8.0.0 0.0.255.255 any

MHM Cisco World · ‎08-27-2025

I think I found issue'

Use match-any not/not/not/not match-all

And dont use object network use subnet in ACL

MHM

florian.hanig1 · ‎08-27-2025

I’m sorry, but I don’t quite understand.

Can you give an example of what you mean by “object Network” where I should use “subnet” instead!?

And “Match-all” is correct, isn’t it?

Because only 1 match is entered on 1 ACL, right?

MHM Cisco World · ‎08-27-2025

ip access-list extended ACL_SELF_IN
 permit udp any object-group OG_WAN-IP eq 500       
 permit udp any object-group OG_WAN-IP eq 4500     
 permit esp any object-group OG_WAN-IP

Use subnet not object-group in ACL.

And for match use match-any <<- even if traffic hit one line of ACL use match-any

MHM

florian.hanig1 · ‎08-27-2025

I don’t think it’s because of the object-group.

The rule for SSH and ICMP isn’t using an object-group anyway…

And by “Match any” you mean for example:

class-map type inspect match-any CM_SELF_IN

match access-group name ACL_SELF_IN

??

I thought that since there’s only one access-group in the class-map, it doesn’t matter whether it’s “any” or “all”?

MHM Cisco World · ‎08-27-2025

And by “Match any” you mean for example:

class-map type inspect match-any CM_SELF_IN

match access-group name ACL_SELF_IN

Correct.

it matter' Try abd update me.

MHM

florian.hanig1 · ‎08-27-2025

No, it doesnt matter..

If a class-map has only one match statement, it makes no difference whether you use match-all or match-any, because there’s nothing to combine with AND/OR logic.

The difference only matters when you configure multiple match statements inside the same class-map.

this can‘t be the issue here ??