02-28-2011 03:05 PM - edited 03-11-2019 12:58 PM
I know how ZBF generally works, with class-maps that match traffic somehow, policy-maps that hold groups of class-maps, and zone-pairs that say which policy-map to apply to traffic depending on its direction.
I have some simple setups going and working fine. At the moment I have a customer who has an absolutely massive list of very explicit firewall rules. I have attempted to convert them to ZBF and they appear not to be working.
Here is a sample of the ACL that I want inspected:
ip access-list extended inside_access_in
permit ip object-group Servers any
permit ip object-group DM_INLINE_NETWORK_3 any
permit ip any object-group DM_INLINE_NETWORK_4
deny ip any object-group RFC1918
remark Internet Access
permit tcp object-group WWWAccess any eq www 443
remark Secure http access only
permit tcp object-group SecureWWW any eq 443
remark FTP Access
permit object-group FTP object-group FTPAccess any
remark FTP access for all users to these FTP sites
permit object-group FTP any object-group FTPSites
deny tcp object-group BlockSMTP any eq smtp
remark Netbios
deny udp any object-group DM_INLINE_NETWORK_1
deny tcp host 10.254.248.194 any eq 771
....
permit udp any any eq snmp snmptrap
deny ip any any
Can anyone suggest the correct class-map syntax and policy-map syntax that will achieve the correct effect?
03-01-2011 01:45 AM
Hi,
AFAIK ZBF doesn't use object-grouping, so first you need to tell us the contents of these groups.
Then, in which zones are the different subnets, and on which interface is this ACL applied?
Regards.
Alain.
03-01-2011 04:54 AM
The ACL is built with the source being the private side (inside) and the destination being the public side (outside).
As to the contents of the object groups, for example's sake just say the sources are 10.0.0.0/8 IPs and the destinations are some random public IPs.
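A ZBF skeleton for the inside-to-outside direction described in this thread, added here as an example; it is not from any post above or from Cisco documentation. Interface names (GigabitEthernet0/0 inside, GigabitEthernet0/1 outside) and the /24 and host addresses standing in for the WWWAccess, SecureWWW and BlockSMTP object-groups are assumptions; the 10.0.0.0/8 inside range is the one the poster gives. The security-relevant point it shows: an ACL referenced from a class-map type inspect only classifies traffic. A deny entry means "not in this class", not "drop", so each block of deny lines from the original ACL has to become its own class with a drop action, and the catch-all deny ip any any has to be expressed as class-default drop.

```cisco
! Zones and zone membership (interface names are assumptions)
zone security inside
zone security outside
!
interface GigabitEthernet0/0
 description LAN (10.0.0.0/8)
 zone-member security inside
!
interface GigabitEthernet0/1
 description Internet
 zone-member security outside
!
! Traffic to be blocked, written as PERMIT entries: the class-map
! matches them and the policy-map drops the class. Example addresses
! stand in for the RFC1918 and BlockSMTP object-groups.
ip access-list extended INSIDE-TO-OUTSIDE-DENY
 remark Inside hosts must not reach RFC1918 space via this zone-pair
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
 remark BlockSMTP hosts (assumed address)
 permit tcp host 10.0.30.5 any eq smtp
!
! Traffic to be allowed and inspected; object-groups expanded to plain
! entries. A "deny" line here would NOT drop anything, it would only
! push the packet on to the next class in the policy-map.
ip access-list extended INSIDE-TO-OUTSIDE-PERMIT
 remark WWWAccess range (assumed address) to web and https
 permit tcp 10.0.10.0 0.0.0.255 any eq www
 permit tcp 10.0.10.0 0.0.0.255 any eq 443
 remark SecureWWW range (assumed address), https only
 permit tcp 10.0.20.0 0.0.0.255 any eq 443
 remark SNMP and traps from anywhere inside
 permit udp 10.0.0.0 0.255.255.255 any eq snmp
 permit udp 10.0.0.0 0.255.255.255 any eq snmptrap
!
class-map type inspect match-any CM-INSIDE-OUT-DENY
 match access-group name INSIDE-TO-OUTSIDE-DENY
!
class-map type inspect match-any CM-INSIDE-OUT-PERMIT
 match access-group name INSIDE-TO-OUTSIDE-PERMIT
!
! Classes are evaluated top-down, first match wins, so the drop class
! sits above the inspect class just as the deny lines preceded the
! later permit lines in the original ACL.
policy-map type inspect PM-INSIDE-OUT
 class type inspect CM-INSIDE-OUT-DENY
  drop log
 class type inspect CM-INSIDE-OUT-PERMIT
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-OUT source inside destination outside
 service-policy type inspect PM-INSIDE-OUT
```

To carry a long ACL like the poster's across exactly, split it wherever it switches between a run of permit lines and a run of deny lines, turn each run into its own ACL (deny runs rewritten as permits) and class-map, and list the classes in the policy-map in the original order with inspect for the permit runs and drop for the deny runs. Because inspect is stateful, the reply traffic for inspected sessions is allowed back without an outside-to-inside zone-pair. When a class matches only an access-group with no match protocol, IOS prints a warning that all protocols will be inspected for that class; that is expected with this layout.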