Re: ZBF Setup Question

mloraditch · ‎02-28-2011

I know how zbf general works with class-maps that match traffic somehow, policy-maps that have groups of class maps and zone-pair that show what policy map to apply to traffic depending on it's direction.

I have some simple setups going and working fine. At the moment i have customer who has an absolutely massive list of very explicit firewall rules. I have attempted to convert them to ZBF and they appear to be not working.

Here is a sample of the ACL that I want inspected:

ip access-list extended inside_access_in
permit ip object-group Servers any
permit ip object-group DM_INLINE_NETWORK_3 any
permit ip any object-group DM_INLINE_NETWORK_4
deny   ip any object-group RFC1918
remark Internet Access
permit tcp object-group WWWAccess any eq www 443
remark Secure http access only
permit tcp object-group SecureWWW any eq 443
remark FTP Access
permit object-group FTP object-group FTPAccess any
remark FTP access for all users to these FTP sites
permit object-group FTP any object-group FTPSites
deny   tcp object-group BlockSMTP any eq smtp
remark Netbios
deny   udp any object-group DM_INLINE_NETWORK_1
deny   tcp host 10.254.248.194 any eq 771

....

permit udp any any eq snmp snmptrap

deny ip any any

Can anyone suggest the correct class map syntax and policy-map syntax that will acheive the correct affect?

cadet alain · ‎03-01-2011

Hi,

AFAIK zbf isn't using object-grouping so first you need to tell us the contents of these groups.

then in which zones are the different subnets and on which interface is this ACL put in.

Regards.

Alain.

Don't forget to rate helpful posts.

mloraditch · ‎03-01-2011

The ACL is built with source being private side (inside) and destination being public (outside)

As to the contents of the object group for examples sake just say the sources are 10.0.0.0/8 ips and the destinations are some random public ips.