03-10-2010 08:42 AM - edited 03-11-2019 10:19 AM
I currently use IOS Classic Firewall on my routers and I am now testing the Zone Based Firewall feature, but it is behaving differently with NAT than I expected. My requirement is to allow only certain hosts access to the Internet, and currently I use an Interface ACL to control this.
In my testing, I have two zones - Inside & Internet, with NAT "overload" configured on my public interface. It appears that ZBFW can only see the NATed public (Inside Global) address when going from Inside zone to Internet zone. So in this case, all NATed traffic is treated as the same source IP address. Is this expected behavior? Can ZBFW ever see the private (Inside Local) address when NAT is involved?
What is the recommended way to accomplish this when deploying ZBFW? It seems that interface ACLs are no longer proper - perhaps within my NAT config (i.e. source list or route-map) is most appropriate?
Thanks, Jordan
03-16-2010 01:30 PM
There is something different happening.
ZBF only sees the inside locals. For example, if x is translated to y, and you match on x in a ZBF inspection, it will match the traffic and work. If you match on y it will not work.
PK
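A constructed configuration illustrating the point made in the reply above (it is an added example, not the poster's config): the inspect class-map references the private inside-local addresses, while NAT overload runs separately on the public interface. Interface names, zone names, ACL names and all addresses are assumptions for the example.

```cisco
! Constructed example: only the hosts listed in ALLOWED-INSIDE-HOSTS may reach the Internet.
! The firewall ACL lists private (inside local) addresses, because the inside-to-outside
! zone-pair is evaluated before NAT rewrites the source.
ip access-list extended ALLOWED-INSIDE-HOSTS
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.20 any
!
class-map type inspect match-all ALLOWED-INSIDE-CLASS
 match access-group name ALLOWED-INSIDE-HOSTS
!
policy-map type inspect INSIDE-TO-INTERNET
 class type inspect ALLOWED-INSIDE-CLASS
  inspect
 class class-default
  drop log
!
zone security Inside
zone security Internet
zone-pair security IN-TO-OUT source Inside destination Internet
 service-policy type inspect INSIDE-TO-INTERNET
!
interface GigabitEthernet0/0
 description LAN (assumed interface)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security Inside
!
interface GigabitEthernet0/1
 description WAN (assumed interface, documentation address)
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security Internet
!
! NAT overload on the public interface. This source list is independent of the
! firewall policy: hosts outside ALLOWED-INSIDE-HOSTS still get dropped (and logged)
! by class-default even though they fall within the NAT range.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
```

Traffic from 192.168.1.30 would be translated by NAT but is not permitted by the zone-pair policy, so the firewall decision, not the NAT source list, controls Internet access.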
03-16-2010 02:01 PM
Ok, it must be something I'm doing in my test config.
Do you know of any Cisco documentation that shows NAT deployed with ZBFW?
Thanks, Jordan