Greetings,
I am building a ZBF that will require certain networks to be allowed inbound and not inspected. MOST of the traffic will be from the INSIDE to the OUTSIDE but some management of INSIDE hosts will be required etc.
I would like to verify that I can use an extended ACL to allow that traffic to the INSIDE zone hosts.
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T1
access-list 101 deny (don't inspect this OUTBOUND private network traffic addresses)
access-list 101 permit (do inspect this all of the rest OUTBOUND traffic addresses)
!
access-list 102 permit (inbound don't inspect this INBOUND traffic addresses)
!
class-map type inspect match-all ALL-PRIVATE
 match access-group 101
!
policy-map type inspect priv-pub-pmap
 class type inspect ALL-PRIVATE
  inspect
 class class-default
!
zone security INSIDE
 description INSIDE interface PRIVATE network
!
zone security OUTSIDE
 description OUTSIDE interface PUBLIC Internet and Corp connection
!
zone-pair security priv-pub source INSIDE destination OUTSIDE
 service-policy type inspect priv-pub-pmap
!
interface multilink 1
 ip address 67.x.x.x
 zone-member security OUTSIDE
 ip access-group 102 in
!
interface g0/0
 ip address 192.168.x.x
 zone-member security INSIDE
!
interface g0/1
 ip address 67.x.x.x
 zone-member security INSIDE
!
Thanks,
Tim
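As an added example that is not part of Tim's post, this is one way to carry both the uninspected outbound networks and the inbound management traffic through the zone-based firewall. IOS drops traffic between two zones unless a zone-pair policy explicitly allows it (an interface ACL such as 102 is evaluated first but cannot admit traffic across zones on its own), and a class without an action, class-default included, drops. The zone names, ACL 101 and priv-pub-pmap are from the post; the named ACLs, class names, the pub-priv zone-pair and all addresses are assumed placeholders.

```cisco
! Outbound: private-to-private traffic that should stay uninspected
! gets an explicit 'pass' instead of falling into class-default.
ip access-list extended PRIV-NOINSPECT
 remark placeholder networks - substitute the real private ranges
 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
class-map type inspect match-all PRIV-NOINSPECT-CMAP
 match access-group name PRIV-NOINSPECT
class-map type inspect match-all ALL-PRIVATE
 match access-group 101
!
policy-map type inspect priv-pub-pmap
 class type inspect PRIV-NOINSPECT-CMAP
  pass
 class type inspect ALL-PRIVATE
  inspect
 class class-default
  drop log
!
! 'pass' is stateless and one-directional, so the return traffic for
! those flows, and the inbound management sessions, need their own
! OUTSIDE->INSIDE zone-pair. 'inspect' is stateful, so the management
! replies back to OUTSIDE are allowed automatically.
ip access-list extended PRIV-NOINSPECT-RETURN
 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
ip access-list extended MGMT-IN
 remark placeholder management host - substitute the real source
 permit tcp host 203.0.113.10 192.168.0.0 0.0.255.255 eq 22
!
class-map type inspect match-all PRIV-NOINSPECT-RETURN-CMAP
 match access-group name PRIV-NOINSPECT-RETURN
class-map type inspect match-all MGMT-IN-CMAP
 match access-group name MGMT-IN
!
policy-map type inspect pub-priv-pmap
 class type inspect PRIV-NOINSPECT-RETURN-CMAP
  pass
 class type inspect MGMT-IN-CMAP
  inspect
 class class-default
  drop log
!
zone-pair security pub-priv source OUTSIDE destination INSIDE
 service-policy type inspect pub-priv-pmap
```

The interface ACL 102 still has to permit the same management and return traffic, since it is checked before the zone policy; `show policy-map type inspect zone-pair` confirms which class each flow is hitting.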