ttoney
Beginner

Zone Based Firewall bypass verification

Greetings,

I am building a ZBF that will require certain networks to be allowed inbound and not inspected. MOST of the traffic will be from the INSIDE to the OUTSIDE but some management of INSIDE hosts will be required etc.

I would like to verify that I can use an extended ACL to allow that traffic to the INSIDE zone hosts.

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T1

access-list 101 deny (don't inspect this OUTBOUND private network traffic addresses)
access-list 101 permit (do inspect this all of the rest OUTBOUND traffic addresses)
!
access-list 102 permit (inbound don't inspect this INBOUND traffic addresses)
!
class-map type inspect match-all ALL-PRIVATE
 match access-group 101
!
!
policy-map type inspect priv-pub-pmap
 class type inspect ALL-PRIVATE
  inspect
 class class-default
!
zone security INSIDE
 description INSIDE interface PRIVATE network
!
zone security OUTSIDE
 description OUTSIDE interface PUBLIC Internet and Corp connection
!
zone-pair security priv-pub source INSIDE destination OUTSIDE
 service-policy type inspect priv-pub-pmap
!
interface multilink 1
 ip address 67.x.x.x
 zone-member security OUTSIDE
 ip access-group 102 in
!
interface g0/0
 ip address 192.168.x.x
 zone-member security INSIDE
!
interface g0/1
 ip address 67.x.x.x
 zone-member security INSIDE
!

Thanks,

Tim

1 REPLY 1
Luis Silva Benavides
Cisco Employee

Hi,

The best way to avoid inspection is using the "pass" action in the policy map.

So you may want to create 2 different class-maps. One matching the traffic that you don't want to inspect and the other one with the traffic you wish to inspect.

Another thing to add is that when you use PASS you also need to allow the return traffic. So you need a class map with a Pass action from Inside to Outside and another one from Outside to Inside.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html
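The two-direction pass arrangement described in the reply above, written out as an added example (it is not configuration from either post). The zone names and the priv-pub zone-pair follow the question; the ACL and class-map names, the pub-priv zone-pair and policy-map, and the 192.168.10.0/24 and 198.51.100.0/24 networks are constructed placeholders.

```cisco
! Constructed placeholder networks: 192.168.10.0/24 = INSIDE hosts,
! 198.51.100.0/24 = remote management network (RFC 5737 documentation range).
ip access-list extended NO-INSPECT-OUT
 permit ip 192.168.10.0 0.0.0.255 198.51.100.0 0.0.0.255
ip access-list extended NO-INSPECT-IN
 permit ip 198.51.100.0 0.0.0.255 192.168.10.0 0.0.0.255
!
class-map type inspect match-all NO-INSPECT-OUT-CMAP
 match access-group name NO-INSPECT-OUT
class-map type inspect match-all NO-INSPECT-IN-CMAP
 match access-group name NO-INSPECT-IN
class-map type inspect match-any INSPECT-OUT-CMAP
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! INSIDE -> OUTSIDE: classes are evaluated top down, so the pass class must
! come before the inspect class or the bypass traffic is inspected as TCP/UDP.
policy-map type inspect priv-pub-pmap
 class type inspect NO-INSPECT-OUT-CMAP
  pass
 class type inspect INSPECT-OUT-CMAP
  inspect
 class class-default
  drop
!
! OUTSIDE -> INSIDE: pass keeps no session state, so the reverse direction
! needs its own explicit pass. Everything else inbound is dropped; replies to
! inspected outbound sessions are still allowed by the inspect state.
policy-map type inspect pub-priv-pmap
 class type inspect NO-INSPECT-IN-CMAP
  pass
 class class-default
  drop
!
zone-pair security priv-pub source INSIDE destination OUTSIDE
 service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source OUTSIDE destination INSIDE
 service-policy type inspect pub-priv-pmap
!
! Verification from exec mode: per-class packet counters show which action
! each flow actually hit.
!   show policy-map type inspect zone-pair priv-pub
!   show policy-map type inspect zone-pair pub-priv
```

An interface ACL such as `ip access-group 102 in` only filters packets on that interface; traffic between zones still needs a zone-pair policy that passes or inspects it. A `deny` entry in an ACL referenced by a class-map means "does not match this class", so that traffic falls through to `class-default`, whose default action is drop.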
