Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
941
Views
0
Helpful
1
Replies

Zone Based Firewall bypass verification

ttoney
Level 1
Level 1

‎10-09-2013 01:07 PM - edited ‎03-11-2019 07:49 PM

Greetings,

I am building a ZBF that will require certain networks to be allowed inbound and not inspected. MOST of the traffic will be from the INSIDE o the OUTSIDE but some management of INSIDE hosts will be required etc.

I would like to verify that I can use an extended ACL to allow that traffic to the INSIDE zone hosts.

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(3)T1

access-list 101 deny (don't inspect this OUTBOUND private network traffic addresses)

access-list 101 permit (do inspect this all of the rest OUTBOUND traffic addresses)

!

access-list 102 permit (inbound don't inspect this INBOUND traffic addresses)

!

class-map type inspect match-all ALL-PRIVATE

match access-group 101

!

!

policy-map type inspect priv-pub-pmap

class type inspect ALL-PRIVATE

  inspect

class class-default

!

zone security INSIDE

description INSIDE interface PRIVATE network

!

zone security OUTSIDE

description OUTSIDE interface PUBLIC Internet and Corp connection

!

zone-pair security priv-pub source INSIDE destination OUTSIDE

service-policy type inspect priv-pub-pmap

!

interface multilink 1

ip address 67.x.x.x

zone-member security OUTSIDE

ip access-group 102 in

!

interface g0/0

ip address 192.168.x.x

zone-member security INSIDE

!

interface g0/1

ip address 67.x.x.x

zone-member security INSIDE

!

Thanks,

Tim

Labels:
0 Helpful
1 Reply 1

Luis Silva Benavides
Cisco Employee
Cisco Employee

‎10-10-2013 04:32 PM

HI,

The best way to avoid inspection is using the "pass" action in the policy map.

So you way want to create 2 different class-maps. One matching the the traffic that you don't want to inspect and the other one with the traffic you wish to inspect.

Other thing to add is that when you use PASS you need to also allow the retrurn traffic. So you need a class map with a Pass action from Inside to Outisde and another one from Outside to Inside.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card