Zone based firewall

rgonzalch
Level 1

Hi,

I have been controlling traffic with ACLs, but I want to configure ZFW and I want to ask how I can migrate ACLs to a policy with ZFW. I mean, for example,

I have this ACL:

permit ip any 64.x.x.x 0.0.0.255
deny ip any any

How can I do this with ZFW?

Thanks in advance!

Regards.

2 Replies

wzhang
Cisco Employee

Hi,

For generic ZBF configuration examples, please take a look at:

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew_ps10592_TSD_Products_Configuration_Guide_Chapter.html#wp1124453

Specifically, if you have traffic you want to permit as in your example here, you'd have something like this:

class-map type inspect match-any permit-64-net
 match access-group name permit-64-acl
!
policy-map type inspect fw
 class type inspect permit-64-net
  pass
 class class-default
  drop log

where permit-64-net refers to the ACL you have, and apply this policy to the appropriate zone pair. Obviously you'd also have other inspect classes where you'd configure the "inspect" action as you normally would.
Hope this helps.
Thanks,
Wen
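A complete translation of the ACL from the question into a zone-based firewall configuration, added here as an example and not part of the original reply. The zone names, interface names and the 64.0.0.0/24 prefix are assumptions; 64.0.0.0 stands in for the 64.x.x.x network in the question.

```cisco
! Constructed ZBF equivalent of "permit ip any 64.x.x.x 0.0.0.255 / deny ip any any".
! Interface names, zone names and the 64.0.0.0/24 prefix are assumptions.
!
! 1. The permit line becomes a named ACL used only as a match criterion.
!    The ACL's "deny ip any any" is not carried over: anything the class-map
!    does not match falls into class-default of the policy-map and is dropped there.
ip access-list extended permit-64-acl
 permit ip any 64.0.0.0 0.0.0.255
!
! 2. The class-map selects the traffic; a named ACL needs the "name" keyword.
class-map type inspect match-any permit-64-net
 match access-group name permit-64-acl
!
! 3. The policy-map assigns the action. "inspect" creates a stateful session so the
!    return traffic is allowed automatically; "pass" is stateless and would need a
!    mirror policy on the reverse zone-pair. Unmatched traffic is dropped and logged,
!    which is what the ACL's implicit/explicit deny used to do.
policy-map type inspect fw
 class type inspect permit-64-net
  inspect
 class class-default
  drop log
!
! 4. Zone membership replaces "ip access-group ... in/out" on the interfaces.
zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
!
! 5. The policy is applied to a zone-pair, in one direction only.
zone-pair security in-to-out source inside destination outside
 service-policy type inspect fw
!
! Verification from exec mode:
!   show zone-pair security
!   show policy-map type inspect zone-pair in-to-out sessions
```

Traffic from outside to inside has no zone-pair here, so ZBF drops it by default; that direction needs its own zone-pair and policy if anything should be allowed in.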

Hi,

Thanks for your answer!

I configured inspect in the class-map for the ACL and it works fine.

Best Regards
