Zone-based firewall - why do I still need ACLs?

    Hi all,

    I have a working zone-based firewall on my 877. However, it's a bit frustrating to still need access lists in some cases. Here are the relevant lines:

    ip port-map user-RDP-TS port tcp 3389 description Terminal Services on terminal server
    object-group network og-L1-Jim-Home 
     description Jim Willsher Home IP
    object-group network og-L1-MainServer 
     description Main server IP
    object-group network og-L2-Allow-RDP 
     description Allow access to RDP from these hosts
     group-object og-L1-Jim-Home
    class-map type inspect match-all cm-RDP
     description Remote Desktop access to server
     match protocol user-RDP-Main
     match access-group name acl-MainServer
     match access-group name acl-Allow-RDP
    policy-map type inspect pm-OutsideToInside
     description Internet to LAN (server)
     class type inspect cm-PPTP-Passthrough
     class type inspect cm-RDP
     class class-default
      drop log
    ip access-list extended acl-Allow-RDP
     permit tcp object-group og-L2-Allow-RDP any
    ip access-list extended acl-MainServer
     remark Traffic to main server
     permit ip any host
    Is there any way to avoid having acl-Allow-RDP and acl-MainServer? I'm already declaring the object-group entries so is there any way to specify those in my class maps instead of having to have an ACL just listing the object-group?

    I know that ZBF configs are easier to manage, but a 6KB ACL-based config equates to a 10KB ZBF-based config; having these seemingly unnecessary ACLs cannot help.

    I'm using c870-advipservicesk9-mz.151-2.T2.bin.

    Many thanks,
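A ZBF configuration like the one above is a chain of references: the policy-map names class-maps, the class-maps name port-maps and ACLs, and the ACLs name object-groups. None of those references is checked for you at a glance, and a dangling one (a class-map matching a port-map that was never defined, or an ACE whose "host" has no address) silently matches nothing and drops into class-default. The script below is an added example, not code from the post or from Cisco: it parses a running-config snippet into those block types and reports undefined references, empty object-groups, incomplete ACEs and class-maps no policy-map uses. The sample config is constructed here and deliberately mirrors the post's structure, including the mismatched port-map name, the class-map the policy-map references but does not show, and the truncated ACE, so the checker has findings to report; the host addresses in it are documentation IPs chosen for the example.

```python
"""
Cross-reference checker for a Cisco IOS zone-based-firewall config snippet.
Added example, not part of the forum post. It understands only the block
types that appear in a ZBF policy chain: ip port-map, object-group network,
class-map type inspect, policy-map type inspect and ip access-list.
"""
import re
from collections import defaultdict

# Constructed sample config for this example; it mirrors the shape of the
# posted snippet. Addresses are documentation IPs chosen for the example.
SAMPLE_CONFIG = """\
ip port-map user-RDP-TS port tcp 3389 description Terminal Services on terminal server
object-group network og-L1-Jim-Home
 description Jim Willsher Home IP
 host 198.51.100.7
object-group network og-L1-MainServer
 description Main server IP
 host 192.0.2.10
object-group network og-L2-Allow-RDP
 description Allow access to RDP from these hosts
 group-object og-L1-Jim-Home
class-map type inspect match-all cm-RDP
 description Remote Desktop access to server
 match protocol user-RDP-Main
 match access-group name acl-MainServer
 match access-group name acl-Allow-RDP
policy-map type inspect pm-OutsideToInside
 description Internet to LAN (server)
 class type inspect cm-PPTP-Passthrough
 class type inspect cm-RDP
 class class-default
  drop log
ip access-list extended acl-Allow-RDP
 permit tcp object-group og-L2-Allow-RDP any
ip access-list extended acl-MainServer
 remark Traffic to main server
 permit ip any host
"""

# Top-level block headers we track: (regex capturing the block name, kind).
TOP_LEVEL = [
    (re.compile(r'^ip port-map (\S+)'), 'port-map'),
    (re.compile(r'^object-group network (\S+)'), 'object-group'),
    (re.compile(r'^class-map type inspect (?:match-all|match-any) (\S+)'), 'class-map'),
    (re.compile(r'^policy-map type inspect (\S+)'), 'policy-map'),
    (re.compile(r'^ip access-list (?:extended|standard) (\S+)'), 'acl'),
]


def parse_config(text):
    """Return {kind: {name: [stripped body lines]}} for the tracked block types."""
    blocks = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue
        if raw[0] != ' ':                      # a new top-level command
            current = None
            for pattern, kind in TOP_LEVEL:
                m = pattern.match(raw)
                if m:
                    current = blocks[kind].setdefault(m.group(1), [])
                    break
            continue
        if current is not None:                # indented line inside a tracked block
            current.append(raw.strip())
    return blocks


def check_config(text):
    """Return a sorted list of (severity, message) findings for the config text."""
    blocks = parse_config(text)
    defined = {kind: set(names) for kind, names in blocks.items()}
    findings = []
    used_classes = set()

    # class-map: user-defined protocols must have a port-map, ACLs must exist
    for name, body in blocks['class-map'].items():
        for line in body:
            m = re.match(r'match protocol (\S+)', line)
            if m and m.group(1).startswith('user-') and m.group(1) not in defined.get('port-map', set()):
                findings.append(('error', f"class-map {name}: port-map {m.group(1)} is not defined"))
            m = re.match(r'match access-group name (\S+)', line)
            if m and m.group(1) not in defined.get('acl', set()):
                findings.append(('error', f"class-map {name}: access-list {m.group(1)} is not defined"))

    # policy-map: every class it inspects must be a defined class-map
    for name, body in blocks['policy-map'].items():
        for line in body:
            m = re.match(r'class type inspect (\S+)', line)
            if m:
                used_classes.add(m.group(1))
                if m.group(1) not in defined.get('class-map', set()):
                    findings.append(('error', f"policy-map {name}: class-map {m.group(1)} is not defined"))

    # object-group: nested groups must exist, and a group with no members matches nothing
    for name, body in blocks['object-group'].items():
        members = [l for l in body if not l.startswith('description')]
        if not members:
            findings.append(('warning', f"object-group {name}: has no members"))
        for line in members:
            m = re.match(r'group-object (\S+)', line)
            if m and m.group(1) not in defined.get('object-group', set()):
                findings.append(('error', f"object-group {name}: nested group {m.group(1)} is not defined"))

    # ACL: referenced object-groups must exist; a trailing 'host' has no address
    for name, body in blocks['acl'].items():
        for line in body:
            if line.startswith('remark'):
                continue
            for og in re.findall(r'object-group (\S+)', line):
                if og not in defined.get('object-group', set()):
                    findings.append(('error', f"access-list {name}: object-group {og} is not defined"))
            if re.search(r'\bhost$', line):
                findings.append(('error', f"access-list {name}: 'host' with no address in '{line}'"))

    # class-maps never attached to a policy-map are dead config
    for name in blocks['class-map']:
        if name not in used_classes:
            findings.append(('warning', f"class-map {name}: not used by any policy-map"))
    return sorted(findings)


if __name__ == '__main__':
    for severity, message in check_config(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```

Run against the constructed sample it reports three errors: the class-map matches port-map user-RDP-Main while only user-RDP-TS is defined, the policy-map references cm-PPTP-Passthrough which is not defined in the snippet, and acl-MainServer ends in a bare "host". Feed it the output of "show run | section port-map|object-group|class-map|policy-map|access-list" and it gives the same cross-reference check on a live box; it does not replace "show policy-map type inspect zone-pair", which is still the way to confirm which class real traffic actually lands in.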