ZBF, ACL, and NAT

_maurice_maurice Member Posts: 142
I am changing my Cisco 871 from the classic firewall to the zone based firewall. I have a web server that should be available to the internet. The web server is currently in the LAN zone. The router interface in the LAN zone is the inside nat interface using the 10.0.0.0/24 subnet.

My service policy applied to the WAN_to_LAN zone pair is:

ip access-list extended WAN_IN
permit tcp any host 10.0.0.2 eq http

class-map type inspect match-any class1
match access-group name WAN_IN

policy-map type inspect policy1
class type inspect class1
inspect
class class-default
drop log

zone-pair security WAN_to_LAN source WAN destination LAN
service-policy type inspect policy1


My question: Why does the ACL need to allow the private IP address of the web server? Every other firewall vendor I have worked with allows the public IP address in the ACL, not the private IP address.. Anybody else find this confusing?
Sign In or Register to comment.