Options
ZBF, ACL, and NAT
_maurice
Member Posts: 142
I am changing my Cisco 871 from the classic firewall to the zone based firewall. I have a web server that should be available to the internet. The web server is currently in the LAN zone. The router interface in the LAN zone is the inside nat interface using the 10.0.0.0/24 subnet.
My service policy applied to the WAN_to_LAN zone pair is:
ip access-list extended WAN_IN
permit tcp any host 10.0.0.2 eq http
class-map type inspect match-any class1
match access-group name WAN_IN
policy-map type inspect policy1
class type inspect class1
inspect
class class-default
drop log
zone-pair security WAN_to_LAN source WAN destination LAN
service-policy type inspect policy1
My question: Why does the ACL need to allow the private IP address of the web server? Every other firewall vendor I have worked with allows the public IP address in the ACL, not the private IP address.. Anybody else find this confusing?
My service policy applied to the WAN_to_LAN zone pair is:
ip access-list extended WAN_IN
permit tcp any host 10.0.0.2 eq http
class-map type inspect match-any class1
match access-group name WAN_IN
policy-map type inspect policy1
class type inspect class1
inspect
class class-default
drop log
zone-pair security WAN_to_LAN source WAN destination LAN
service-policy type inspect policy1
My question: Why does the ACL need to allow the private IP address of the web server? Every other firewall vendor I have worked with allows the public IP address in the ACL, not the private IP address.. Anybody else find this confusing?