Deploying the Cisco Zone-based Policy Firewall with ACLs and NAT

After presenting the correct way of adding ACL restrictions to a Cisco Zone-based firewall policy, it is time to examine how Network Address Translation (NAT) interacts with a Cisco ZFW deployment. Our particular environment (Figure 1) actually contains a combination of stateful inspection, an L3 rule (ACL) and NAT.

To facilitate understanding, we start by briefly describing our reference scenario:

  • Inspection (controlled by class-map TOP-CLASS2) defines that only those application protocols carried over TCP are allowed from the OUTSIDE to the INSIDE zone.
  • The ACL2 access-list limits the source hosts (subnet that can initiate inbound connections to the server
  • The two previous conditions are united under the match-all class-map JOINT2.
  • The server address is seen on the global address space (after source NAT) as

Figure 1: Reference scenario combining Cisco Zone-based Firewall, ACLs and NAT

If you ever integrated Cisco IOS regular interface ACLs with NAT, you will notice that the ACL used by ZFW now refers to the real address of the destination host (instead of the mapped address). This is a critical change to be aware of.

Figure 2 provides further visibility for the topology under analysis, in the specific case of a telnet session initiated by the outside client ( and bound to the translated address of the server (

  • The first Syslog message shows how the address translation is created.
  • The audit-trail log message highlights that the responder is (real address), meaning that the ZFW process understands NAT.
  • The show policy-firewall session command confirms that the inbound connection is established with the real address (from the ZFW standpoint).

Figure 2: Details about the Zone-based Firewall, ACLs and NAT integration

** Topics for Study:

  • Think about the integration of a classic IOS interface access-list with NAT. What is the advantage of referring to the real address (as done by ZFW) ?
  • Revisit some other categories of IOS NAT (for instance, destination NAT and Port Address Translation). How can you display the active translations ? Can you have more than one interface configured with the ip nat outside command ?
  • Consider the integration of CBAC with NAT and ACLs. Does CBAC refer to the real address ?  Or to the mapped address ? (Why ?)
  • Rebuild the ACL shown in this example using the concept of object-group.

** Related Posts:


Filed under English, Firewalls, Security

2 responses to “Deploying the Cisco Zone-based Policy Firewall with ACLs and NAT

  1. Maxime

    Really good topic about ZBF and NAT which drive me crazy for a long time !
    I have a final question, how do you display those level 6 logs ?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s