It is about time that Cisco came out with this. I was never really a fan of CBAC – it worked but never really gave me the control I desired. Lets hope they add this functionality to the ASA to allow for Interface to Interface Control.
My testing started off with a basic CBAC configuration for a Secure Router connected to the Internet. Once I was happy with the configuration I migrated to a Zone based Configuration and although in the beginning is was a little confusing I soon got the hang of it…. I must admit that in a very large configuration this could get quite complex, but gives you the kind of control you need in todays environment.
Once I had the basic configuration running I was able to implement a more complex configuration and thats where I started to run into some snags…
For now stay away from the nested class-maps – altohugh they work they don’t currently support statistics, so you can’t really see your configuration in action.
WebVPN anyconnect client also isn’t supported (today) as the SSL SVI interface cannot be configured via command line and therefore can’t have a zone added to it. I am told by Cisco that they should have a fix for this in May in the 12.4(24)T2 software.
I really like the ability the Zone Based Firewall gives you of being able to block P2P data and even data embedded inside the HTTP protocol….
Nice work Cisco – keep it up.