Cisco Bug: CSCte78548 - ZBF: class-map ACL matches on post-NAT IP for outbound traffic in 22T

Last Modified

Feb 08, 2017

Products (1)

  • Cisco IOS

Known Affected Releases


Description (partial)


Zone-based firewall uses ACLs in class-maps to match traffic that is subject to stateful inspection. In IOS 12.4(22)T, these ACLs must use post-NAT IP addresses to match outbound (inside to outside) traffic. This behavior is incorrect, because with PAT it does not allow different firewall policies to be created for different inside hosts.


This happens in IOS 12.4(22)T only. IOS 12.4(20)T and IOS 12.4(24)T match on the pre-NAT (private) IP address for outbound traffic.
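The behavior described above, shown as an added example configuration (not taken from the bug record): a zone-based firewall with PAT and two per-host classes written against pre-NAT sources. All zone, ACL, class and policy names, the interfaces, and the addresses (RFC 1918 and RFC 5737 ranges) are constructed assumptions.

```ios
! Constructed lab configuration; every name and address is an assumption.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 zone-member security OUTSIDE
!
! PAT: every inside host is translated to the single address 203.0.113.2.
ip access-list standard NAT-SOURCES
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/1 overload
!
! Per-host policy written against pre-NAT (private) source addresses.
ip access-list extended HOST-A
 permit ip host 192.168.1.10 any
ip access-list extended HOST-B
 permit tcp host 192.168.1.20 any eq 443
!
class-map type inspect match-all CM-HOST-A
 match access-group name HOST-A
class-map type inspect match-all CM-HOST-B
 match access-group name HOST-B
!
policy-map type inspect PM-IN-OUT
 class type inspect CM-HOST-A
  inspect
 class type inspect CM-HOST-B
  inspect
 class class-default
  drop
!
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! Per the description, 12.4(22)T needs the post-NAT source in the ACL instead:
!  permit ip host 203.0.113.2 any
! With PAT that one entry covers every inside host alike, so HOST-A and
! HOST-B can no longer be given different policies.
```

After an upgrade or downgrade across these releases, the per-class counters in `show policy-map type inspect zone-pair ZP-IN-OUT` show which class outbound traffic is actually matching.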