zone based firewall

From: Fake Name <fname84_at_gmail.com>
Date: Tue, 25 Aug 2009 23:53:04 -0400

I have done the following configuration for the zone based firewall for 3
interfaces: a private, a dmz, and an internet interface. I want the
private interface to be able to talk through the dmz and internet interfaces
with the traffic inspected, and the dmz interface to talk through the
internet interface with the traffic inspected. If a host on the dmz
interface needs to reach a host on the inside interface without any
initiating traffic coming from the inside, there must be an acl statement.
If a host on the outside interface needs to reach a host on the inside
interface or the dmz interface without any initiating traffic coming from
the inside, there must be an acl statement.

Can anyone spot my configuration mistake?

class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ssh
 match protocol ftp
 match protocol imap
 match protocol http
 match protocol https
 match protocol dns
!
policy-map type inspect inspecttrafficpolicy
 class type inspect inspecttraffic
  inspect
!
zone security private
zone security internet
zone security dmz
!
zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy
!
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspecttrafficpolicy
!
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspecttrafficpolicy
!
interface FastEthernet0/0
 zone-member security internet
!
interface FastEthernet0/1
 zone-member security private
!
interface Vlan150
 zone-member security dmz

Blogs and organic groups at http://www.ccie.net
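The following is an added example, not the original poster's configuration, showing one way to implement the policy described in the post on a Cisco IOS zone-based firewall. Two points it illustrates: traffic between zones with no zone-pair is dropped by default, so the reverse directions (dmz to private, internet to dmz, internet to private) need their own zone-pairs whose class-maps are gated by an access list; and in a match-any class-map the generic tcp/udp match is evaluated before the application protocols listed after it, so those sessions only receive layer-4 inspection. The host addresses, ports, ACL names and class/policy names are assumptions made up for the example.

```cisco
! Added example (not the original post's config). Addresses, ports and
! object names below are assumptions for illustration only.
!
! Generic L4 inspection for sessions initiated from the more-trusted side.
! Listing tcp/udp/icmp here without the application protocols avoids the
! match-any ordering trap: with "match protocol tcp" ahead of "match
! protocol http", HTTP sessions match tcp first and get L4-only inspection.
class-map type inspect match-any INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Flows the less-trusted side may initiate; anything not listed is dropped.
ip access-list extended DMZ-TO-PRIVATE
 remark assumed: DMZ web server 10.2.2.20 reaches internal DB 10.1.1.10
 permit tcp host 10.2.2.20 host 10.1.1.10 eq 3306
!
ip access-list extended INTERNET-TO-DMZ
 remark assumed: public web and mail published on DMZ host 10.2.2.20
 permit tcp any host 10.2.2.20 eq 80
 permit tcp any host 10.2.2.20 eq 443
 permit tcp any host 10.2.2.20 eq 25
!
ip access-list extended INTERNET-TO-PRIVATE
 remark assumed: one partner address may ssh to management host 10.1.1.5
 permit tcp host 203.0.113.10 host 10.1.1.5 eq 22
!
! match-all: the packet must match the ACL AND be tcp before it is inspected.
class-map type inspect match-all DMZ-TO-PRIVATE
 match access-group name DMZ-TO-PRIVATE
 match protocol tcp
!
class-map type inspect match-all INTERNET-TO-DMZ
 match access-group name INTERNET-TO-DMZ
 match protocol tcp
!
class-map type inspect match-all INTERNET-TO-PRIVATE
 match access-group name INTERNET-TO-PRIVATE
 match protocol tcp
!
! Explicit class-default drop with logging makes the denies visible.
policy-map type inspect INSIDE-OUT
 class type inspect INSIDE-OUT
  inspect
 class class-default
  drop log
!
policy-map type inspect DMZ-TO-PRIVATE
 class type inspect DMZ-TO-PRIVATE
  inspect
 class class-default
  drop log
!
policy-map type inspect INTERNET-TO-DMZ
 class type inspect INTERNET-TO-DMZ
  inspect
 class class-default
  drop log
!
policy-map type inspect INTERNET-TO-PRIVATE
 class type inspect INTERNET-TO-PRIVATE
  inspect
 class class-default
  drop log
!
zone security private
zone security dmz
zone security internet
!
! Trusted-to-less-trusted: inspect, return traffic is allowed by state.
zone-pair security private-internet source private destination internet
 service-policy type inspect INSIDE-OUT
zone-pair security private-dmz source private destination dmz
 service-policy type inspect INSIDE-OUT
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect INSIDE-OUT
!
! Less-trusted-to-trusted: without these pairs the traffic is dropped
! outright; with them only the ACL-listed flows may be initiated.
zone-pair security dmz-private source dmz destination private
 service-policy type inspect DMZ-TO-PRIVATE
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect INTERNET-TO-DMZ
zone-pair security internet-private source internet destination private
 service-policy type inspect INTERNET-TO-PRIVATE
!
interface FastEthernet0/0
 zone-member security internet
!
interface FastEthernet0/1
 zone-member security private
!
interface Vlan150
 zone-member security dmz
```

After applying this, `show policy-map type inspect zone-pair sessions` lists the stateful sessions per zone-pair, and `show zone-pair security` confirms every pair has a policy attached; a pair that shows no service-policy passes nothing. Traffic to and from the router itself is the self zone, which is not covered by these pairs and keeps the default permit-all behaviour unless separate self-zone pairs are added.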
Received on Tue Aug 25 2009 - 23:53:04 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART