Are you saying this does not work in the first instance? Anyway, this looks
good to me, although there is some redundant configuration in the class map,
which matches more traffic than necessary. This alone would do the job for you:
class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
As for the hosts able to access the various zones, yes, an ACL would be in
order.
Still not sure what you are asking here to be honest.
HTH a little bit in the meantime,
Sadiq
On Wed, Aug 26, 2009 at 4:53 AM, Fake Name <fname84_at_gmail.com> wrote:
> I have done the following configuration for a zone-based firewall with 3
> interfaces: a private, a DMZ, and an internet interface. I want the private
> interface to be able to talk through the DMZ and internet interfaces with
> the traffic inspected, and the DMZ interface to be able to talk through the
> internet interface with the traffic inspected. If a host on the DMZ
> interface needs to reach a host on the inside interface without any
> initiating traffic coming from the inside, there must be an ACL statement.
> If a host on the outside interface needs to reach a host on the inside
> interface or the DMZ interface without any initiating traffic coming from
> the inside, there must be an ACL statement.
>
> Can anyone spot my configuration mistake?
>
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
>  match protocol ssh
>  match protocol ftp
>  match protocol imap
>  match protocol http
>  match protocol https
>  match protocol dns
> !
> policy-map type inspect inspecttrafficpolicy
>  class type inspect inspecttraffic
>   inspect
> !
> zone security private
> zone security internet
> zone security dmz
> !
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspecttrafficpolicy
> !
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspecttrafficpolicy
> !
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspecttrafficpolicy
> !
> interface FastEthernet0/0
>  zone-member security internet
> !
> interface FastEthernet0/1
>  zone-member security private
> !
> interface Vlan150
>  zone-member security dmz
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
CCIE #19963

Received on Wed Aug 26 2009 - 10:17:01 ART
This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART
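The ACL-gated zone-pair that Sadiq alludes to ("an ACL would be in order"), written out as an added example; this is not configuration from the original thread. In IOS zone-based firewall, traffic between two zones that have no zone-pair is dropped, so the DMZ-initiated flows the original poster wants to allow into the private zone need their own zone-pair, with a class map that matches only the ACL-permitted hosts and ports. The zone names follow the posted config; the addresses (172.16.1.10 as a DMZ server, 10.0.0.5 as an internal database host) and the TCP port are assumed placeholders.

```cisco
! Added example, not from the original post. Addresses/ports are assumed.
! Only the DMZ host 172.16.1.10 may open TCP/1433 to the internal host 10.0.0.5.
! Anything the ACL does not permit simply fails to match the class map below.
ip access-list extended DMZ-TO-PRIVATE
 permit tcp host 172.16.1.10 host 10.0.0.5 eq 1433
!
! match-all: a flow must hit the ACL AND be TCP. UDP or ICMP from the same
! source still falls through to class-default and is dropped.
class-map type inspect match-all dmz-to-private-cm
 match access-group name DMZ-TO-PRIVATE
 match protocol tcp
!
! "inspect" opens a stateful session, so the replies from 10.0.0.5 back to the
! DMZ are allowed without touching the private-dmz zone-pair. "pass" would not
! create state and would need a matching pass rule in the reverse direction.
! class-default is dropped whether or not it is configured; "drop log" only
! makes the denied DMZ-to-private attempts visible in syslog.
policy-map type inspect dmz-to-private-pm
 class type inspect dmz-to-private-cm
  inspect
 class class-default
  drop log
!
! Without this zone-pair every DMZ-initiated packet towards private is dropped
! silently, which is the default-deny the poster relies on for the other pairs.
zone-pair security dmz-private source dmz destination private
 service-policy type inspect dmz-to-private-pm
```

The same pattern covers the internet-to-DMZ and internet-to-private requirements in the original question: one ACL, one match-all class map and one zone-pair per direction, each with its own policy map so that the permitted hosts and ports for the two destinations stay separate. Traffic to the router's own addresses is not affected by any of these pairs; it belongs to the self zone and is handled separately.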