Re: zone based firewall

From: Iwan Hoogendoorn <iwan_at_ipexpert.com>
Date: Wed, 26 Aug 2009 13:44:04 +0200

Hi,

I think that should work ...
your config looks good.

Maybe you can do some verification using this?:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html#wp1560845

-- 
Regards,
Iwan Hoogendoorn
CCIE #13084 (R&S / Security / SP)
Sr. Support Engineer  IPexpert, Inc.
URL: http://www.IPexpert.com
On Wed, Aug 26, 2009 at 5:53 AM, Fake Name <fname84_at_gmail.com> wrote:
> I have done the following configuration for the zone based firewall for 3
> interfaces.  A private, dmz, and internet interface.  I am seeking that the
> private interface can talk through the dmz and internet interface and
> traffic be inspected.  The dmz interface can talk through the internet
> interface and traffic be inspected.  If a host from the dmz interface needs
> to reach a host on the inside interface without any initiating traffic
> coming from the inside there must be an acl statement.  If a host from the
> outside interface needs to reach a host on the inside interface or dmz
> interface without any initiating traffic coming from the inside there must
> be an acl statement.
>
> Can anyone spot my configuration mistake?
>
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
>  match protocol ssh
>  match protocol ftp
>  match protocol imap
>  match protocol http
>  match protocol https
>  match protocol dns
>
> policy-map type inspect inspecttrafficpolicy
>  class type inspect inspecttraffic
>  inspect
>
> zone security private
> zone security internet
> zone security dmz
>
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspecttrafficpolicy
>
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspecttrafficpolicy
>
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspecttrafficpolicy
>
> !
> interface FastEthernet0/0
>  zone-member internet
> !
> interface FastEthernet0/1
>  zone-member private
>
> int vlan 150
> zone-member dmz
>
Blogs and organic groups at http://www.ccie.net
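As an added example (not part of the thread and not Cisco code), the following Python models the zone-pair rules the question relies on and checks the stated requirement against the quoted zone-pair lines: inspected pairs permit the initiating direction plus stateful return traffic, same-zone traffic passes, and any direction without a zone-pair is dropped. The configuration text is copied into the script as constructed input and the function names are my own.

```python
"""Model of Cisco IOS zone-based firewall (ZBF) zone-pair semantics.

Added example, not from the original thread. Rules modelled:
- traffic between interfaces in the same zone passes by default
- a zone-pair with an inspect service-policy permits the initiating
  direction and, being stateful, the return traffic of those sessions
- a zone-pair with no service-policy, or no zone-pair at all, drops traffic
"""
import re

# Constructed copy of the zone and zone-pair lines from the question.
CONFIG = """
zone security private
zone security internet
zone security dmz
zone-pair security private-internet source private destination internet
 service-policy type inspect inspecttrafficpolicy
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspecttrafficpolicy
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspecttrafficpolicy
"""

ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")
SERVICE_POLICY = re.compile(r"^\s+service-policy type inspect (\S+)")


def parse_zone_pairs(config):
    """Return {(source, destination): policy_name}; None means no policy (drop)."""
    pairs = {}
    current = None
    for line in config.splitlines():
        m = ZONE_PAIR.match(line)
        if m:
            current = (m.group(2), m.group(3))
            pairs[current] = None
            continue
        m = SERVICE_POLICY.match(line)
        if m and current:
            pairs[current] = m.group(1)
    return pairs


def initiating_allowed(pairs, src, dst):
    """True if a new session from zone src to zone dst is permitted."""
    if src == dst:
        return True  # same-zone traffic is not policed by default
    return pairs.get((src, dst)) is not None


def return_allowed(pairs, src, dst):
    """True if replies from dst back to src pass; inspect is stateful,
    so no reverse zone-pair is needed for return traffic."""
    return initiating_allowed(pairs, src, dst)
```

Running it confirms the asker's intent: private reaches dmz and internet, dmz reaches internet, and dmz-to-private or internet-to-anything is dropped until a zone-pair with an explicit policy is added.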
Received on Wed Aug 26 2009 - 13:44:04 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:57 ART