so you mean like this?
class-map type inspect match-any inspecttraffic
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect inspect-private-to-internet
 class type inspect inspecttraffic
  inspect
!
policy-map type inspect inspect-private-to-dmz
 class type inspect inspecttraffic
  inspect
!
policy-map type inspect inspect-dmz-to-internet
 class type inspect inspecttraffic
  inspect
 class class-default
  drop
!
zone security private
zone security internet
zone security dmz
!
zone-pair security private-internet source private destination internet
 service-policy type inspect inspect-private-to-internet
zone-pair security private-dmz source private destination dmz
 service-policy type inspect inspect-private-to-dmz
zone-pair security dmz-internet source dmz destination internet
 service-policy type inspect inspect-dmz-to-internet
On Wed, Aug 26, 2009 at 9:38 AM, Tony Schaffran (GS) <groupstudy_at_cconlinelabs.com> wrote:
> You need to set up a separate policy for inbound traffic from the internet
> and then configure your zone-pairs from internet to dmz and internet to
> inside as well if you want traffic to be allowed from the internet.
>
> Tony Schaffran
> Sr. Network Consultant
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Fake Name
> Sent: Tuesday, August 25, 2009 8:53 PM
> To: Cisco certification
> Subject: zone based firewall
>
> I have done the following configuration for the zone based firewall for 3
> interfaces: a private, dmz, and internet interface. I want the private
> interface to be able to talk through the dmz and internet interfaces and have
> the traffic inspected. The dmz interface can talk through the internet
> interface and the traffic is inspected. If a host from the dmz interface needs
> to reach a host on the inside interface without any initiating traffic
> coming from the inside there must be an acl statement. If a host from the
> outside interface needs to reach a host on the inside interface or dmz
> interface without any initiating traffic coming from the inside there must
> be an acl statement.
>
> Can anyone spot my configuration mistake?
>
> class-map type inspect match-any inspecttraffic
>  match protocol tcp
>  match protocol udp
>  match protocol icmp
>  match protocol ssh
>  match protocol ftp
>  match protocol imap
>  match protocol http
>  match protocol https
>  match protocol dns
>
> policy-map type inspect inspecttrafficpolicy
>  class type inspect inspecttraffic
>   inspect
>
> zone security private
> zone security internet
> zone security dmz
>
> zone-pair security private-internet source private destination internet
>  service-policy type inspect inspecttrafficpolicy
>
> zone-pair security private-dmz source private destination dmz
>  service-policy type inspect inspecttrafficpolicy
>
> zone-pair security dmz-internet source dmz destination internet
>  service-policy type inspect inspecttrafficpolicy
>
> !
> interface FastEthernet0/0
>  zone-member security internet
> !
> interface FastEthernet0/1
>  zone-member security private
> !
> interface Vlan150
>  zone-member security dmz
>
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Wed Aug 26 2009 - 09:46:21 ART
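What Tony is describing, written out as an added example that is not part of either post: a separate inbound policy for the internet-to-dmz zone-pair, in which an ACL limits which DMZ host is reachable, a nested class-map limits the protocols, and everything else arriving from the internet is dropped and logged by class-default. The ACL name, class-map and policy-map names, and the host address 192.0.2.10 (a documentation address standing in for the DMZ web server) are all constructed for this example.

```cisco
! Added example, not the original poster's configuration.
! 192.0.2.10 is a constructed placeholder for the DMZ host that should be reachable.
ip access-list extended ACL-INTERNET-TO-DMZ
 permit ip any host 192.0.2.10
!
! Protocols that may be initiated from the internet toward the DMZ host
! (match-any: any one of these protocols matches).
class-map type inspect match-any dmz-published-services
 match protocol http
 match protocol https
!
! match-all: a packet must match the ACL AND one of the published protocols.
class-map type inspect match-all internet-to-dmz-class
 match access-group name ACL-INTERNET-TO-DMZ
 match class-map dmz-published-services
!
policy-map type inspect inspect-internet-to-dmz
 class type inspect internet-to-dmz-class
  inspect
 class class-default
  drop log
!
! Zone-pairs are unidirectional: the existing dmz-internet pair only covers
! sessions initiated from the dmz. Without this pair, unsolicited traffic
! from the internet toward the dmz is dropped by the default inter-zone policy.
zone-pair security internet-dmz source internet destination dmz
 service-policy type inspect inspect-internet-to-dmz
```

The same pattern (its own ACL, class-map, policy-map and zone-pair) applies to internet-to-private if unsolicited inbound traffic to the inside is really wanted; return traffic for sessions already inspected on the private-internet and dmz-internet pairs is permitted by the session table and needs no additional zone-pair. After applying it, `show policy-map type inspect zone-pair internet-dmz sessions` shows which inbound sessions are being matched and inspected, and the `drop log` on class-default makes anything that falls through visible in the log rather than silently discarded.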