topic Create an ACL that denies in Network Security

Traffic Redirection to SFR

fatalXerror — Tue, 12 Mar 2019 08:03:34 GMT

Hi Experts,

Good Day!

Please see my diagram which I attached here.

I wanted to know if it is possible this scenario, my inside subnet WILL BE redirected to the SFR module for application inspection before going to the internet but it WILL NOT redirect to SFR if the inside subnet will access the server located in the DMZ zone? Is this possible?

In addition, is it a good design to enable the SFR module while the firewall will also provide site-to-site and remote-access VPN capabilities?

Thank you and have a nice day!

Cheers,

Create an ACL that denies

Greg Smalley — Mon, 25 Jul 2016 20:25:19 GMT

Create an ACL that denies traffic from the inside to the server located in the DMZ zone, and secondly permits traffic from the inside to the internet. Then call this ACL from your class/policy map.

I would certainly enable the SFR for inbound traffic via VPN.

access-list sfr_redirect extended deny ip <inside_net> host <server ip>
access-list sfr_redirect extended permit ip <inside_net> any

class-map sfr
match access-list sfr_redirect

policy-map global_policy
class sfr
sfr fail-open

-Greg