topic You can use a class-map that in Network Security

Help in configuring zone based firewall

l.buschi — Tue, 12 Mar 2019 07:33:39 GMT

Can anybody help me in configuring the following?

I have a router with zone based firewall configured.

I have the following port redirect:

ip nat inside source static tcp 192.168.1.100 80 172.24.10.100 8888 extendable

172.24.10.x is my pool of outside addresses.

I need to reach the server 192.168.1.100:80 from any outside address (by the address 172.24.10.100:8888 )

which class map type inspect do I have to configure?

Thanks

Johnny

You can use a class-map that

Karsten Iwen — Thu, 31 Mar 2016 09:54:57 GMT

You can use a class-map that references an ACL. This ACL allows the traffic to the real IP/Port of the server.

do you mean the following?

l.buschi — Thu, 31 Mar 2016 10:10:40 GMT

do you mean the following?

access-list 101 permit tcp any host 192.168.1.100 eq 80

in the policy map do I have to put an inspect or a pass statement?

Thanks

Johnny

Yes, the ACL is ok, although

Karsten Iwen — Thu, 31 Mar 2016 10:17:44 GMT

Yes, the ACL is ok, although I would use a named ACL.

The action "pass" is for unidirectional flows. If you want that your server can send answers back to the client (probably yes 😉 ) then you need to "inspect" that traffic.