Welcome to Cisco Firewalls Community


Beginner

Zone-Based Policy Firewall help

Looking for necessary commands to do the following policy:

You should allow web traffic (HTTP and HTTPS ONLY) to get to the Server (192.168.2.3/24) in the DMZ of R1 (R1 G0/0 – 192.168.2.1/24). Allow pings to the DMZ server as well.

VIP Advocate

Re: Zone-Based Policy Firewall help

You could do something like the following:

ip access-list extended web-to-dmzServer-acl
 ! only HTTP and HTTPS towards the DMZ server; "eq" is required before the port
 permit tcp any host 192.168.2.3 eq 80
 permit tcp any host 192.168.2.3 eq 443

class-map type inspect match-any web-to-dmzServer-cmap
 ! a named ACL is referenced with "match access-group name"
 match access-group name web-to-dmzServer-acl

policy-map type inspect web-to-dmzServer-pmap
 class type inspect web-to-dmzServer-cmap
  inspect

zone security dmz
 description DMZ services

zone security web
 description Internet

zone-pair security web-to-dmz-pair source web destination dmz
 ! the policy-map does nothing until it is attached to the zone-pair
 service-policy type inspect web-to-dmzServer-pmap

interface Gig0/0/0
 description Internet
 zone-member security web

interface Gig0/0/1
 description DMZ
 zone-member security dmz

Verification:

show policy-map type inspect zone web

show policy-map type inspect zone dmz

show policy-map type inspect zone-pair web-to-dmz-pair


Keep in mind that inspect allows return traffic of the same flow. However, if you require the DMZ servers to initiate traffic to other servers, PCs, or the internet, then this needs to be taken into account and added into the configuration. The configuration I have provided only allows for HTTP and HTTPS towards the DMZ server.

--
Please remember to rate and select a correct answer
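Added example, not part of the thread or of any Cisco tool: a small Python checker that parses a ZBF config in the shape shown above and reports dangling references (a class-map, policy-map, ACL or zone that is named but never defined) and zone-pairs with no service-policy attached, which is the usual reason a correctly written policy-map passes no traffic. The sample config and the name check_zbf are constructed for this example; it generalises beyond the reply's config to any ZBF stanza layout using the same keywords.

```python
import re
# Constructed sample: the reply's config, with the zone-pair left without a
# service-policy (the attachment step that is easiest to forget).
SAMPLE_CONFIG = """\
ip access-list extended web-to-dmzServer-acl
 permit tcp any host 192.168.2.3 eq 80
 permit tcp any host 192.168.2.3 eq 443
class-map type inspect match-any web-to-dmzServer-cmap
 match access-group name web-to-dmzServer-acl
policy-map type inspect web-to-dmzServer-pmap
 class type inspect web-to-dmzServer-cmap
  inspect
zone security dmz
zone security web
zone-pair security web-to-dmz-pair source web destination dmz
"""
# Top-level lines that define an object, and indented lines that reference one.
DEFS = {"acl": r"ip access-list extended (\S+)",
        "class-map": r"class-map type inspect (?:match-\w+ )?(\S+)",
        "policy-map": r"policy-map type inspect (\S+)",
        "zone": r"zone security (\S+)",
        "zone-pair": r"zone-pair security (\S+) source (\S+) destination (\S+)"}
REFS = {"acl": r"match access-group name (\S+)",
        "class-map": r"class type inspect (\S+)",
        "policy-map": r"service-policy type inspect (\S+)",
        "zone": r"zone-member security (\S+)"}

def check_zbf(config):  # -> list of findings: dangling refs, unattached zone-pairs
    defined = {kind: set() for kind in DEFS}
    refs, pair_policy, pair = [], {}, None   # pair: zone-pair stanza being parsed
    for line in config.splitlines():
        s, top = line.strip(), not line.startswith(" ")
        pair = None if top else pair          # any top-level line ends the stanza
        for kind, pat in (DEFS if top else REFS).items():
            if not (m := re.match(pat, s)):
                continue
            if top:
                defined[kind].add(m[1])
                if kind == "zone-pair":       # its zones must exist and it needs a policy
                    pair, pair_policy[m[1]] = m[1], None
                    refs += [("zone", z, s) for z in m.group(2, 3)]
            else:
                refs.append((kind, m[1], s))
                if kind == "policy-map" and pair:
                    pair_policy[pair] = m[1]
    out = [f"{ctx}: undefined {kind} '{name}'"
           for kind, name, ctx in refs if name not in defined[kind]]
    out += [f"zone-pair {p}: no service-policy attached, traffic between its zones is dropped"
            for p, pol in pair_policy.items() if pol is None]
    return out
```

Run it against a "show running-config" capture before committing a change; an empty list means every reference resolves and every zone-pair has a policy.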