03-05-2013 06:48 AM - edited 03-11-2019 06:10 PM
Hi,
I have a 3-zone Zone Based Firewall setup on a CISCO 877.
The configuration works fine for blocking ports, protocols, or IPs. HTTP/HTTPS access is disallowed; however, I would like to allow access to a limited number of URLs from the 'DMZ zone' (for argument's sake, let's say www.microsoft.com).
As the domain www.microsoft.com may contain a number of IP addresses, can anyone suggest a URL config to allow access only to this website?
I've tried these URL-specific settings, but they do not seem to be completed correctly:
parameter-map type urlf-glob Microsoft
 pattern *.microsoft.com
class-map type urlfilter match-any Microsoft
 match server-domain urlf-glob Microsoft
policy-map type inspect urlfilter URLFILTER
 class type urlfilter Microsoft
  allow
The working config (apart from the needed URL filtering) is:
------------------------------------------------------------------------------------------------------------------
ip domain lookup source-interface Vlan10
ip domain name xxx.xxxx.x
ip name-server x.x.x.x
!
class-map type inspect match-any DMZ-SharedLAN-traffic
 match protocol icmp
 match access-group 112
class-map type inspect match-any SharedLAN-DMZ-traffic
 match protocol icmp
 match access-group 111
class-map type inspect match-any InternetPCs-DMZ-traffic
 match protocol icmp
 match protocol dns
 match access-group 110
class-map type inspect match-any DMZ-InternetPCs-traffic
 match protocol http
 match access-group 113
!
policy-map type inspect DMZ-SharedLAN-policy
 class type inspect DMZ-SharedLAN-traffic
  inspect
 class class-default
  drop
policy-map type inspect SharedLAN-DMZ-policy
 class type inspect SharedLAN-DMZ-traffic
  inspect
 class class-default
  drop
policy-map type inspect InternetPCs-DMZ-policy
 class type inspect InternetPCs-DMZ-traffic
  inspect
 class class-default
  drop
policy-map type inspect DMZ-InternetPCs-policy
 class type inspect DMZ-InternetPCs-traffic
  inspect
 class class-default
  drop
!
zone security InternetPCs
zone security DMZ
zone security SharedLAN
zone-pair security InternetPCs-DMZ-pair source InternetPCs destination DMZ
 service-policy type inspect InternetPCs-DMZ-policy
zone-pair security DMZ-SharedLAN-pair source DMZ destination SharedLAN
 service-policy type inspect DMZ-SharedLAN-policy
zone-pair security SharedLAN-DMZ-pair source SharedLAN destination DMZ
 service-policy type inspect SharedLAN-DMZ-policy
zone-pair security DMZ-InternetPCs-pair source DMZ destination InternetPCs
 service-policy type inspect DMZ-InternetPCs-policy
!
interface Vlan20
 description SharedLAN
 ip address 192.168.20.250 255.255.255.0
 zone-member security SharedLAN
!
interface Vlan30
 description DMZ
 ip address 192.168.30.250 255.255.255.0
 zone-member security DMZ
!
interface Vlan10
 description InternetPCs
 ip address 192.168.10.250 255.255.255.0
 zone-member security InternetPCs
!
ip default-gateway 192.168.10.1
!
access-list 110 remark ACL_InternetPCs_to_DMZ
access-list 110 permit tcp host 192.168.10.33 host 192.168.30.35 eq 445
access-list 111 remark ACL_SharedLAN_to_DMZ
access-list 111 permit tcp host 192.168.20.71 host 192.168.30.35 eq 3389
access-list 112 remark ACL_DMZ_tp_SharedLAN
access-list 112 permit tcp host 192.168.30.35 host 192.168.20.31 eq 445
access-list 113 remark ACL_DMZ_to_InternetPCs
access-list 113 permit udp host 192.168.30.35 host 192.168.10.30 eq domain
------------------------------------------------------------------------------------------------------------------
Any advice or tips would be appreciated.
Thanks,
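One complete way to hang a local URL filter off the existing DMZ-to-InternetPCs HTTP inspection, added here as an illustration and not taken from the thread or the guide linked in the reply; ALLOWED-DOMAINS, ALLOWED-CLASS, LOCAL-URLF, DMZ-HTTP-OUT and ACL 114 are names chosen for this example, the DMZ host 192.168.30.35 and DMZ-InternetPCs-policy come from the posted config, and the class-default actions inside the urlfilter policy are an assumption about the IOS release.

```cisco
! Example config, not from the thread. Names ALLOWED-DOMAINS, ALLOWED-CLASS,
! LOCAL-URLF, DMZ-HTTP-OUT and ACL 114 are assumed; the rest is from the post.
!
! 1. Domains the DMZ host may reach (the glob also covers every subdomain)
parameter-map type urlf-glob ALLOWED-DOMAINS
 pattern www.microsoft.com
 pattern *.microsoft.com
class-map type urlfilter match-any ALLOWED-CLASS
 match server-domain urlf-glob ALLOWED-DOMAINS
!
! 2. Layer 7 URL-filter policy: allow the listed domains, reset everything
!    else (assumed: class-default accepts reset/log on this release)
policy-map type inspect urlfilter LOCAL-URLF
 class type urlfilter ALLOWED-CLASS
  allow
  log
 class class-default
  reset
  log
!
! 3. Layer 4 class for HTTP from the DMZ host only, so the URL filter is
!    attached to HTTP and not to the DNS traffic that ACL 113 matches
access-list 114 remark ACL_DMZ_HTTP_to_Internet
access-list 114 permit tcp host 192.168.30.35 any eq www
class-map type inspect match-all DMZ-HTTP-OUT
 match protocol http
 match access-group 114
!
! 4. Drop the unfiltered HTTP match from the existing class first, so no
!    DMZ host has an HTTP path that bypasses the filter
class-map type inspect match-any DMZ-InternetPCs-traffic
 no match protocol http
!
! 5. Bind the URL filter under "inspect" in the existing zone-pair policy;
!    class-default stays last, so the new class is evaluated before it
policy-map type inspect DMZ-InternetPCs-policy
 class type inspect DMZ-HTTP-OUT
  inspect
  service-policy urlfilter LOCAL-URLF
```

Local URL filtering matches the Host header and URL of cleartext HTTP only, so HTTPS to the same domains cannot be identified by name through this feature and stays covered by the class-default drop.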
03-05-2013 08:45 AM
Hello Mario,
I have done it a lot of times based on the following guide:
Regards
03-06-2013 08:36 AM
Thank you, that link was very helpful!
Cheers,
03-06-2013 08:52 AM
Hey Mario,
My pleasure to help.
Any questions, let us know.