Help with Class-map configuration - ZBFW

Yadhu Tony
Level 1

Hello,

I need some clarification regarding the class-map configuration in a ZBFW. I need to allow https, http, ftp & rdp traffic from the Internet to a few of the servers inside our LAN. So I put the below configuration in place to accomplish the task (the example shows the class-map for only the https protocol):

a.)

class-map type inspect match-all HTTPS-ACCESS
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS

ip access-list extended HTTPS-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.56 eq 443
 permit tcp any host 172.17.0.36 eq 443
 permit tcp any host 172.17.0.45 eq 443
 permit tcp any host 172.17.0.60 eq 443

Where .55, .56, .36, .45 and .60 are the servers inside the LAN (there are 12 more servers) that need to be accessed via https, http, ftp & rdp from the Internet.

Is it a correct approach? Or do I need to change my configuration so that I match only the ACL with my class-map, like below:

b.)

ip access-list extended OUTSIDE-TO-INSIDE-ACL
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.55 eq www
 permit tcp any host 172.17.0.55 eq 21
 permit tcp any host 172.17.0.55 eq 3389
 permit tcp any host 172.17.0.56 eq 443
 permit tcp any host 172.17.0.56 eq www
 permit tcp any host 172.17.0.56 eq 21
 permit tcp any host 172.17.0.56 eq 3389
 permit tcp any host 172.17.0.36 eq 443
 permit tcp any host 172.17.0.36 eq www
 permit tcp any host 172.17.0.36 eq 21
 permit tcp any host 172.17.0.36 eq 3389
 permit tcp any host 172.17.0.45 eq 443
 permit tcp any host 172.17.0.45 eq www
 permit tcp any host 172.17.0.45 eq 21
 permit tcp any host 172.17.0.45 eq 3389

class-map type inspect match-all OUT-IN-CLASS
 match access-group name OUTSIDE-TO-INSIDE-ACL

Which one is the correct approach when we consider the performance of the firewall? Please help me.

Regards,

Yadhu

Regards,
Tony

http://yadhutony.blogspot.com
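For readers following the thread, here is a complete ZBFW configuration built around the poster's approach (a), added as an illustration and not taken from the original post or from any vendor document. It shows the pieces the question leaves out: the zones, the zone-pair, and the policy-map that actually applies the class-maps. With a match-all class-map, a flow is classified only when both the protocol match and the ACL match succeed, so the ACL restricts which inside hosts are reachable while the protocol match selects the inspection engine (for FTP this matters, because the inspection engine tracks the data channel). RDP is matched here as plain TCP plus an ACL on port 3389 rather than a named protocol. The zone names (INSIDE, OUTSIDE), interface names, policy-map name and the grouped ACL names are assumptions chosen for the example; the server addresses are the ones from the question.

```cisco
! --- Assumed zone and interface layout (not from the original post) ---
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Internet-facing
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
!
! --- Destination restriction: only the published servers, only the published ports ---
ip access-list extended HTTPS-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 443
 permit tcp any host 172.17.0.56 eq 443
 permit tcp any host 172.17.0.36 eq 443
 permit tcp any host 172.17.0.45 eq 443
 permit tcp any host 172.17.0.60 eq 443
!
ip access-list extended HTTP-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq www
 permit tcp any host 172.17.0.56 eq www
!
ip access-list extended FTP-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 21
 permit tcp any host 172.17.0.56 eq 21
!
ip access-list extended RDP-SERVER-ACCESS
 permit tcp any host 172.17.0.55 eq 3389
 permit tcp any host 172.17.0.56 eq 3389
!
! --- match-all: protocol AND destination ACL must both be true ---
class-map type inspect match-all HTTPS-ACCESS
 match protocol https
 match access-group name HTTPS-SERVER-ACCESS
!
class-map type inspect match-all HTTP-ACCESS
 match protocol http
 match access-group name HTTP-SERVER-ACCESS
!
class-map type inspect match-all FTP-ACCESS
 match protocol ftp
 match access-group name FTP-SERVER-ACCESS
!
! RDP is matched as generic TCP; the ACL pins it to port 3389 on the listed hosts
class-map type inspect match-all RDP-ACCESS
 match protocol tcp
 match access-group name RDP-SERVER-ACCESS
!
! --- Policy: inspect what is published, drop and log everything else ---
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect HTTPS-ACCESS
  inspect
 class type inspect HTTP-ACCESS
  inspect
 class type inspect FTP-ACCESS
  inspect
 class type inspect RDP-ACCESS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
```

To confirm which class a live connection landed in, and that nothing unexpected is hitting class-default, use `show policy-map type inspect zone-pair OUT-IN` (per-class packet counters and active sessions) and `show class-map type inspect` to review the match criteria as the device parsed them. Keeping `drop log` on class-default gives you a record of rejected Internet-originated connections without having to add a separate logging ACL.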
1 Accepted Solution

varrao
Level 10