07-11-2010 10:43 AM - edited 03-11-2019 11:09 AM
I have a DMZ configured that should normally only allow traffic to http, mail, etc. However, I would like to allow admin traffic like ssh from certain IPs as well. For example, my DMZs are behind one IP range from one ISP. My LAN is behind another IP range from another ISP. I'd like admin traffic from my LAN ISP range to have access to the DMZ.
DMZ configuration to allow access to the http servers, etc. is pretty straightforward. However, I can't figure out how to allow that traffic and only allow admin traffic from my LAN ISP IP address range.
Any suggestions?
Thanks,
Greg
Here's the basic DMZ zone configuration:
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol smtp
 match protocol https
 match protocol imap
07-12-2010 10:35 AM
Here is what I would suggest
access-list 101 permit tcp
class-map type inspect match-any ccp-dmz-admin
 match access-group 101
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol smtp
 match protocol https
 match protocol imap
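A complete form of the approach suggested above, as an added example that is not part of the original thread. Only the two class-map names come from the thread; the address ranges (RFC 5737 documentation prefixes), the ACL name, and the policy-map, zone and zone-pair names are assumptions to be replaced with your own.

```cisco
! Assumed placeholders: 203.0.113.0/24 = LAN ISP range (admin source),
!                       198.51.100.0/24 = DMZ range (destination)
ip access-list extended DMZ-ADMIN-SSH
 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
!
! Public services: reachable from any source
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol smtp
 match protocol https
 match protocol imap
!
! Admin access: match-all, so the flow must be SSH AND come from the
! admin source range (the thread's answer uses match-any with one ACL)
class-map type inspect match-all ccp-dmz-admin
 match access-group name DMZ-ADMIN-SSH
 match protocol ssh
!
! Hypothetical policy-map name; classes are evaluated top to bottom
policy-map type inspect DMZ-INBOUND-POLICY
 class type inspect ccp-dmz-protocols
  inspect
 class type inspect ccp-dmz-admin
  inspect
 class class-default
  drop log
!
! Hypothetical zone names; both zones are assumed to exist already
zone-pair security ZP-OUT-DMZ source out-zone destination dmz-zone
 service-policy type inspect DMZ-INBOUND-POLICY
```

After applying, `show policy-map type inspect zone-pair` shows per-class counters, which confirms that SSH from the admin range lands in ccp-dmz-admin and SSH from anywhere else is counted under class-default as dropped.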