Traffic Redirection to SFR

fatalXerror
Level 5

Hi Experts,

Good Day!

Please see my diagram which I attached here.

I wanted to know if this scenario is possible: my inside subnet WILL BE redirected to the SFR module for application inspection before going to the internet, but it WILL NOT be redirected to the SFR if the inside subnet accesses the server located in the DMZ zone. Is this possible?

In addition, is it a good design to enable the SFR module while the firewall will also provide site-to-site and remote-access VPN capabilities?

Thank you and have a nice day!

Cheers,

1 Reply

Greg Smalley
Level 1

Create an ACL that denies traffic from the inside to the server located in the DMZ zone, and secondly permits traffic from the inside to the internet. Then call this ACL from your class/policy map.

I would certainly enable the SFR for inbound traffic via VPN.

! Redirect ACL: a deny entry means "do not send to SFR", not "drop".
! The specific exemption must come before the broad permit (first match wins).
access-list sfr_redirect extended deny ip <inside_net> host <server ip>
access-list sfr_redirect extended permit ip <inside_net> any

! Class selecting the flows to redirect
class-map sfr
 match access-list sfr_redirect

! Attach to the global service policy; fail-open keeps traffic flowing if the module is down
policy-map global_policy
 class sfr
  sfr fail-open

-Greg
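The redirect ACL in the reply relies on two things: first-match evaluation, and the fact that a deny in a redirect ACL only excludes a flow from the SFR module rather than blocking it. The following Python script, added here as an example and not part of the original post or any Cisco tool, generates the same style of ACL from an inside subnet and a list of exempt DMZ hosts, renders it as ASA-style lines, and evaluates sample flows with first-match semantics. The addresses (10.1.1.0/24 inside, 172.16.1.10 as the DMZ server) are constructed sample values; the evaluator models only the flow that initiates the connection, since the ASA applies the service policy per connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-control entry of an ASA extended ACL (protocol 'ip' only)."""
    action: str          # "permit" (redirect to SFR) or "deny" (bypass SFR)
    src: IPv4Network
    dst: IPv4Network     # a /32 for a single host, 0.0.0.0/0 for "any"

    def matches(self, src_ip, dst_ip):
        return src_ip in self.src and dst_ip in self.dst

    def to_asa(self, acl_name):
        return (f"access-list {acl_name} extended {self.action} ip "
                f"{_asa_operand(self.src)} {_asa_operand(self.dst)}")


def _asa_operand(net):
    """Render a network the way ASA ACL syntax expects it."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.netmask}"


def build_redirect_acl(inside_net, exempt_hosts):
    """Deny entries for exempt destinations first, then a broad permit.

    Order matters: if the permit came first, the exemptions would never match.
    """
    inside = ip_network(inside_net)
    aces = [Ace("deny", inside, ip_network(h)) for h in exempt_hosts]
    aces.append(Ace("permit", inside, ip_network("0.0.0.0/0")))
    return aces


def redirected_to_sfr(aces, src, dst):
    """First-match evaluation of the initiating flow.

    permit -> redirected to the SFR module; deny or no match (implicit deny)
    -> the flow stays on the ASA and is never sent to the module.
    """
    s, d = ip_address(src), ip_address(dst)
    for ace in aces:
        if ace.matches(s, d):
            return ace.action == "permit"
    return False


def render_config(aces, acl_name="sfr_redirect"):
    """Produce the ACL plus the class-map / policy-map wiring from the reply."""
    lines = [ace.to_asa(acl_name) for ace in aces]
    lines += [
        "class-map sfr",
        f" match access-list {acl_name}",
        "policy-map global_policy",
        " class sfr",
        "  sfr fail-open",
    ]
    return "\n".join(lines)


# Constructed sample values (hypothetical, not from the original thread)
INSIDE_NET = "10.1.1.0/24"
DMZ_SERVER = "172.16.1.10"
ACL = build_redirect_acl(INSIDE_NET, [DMZ_SERVER])

if __name__ == "__main__":
    print(render_config(ACL))
    print("inside -> internet redirected:", redirected_to_sfr(ACL, "10.1.1.25", "203.0.113.5"))
    print("inside -> DMZ server redirected:", redirected_to_sfr(ACL, "10.1.1.25", DMZ_SERVER))
```

Running it prints the generated configuration and shows that an inside host reaching an internet address is redirected while the same host reaching the DMZ server is not. Note that a flow from the DMZ server toward the inside matches nothing and is therefore also not redirected; if inspection of DMZ-initiated traffic is wanted, it needs its own permit entry.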
