10-12-2012 02:13 PM - edited 03-11-2019 05:08 PM
I recently set up our Cisco 890 in zone firewall mode, rather than the ACL method.
I feel like I have most of this under control, except for one specific area.
I am trying to block some of our QA resources from ever reaching production, you know, the developer screw-up and all.
Anyway, if someone could give me a hand with these rules, that would be great.
object-group network Production_Resources
description Group of Public Production Resources
10.87.1.0 255.255.255.0
64.87.17.0 255.255.255.224
64.87.26.232 255.255.255.248
!
object-group network QA_Resources
description Workstations and Servers to be used with the QA enviornment
host 10.87.42.81
host 10.87.42.93
host 10.87.42.101
host 10.87.42.102
!
class-map type inspect match-any DROP_TRAFFIC
match access-group name DROP_QA_TRAFFIC
match protocol bittorrent
match protocol kazaa2
match protocol edonkey
class-map type inspect match-any TrafficToOutside
match protocol tcp
match protocol udp
match protocol icmp
match protocol ipsec-msft
match protocol smtp
class-map type inspect match-any FIREWALL_EXCEPTIONS
match access-group name FIREWALL_EXCEPTIONS
!
!
policy-map type inspect IN-TO-OUT
class type inspect DROP_TRAFFIC
drop log
class type inspect TrafficToOutside
inspect
class class-default
drop log
policy-map type inspect OUT-TO-IN
class type inspect FIREWALL_EXCEPTIONS
inspect
class class-default
drop
!
zone security inside
zone security outside
zone-pair security ZONE-IN-TO-OUT source inside destination outside
service-policy type inspect IN-TO-OUT
zone-pair security ZONE-OUT-TO-IN source outside destination inside
service-policy type inspect OUT-TO-IN
!
interface GigabitEthernet0
bandwidth 10240
ip address 24.43.xxx.yyy 255.255.255.248 secondary
ip address 24.43.xxx.yy1 255.255.255.248 secondary
ip address 24.43.xxx.yy2 255.255.255.248
ip nat outside
no ip virtual-reassembly
zone-member security outside
duplex auto
speed auto
!
!
interface Vlan10
bandwidth 102400
ip address 172.16.42.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security inside
ip tcp adjust-mss 1452
ip ospf mtu-ignore
!
ip route 10.87.42.0 255.255.255.0 172.16.42.2 permanent name SDOfficeL3Switch
ip route 10.87.43.0 255.255.255.0 172.16.42.3 permanent name soPhoneRoute
ip access-list extended DROP_QA_TRAFFIC
remark Rule to prevent QA resources from reaching production
remark CCP_ACL Category=128
deny ip object-group QA_Resources object-group Production_Resources
permit ip object-group QA_Resources any
ip access-list extended FIREWALL_EXCEPTIONS
permit tcp any any eq 8080
permit tcp any any eq 8090
permit tcp any any eq 8091
permit tcp any any eq 8100
permit tcp any any eq 8789
permit udp any any eq 8080
permit udp any any eq 8091
permit udp any any eq 8100
permit udp any any eq 8789
permit udp any any eq 443
permit tcp any any eq 443
permit udp any any eq 1194
!
cerberus#sh ip access-lists DROP_QA_TRAFFIC
Extended IP access list DROP_QA_TRAFFIC
10 deny ip object-group QA_Resources object-group Production_Resources (24 matches)
20 permit ip object-group QA_Resources any (1039 matches)
cerberus#sh policy-map type inspect zone-pair ZONE-IN-TO-OUT
policy exists on zp ZONE-IN-TO-OUT
Zone-pair: ZONE-IN-TO-OUT
Service-policy inspect : IN-TO-OUT
Class-map: DROP_TRAFFIC (match-any)
Match: access-group name DROP_QA_TRAFFIC
1177 packets, 39856 bytes
30 second rate 0 bps
Match: protocol bittorrent
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol kazaa2
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol edonkey
0 packets, 0 bytes
30 second rate 0 bps
Drop
1177 packets, 39856 bytes
Class-map: TrafficToOutside (match-any)
Match: protocol tcp
29387 packets, 975759 bytes
30 second rate 1000 bps
Match: protocol udp
24002 packets, 1395741 bytes
30 second rate 1000 bps
Match: protocol icmp
112 packets, 2348 bytes
30 second rate 0 bps
Match: protocol ipsec-msft
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [2992:2786067]
udp packets: [46590:3698]
icmp packets: [204:949]
Session creations since subsystem startup or last reset 53345
Current session counts (estab/half-open/terminating) [901:4:0]
Maxever session counts (estab/half-open/terminating) [1057:61:47]
Last session created 00:00:00
Last statistic reset never
Last session creation rate 620
Maxever session creation rate 1660
Last half-open session total 4
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
Class-map: class-default (match-any)
Match: any
Drop
15 packets, 1332 bytes
cerberus#
And yet it's not blocked; I can open a browser to the production page and view the site(s).
I think this covers the relevant lines of the config.
As always, any help is greatly appreciated!
10-12-2012 10:19 PM
Hello John,
I am going to be honest with you. I checked the setup real fast, so I am not 100% sure if this will do it for you, but I think it will.
Anyway, here is what I found weird:
class-map type inspect match-any DROP_TRAFFIC
match access-group name DROP_QA_TRAFFIC
match protocol bittorrent
match protocol kazaa2
match protocol edonkey
cerberus#sh ip access-lists DROP_QA_TRAFFIC
Extended IP access list DROP_QA_TRAFFIC
10 deny ip object-group QA_Resources object-group Production_Resources (24 matches)
20 permit ip object-group QA_Resources any (1039 matches)
Please change the ACL to the following:
ip access-list extended DROP_QA_TRAFFIC
 1 permit ip object-group QA_Resources object-group Production_Resources
Let me know how it goes.
Remember to rate all of the forum answers.
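An added Python model (mine, not from this thread or from Cisco) of how the router walks the class-maps above, to show why the deny entry never dropped anything: with "match access-group", only a permit ACE counts as a class match, a deny ends the ACL lookup with no match, and the packet then falls through to the next class in IN-TO-OUT. Host and group addresses come from the config in the question; 198.51.100.10 is a constructed non-production destination.

```python
import ipaddress

# Object groups transcribed from the thread's config (constructed model).
QA_RESOURCES = [ipaddress.ip_network(h) for h in
                ("10.87.42.81", "10.87.42.93", "10.87.42.101", "10.87.42.102")]
PRODUCTION = [ipaddress.ip_network(n) for n in
              ("10.87.1.0/24", "64.87.17.0/27", "64.87.26.232/29")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# ACL entries as (action, source group, destination group), in ACE order.
ORIGINAL_ACL = [("deny", QA_RESOURCES, PRODUCTION),   # ACE 10 in the question
                ("permit", QA_RESOURCES, ANY)]        # ACE 20 in the question
CORRECTED_ACL = [("permit", QA_RESOURCES, PRODUCTION)]  # the answer's ACL


def in_group(addr, group):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


def acl_matches_class(acl, src, dst):
    """Zone-based firewall semantics for 'match access-group': the first ACE that
    covers the packet decides. permit -> the class matches; deny -> the class does
    NOT match (the ACE counter still increments, which is what misled the poster).
    No covering ACE (implicit deny) -> no match either."""
    for action, s_grp, d_grp in acl:
        if in_group(src, s_grp) and in_group(dst, d_grp):
            return action == "permit"
    return False


def in_to_out_action(acl, src, dst, proto="tcp"):
    """Walk policy-map IN-TO-OUT in configured order; the first matching class wins."""
    # class DROP_TRAFFIC (match-any): the ACL or a P2P protocol (only the ACL is modelled).
    if acl_matches_class(acl, src, dst):
        return "drop"
    # class TrafficToOutside (match-any): tcp, udp, icmp, ipsec-msft, smtp -> inspect.
    if proto in ("tcp", "udp", "icmp", "ipsec-msft", "smtp"):
        return "inspect"
    return "drop"  # class class-default


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "QA->prod:", in_to_out_action(acl, "10.87.42.81", "64.87.17.5"),
              "QA->other:", in_to_out_action(acl, "10.87.42.81", "198.51.100.10"))
```

With the original ACL the QA-to-production packet hits the deny, is not a class match, and is inspected (allowed), while every other QA destination is matched by ACE 20 and dropped; the corrected ACL inverts that.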
10-15-2012 08:45 AM