Zone-Based Policy Firewall help

isaiahhavoc
Level 1

Looking for necessary commands to do the following policy:

You should allow web traffic (HTTP and HTTPS ONLY) to get to the Server (192.168.2.3/24) in the DMZ of R1 (R1 G0/0 – 192.168.2.1/24). Allow pings to the DMZ server as well.

1 Reply

You could do something like the following:

! Layer 3/4 match: only TCP 80 and 443 towards the DMZ server
ip access-list extended web-to-dmzServer-acl
 permit tcp any host 192.168.2.3 eq 80
 permit tcp any host 192.168.2.3 eq 443
!
! A named ACL is referenced with the "name" keyword
class-map type inspect match-any web-to-dmzServer-cmap
 match access-group name web-to-dmzServer-acl
!
policy-map type inspect web-to-dmzServer-pmap
 class type inspect web-to-dmzServer-cmap
  inspect
!
zone security dmz
 description DMZ services
!
zone security web
 description Internet
!
! The zone-pair does nothing until the inspect policy is attached to it
zone-pair security web-to-dmz-pair source web destination dmz
 service-policy type inspect web-to-dmzServer-pmap
!
interface Gig0/0/0
 description Internet
 zone-member security web
!
interface Gig0/0/1
 description DMZ
 zone-member security dmz

Verification:

show policy-map type inspect zone web
show policy-map type inspect zone dmz
show policy-map type inspect zone-pair web-to-dmz-pair

Keep in mind that inspect allows return traffic of the same flow. However, if you require the DMZ servers to initiate traffic to other servers, PCs, or the internet, then this needs to be taken into account and added into the configuration. The configuration I have provided only allows for HTTP and HTTPS towards the DMZ server.

--
Please remember to select a correct answer and rate helpful posts
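The original question also asks for pings to the DMZ server, and the reply notes that DMZ-initiated sessions need their own treatment. The fragment below is an added example, not part of the reply above; it assumes the same zone names, interface assignments and server address as that reply, and the dmz-to-web names in it are chosen for illustration.

```cisco
! Added example: extend the web-to-dmz policy with ICMP echo only, then add a
! separate zone-pair for sessions the DMZ server itself originates.
! Assumes zones "web" and "dmz" and the server 192.168.2.3 from the reply.

! Only echo requests from the Internet side; inspect tracks the matching echo-reply
ip access-list extended ping-to-dmzServer-acl
 permit icmp any host 192.168.2.3 echo
!
class-map type inspect match-all ping-to-dmzServer-cmap
 match access-group name ping-to-dmzServer-acl
 match protocol icmp
!
! Same policy-map as the reply, now with the ping class and an explicit
! class-default that drops and logs everything else
policy-map type inspect web-to-dmzServer-pmap
 class type inspect web-to-dmzServer-cmap
  inspect
 class type inspect ping-to-dmzServer-cmap
  inspect
 class class-default
  drop log
!
zone-pair security web-to-dmz-pair source web destination dmz
 service-policy type inspect web-to-dmzServer-pmap
!
! DMZ-initiated traffic needs its own zone-pair; without one, traffic the
! server originates towards the web zone is dropped by default.
! The permitted services here (HTTP, HTTPS, DNS) are an assumption for the example.
ip access-list extended dmzServer-to-web-acl
 permit tcp host 192.168.2.3 any eq 80
 permit tcp host 192.168.2.3 any eq 443
 permit udp host 192.168.2.3 any eq 53
!
class-map type inspect match-all dmzServer-to-web-cmap
 match access-group name dmzServer-to-web-acl
!
policy-map type inspect dmzServer-to-web-pmap
 class type inspect dmzServer-to-web-cmap
  inspect
 class class-default
  drop log
!
zone-pair security dmz-to-web-pair source dmz destination web
 service-policy type inspect dmzServer-to-web-pmap
```

Restricting the ACL to the echo type means only outbound echo-replies are ever created by inspection, so the server cannot use the ping allowance to reach the Internet on its own.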