I'm trying to configure a zone-based firewall on an SR520 and am confused about the 'not' criterion. The 'zone-design-guide' says (my stress):
Class-maps define the traffic that the firewall selects for policy application. Layer 4 class-maps sort the traffic based on these criteria listed here. These criteria are specified using the match
command in a class-map:
Access-group—A standard, extended, or named ACL can filter traffic based on source and destination IP address and source and destination port.
Protocol—The Layer 4 protocols (TCP, UDP, and ICMP) and application services such as HTTP, SMTP, DNS, etc. Any well-known or user-defined service known to Port-Application Mapping can be specified.
Class-map—A subordinate class-map that provides additional match criteria can be nested inside another class-map.
Not—The not criterion specifies that any traffic that does not match a specified service (protocol), access-group or subordinate class-map will be selected for the class-map.
but it doesn't give any examples of use of the 'not' criterion and I can't get our SR520 to accept anything I try. I can't find any other help on this either.
What I'm trying to do is allow only a restricted set of hosts on the LAN out-bound access through the firewall, e.g.
class-map type inspect match-all allowed-LAN-hosts
match not access-group 108 ???? - router won't allow! - what is the correct syntax?
policy-map type inspect pm-in-out
class type inspect allowed-LAN-hosts
drop
....
! wildcard 0.0.0.7 covers 192.168.1.0-192.168.1.7 (0.0.0.248 would match .0, .8, .16, ... instead)
access-list 108 permit ip 192.168.1.0 0.0.0.7 any
where my intention is to let only LAN hosts with IPs in the range 192.168.1.1 to 192.168.1.7 out through the firewall.
There may be an easier way of doing this which I'd be pleased to hear about. But, even if there is, I'd also be interested to know what I'm doing wrong in the above.
Thanks, Ian.
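An added example (not the poster's configuration and not taken from the Cisco design guide) of the deny-by-default pattern that achieves the stated goal without using the 'not' criterion at all: the class-map matches the permitted hosts (and the protocols to inspect, via a nested class-map as the guide's "Class-map" criterion describes), the policy-map inspects that class, and the implicit class-default drops everything else. The zone names LAN and WAN, the interface names, and the `log` keyword on the drop are assumptions for illustration. Note also that the wildcard mask for hosts 192.168.1.1 to 192.168.1.7 is 0.0.0.7, not 0.0.0.248 (which would match .0, .8, .16 and so on, skipping .1 to .7 entirely).

```cisco
! Permitted LAN hosts: 192.168.1.0/29 (wildcard 0.0.0.7 = hosts .1 to .7; .0 is the network address)
access-list 108 permit ip 192.168.1.0 0.0.0.7 any
!
! Protocols to inspect for the permitted hosts (nested class-map)
class-map type inspect match-any LAN-protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! match-all: traffic must come from a permitted host AND be one of the inspected protocols
class-map type inspect match-all allowed-LAN-hosts
 match access-group 108
 match class-map LAN-protocols
!
! Inspect the permitted class; everything else falls into class-default and is dropped.
! No 'match not' is needed: class-default is the implicit "everything that did not match".
policy-map type inspect pm-in-out
 class type inspect allowed-LAN-hosts
  inspect
 class class-default
  drop log
!
! Zones and the LAN->WAN zone-pair (names assumed for this example)
zone security LAN
zone security WAN
zone-pair security LAN-to-WAN source LAN destination WAN
 service-policy type inspect pm-in-out
!
! Interface assignment (interface names assumed)
interface Vlan1
 zone-member security LAN
interface FastEthernet4
 zone-member security WAN
```

With this in place, hosts outside 192.168.1.1-192.168.1.7 get no policy match and are dropped (and logged) by class-default, while the permitted hosts have their sessions inspected so return traffic is allowed back in. `show policy-map type inspect zone-pair LAN-to-WAN` shows per-class match and drop counters, which is the quickest way to confirm which class a given host is landing in.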