cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
352
Views
5
Helpful
2
Replies
Beginner

ZBF and Question/clarification about 'policy-map type inspect' from INTERNET-ZONE to a DMZ-ZONE

Hi guys and thanks again for taking you time to help explain..

My goal is to only allow 5 ports through from INTERNET-ZONE to DMZ-ZONE and to specific ip addresses in object-groups.

  1. HTTP-HTTPS-DNS to my webserver 
  2. IMAP-SMTP to my mailserver

But I'm a little confused and not sure that I'm doing it right - if some of you could entlighte me or correct me, I would be delighted.

Is - class-map type inspect match-any CLASS-L4-IPnecessary or does it just let everything through ??

Her is my config

object-group network GROUP_DMZ_MAIL 
 description EMAIL servers in DMZ
 host XXX.XXX.XXX.100
 host XXX.XXX.XXX.115

object-group network GROUP-DMZ-WEBSERVER
 description FILE server in DMZ
 host XXX.XXX.XXX.101
 host XXX.XXX.XXX.102
 host XXX.XXX.XXX.103
 host XXX.XXX.XXX.104
 host XXX.XXX.XXX.105
ip access-list extended INTERNET-->DMZ-EMAIL
 permit ip any object-group GROUP-DMZ-MAIL

ip access-list extended INTERNET-->DMZ-WEBSERVER
 permit ip any object-group GROUP-DMZ-WEBSERVER
class-map type inspect match-any CLASS-L4-IP
 match protocol icmp
 match protocol tcp
 match protocol udp

class-map type inspect match-any CLASS-INTERNET-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

class-map type inspect match-any CLASS-IMAP-SMTP
 match protocol imap
 match protocol smtp
 match protocol icmp

class-map type inspect match-all CLASS-MAIL-SERVER-(IP-RANGE-GROUP)

 match access-group name INTERNET-->DMZ-EMAIL
 match class-map CLASS-IMAP-SMTP

class-map type inspect match-all CLASS-FILE-SERVER-(IP-RANGE-GROUP)
 match access-group name INTERNET-->DMZ-WEBSERVER
 match class-map CLASS-INTERNET-TRAFFIC

 

policy-map type inspect POLICY-(INTERNET-->DMZ)
 class type inspect CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
  inspect 
 class type inspect CLASS-FILE-SERVER-(IP-RANGE-GROUP)
  inspect 
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log
zone-pair security INTERNET-TO-DMZ source INTERNET-ZONE destination DMZ-ZONE
 service-policy type inspect POLICY-(INTERNET-->DMZ)

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hall of Fame Expert

Re: ZBF and Question/clarification about 'policy-map type inspect' from INTERNET-ZONE to a DMZ-ZONE

Hello Lars,

I think you should add DNS to the mailservers, because they are likely to need it.

So I would configure the following:

 

class-map type inspect match-any CLASS-IMAP-SMTP
match protocol imap
match protocol smtp
match protocol icmp

match protocol dns

 

>> Is - class-map type inspect match-any CLASS-L4-IPnecessary or does it just let everything through ??

 

In your case with your current configuration this additional class may allow mailservers to use DNS services.

 

With the proposed configuration change above this class should not be needed.

 

However, it would be better to use it and to see if there are any matches on this class before removing it.

 

The policy-map type inspect is applied between the two zones from INTERNET-ZONE to DMZ-ZONE.

Using the specified direction.

(You may need also a policy for the opposite direction DMZ-ZONE to INTERNET-ZONE.)

So for example it does not apply to internet access betweeen the INTERNET-ZONE and INSIDE zone.

 

Hope to help

Giuseppe

 

2 REPLIES 2
Highlighted
Hall of Fame Expert

Re: ZBF and Question/clarification about 'policy-map type inspect' from INTERNET-ZONE to a DMZ-ZONE

Hello Lars,

I think you should add DNS to the mailservers, because they are likely to need it.

So I would configure the following:

 

class-map type inspect match-any CLASS-IMAP-SMTP
match protocol imap
match protocol smtp
match protocol icmp

match protocol dns

 

>> Is - class-map type inspect match-any CLASS-L4-IPnecessary or does it just let everything through ??

 

In your case with your current configuration this additional class may allow mailservers to use DNS services.

 

With the proposed configuration change above this class should not be needed.

 

However, it would be better to use it and to see if there are any matches on this class before removing it.

 

The policy-map type inspect is applied between the two zones from INTERNET-ZONE to DMZ-ZONE.

Using the specified direction.

(You may need also a policy for the opposite direction DMZ-ZONE to INTERNET-ZONE.)

So for example it does not apply to internet access betweeen the INTERNET-ZONE and INSIDE zone.

 

Hope to help

Giuseppe

 

Beginner

Re: ZBF and Question/clarification about 'policy-map type inspect' from INTERNET-ZONE to a DMZ-ZONE

Final and Full working config - regarding ZBF

object-group network GROUP_DMZ_FILEMAKER 
 description FILEMAKER server in DMZ
 host XXX.XXX.XXX.99

object-group network GROUP_DMZ_MAIL 
 description EMAIL servers in DMZ
 host XXX.XXX.XXX.100
 host XXX.XXX.XXX.115

object-group network GROUP-DMZ-WEBSERVER
 description file servers in DMZ
 host XXX.XXX.XXX.101
 host XXX.XXX.XXX.102
 host XXX.XXX.XXX.103
 host XXX.XXX.XXX.104
 host XXX.XXX.XXX.105
class-map type inspect match-any CLASS-INTERNET-TRAFFIC
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

class-map type inspect match-any CLASS-FTP
 match protocol ftp
 match protocol ftps

class-map type inspect match-any CLASS-SSH
 match protocol ssh

class-map type inspect match-any CLASS-IMAP-SMTP
 match protocol dns
 match access-group name EIMS-MAILSERVER
 match access-group name EIMS-MAILSERVER-ADMIN

class-map type inspect match-any CLASS-APPLE-AFP
 match access-group name APPLE-FILE-SHARING

class-map type inspect match-all CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
 match access-group name INTERNET-->DMZ-EMAIL
 match class-map CLASS-IMAP-SMTP

class-map type inspect match-all CLASS-FILE-SERVER-(IP-RANGE-GROUP)
 match access-group name INTERNET-->DMZ-WEBSERVER
 match class-map CLASS-INTERNET-TRAFFIC

class-map type inspect match-all CLASS-FILEMAKER-SERVER-(IP-RANGE-GROUP)
 match access-group name INTERNET-->DMZ-FILEMAKER

class-map type inspect match-any CLASS-APPLE-REMOTE-DESKTOP
 match access-group name APPLE-REMOTE-DESKTOP

class-map type inspect match-any CLASS_CRYPTO_IPSEC_PASS
 match access-group name IPSEC_TRAFFIC

class-map type inspect match-any CLASS-L4-IP
 match protocol icmp
 match protocol tcp
 match protocol udp
policy-map type inspect POLICY-(PRIVATE-->DMZ)
 class type inspect CLASS-FTP
  inspect 
 class type inspect CLASS-SSH
  inspect 
 class type inspect CLASS-APPLE-REMOTE-DESKTOP
  inspect 
 class type inspect CLASS-APPLE-AFP
  inspect 
 class type inspect CLASS-INTERNET-TRAFFIC
  inspect 
 class type inspect CLASS-IMAP-SMTP
  inspect 
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log

policy-map type inspect POLICY-(SELF-->INTERNET)
 class type inspect CLASS_CRYPTO_IPSEC_PASS
  pass
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log

policy-map type inspect POLICY-(INTERNET-->SELF)
 class type inspect CLASS_CRYPTO_IPSEC_PASS
  pass
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log

policy-map type inspect POLICY-(PRIVATE-->INTERNET)
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log

policy-map type inspect POLICY-(INTERNET-->DMZ)
 class type inspect CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
  inspect 
 class type inspect CLASS-FILE-SERVER-(IP-RANGE-GROUP)
  inspect  
 class class-default
  drop log

policy-map type inspect POLICY-(DMZ-->INTERNET)
 class type inspect CLASS-L4-IP
  inspect 
 class class-default
  drop log
zone security PRIVATE-ZONE
zone security INTERNET-ZONE
zone security DMZ-ZONE
zone-pair security PRIVATE-TO-DMZ source PRIVATE-ZONE destination DMZ-ZONE
 service-policy type inspect POLICY-(PRIVATE-->DMZ)

zone-pair security PRIVATE-TO-INTERNET source PRIVATE-ZONE destination INTERNET-ZONE
 service-policy type inspect POLICY-(PRIVATE-->INTERNET)

zone-pair security INTERNET-TO-DMZ source INTERNET-ZONE destination DMZ-ZONE
 service-policy type inspect POLICY-(INTERNET-->DMZ)

zone-pair security DMZ-TO-INTERNET source DMZ-ZONE destination INTERNET-ZONE
 service-policy type inspect POLICY-(DMZ-->INTERNET)

zone-pair security SELF-TO-VPN-INTERNET source self destination INTERNET-ZONE
 service-policy type inspect POLICY-(SELF-->INTERNET)

zone-pair security VPN-INTERNET-TO-SELF source INTERNET-ZONE destination self
 service-policy type inspect POLICY-(INTERNET-->SELF)
interface GigabitEthernet0/0
 description ISP WAN (Wide Area Network)
 ip address XXX.XXX.XXX.190 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security INTERNET-ZONE
 duplex auto
 speed auto

interface GigabitEthernet0/1
 description LAN (Local Area Network)
 ip address pool VLAN100
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE-ZONE
 duplex auto
 speed auto

interface GigabitEthernet0/2
 description LAN (Local Area Network)
 ip address pool VLAN50
 ip nat inside
 ip virtual-reassembly in
 zone-member security PRIVATE-ZONE
 duplex auto
 speed auto

 interface Vlan200
 description HWIC-4ESW_LAN - SERVER PARK
 ip address XXX.XXX.XXX.97 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ-ZONE

interface Virtual-Template1 type tunnel
 description Virtuel VPN Forbindelse
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INTERNET-ZONE
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SAS-VPN-VTUNNEL-PROFILE

interface Virtual-Template2 type tunnel
 description Virtuel TRUSTED-VPN Forbindelse
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ-ZONE
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
ip access-list extended IPSECtraffic
 permit esp any any
 permit udp any any eq isakmp
 permit ahp any any
 permit udp any any eq non500-isakmp

ip access-list extended APPLE-FILE-SHARING
 permit tcp any any eq 427
 permit tcp any any eq 548

ip access-list extended APPLE-REMOTE-DESKTOP
 permit tcp any any eq 22
 permit udp any any eq 3283
 permit tcp any any eq 5900
 permit udp any any eq 5900
 permit tcp any any eq 3283

ip access-list extended EIMS-MAILSERVER
 permit tcp any any eq 587
 permit tcp any any eq smtp
 permit tcp any any eq 143

ip access-list extended EIMS-MAILSERVER-ADMIN
 permit tcp any any eq 4199

ip access-list extended INTERNET-->DMZ-EMAIL
 permit ip any object-group GROUP-DMZ-MAIL

ip access-list extended INTERNET-->DMZ-FILEMAKER
 permit ip any object-group GROUP-DMZ-FILEMAKER

ip access-list extended INTERNET-->DMZ-WEBSERVER
 permit ip any object-group GROUP-DMZ-WEBSERVER

access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.225

 

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards