Final and Full working config - regarding ZBF
object-group network GROUP_DMZ_FILEMAKER
description FILEMAKER server in DMZ
host XXX.XXX.XXX.99
object-group network GROUP_DMZ_MAIL
description EMAIL servers in DMZ
host XXX.XXX.XXX.100
host XXX.XXX.XXX.115
object-group network GROUP-DMZ-WEBSERVER
description file servers in DMZ
host XXX.XXX.XXX.101
host XXX.XXX.XXX.102
host XXX.XXX.XXX.103
host XXX.XXX.XXX.104
host XXX.XXX.XXX.105
class-map type inspect match-any CLASS-INTERNET-TRAFFIC
match protocol http
match protocol https
match protocol dns
match protocol icmp
class-map type inspect match-any CLASS-FTP
match protocol ftp
match protocol ftps
class-map type inspect match-any CLASS-SSH
match protocol ssh
class-map type inspect match-any CLASS-IMAP-SMTP
match protocol dns
match access-group name EIMS-MAILSERVER
match access-group name EIMS-MAILSERVER-ADMIN
class-map type inspect match-any CLASS-APPLE-AFP
match access-group name APPLE-FILE-SHARING
class-map type inspect match-all CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
match access-group name INTERNET-->DMZ-EMAIL
match class-map CLASS-IMAP-SMTP
class-map type inspect match-all CLASS-FILE-SERVER-(IP-RANGE-GROUP)
match access-group name INTERNET-->DMZ-WEBSERVER
match class-map CLASS-INTERNET-TRAFFIC
class-map type inspect match-all CLASS-FILEMAKER-SERVER-(IP-RANGE-GROUP)
match access-group name INTERNET-->DMZ-FILEMAKER
class-map type inspect match-any CLASS-APPLE-REMOTE-DESKTOP
match access-group name APPLE-REMOTE-DESKTOP
class-map type inspect match-any CLASS_CRYPTO_IPSEC_PASS
match access-group name IPSEC_TRAFFIC
class-map type inspect match-any CLASS-L4-IP
match protocol icmp
match protocol tcp
match protocol udp
policy-map type inspect POLICY-(PRIVATE-->DMZ)
class type inspect CLASS-FTP
inspect
class type inspect CLASS-SSH
inspect
class type inspect CLASS-APPLE-REMOTE-DESKTOP
inspect
class type inspect CLASS-APPLE-AFP
inspect
class type inspect CLASS-INTERNET-TRAFFIC
inspect
class type inspect CLASS-IMAP-SMTP
inspect
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(SELF-->INTERNET)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(INTERNET-->SELF)
class type inspect CLASS_CRYPTO_IPSEC_PASS
pass
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(PRIVATE-->INTERNET)
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
policy-map type inspect POLICY-(INTERNET-->DMZ)
class type inspect CLASS-MAIL-SERVER-(IP-RANGE-GROUP)
inspect
class type inspect CLASS-FILE-SERVER-(IP-RANGE-GROUP)
inspect
class class-default
drop log
policy-map type inspect POLICY-(DMZ-->INTERNET)
class type inspect CLASS-L4-IP
inspect
class class-default
drop log
zone security PRIVATE-ZONE
zone security INTERNET-ZONE
zone security DMZ-ZONE
zone-pair security PRIVATE-TO-DMZ source PRIVATE-ZONE destination DMZ-ZONE
service-policy type inspect POLICY-(PRIVATE-->DMZ)
zone-pair security PRIVATE-TO-INTERNET source PRIVATE-ZONE destination INTERNET-ZONE
service-policy type inspect POLICY-(PRIVATE-->INTERNET)
zone-pair security INTERNET-TO-DMZ source INTERNET-ZONE destination DMZ-ZONE
service-policy type inspect POLICY-(INTERNET-->DMZ)
zone-pair security DMZ-TO-INTERNET source DMZ-ZONE destination INTERNET-ZONE
service-policy type inspect POLICY-(DMZ-->INTERNET)
zone-pair security SELF-TO-VPN-INTERNET source self destination INTERNET-ZONE
service-policy type inspect POLICY-(SELF-->INTERNET)
zone-pair security VPN-INTERNET-TO-SELF source INTERNET-ZONE destination self
service-policy type inspect POLICY-(INTERNET-->SELF)
interface GigabitEthernet0/0
description ISP WAN (Wide Area Network)
ip address XXX.XXX.XXX.190 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET-ZONE
duplex auto
speed auto
interface GigabitEthernet0/1
description LAN (Local Area Network)
ip address pool VLAN100
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
interface GigabitEthernet0/2
description LAN (Local Area Network)
ip address pool VLAN50
ip nat inside
ip virtual-reassembly in
zone-member security PRIVATE-ZONE
duplex auto
speed auto
interface Vlan200
description HWIC-4ESW_LAN - SERVER PARK
ip address XXX.XXX.XXX.97 255.255.255.224
ip nat inside
ip virtual-reassembly in
zone-member security DMZ-ZONE
interface Virtual-Template1 type tunnel
description Virtuel VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security INTERNET-ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SAS-VPN-VTUNNEL-PROFILE
interface Virtual-Template2 type tunnel
description Virtuel TRUSTED-VPN Forbindelse
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ-ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile TRUSTED-VPN-VTUNNEL-PROFILE
ip access-list extended IPSECtraffic
permit esp any any
permit udp any any eq isakmp
permit ahp any any
permit udp any any eq non500-isakmp
ip access-list extended APPLE-FILE-SHARING
permit tcp any any eq 427
permit tcp any any eq 548
ip access-list extended APPLE-REMOTE-DESKTOP
permit tcp any any eq 22
permit udp any any eq 3283
permit tcp any any eq 5900
permit udp any any eq 5900
permit tcp any any eq 3283
ip access-list extended EIMS-MAILSERVER
permit tcp any any eq 587
permit tcp any any eq smtp
permit tcp any any eq 143
ip access-list extended EIMS-MAILSERVER-ADMIN
permit tcp any any eq 4199
ip access-list extended INTERNET-->DMZ-EMAIL
permit ip any object-group GROUP-DMZ-MAIL
ip access-list extended INTERNET-->DMZ-FILEMAKER
permit ip any object-group GROUP-DMZ-FILEMAKER
ip access-list extended INTERNET-->DMZ-WEBSERVER
permit ip any object-group GROUP-DMZ-WEBSERVER
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.225
