ZBFW example INSIDE/OUTSIDE/DMZ

ZBFW

ZBFW on R2 acting as firewall:

class-map type inspect match-all CM_ICMP
 match protocol icmp
class-map type inspect match-all CM_HTTP
 match protocol http
class-map type inspect match-all CM_TELNET
 match protocol telnet
!
!
policy-map type inspect PM_INSIDE2OUTSIDE
 class type inspect CM_TELNET
  inspect
 class type inspect CM_ICMP
  inspect
 class class-default
policy-map type inspect PM_OUTSIDE2INSIDE
 class type inspect CM_ICMP
  inspect
 class class-default
policy-map type inspect PM_OUTSIDE2DMZ
 class type inspect CM_HTTP
  inspect
 class type inspect CM_ICMP
  inspect
 class class-default
!
zone security ZONE_OUTSIDE
zone security ZONE_INSIDE
zone security ZONE_DMZ
zone-pair security ZP_INSIDE2OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect PM_INSIDE2OUTSIDE
zone-pair security ZP_OUTSIDE2INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PM_OUTSIDE2INSIDE
zone-pair security ZP_OUTSIDE2DMZ source ZONE_OUTSIDE destination ZONE_DMZ
 service-policy type inspect PM_OUTSIDE2DMZ

interface FastEthernet0/0
 ip address 129.53.12.2 255.255.255.0
 zone-member security ZONE_INSIDE
!
interface FastEthernet0/1
 ip address 129.53.23.2 255.255.255.0
 zone-member security ZONE_OUTSIDE
!
interface FastEthernet1/0
 ip address 129.53.24.2 255.255.255.0
 zone-member security ZONE_DMZ
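To see what these three zone-pairs actually permit, here is an added Python script (not part of the original post, and not a Cisco tool) that parses the R2 configuration above, embedded inline as sample text, and derives the effective per-direction allow list. It flags ordered zone pairs that have no zone-pair configured at all, such as DMZ to OUTSIDE or INSIDE to DMZ, which ZBFW drops implicitly, and separates those from directions where a zone-pair exists but its policy inspects or passes nothing. The function names are the example's own; a `class` with no action line is recorded as `drop`, which is the ZBFW default.

```python
"""Derive the effective inter-zone flow matrix from a Cisco IOS ZBFW configuration.
Added example, not from the original post; the sample below is the post's R2 config."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
class-map type inspect match-all CM_ICMP
 match protocol icmp
class-map type inspect match-all CM_HTTP
 match protocol http
class-map type inspect match-all CM_TELNET
 match protocol telnet
!
policy-map type inspect PM_INSIDE2OUTSIDE
 class type inspect CM_TELNET
  inspect
 class type inspect CM_ICMP
  inspect
 class class-default
policy-map type inspect PM_OUTSIDE2INSIDE
 class type inspect CM_ICMP
  inspect
 class class-default
policy-map type inspect PM_OUTSIDE2DMZ
 class type inspect CM_HTTP
  inspect
 class type inspect CM_ICMP
  inspect
 class class-default
!
zone security ZONE_OUTSIDE
zone security ZONE_INSIDE
zone security ZONE_DMZ
zone-pair security ZP_INSIDE2OUTSIDE source ZONE_INSIDE destination ZONE_OUTSIDE
 service-policy type inspect PM_INSIDE2OUTSIDE
zone-pair security ZP_OUTSIDE2INSIDE source ZONE_OUTSIDE destination ZONE_INSIDE
 service-policy type inspect PM_OUTSIDE2INSIDE
zone-pair security ZP_OUTSIDE2DMZ source ZONE_OUTSIDE destination ZONE_DMZ
 service-policy type inspect PM_OUTSIDE2DMZ
"""


def parse_zbfw(config):
    """Return (zones, class_maps, policy_maps, zone_pairs) from running-config text."""
    class_maps = defaultdict(list)   # class-map name -> matched protocols
    policy_maps = defaultdict(dict)  # policy-map name -> {class name: action}
    zones, zone_pairs, ctx = [], {}, None   # ctx = (section, name, current class)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", line):
            ctx = ("cmap", m.group(1), None)
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx = ("pmap", m.group(1), None)
            policy_maps[m.group(1)]  # register the policy even if it stays empty
        elif m := re.match(r"zone security (\S+)$", line):
            zones.append(m.group(1))
            ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            zone_pairs[m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            ctx = ("zpair", m.group(1), None)
        elif ctx is None:
            continue
        elif ctx[0] == "cmap" and (m := re.match(r"match protocol (\S+)", line)):
            class_maps[ctx[1]].append(m.group(1))
        elif ctx[0] == "pmap" and (m := re.match(r"class (?:type inspect )?(\S+)$", line)):
            policy_maps[ctx[1]][m.group(1)] = "drop"  # no action line = ZBFW default drop
            ctx = (ctx[0], ctx[1], m.group(1))
        elif ctx[0] == "pmap" and ctx[2] and line.split()[0] in ("inspect", "pass", "drop"):
            policy_maps[ctx[1]][ctx[2]] = line.split()[0]
        elif ctx[0] == "zpair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            zone_pairs[ctx[1]]["policy"] = m.group(1)
    return zones, dict(class_maps), dict(policy_maps), zone_pairs


def effective_flows(zones, class_maps, policy_maps, zone_pairs):
    """Map each ordered (src, dst) pair to {protocol: action} for inspected/passed
    classes; None means no zone-pair exists, so ZBFW drops that direction outright.
    Intra-zone traffic and the return leg of inspected sessions are not modelled."""
    flows = {(s, d): None for s in zones for d in zones if s != d}
    for zp in zone_pairs.values():
        allowed = {}
        for cls, action in policy_maps.get(zp["policy"], {}).items():
            if action in ("inspect", "pass"):
                for proto in class_maps.get(cls, []):
                    allowed[proto] = action
        flows[(zp["src"], zp["dst"])] = allowed
    return flows


def describe(flows):
    """One audit line per direction."""
    out = []
    for (src, dst), allowed in sorted(flows.items()):
        if allowed is None:
            text = "no zone-pair configured: implicit drop"
        elif not allowed:
            text = "zone-pair present but nothing inspected or passed: all dropped"
        else:
            text = ", ".join(f"{p} ({a})" for p, a in sorted(allowed.items()))
        out.append(f"{src} -> {dst}: {text}")
    return out
```

Running `print("\n".join(describe(effective_flows(*parse_zbfw(SAMPLE_CONFIG)))))` lists all six directions; the three without a zone-pair (DMZ to INSIDE, DMZ to OUTSIDE, INSIDE to DMZ) show as implicit drop. Return traffic for the inspected telnet, ICMP and HTTP sessions is allowed statefully by the inspect action and needs no reverse zone-pair, which is why the matrix only models the initiating direction.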

Show the ZBFW policies in action and see which traffic flows are inspected, dropped or passed:

R2#sh policy-map type inspect zone-pair sessions
 Zone-pair: ZP_INSIDE2OUTSIDE

  Service-policy inspect : PM_INSIDE2OUTSIDE

    Class-map: CM_TELNET (match-all)
      Match: protocol telnet
      Inspect

    Class-map: CM_ICMP (match-all)
      Match: protocol icmp
      Inspect
        Established Sessions
         Session 66FF68B0 (129.53.12.1:8)=>(3.3.3.3:0) icmp SIS_OPEN
          Created 00:00:02, Last heard 00:00:02
          ECHO request
          Bytes sent (initiator:responder) [360:360]

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5 packets, 400 bytes
 Zone-pair: ZP_OUTSIDE2INSIDE

  Service-policy inspect : PM_OUTSIDE2INSIDE

    Class-map: CM_ICMP (match-all)
      Match: protocol icmp
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes
 Zone-pair: ZP_OUTSIDE2DMZ

  Service-policy inspect : PM_OUTSIDE2DMZ

    Class-map: CM_HTTP (match-all)
      Match: protocol http
      Inspect
        Established Sessions
         Session 66FF6B78 (129.53.23.3:25019)=>(4.4.4.4:80) http SIS_OPEN
          Created 00:00:09, Last heard 00:00:09
          Bytes sent (initiator:responder) [0:0]

    Class-map: CM_ICMP (match-all)
      Match: protocol icmp
      Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes
R2#
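As an added example (not from the original post), the following Python parses the `show policy-map type inspect zone-pair sessions` output above, embedded inline and abridged, into per-zone-pair established sessions and class-default drop counters. Run against exported output it gives two things a defender wants from this command: which zone-pairs are accumulating drops (traffic the policy was never written for) and whether any open session uses a protocol the policy was not meant to inspect. The function names, the drop threshold and the `expected` protocol map are the example's own.

```python
"""Summarise `show policy-map type inspect zone-pair sessions` output per zone-pair.
Added example, not from the original post; the sample is the post's R2 output, abridged."""
import re

SAMPLE_SHOW = """\
Zone-pair: ZP_INSIDE2OUTSIDE
  Service-policy inspect : PM_INSIDE2OUTSIDE
    Class-map: CM_TELNET (match-all)
      Match: protocol telnet
      Inspect
    Class-map: CM_ICMP (match-all)
      Match: protocol icmp
      Inspect
        Established Sessions
         Session 66FF68B0 (129.53.12.1:8)=>(3.3.3.3:0) icmp SIS_OPEN
          Created 00:00:02, Last heard 00:00:02
          Bytes sent (initiator:responder) [360:360]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        5 packets, 400 bytes
Zone-pair: ZP_OUTSIDE2INSIDE
  Service-policy inspect : PM_OUTSIDE2INSIDE
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes
Zone-pair: ZP_OUTSIDE2DMZ
  Service-policy inspect : PM_OUTSIDE2DMZ
    Class-map: CM_HTTP (match-all)
      Match: protocol http
      Inspect
        Established Sessions
         Session 66FF6B78 (129.53.23.3:25019)=>(4.4.4.4:80) http SIS_OPEN
          Created 00:00:09, Last heard 00:00:09
          Bytes sent (initiator:responder) [0:0]
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes
"""

SESSION_RE = re.compile(r"Session (\w+) \(([\d.]+):(\d+)\)=>\(([\d.]+):(\d+)\) (\S+) (\S+)")
COUNTER_RE = re.compile(r"(\d+) packets, (\d+) bytes")


def parse_sessions(output):
    """Return {zone_pair: {"sessions": [...], "dropped_packets": n, "dropped_bytes": n}}."""
    summary, zp, cls = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"Zone-pair: (\S+)", line):
            zp = m.group(1)
            summary[zp] = {"sessions": [], "dropped_packets": 0, "dropped_bytes": 0}
        elif m := re.match(r"Class-map: (\S+)", line):
            cls = m.group(1)
        elif zp and (m := SESSION_RE.match(line)):
            summary[zp]["sessions"].append({
                "id": m.group(1), "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "state": m.group(7)})
        elif zp and cls == "class-default" and (m := COUNTER_RE.match(line)):
            # Only class-default counters are drops here; inspected classes list sessions.
            summary[zp]["dropped_packets"] += int(m.group(1))
            summary[zp]["dropped_bytes"] += int(m.group(2))
    return summary


def drop_alerts(summary, threshold):
    """Zone-pairs whose class-default drop count reached the threshold."""
    return sorted(zp for zp, s in summary.items() if s["dropped_packets"] >= threshold)


def unexpected_sessions(summary, expected):
    """Sessions whose protocol is not in the set the zone-pair's policy is known to inspect."""
    return [(zp, s) for zp, data in summary.items() for s in data["sessions"]
            if s["proto"] not in expected.get(zp, set())]
```

With the post's own policy, `expected` would be `{"ZP_INSIDE2OUTSIDE": {"telnet", "icmp"}, "ZP_OUTSIDE2INSIDE": {"icmp"}, "ZP_OUTSIDE2DMZ": {"http", "icmp"}}`, and the sample output yields no unexpected sessions; `drop_alerts(summary, 5)` singles out ZP_INSIDE2OUTSIDE, whose class-default has already dropped five packets of something other than telnet or ICMP.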
