11.39 CBPFW

Hi there,

I would like to post my configuration because it seems to me that it matches better some requirements that I didn't find in the SG.

So I believe that sharing our configurations can be helpful to see how we interpreted the other requirements, as for example bullet point number 5, and also about matching the ACLs for the INSIDE & DMZ subnets as indicated in bullet point number 10 of the task.

!
ip port-map aol port tcp 80 list 99
!
!
! match-any: a flow carries a single protocol, so a match-all class with two
! "match protocol" lines can never match and everything falls to class-default
class-map type inspect match-any CMAP_OUT2SELF
 match protocol ssh
 match protocol https
class-map type inspect match-any CMAP_SELF2OUT
 match protocol icmp
 match access-group name RIP
 match access-group name TELNET
class-map type inspect match-any CMAP_IN2DMZ
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tacacs
 match protocol ssh
 match protocol https
 match access-group name IN2DMZ
class-map type inspect match-any CMAP_IN2OUT
 match protocol http
 match protocol ftp
 match protocol icmp
 match protocol dns
 match protocol ssh
 match protocol telnet
 match protocol aol
 match access-group name LAN
 match access-group name PROXY
! same fix as CMAP_OUT2SELF: match-any so either ssh or https matches
class-map type inspect match-any CMAP_DMZ2SELF
 match protocol ssh
 match protocol https
class-map type inspect match-any CMAP_OUT2DMZ
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol tacacs
 match access-group name DMZ
!
!
policy-map type inspect PMAP_IN2OUT
 class type inspect CMAP_IN2OUT
  inspect
 class class-default
policy-map type inspect PMAP_DMZ2SELF
 class type inspect CMAP_DMZ2SELF
  pass
 class class-default
policy-map type inspect PMAP_OUT2SELF
 class type inspect CMAP_OUT2SELF
  inspect
 class class-default
policy-map type inspect PMAP_SELF2OUT
 class type inspect CMAP_SELF2OUT
  inspect
 class class-default
policy-map type inspect PMAP_IN2DMZ
 class type inspect CMAP_IN2DMZ
  inspect
 class class-default
policy-map type inspect PMAP_OUT2DMZ
 class type inspect CMAP_OUT2DMZ
  inspect
 class class-default
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security OUT2SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUT2SELF
zone-pair security DMZ2SELF source DMZ destination self
 service-policy type inspect PMAP_DMZ2SELF
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_IN2OUT
zone-pair security OUT2DMZ source OUTSIDE destination DMZ
 service-policy type inspect PMAP_OUT2DMZ
zone-pair security IN2DMZ source INSIDE destination DMZ
 service-policy type inspect PMAP_IN2DMZ
zone-pair security SELF2OUT source self destination OUTSIDE
 service-policy type inspect PMAP_SELF2OUT
zone-pair security SELF2DMZ source self destination DMZ
 service-policy type inspect PMAP_SELF2OUT
!
!
ip access-list standard LAN
 permit 150.1.1.0 0.0.0.255
!
ip access-list extended DMZ
 permit ip any 150.1.37.0 0.0.0.255
ip access-list extended IN2DMZ
 permit ip 150.1.1.0 0.0.0.255 155.1.37.0 0.0.0.255
ip access-list extended PROXY
 permit tcp 150.1.1.0 0.0.0.255 any eq 3128 8080
ip access-list extended RIP
 permit udp any any eq rip
ip access-list extended TELNET
 permit tcp any any eq telnet
!
access-list 99 permit 150.1.1.0 0.0.0.255
!
interface FastEthernet0/1
 ip address 155.1.5.5 255.255.255.0
 ip rip advertise 10
 zone-member security DMZ
 speed 100
 full-duplex
!
interface Serial0/1
 ip address 155.1.45.5 255.255.255.0
 ip rip advertise 10
 zone-member security INSIDE
 clock rate 64000
!
interface FastEthernet0/0
 ip address 155.1.58.5 255.255.255.0
 ip rip advertise 10
 zone-member security OUTSIDE
 speed 100
 full-duplex
!
!
The last zone-pair has the same policy-map assigned, SELF2OUT, because I realized later that both zones shared the same policy (Telnet+icmp), so I reassigned it using the same name, but the requirements are fulfilled anyway; I just need to change the names to make things cleaner.
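The following is an added example, not part of the post above and not IOS code: a small Python model of how a zone-based firewall evaluates a flow (intra-zone traffic passes, the self zone is open unless a zone-pair polices it, other interzone traffic is dropped without a zone-pair, the first matching class in a policy-map wins, and a class-default without an action drops). It transcribes a subset of the posted class-maps and contrasts the original match-all CMAP_OUT2SELF with a match-any version. The evaluation rules follow the documented ZBF defaults; the flows and their `acl_hits` (which named ACLs permit the flow) are constructed for the example.

```python
# Added example: a model of IOS zone-based firewall policy evaluation.
# Not IOS code; ZBF default behaviours are modelled, test flows are constructed.
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    name: str
    mode: str                                    # "match-any" or "match-all"
    protocols: set = field(default_factory=set)  # "match protocol X" lines
    acls: set = field(default_factory=set)       # "match access-group name X" lines

    def matches(self, flow):
        # Each match line is one criterion. A flow has exactly one application
        # protocol, so two "match protocol" lines can never both be true.
        checks = [flow["proto"] == p for p in self.protocols]
        checks += [name in flow["acl_hits"] for name in self.acls]
        if not checks:
            return False
        return any(checks) if self.mode == "match-any" else all(checks)


@dataclass
class PolicyMap:
    name: str
    classes: list                                # ordered (ClassMap, action) pairs

    def action_for(self, flow):
        for cmap, action in self.classes:
            if cmap.matches(flow):
                return action                    # first matching class wins
        return "drop"                            # class-default with no action drops


def verdict(flow, zone_pairs):
    """Return the firewall action for a flow given a {(src, dst): PolicyMap} table."""
    src, dst = flow["src_zone"], flow["dst_zone"]
    if src == dst:
        return "pass"                            # intra-zone traffic is not policed
    pmap = zone_pairs.get((src, dst))
    if pmap is None:
        # No zone-pair: the self zone is open by default, other interzone traffic is dropped.
        return "pass" if "self" in (src, dst) else "drop"
    return pmap.action_for(flow)


# Class-maps transcribed from the post (subset), plus a match-any OUT2SELF.
CMAP_OUT2SELF_POSTED = ClassMap("CMAP_OUT2SELF", "match-all", {"ssh", "https"})
CMAP_OUT2SELF_FIXED = ClassMap("CMAP_OUT2SELF", "match-any", {"ssh", "https"})
CMAP_IN2OUT = ClassMap("CMAP_IN2OUT", "match-any",
                       {"http", "ftp", "icmp", "dns", "ssh", "telnet", "aol"},
                       {"LAN", "PROXY"})
CMAP_OUT2DMZ = ClassMap("CMAP_OUT2DMZ", "match-any",
                        {"http", "ftp", "dns", "tacacs"}, {"DMZ"})


def build_zone_pairs(out2self_cmap):
    return {
        ("OUTSIDE", "self"): PolicyMap("PMAP_OUT2SELF", [(out2self_cmap, "inspect")]),
        ("INSIDE", "OUTSIDE"): PolicyMap("PMAP_IN2OUT", [(CMAP_IN2OUT, "inspect")]),
        ("OUTSIDE", "DMZ"): PolicyMap("PMAP_OUT2DMZ", [(CMAP_OUT2DMZ, "inspect")]),
    }


AS_POSTED = build_zone_pairs(CMAP_OUT2SELF_POSTED)
CORRECTED = build_zone_pairs(CMAP_OUT2SELF_FIXED)

# Constructed flows; acl_hits holds the named ACLs that permit the flow.
SSH_TO_ROUTER = {"src_zone": "OUTSIDE", "dst_zone": "self", "proto": "ssh", "acl_hits": set()}
LAN_HTTP_OUT = {"src_zone": "INSIDE", "dst_zone": "OUTSIDE", "proto": "http", "acl_hits": {"LAN"}}
DMZ_TO_INSIDE = {"src_zone": "DMZ", "dst_zone": "INSIDE", "proto": "http", "acl_hits": set()}
SMTP_TO_DMZ = {"src_zone": "OUTSIDE", "dst_zone": "DMZ", "proto": "smtp", "acl_hits": {"DMZ"}}
INTRA_INSIDE = {"src_zone": "INSIDE", "dst_zone": "INSIDE", "proto": "smtp", "acl_hits": set()}

if __name__ == "__main__":
    for label, flow in [("ssh OUTSIDE->self", SSH_TO_ROUTER), ("LAN http out", LAN_HTTP_OUT),
                        ("DMZ->INSIDE", DMZ_TO_INSIDE), ("smtp OUTSIDE->DMZ", SMTP_TO_DMZ),
                        ("INSIDE->INSIDE", INTRA_INSIDE)]:
        print(f"{label:20s} posted={verdict(flow, AS_POSTED):8s} corrected={verdict(flow, CORRECTED)}")
```

Two points the model makes visible: with match-all, the ssh flow to the router falls through to class-default and is dropped, while match-any inspects it; and because CMAP_OUT2DMZ is match-any and its DMZ ACL permits `ip any`, any IP protocol toward that subnet is inspected, not only the four listed protocols, so the ACL line, not the protocol lines, defines what reaches the DMZ.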
