
Topology (reconstructed from the extracted diagram; R3 is the zone-based firewall, its addresses agree with the running config below):

  R1 ------ 155.1.13.0/24 ------ R3 ------ 155.1.23.0/24 ------ R2
  s0/0/0 .1              .3 s0/0/0   s0/0/1 .3              .2 s0/0/1 (DCE)
  Lo0 150.1.1.1/24                                         Lo0 150.1.2.2/24
  [INSIDE zone]                                            [OUTSIDE zone]

                                 R3 fa0/0 .3
                                     |
                               155.1.37.0/24   [DMZ zone]
                                     |
                                 R7 fa0/0 .7
                                 Lo0 150.1.7.7/24

  All three links run OSPF Area 0. The "DCE" label sits beside the s0/0/1 pair on the
  R3-R2 link; which end supplies clocking is not recoverable from the extracted diagram.

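!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Access-Lists
!!!!!!!!!!!!!!!!!!!!!!!!!!!
! These ACLs only *select* traffic for the inspect class-maps that follow;
! the permit/drop decision is taken by the policy-map action, not here.

!
! Telnet sessions (router-originated, self -> OUTSIDE/DMZ via PMAP_SELF_TO_ANY)
!
ip access-list extended ACL_TELNET
 remark telnet originated by R3 itself (CMAP_TELNET)
 permit tcp any any eq 23
!
! SSH and HTTPS connections to the router (OUTSIDE/DMZ -> self)
!
ip access-list extended ACL_SSH_HTTPS
 remark management of R3 over SSH and HTTPS (CMAP_SSH_HTTPS)
 permit tcp any any eq 22
 permit tcp any any eq 443
!
! OSPF updates to the router (OUTSIDE/DMZ -> self)
!
! NOTE(review): the original list also carried "permit tcp any any eq 443".
! That entry duplicated ACL_SSH_HTTPS and hid HTTPS in a list named for OSPF;
! it is dropped here. TCP/443 still reaches an inspect action through
! CMAP_SSH_HTTPS in both self-zone policy-maps, so the effective policy is
! unchanged. "any any" could be narrowed to the link subnets on the diagram
! (155.1.13.0/24, 155.1.23.0/24, 155.1.37.0/24) plus 224.0.0.5/6 - confirm
! the neighbor addresses before tightening.
!
ip access-list extended ACL_OSPF
 remark OSPF arriving at R3 from OUTSIDE/DMZ (CMAP_OSPF)
 permit ospf any any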
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Class-maps of type inspect
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! match-all = every "match" line must hit; match-any = one hit suffices.
!
! OSPF updates (selected by ACL only - there is no "match protocol" for OSPF here)
!
class-map type inspect match-all CMAP_OSPF
match access-group name ACL_OSPF

!
! SSH and HTTPS traffic: the ACL (ports 22/443) AND the tcp protocol match
!
class-map type inspect match-all CMAP_SSH_HTTPS
match access-group name ACL_SSH_HTTPS
match protocol tcp
!
! Telnet traffic (router-originated; used by PMAP_SELF_TO_ANY)
!
class-map type inspect match-all CMAP_TELNET
match access-group name ACL_TELNET
match protocol tcp
!
! ICMP traffic (router-originated; used by PMAP_SELF_TO_ANY)
!
class-map type inspect match-all CMAP_ICMP
match protocol icmp
!
! Protocols allowed from INSIDE to OUTSIDE
! NOTE(review): telnet and ftp leave the trusted zone in cleartext, and
! "aol" reads like a leftover from a lab exercise - confirm each is intended.
!
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
match protocol http
match protocol ftp
match protocol icmp
match protocol dns
match protocol ssh
match protocol telnet
match protocol aol
!
! Protocols allowed from OUTSIDE to DMZ (exposed services on the R7 segment)
!
class-map type inspect match-any CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
!
! Protocols allowed from INSIDE to DMZ (OUTSIDE set plus ssh/https for admin)
!
class-map type inspect match-any CMAP_INSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
match protocol ssh
match protocol https
!
! Traffic from INSIDE to OUTSIDE
! (match-all wrapper around a single match-any; harmless, and it leaves room
! for an additional "match access-group" to restrict source hosts later)
!
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_ACCESS
match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
!
! Traffic from OUTSIDE to DMZ
!
class-map type inspect match-all CMAP_OUTSIDE_TO_DMZ_ACCESS
match class-map CMAP_OUTSIDE_TO_DMZ_PROTOCOLS

!
! Traffic from INSIDE to DMZ
! NOTE(review): the original comment said "note the two ACLs used", but only
! the protocol class-map is matched here - no host ACL was ever added (the
! captured running config holds an empty, unreferenced ACL_DMZ_HOSTS, which
! was presumably meant to be the second match).
!
class-map type inspect match-all CMAP_INSIDE_TO_DMZ_ACCESS
match class-map CMAP_INSIDE_TO_DMZ_PROTOCOLS
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Policy-Maps for Configured Zones
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Each policy-map binds a class to the "inspect" action (stateful: replies
! to an inspected session are admitted on the reverse zone-pair without a
! policy of their own). class-default is written out with the explicit
! "drop" that ZBF applies to it anyway, so the fail-closed behaviour is
! visible in the config instead of implied. The "no pass" lines of the
! original were no-ops on a fresh device and are omitted.

!
! Inter-zone policies: INSIDE->OUTSIDE, INSIDE->DMZ, OUTSIDE->DMZ
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class type inspect CMAP_INSIDE_TO_OUTSIDE_ACCESS
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_INSIDE_TO_DMZ
 class type inspect CMAP_INSIDE_TO_DMZ_ACCESS
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_OUTSIDE_TO_DMZ
 class type inspect CMAP_OUTSIDE_TO_DMZ_ACCESS
  inspect
 class class-default
  drop

!
! Self-zone policies: traffic terminating on, or originating from, R3.
! NOTE(review): OSPF is not a TCP/UDP/ICMP flow, and "pass" is the usual
! ZBF action for it; the original's "no pass" lines suggest pass was tried
! first and replaced by inspect. Keep whichever keeps the adjacencies up -
! check "show ip ospf neighbor" after applying.
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class type inspect CMAP_SSH_HTTPS
  inspect
 class type inspect CMAP_OSPF
  inspect
 class class-default
  drop
!
policy-map type inspect PMAP_DMZ_TO_SELF
 class type inspect CMAP_SSH_HTTPS
  inspect
 class type inspect CMAP_OSPF
  inspect
 class class-default
  drop
!
! Router-originated traffic towards OUTSIDE and DMZ: telnet and ICMP only.
! Router-originated OSPF is not listed - see the note above.
!
policy-map type inspect PMAP_SELF_TO_ANY
 class type inspect CMAP_TELNET
  inspect
 class type inspect CMAP_ICMP
  inspect
 class class-default
  drop
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Zones and Zone-Pairs
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! ZBF defaults that shape what the pairs below mean:
!  - traffic between two zones with no zone-pair is dropped, so
!    OUTSIDE->INSIDE, DMZ->INSIDE and DMZ->OUTSIDE are blocked implicitly
!    (replies to inspected sessions are still admitted);
!  - the self zone is permit-by-default: there is no INSIDE<->self pair,
!    so management of R3 from INSIDE (telnet, HTTP, ...) is not filtered
!    by this firewall at all - rely on the vty/http authentication for it.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Inter-zone pairs (one direction each; replies ride the inspect session)
!
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
zone-pair security ZP_INSIDE_TO_DMZ source INSIDE destination DMZ
service-policy type inspect PMAP_INSIDE_TO_DMZ
!
zone-pair security ZP_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
service-policy type inspect PMAP_OUTSIDE_TO_DMZ
!
! Self-zone pairs: what the untrusted zones may send to R3 (22/443 and OSPF)
!
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
zone-pair security ZP_DMZ_TO_SELF source DMZ destination self
service-policy type inspect PMAP_DMZ_TO_SELF
!
! Router-originated traffic: both pairs share PMAP_SELF_TO_ANY, which lists
! only telnet and ICMP. Router-originated OSPF hellos are not in it -
! confirm adjacencies on s0/0/1 and fa0/0 stay up after this is applied.
!
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect PMAP_SELF_TO_ANY
!
zone-pair security ZP_SELF_TO_DMZ source self destination DMZ
service-policy type inspect PMAP_SELF_TO_ANY
!
! Apply zones to interfaces
! (s0/0/0 = 155.1.13.3 to R1, s0/0/1 = 155.1.23.3 to R2, fa0/0 = 155.1.37.3
! to R7, per the running config)
!
interface Serial 0/0/0
zone-member security INSIDE
!
interface Serial 0/0/1
zone-member security OUTSIDE
!
interface FastEthernet 0/0
zone-member security DMZ
R3#sh run
Building configuration...

Current configuration : 6124 bytes


!
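version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
! Was "no service password-encryption": with that, every "password" line is
! shown in cleartext in "show run" and in config backups. Type-7 obfuscation
! is reversible, so this is defence-in-depth only; the real fix is a hashed
! "secret" on the username line.
service password-encryption
!
hostname R3
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.124-15.T9.bin
boot-end-marker
!
! Was "no logging buffered": with no local buffer (and no syslog host in
! this config) firewall drop/audit messages exist only on the console.
! Enable the buffer at the platform default size.
logging buffered
!
! No AAA: authentication falls back to the local username database / line
! passwords, and there is no accounting of admin sessions.
no aaa new-model
memory-size iomem 10
dot11 syslog
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm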
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Self-signed certificate backing "ip http secure-server" (HTTPS management).
! Decoding the DER blob below: subject/issuer CN as stated, subjectAltName
! dNSName "R3", basicConstraints CA:TRUE, 1024-bit RSA key, signature
! md5WithRSAEncryption, validity 2010-10-25 17:26:35Z to 2020-01-01 00:00:00Z -
! i.e. it has expired and clients will warn. Nothing chains to a self-signed
! certificate, so "revocation-check none" is the only workable setting here;
! the fix is a CA-issued (or at least re-generated) certificate with a
! 2048-bit key and a SHA-2 signature.
crypto pki trustpoint TP-self-signed-1367916274
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1367916274
revocation-check none
rsakeypair TP-self-signed-1367916274
!
!
! Certificate body - do not insert anything between "certificate" and "quit".
crypto pki certificate chain TP-self-signed-1367916274
certificate self-signed 01
3082023A 308201A3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333637 39313632 3734301E 170D3130 31303235 31373236
33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33363739
31363237 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100DBB5 C26E90DB 46D30640 6A2FE45A C1D74C0B DE722C27 EE7EED9D BB16C7F7
7F833B79 51C59E0A 123E79FC 8525F31E 987CF811 D28544BD C6AC4A89 4E28FFB4
677F1990 1FE30799 16F6FEDA 55759A01 6ACD503D F3C9150C 69554051 84935CCF
1F4C8C8E EFB7196B EA9D1DC3 783ED058 13AD28E8 75E71234 47FDEC0D 9CFE1377
F35D0203 010001A3 62306030 0F060355 1D130101 FF040530 030101FF 300D0603
551D1104 06300482 02523330 1F060355 1D230418 30168014 316B0F73 E80DE449
EB01A9F3 EF72C952 62B02625 301D0603 551D0E04 16041431 6B0F73E8 0DE449EB
01A9F3EF 72C95262 B0262530 0D06092A 864886F7 0D010104 05000381 81008F1E
A8FF253C 1DA49010 FC592FCD 8140C645 C2F9B7DD FB9E1F96 1E4678D0 FDA8EEDF
316094D0 61D82FF1 BF304EEF A18A0062 B2A8C429 6A89B721 92EB6A5F 880E38AA
462540E2 87A3DE28 94D1C05C 07CE0DF3 799E68EF 906E0E81 10FB93CE 70413CAE
27488433 3E2BBAAA CC847B86 542DE322 476CE060 177088BA B3BE696E 29B0
quit
!
!
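! Local privilege-15 admin account used by "ip http authentication local"
! and (with "login local") by the vty lines. The original stored the
! password in cleartext ("password 0 ...") under
! "no service password-encryption"; "secret" stores a one-way hash instead.
! The credential itself is kept so this edit stands on its own, but a
! password equal to the username is trivially guessable - rotate it.
username damir privilege 15 secret damir
! Keep a log of configuration changes, with passwords masked in that log.
archive
 log config
  hidekeys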
!
!
!
!
!
! Inspect class-maps as stored by IOS (same content as the design notes
! above, in the order the parser kept them).
! Services exposed to OUTSIDE on the DMZ segment (match-any: one hit suffices)
class-map type inspect match-any CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
class-map type inspect match-all CMAP_OUTSIDE_TO_DMZ_ACCESS
match class-map CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
! Outbound from INSIDE. NOTE(review): telnet/ftp are cleartext and "aol"
! looks like a lab leftover - confirm each is intended.
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
match protocol http
match protocol ftp
match protocol icmp
match protocol dns
match protocol ssh
match protocol telnet
match protocol aol
! INSIDE to DMZ: the OUTSIDE set plus ssh/https for administration
class-map type inspect match-any CMAP_INSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
match protocol ssh
match protocol https
! Management of R3 (ports 22/443 from the ACL AND tcp)
class-map type inspect match-all CMAP_SSH_HTTPS
match access-group name ACL_SSH_HTTPS
match protocol tcp
! Router-originated telnet (PMAP_SELF_TO_ANY)
class-map type inspect match-all CMAP_TELNET
match access-group name ACL_TELNET
match protocol tcp
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_ACCESS
match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
! OSPF to R3 - selected by ACL only; note ACL_OSPF in this capture also
! permits TCP/443, so HTTPS can match here when this class is evaluated first.
class-map type inspect match-all CMAP_OSPF
match access-group name ACL_OSPF
class-map type inspect match-all CMAP_INSIDE_TO_DMZ_ACCESS
match class-map CMAP_INSIDE_TO_DMZ_PROTOCOLS
! Router-originated ICMP (PMAP_SELF_TO_ANY)
class-map type inspect match-all CMAP_ICMP
match protocol icmp
!
!
! Inspect policy-maps as stored by IOS. "class class-default" with no action
! shown is the implicit drop: anything not matched above it is discarded.
! INSIDE->OUTSIDE
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class type inspect CMAP_INSIDE_TO_OUTSIDE_ACCESS
inspect
class class-default
! OUTSIDE->self: only SSH/HTTPS and OSPF may reach R3 from the outside link.
! NOTE(review): OSPF is not a TCP/UDP/ICMP flow; "pass" is the usual ZBF
! action for it - verify with "show ip ospf neighbor" that inspect keeps the
! adjacency to R2.
policy-map type inspect PMAP_OUTSIDE_TO_SELF
class type inspect CMAP_SSH_HTTPS
inspect
class type inspect CMAP_OSPF
inspect
class class-default
! self->OUTSIDE and self->DMZ: router-originated telnet and ICMP only.
! Router-originated OSPF is not listed here (see the note above).
policy-map type inspect PMAP_SELF_TO_ANY
class type inspect CMAP_TELNET
inspect
class type inspect CMAP_ICMP
inspect
class class-default
! INSIDE->DMZ
policy-map type inspect PMAP_INSIDE_TO_DMZ
class type inspect CMAP_INSIDE_TO_DMZ_ACCESS
inspect
class class-default
! DMZ->self: same classes as OUTSIDE->self, but CMAP_OSPF is evaluated first.
! Because ACL_OSPF in this capture also permits TCP/443, HTTPS from the DMZ
! matches here rather than in CMAP_SSH_HTTPS (same action, so no visible effect).
policy-map type inspect PMAP_DMZ_TO_SELF
class type inspect CMAP_OSPF
inspect
class type inspect CMAP_SSH_HTTPS
inspect
class class-default
! OUTSIDE->DMZ
policy-map type inspect PMAP_OUTSIDE_TO_DMZ
class type inspect CMAP_OUTSIDE_TO_DMZ_ACCESS
inspect
class class-default
!
! Three security zones; each zoned interface below belongs to exactly one.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
! Zone-pairs are unidirectional. Pairs that do not exist - OUTSIDE->INSIDE,
! DMZ->INSIDE, DMZ->OUTSIDE - are dropped by ZBF default; replies to
! inspected sessions are admitted regardless. There is no INSIDE<->self pair,
! so R3 is fully reachable from INSIDE (ZBF leaves the self zone
! permit-by-default), and the self->OUTSIDE / self->DMZ policy lists only
! telnet and ICMP, not router-originated OSPF.
zone-pair security ZP_INSIDE_TO_DMZ source INSIDE destination DMZ
service-policy type inspect PMAP_INSIDE_TO_DMZ
zone-pair security ZP_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
service-policy type inspect PMAP_OUTSIDE_TO_DMZ
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect PMAP_OUTSIDE_TO_SELF
zone-pair security ZP_DMZ_TO_SELF source DMZ destination self
service-policy type inspect PMAP_DMZ_TO_SELF
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect PMAP_SELF_TO_ANY
zone-pair security ZP_SELF_TO_DMZ source self destination DMZ
service-policy type inspect PMAP_SELF_TO_ANY
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
!
!
!
! DMZ link to R7 (155.1.37.0/24)
interface FastEthernet0/0
ip address 155.1.37.3 255.255.255.0
zone-member security DMZ
duplex auto
speed auto
!
! Unused port, administratively down. If it is ever brought up it should be
! placed in a zone first - per ZBF rules traffic between a zoned and an
! unzoned interface is dropped, so it would be isolated, not exposed.
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
! INSIDE link to R1 (155.1.13.0/24)
interface Serial0/0/0
ip address 155.1.13.3 255.255.255.0
zone-member security INSIDE
no fair-queue
!
! OUTSIDE link to R2 (155.1.23.0/24)
interface Serial0/0/1
ip address 155.1.23.3 255.255.255.0
zone-member security OUTSIDE
!
! OSPF process 1 on all three links (INSIDE, OUTSIDE, DMZ), area 0.
! NOTE(review): no OSPF authentication is configured, so any host on the
! OUTSIDE (155.1.23.0/24) or DMZ (155.1.37.0/24) segment can form an
! adjacency and inject routes - the firewall only checks that the packet is
! OSPF ("permit ospf any any"). MD5 authentication needs matching keys on
! R1, R2 and R7 (not shown here) before it can be enabled.
router ospf 1
log-adjacency-changes
network 155.1.13.0 0.0.0.255 area 0
network 155.1.23.0 0.0.0.255 area 0
network 155.1.37.0 0.0.0.255 area 0
!
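ip forward-protocol nd
!
! Cleartext HTTP management was enabled alongside HTTPS. The self-zone
! policies admit only 22/443 from OUTSIDE and DMZ, so port 80 was reachable
! solely from INSIDE (no INSIDE->self zone-pair) - but it still served the
! admin login over cleartext there. Disabled; HTTPS (443) remains.
no ip http server
! Web login checks the local username database (username damir ...).
ip http authentication local
ip http secure-server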
!
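! ACL_DMZ_HOSTS was declared empty and referenced nowhere in this running
! config (presumably the abandoned "second ACL" the INSIDE->DMZ comment in
! the design notes refers to); removed.
!
! "permit tcp any any eq 443" was removed from ACL_OSPF: it duplicated
! ACL_SSH_HTTPS and, in PMAP_DMZ_TO_SELF where CMAP_OSPF is evaluated first,
! made HTTPS hit the OSPF class. TCP/443 still reaches inspect through
! CMAP_SSH_HTTPS in both self-zone policy-maps, so the result is unchanged.
ip access-list extended ACL_OSPF
 remark OSPF arriving at R3 from OUTSIDE/DMZ (CMAP_OSPF)
 permit ospf any any
ip access-list extended ACL_SSH_HTTPS
 remark management of R3 over SSH/HTTPS (CMAP_SSH_HTTPS)
 permit tcp any any eq 22
 permit tcp any any eq 443
ip access-list extended ACL_TELNET
 remark telnet originated by R3 itself (CMAP_TELNET / PMAP_SELF_TO_ANY)
 permit tcp any any eq telnet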
!
!
!
!
!
!
!
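control-plane
!
! Console and AUX have no "login": physical access is full access. If no
! modem is attached to AUX, "no exec" on it is the usual hardening.
line con 0
line aux 0
! VTY lines: the original had "login" with no line password, which makes IOS
! refuse every remote login ("Password required, but none set"), and it
! accepted telnet. "login local" authenticates against the local username
! (damir, privilege 15), and only SSH is accepted - matching what the
! self-zone policies admit (22/443). SSH needs a host RSA key pair and a
! domain name, neither of which is visible in this capture: check
! "show ip ssh" from the console before relying on this, and keep a console
! session open while applying it.
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000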
!
end

R3#
