[Topology diagram: zones INSIDE, OUTSIDE and DMZ on R3; DMZ segment 155.1.37.0/24 in OSPF Area 0; R7 fa0/0 at .7, Lo0 150.1.7.7/24]
!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Access-Lists
!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! Telnet sessions (for zone self inspection)
!
ip access-list extended ACL_TELNET
permit tcp any any eq 23
!
! SSH and HTTPS connections
!
ip access-list extended ACL_SSH_HTTPS
permit tcp any any eq 22
permit tcp any any eq 443
!
! OSPF updates
!
ip access-list extended ACL_OSPF
permit ospf any any
! The entry below is not an OSPF update; in both self-zone policies it is
! shadowed by CMAP_SSH_HTTPS, which is evaluated before CMAP_OSPF.
permit tcp any any eq 443
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Class-maps of type inspect
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! OSPF updates
!
class-map type inspect match-all CMAP_OSPF
match access-group name ACL_OSPF
!
! SSH and HTTPS traffic
!
class-map type inspect match-all CMAP_SSH_HTTPS
match access-group name ACL_SSH_HTTPS
match protocol tcp
!
! Telnet traffic
!
class-map type inspect match-all CMAP_TELNET
match access-group name ACL_TELNET
match protocol tcp
!
! ICMP traffic
!
class-map type inspect match-all CMAP_ICMP
match protocol icmp
!
! Protocols allowed from INSIDE to OUTSIDE
!
class-map type inspect match-any CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
match protocol http
match protocol ftp
match protocol icmp
match protocol dns
match protocol ssh
match protocol telnet
match protocol aol
!
! Protocols allowed from OUTSIDE to DMZ
!
class-map type inspect match-any CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
!
! Protocols allowed from INSIDE to DMZ
!
class-map type inspect match-any CMAP_INSIDE_TO_DMZ_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol tacacs
match protocol ssh
match protocol https
!
! Traffic from INSIDE to OUTSIDE
!
class-map type inspect match-all CMAP_INSIDE_TO_OUTSIDE_ACCESS
match class-map CMAP_INSIDE_TO_OUTSIDE_PROTOCOLS
!
! Traffic from OUTSIDE to DMZ
!
class-map type inspect match-all CMAP_OUTSIDE_TO_DMZ_ACCESS
match class-map CMAP_OUTSIDE_TO_DMZ_PROTOCOLS
!
! Traffic from INSIDE to DMZ (nested match on the protocol class-map)
!
class-map type inspect match-all CMAP_INSIDE_TO_DMZ_ACCESS
match class-map CMAP_INSIDE_TO_DMZ_PROTOCOLS
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Policy-Maps for Configured Zones
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! Policy-maps for INSIDE, OUTSIDE, DMZ
!
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
class CMAP_INSIDE_TO_OUTSIDE_ACCESS
inspect
!
policy-map type inspect PMAP_INSIDE_TO_DMZ
class CMAP_INSIDE_TO_DMZ_ACCESS
inspect
!
policy-map type inspect PMAP_OUTSIDE_TO_DMZ
class CMAP_OUTSIDE_TO_DMZ_ACCESS
inspect
!
! Policy-maps dealing with the zone self.
! (The "no pass" lines remove a previously configured pass action and are
! no-ops on a fresh configuration. The inspect action tracks state for TCP,
! UDP and ICMP only; for a routing protocol such as OSPF the pass action is
! the usual choice.)
!
policy-map type inspect PMAP_OUTSIDE_TO_SELF
class CMAP_SSH_HTTPS
inspect
class CMAP_OSPF
no pass
inspect
!
policy-map type inspect PMAP_DMZ_TO_SELF
class CMAP_SSH_HTTPS
inspect
class CMAP_OSPF
no pass
inspect
!
policy-map type inspect PMAP_SELF_TO_ANY
class CMAP_TELNET
no pass
inspect
class CMAP_ICMP
no pass
inspect
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Zones and Zone-Pairs
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
!
zone-pair security ZP_INSIDE_TO_DMZ source INSIDE destination DMZ
service-policy type inspect PMAP_INSIDE_TO_DMZ
!
zone-pair security ZP_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
service-policy type inspect PMAP_OUTSIDE_TO_DMZ
!
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect PMAP_OUTSIDE_TO_SELF
!
zone-pair security ZP_DMZ_TO_SELF source DMZ destination self
service-policy type inspect PMAP_DMZ_TO_SELF
!
zone-pair security ZP_SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect PMAP_SELF_TO_ANY
!
zone-pair security ZP_SELF_TO_DMZ source self destination DMZ
service-policy type inspect PMAP_SELF_TO_ANY
!
! Apply zones to interfaces
!
interface Serial 0/0/0
zone-member security INSIDE
!
interface Serial 0/0/1
zone-member security OUTSIDE
!
interface FastEthernet 0/0
zone-member security DMZ
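The configuration above leaves several directions unaddressed (for example DMZ to INSIDE, OUTSIDE to INSIDE, and INSIDE to self), and a ZBF applies its defaults there: inter-zone traffic without a zone-pair is dropped, while traffic to or from the router itself without a zone-pair is permitted. The following Python script is an added example, not code from the original page; it parses the zone, zone-pair, policy-map, class-map and ACL statements of an IOS config and reports every direction the config does not cover, plus policy-maps, class-maps and ACLs that are referenced but never defined. SAMPLE_CONFIG is a constructed, deliberately incomplete config (it omits ACL_OSPF and PMAP_DMZ_TO_SELF) so that the dangling-reference checks fire.

```python
"""Audit a Cisco IOS Zone-Based Firewall config for coverage gaps.

Added example (not from the original page). Reports:
  * inter-zone directions with no zone-pair  -> dropped by default
  * zone<->self directions with no zone-pair -> permitted by default
  * policy-maps, class-maps and ACLs that are referenced but not defined
"""
import re
from itertools import permutations

# Constructed sample config; intentionally leaves ACL_OSPF and
# PMAP_DMZ_TO_SELF undefined so the reference checks have something to find.
SAMPLE_CONFIG = """
ip access-list extended ACL_SSH_HTTPS
 permit tcp any any eq 22
 permit tcp any any eq 443
class-map type inspect match-all CMAP_SSH_HTTPS
 match access-group name ACL_SSH_HTTPS
class-map type inspect match-all CMAP_OSPF
 match access-group name ACL_OSPF
class-map type inspect match-any CMAP_WEB
 match protocol http
 match protocol https
policy-map type inspect PMAP_INSIDE_TO_OUTSIDE
 class CMAP_WEB
  inspect
policy-map type inspect PMAP_OUTSIDE_TO_SELF
 class CMAP_SSH_HTTPS
  inspect
 class CMAP_OSPF
  pass
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security ZP_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PMAP_INSIDE_TO_OUTSIDE
zone-pair security ZP_OUTSIDE_TO_SELF source OUTSIDE destination self
 service-policy type inspect PMAP_OUTSIDE_TO_SELF
zone-pair security ZP_DMZ_TO_SELF source DMZ destination self
 service-policy type inspect PMAP_DMZ_TO_SELF
"""


def parse_zbf(text):
    """Extract zones, zone-pairs, policy-maps, class-maps and ACL names."""
    cfg = {"zones": set(), "zone_pairs": {}, "policy_maps": {},
           "class_maps": {}, "acls": set()}
    ctx = None  # (kind, name) of the config block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"zone security (\S+)$", line):
            cfg["zones"].add(m.group(1))
            ctx = None
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)$", line):
            cfg["zone_pairs"][m.group(1)] = {"src": m.group(2), "dst": m.group(3), "policy": None}
            ctx = ("zone_pair", m.group(1))
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            cfg["policy_maps"][m.group(1)] = []  # ordered [class, action] pairs
            ctx = ("policy_map", m.group(1))
        elif m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", line):
            cfg["class_maps"][m.group(1)] = {"acls": [], "classes": []}
            ctx = ("class_map", m.group(1))
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            cfg["acls"].add(m.group(1))
            ctx = None  # ACL entries themselves are not needed for this audit
        elif ctx and ctx[0] == "zone_pair":
            if m := re.match(r"service-policy type inspect (\S+)$", line):
                cfg["zone_pairs"][ctx[1]]["policy"] = m.group(1)
        elif ctx and ctx[0] == "policy_map":
            classes = cfg["policy_maps"][ctx[1]]
            if m := re.match(r"class (?:type inspect )?(\S+)$", line):
                classes.append([m.group(1), None])
            elif classes and line.split()[0] in ("inspect", "pass", "drop"):
                classes[-1][1] = line.split()[0]
        elif ctx and ctx[0] == "class_map":
            cm = cfg["class_maps"][ctx[1]]
            if m := re.match(r"match access-group name (\S+)$", line):
                cm["acls"].append(m.group(1))
            elif m := re.match(r"match class-map (\S+)$", line):
                cm["classes"].append(m.group(1))
    return cfg


def audit(cfg):
    """Return a list of (kind, subject, detail) findings."""
    findings = []
    zones = sorted(cfg["zones"])
    covered = {(zp["src"], zp["dst"]) for zp in cfg["zone_pairs"].values()}
    for src, dst in permutations(zones, 2):  # every ordered inter-zone direction
        if (src, dst) not in covered:
            findings.append(("implicit-drop", f"{src}->{dst}",
                             "no zone-pair: inter-zone traffic is dropped by default"))
    for z in zones:  # both directions between each zone and the router itself
        for src, dst in ((z, "self"), ("self", z)):
            if (src, dst) not in covered:
                findings.append(("implicit-permit", f"{src}->{dst}",
                                 "no zone-pair: traffic to/from the router is permitted by default"))
    for name, zp in cfg["zone_pairs"].items():
        if zp["policy"] is None:
            findings.append(("no-service-policy", name, "zone-pair carries no policy"))
        elif zp["policy"] not in cfg["policy_maps"]:
            findings.append(("undefined-policy-map", name, zp["policy"]))
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes:
            if cname != "class-default" and cname not in cfg["class_maps"]:
                findings.append(("undefined-class-map", pname, cname))
            if action is None:
                findings.append(("no-action", pname, cname))
    for cname, cm in cfg["class_maps"].items():
        for acl in cm["acls"]:
            if acl not in cfg["acls"]:
                findings.append(("undefined-acl", cname, acl))
        for sub in cm["classes"]:
            if sub not in cfg["class_maps"]:
                findings.append(("undefined-class-map", cname, sub))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit(parse_zbf(SAMPLE_CONFIG)):
        print(f"{kind:22} {subject:26} {detail}")
```

Feed it the text of a real show run and read the implicit-permit lines first: every zone-to-self direction without a zone-pair means the router's own services (SSH, HTTPS, routing protocols) are reachable from that zone without any inspection, which is usually the gap worth closing.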
(Configuration applied on R3; the show run output is not included.)