Security: Zone based firewall rules

Intended traffic that will be allowed and be inspected from inside to outside zone

class-map type inspect match-any fw-cmap
match protocol ssh
match protocol telnet
match protocol http
match protocol https
match protocol ftp
match protocol dns
match protocol ntp
match protocol smtp
match protocol isakmp
match protocol ipsec-msft

Class map can be used for QoS to classify interesting traffic, the type inspect specify that this class map is for zone based firewall.

There’s a default class known as class-default, this class classify everything.

Firewall action. Only protocols specified in fw-cmap are allowed, the rest will be dropped

policy-map type inspect fw-policy
class type inspect fw-cmap
inspect
police rate 2000000 burst 300000
class class-default
drop

Apply the policy from inside to outside direction

zone-pair security inside-outside source inside destination outside
service-policy type inspect fw-policy

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

Related

Published by cyruslab

Leave a Reply Cancel reply