Security: Zone-based firewall rules

Traffic that is intended to be allowed, and stateful inspected, from the inside zone to the outside zone:

class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol telnet
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol smtp
 match protocol isakmp
 match protocol ipsec-msft

A class map is also what QoS uses to classify interesting traffic; the type inspect keyword specifies that this class map belongs to the zone-based firewall.

There is also a default class known as class-default, which matches everything not matched by an earlier class.

Firewall action. Only the protocols specified in fw-cmap are allowed; everything else falls into class-default and is dropped.

policy-map type inspect fw-policy
 class type inspect fw-cmap
  inspect
  police rate 2000000 burst 300000
 class class-default
  drop

Apply the policy in the inside-to-outside direction:

zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
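The snippets above only work once the zones exist and interfaces are placed in them, which the post does not show. The following is an added, complete version of the same configuration (not taken from the original post); the zone descriptions, the interface names GigabitEthernet0/0 and GigabitEthernet0/1, and the verification commands at the end are assumptions for illustration.

```cisco
! Zones must exist before the zone-pair can reference them.
zone security inside
 description LAN side (assumed)
zone security outside
 description Internet side (assumed)
!
! Same class-map as the post: protocols to allow and inspect.
class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol telnet
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol smtp
 match protocol isakmp
 match protocol ipsec-msft
!
! Same policy-map as the post: inspect and rate-limit the listed
! protocols, drop everything that lands in class-default.
policy-map type inspect fw-policy
 class type inspect fw-cmap
  inspect
  police rate 2000000 burst 300000
 class class-default
  drop
!
! Only this direction gets a zone-pair; with no outside-to-inside
! zone-pair, traffic initiated from outside is dropped by default.
zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
!
! Interface membership (assumed interface names).
interface GigabitEthernet0/0
 description Inside LAN (assumed)
 zone-member security inside
interface GigabitEthernet0/1
 description Outside / Internet (assumed)
 zone-member security outside
!
! Verification, from privileged EXEC mode:
! show zone-pair security
! show policy-map type inspect zone-pair inside-outside sessions
```

Because the action is inspect, return traffic for sessions opened from inside is permitted statefully without any outside-to-inside rule; traffic to and from the router itself belongs to the self zone and is not affected by this zone-pair.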
