Security: Zone based firewall rules

Traffic that will be allowed, and inspected, from the inside zone to the outside zone:

class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol telnet
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol smtp
 match protocol isakmp
 match protocol ipsec-msft

A class map is also used in QoS to classify interesting traffic; the keyword type inspect specifies that this class map is for the zone-based firewall. With match-any, a packet belongs to the class as soon as it matches any one of the listed protocols.

There is also a default class, class-default, which matches all traffic not matched by an earlier class.

Firewall action. Only the protocols matched by fw-cmap are inspected and allowed; everything else falls into class-default and is dropped:

policy-map type inspect fw-policy
 class type inspect fw-cmap
  ! police is only valid together with inspect, which also creates the stateful session
  inspect
  police rate 2000000 burst 300000
 class class-default
  ! drop is the default action for class-default in an inspect policy; stated explicitly
  drop

Apply the policy in the inside-to-outside direction:

zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
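For completeness, the full configuration the three blocks above depend on, as an added example that is not part of the original post: the zones themselves, the interfaces placed in them, and the show commands used to verify the result. The interface names (GigabitEthernet0/0 and GigabitEthernet0/1) are assumptions; the zone, class-map and policy-map names match the post.

```cisco
! --- zones (names match the zone-pair above) ---
zone security inside
 description LAN
zone security outside
 description Internet
!
! --- classification: the protocols allowed out ---
class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol telnet
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol smtp
 match protocol isakmp
 match protocol ipsec-msft
!
! --- actions: stateful inspect plus policing; everything else dropped and logged ---
policy-map type inspect fw-policy
 class type inspect fw-cmap
  inspect
  police rate 2000000 burst 300000
 class class-default
  drop log
!
! --- bind the policy to the inside->outside direction only ---
zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
!
! --- interface membership (interface names are assumptions) ---
interface GigabitEthernet0/0
 description LAN
 zone-member security inside
interface GigabitEthernet0/1
 description WAN
 zone-member security outside
!
! Caveats: no zone-pair exists for outside->inside, so unsolicited inbound
! traffic is dropped; return traffic for inspected sessions is allowed statefully.
! An interface that is in no zone cannot exchange traffic with a zoned interface.
!
! Verification (exec mode):
! show zone-pair security
! show policy-map type inspect zone-pair inside-outside
! show policy-map type inspect zone-pair inside-outside sessions
```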
