Traffic that will be allowed and inspected from the inside zone to the outside zone:
class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol telnet
 match protocol http
 match protocol https
 match protocol ftp
 match protocol dns
 match protocol ntp
 match protocol smtp
 match protocol isakmp
 match protocol ipsec-msft
Class maps can also be used for QoS to classify interesting traffic; the type inspect keywords specify that this class map is for the zone-based firewall.
There is also a default class, class-default, which matches everything.
Firewall action: only the protocols specified in fw-cmap are allowed; everything else is dropped.
policy-map type inspect fw-policy
 class type inspect fw-cmap
  inspect
  police rate 2000000 burst 300000
 class class-default
  drop
Apply the policy in the inside-to-outside direction:
zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
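
To review a configuration like this one, the following added example (not part of the original page) follows the chain zone-pair -> policy-map -> class-map and reports the action each protocol receives. The function names and the shortened sample are constructed for illustration; match-any class maps are assumed, as on this page.

```python
import re
# Constructed sample: this page's configuration with the protocol list shortened.
SAMPLE = """\
class-map type inspect match-any fw-cmap
 match protocol ssh
 match protocol dns
policy-map type inspect fw-policy
 class type inspect fw-cmap
  inspect
  police rate 2000000 burst 300000
 class class-default
  drop
zone-pair security inside-outside source inside destination outside
 service-policy type inspect fw-policy
"""

def parse(text):
    """Return (class-maps, policy-maps, zone-pairs); match-any semantics assumed."""
    cmaps, pmaps, pairs, cur, cls = {}, {}, {}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", line):
            cur = cmaps.setdefault(m[1], set())
        elif m := re.match(r"match protocol (\S+)", line):
            cur.add(m[1])
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            cur = pmaps.setdefault(m[1], [])
        elif m := re.match(r"class (?:type inspect )?(\S+)$", line):
            cur.append(cls := [m[1], None])
        elif m := re.match(r"(inspect|pass|drop)\b", line):
            cls[1] = cls[1] or m[1]
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            cur = pairs.setdefault((m[1], m[2]), [None])
        elif m := re.match(r"service-policy type inspect (\S+)$", line):
            cur[0] = m[1]
    return cmaps, pmaps, pairs

def effective_action(cfg, src, dst, proto):
    """Action for proto from zone src to zone dst; the first matching class wins."""
    cmaps, pmaps, pairs = cfg
    policy = pairs.get((src, dst), [None])[0]
    for name, action in pmaps.get(policy, []):
        if name == "class-default" or proto in cmaps.get(name, ()):
            return action or "drop"  # class with no action: treated as drop (assumption)
    return "drop"  # no zone-pair policy, or class-default not listed: default drop

def allowed(cfg, src, dst):
    """Protocols named in any class map that the src->dst policy does not drop."""
    protos = set().union(*cfg[0].values())
    return sorted(p for p in protos if effective_action(cfg, src, dst, p) != "drop")
```

Because the zone pair is unidirectional, querying the reverse direction (outside to inside) returns drop for every protocol unless a second zone pair is configured.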