1] CREATE CLASS-MAP with type INSPECT
class-map type inspect match-any CLASS-TRAFFIC
 match protocol dns
 match protocol ftp
 match protocol telnet
 match protocol h323
 match protocol https
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any CLASS-P2P
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any CLASS-SAP
 match protocol citrix
 match protocol citrix imaclient
 match protocol ica
 match protocol icabrowser
class-map type inspect match-all A-CLASS-TRAFFIC
 match class-map CLASS-TRAFFIC
class-map type inspect match-all B-CLASS-P2P
 match class-map CLASS-P2P
class-map type inspect match-all C-CLASS-SAP
 match class-map CLASS-SAP
class-map type inspect match-all D-CLASS-HTTP
 match protocol http
class-map type inspect match-any E-CLASS-ICMP
 match protocol icmp
2] CREATE POLICY-MAP with matching CLASS-MAP
policy-map type inspect SDM-ICMP
 class type inspect E-CLASS-ICMP
  no drop
  inspect
 class class-default
  no drop
  pass
policy-map type inspect SDM-INSPECT
 class type inspect A-CLASS-TRAFFIC
  no drop
  inspect
 class type inspect B-CLASS-P2P
  drop log
 class type inspect C-CLASS-SAP
  no drop
  inspect
 class type inspect D-CLASS-HTTP
  no drop
  inspect
 class class-default
policy-map type inspect SDM-PERMIT
 class class-default
3] CREATE Security Zones and tie to Interfaces
zone security out-zone
zone security in-zone
int fa0/0
 zone-member security in-zone
int dialer 0
 zone-member security out-zone
4] CREATE ZONE-PAIR with Source and Destination
zone-pair security ZP-self-out source self destination out-zone
 service-policy type inspect SDM-ICMP
zone-pair security ZP-out-self source out-zone destination self
 service-policy type inspect SDM-PERMIT
zone-pair security ZP-in-out source in-zone destination out-zone
 service-policy type inspect SDM-INSPECT
5] Show commands
R# show class-map type inspect WORD
R# show policy-map type inspect zone-pair sessions
R# show zone-pair security
R# show zone security
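The five steps above form a chain: class-maps are referenced by policy-maps, policy-maps are attached to zone-pairs, and zone-pairs name zones that interfaces must belong to. A broken link anywhere in that chain, or a class left without an action, silently drops traffic rather than raising an error. The following Python script is an added example, not part of the post or of Cisco IOS, that parses such a configuration and audits the chain. It keys on the stanza keywords (class-map, policy-map, zone, zone-pair) rather than indentation, and its sample input is a constructed, abridged copy of the configuration shown above; the finding texts and the parsed field names are this example's own choices.

```python
"""Consistency audit for a Cisco IOS Zone-Based Firewall (ZBFW) configuration.
Added example, not from the post: reports dangling references and silent defaults."""

# Constructed sample, abridged from the post's configuration, indented as IOS prints it.
SAMPLE_CONFIG = """\
class-map type inspect match-any CLASS-TRAFFIC
 match protocol dns
class-map type inspect match-any CLASS-P2P
 match protocol bittorrent signature
class-map type inspect match-all A-CLASS-TRAFFIC
 match class-map CLASS-TRAFFIC
class-map type inspect match-all B-CLASS-P2P
 match class-map CLASS-P2P
class-map type inspect match-any E-CLASS-ICMP
 match protocol icmp
policy-map type inspect SDM-ICMP
 class type inspect E-CLASS-ICMP
  inspect
 class class-default
  pass
policy-map type inspect SDM-INSPECT
 class type inspect A-CLASS-TRAFFIC
  inspect
 class type inspect B-CLASS-P2P
  drop log
 class class-default
policy-map type inspect SDM-PERMIT
 class class-default
zone security out-zone
zone security in-zone
zone-pair security ZP-self-out source self destination out-zone
 service-policy type inspect SDM-ICMP
zone-pair security ZP-out-self source out-zone destination self
 service-policy type inspect SDM-PERMIT
zone-pair security ZP-in-out source in-zone destination out-zone
 service-policy type inspect SDM-INSPECT
"""

ACTIONS = ("inspect", "pass", "drop")  # the three ZBFW class actions

def parse_zbfw(text):
    """Key on stanza keywords rather than indentation, so pasted configs parse too."""
    cfg = {"class_maps": {}, "policy_maps": {}, "zones": set(), "zone_pairs": {}}
    block, cur_class = ("", ""), None      # current top-level stanza, current class inside a policy-map
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "class-map":            # class-map type inspect match-any NAME
            cfg["class_maps"][w[-1]] = {"mode": w[-2], "matches": []}
            block = ("class-map", w[-1])
        elif w[0] == "policy-map":         # policy-map type inspect NAME
            cfg["policy_maps"][w[-1]] = {}
            block, cur_class = ("policy-map", w[-1]), None
        elif w[0] == "zone-pair":          # zone-pair security NAME source SRC destination DST
            cfg["zone_pairs"][w[2]] = {"source": w[4], "destination": w[6], "policy": None}
            block = ("zone-pair", w[2])
        elif w[0] == "zone":               # zone security NAME
            cfg["zones"].add(w[-1])
            block = ("", "")
        elif block[0] == "class-map" and w[0] == "match":
            cfg["class_maps"][block[1]]["matches"].append(w[1:])
        elif block[0] == "policy-map" and w[0] == "class":
            cur_class = w[-1]              # "class type inspect NAME" or "class class-default"
            cfg["policy_maps"][block[1]][cur_class] = []
        elif block[0] == "policy-map" and cur_class is not None:
            cfg["policy_maps"][block[1]][cur_class].append(" ".join(w))
        elif block[0] == "zone-pair" and w[0] == "service-policy":
            cfg["zone_pairs"][block[1]]["policy"] = w[-1]
    return cfg

def audit_zbfw(cfg):
    out, cmaps, pmaps = [], cfg["class_maps"], cfg["policy_maps"]
    for name, cm in cmaps.items():
        for m in cm["matches"]:
            if m[0] == "class-map" and m[1] not in cmaps:
                out.append(f"class-map {name} nests undefined class-map {m[1]}")
    for pname, classes in pmaps.items():
        for cname, lines in classes.items():
            if cname != "class-default" and cname not in cmaps:
                out.append(f"policy-map {pname} references undefined class-map {cname}")
            acts = [l for l in lines if l.split()[0] in ACTIONS]   # ignores "no drop" and the like
            if not acts:
                out.append(f"policy-map {pname} class {cname}: no action, traffic is implicitly dropped")
            if "drop" in acts:
                out.append(f"policy-map {pname} class {cname}: drop without log, blocked traffic leaves no record")
            if any(a.startswith("pass") for a in acts):
                out.append(f"policy-map {pname} class {cname}: pass is stateless, return traffic needs its own zone-pair")
    for zname, zp in cfg["zone_pairs"].items():
        for z in (zp["source"], zp["destination"]):
            if z != "self" and z not in cfg["zones"]:
                out.append(f"zone-pair {zname} uses undefined zone {z}")
        if zp["policy"] is None:
            out.append(f"zone-pair {zname} has no service-policy, all traffic is dropped")
        elif zp["policy"] not in pmaps:
            out.append(f"zone-pair {zname} references undefined policy-map {zp['policy']}")
    return out

if __name__ == "__main__":
    print("\n".join(audit_zbfw(parse_zbfw(SAMPLE_CONFIG))))
```

Run against the sample, the audit reports three things worth knowing before deploying: the class-default of SDM-INSPECT and of SDM-PERMIT carry no action and therefore drop, so the policy called SDM-PERMIT does not permit anything, and the pass action in SDM-ICMP creates no session state, so replies must be allowed by the reverse zone-pair. The same script run on the output of show running-config from a live router gives the same checks against the real configuration.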
Wednesday, May 25, 2011