------------------ ZPF --------------------------------------

Pluto:
(config)#zone security Inside
(config-sec-zone)#description Our LAN
(config)#zone security Outside
(config-sec-zone)#description Big bad Internet
(config)#zone security DMZ
(config-sec-zone)#description Our exposed DMZ
#show zone security

(config)#class-map type inspect match-any class_in_out
(config-cmap)#match protocol http
(config-cmap)#match protocol https
(config-cmap)#match protocol icmp
(config-cmap)#match protocol udp
(config-cmap)#match protocol tcp
(config)#policy-map type inspect policy_in_out
(config-pmap)#class type inspect class_in_out
(config-pmap-c)#inspect
(config)#zone-pair security pair_in_out source Inside destination Outside
(config-sec-zone-pair)#service-policy type inspect policy_in_out

(config)#class-map type inspect match-any class_in_dmz
(config-cmap)#match protocol icmp
(config-cmap)#match protocol telnet
(config-cmap)#match protocol http
(config-cmap)#match protocol https
(config-cmap)#match protocol smtp
(config-cmap)#match protocol imap
(config-cmap)#match protocol pop3
(config)#policy-map type inspect policy_in_dmz
(config-pmap)#class type inspect class_in_dmz
(config-pmap-c)#inspect
(config)#zone-pair security pair_in_dmz source Inside destination DMZ
(config-sec-zone-pair)#service-policy type inspect policy_in_dmz

(config)#access-list 101 permit ip any host 10.0.2.2
(config)#access-list 102 permit ip any host 10.0.3.2
(config)#class-map type inspect match-all class_out_dmz_http
(config-cmap)#match access-group 101
(config-cmap)#match protocol http
(config)#class-map type inspect match-all class_out_dmz_smtp
(config-cmap)#match access-group 102
(config-cmap)#match protocol smtp
(config)#policy-map type inspect policy_out_dmz
(config-pmap)#class type inspect class_out_dmz_http
(config-pmap-c)#inspect
(config-pmap)#class type inspect class_out_dmz_smtp
(config-pmap-c)#inspect
(config)#zone-pair security pair_out_dmz source Outside destination DMZ
(config-sec-zone-pair)#service-policy type inspect policy_out_dmz

(config)#interface s2/0
(config-if)#zone-member security Outside
(config)#interface s2/1
(config-if)#zone-member security Inside
(config)#interface s2/2
(config-if)#zone-member security DMZ

--In to Out--
Minnie:
#ping 10.0.0.2 -> it works
#telnet 10.0.0.2 -> it works, keep open, see conn on Pluto
#telnet 10.0.0.2 www -> it works, keep open, see conn on Pluto
Pluto:
#show policy-map type inspect zone-pair pair_in_out sessions -> see telnet, http session, matches for icmp, tcp, http

--In to DMZ--
Minnie:
#ping 10.0.2.2 -> it works
#telnet 10.0.2.2 -> it works
#telnet 10.0.2.2 www -> it works
#telnet 10.0.2.2 smtp -> it works
Pluto:
#show policy-map type inspect zone-pair pair_in_dmz sessions -> telnet session, http session, matches on telnet and http, smtp

--Out to In--
Mickey:
#ping 10.0.1.2 -> does not work
#telnet 10.0.1.2 -> does not work

--Out to DMZ--
Mickey:
#ping 10.0.2.2 -> does not work
#telnet 10.0.2.2 -> does not work
#telnet 10.0.3.2 smtp -> it works (refused by remote host - no smtp server)
#telnet 10.0.2.2 smtp -> does not work
#telnet 10.0.2.2 www -> it works
#telnet 10.0.3.2 www -> does not work
Pluto:
#show policy-map type inspect zone-pair pair_out_dmz -> dropped packets, one http session, one smtp session

--DMZ to In--
Donald:
#ping 10.0.1.2 -> does not work
#telnet 10.0.1.2 -> does not work

--DMZ to Out--
Donald:
#ping 10.0.0.2 -> does not work
#telnet 10.0.0.2 -> does not work
---------------------------------------------------
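Added example, not part of the lab notes: a small Python model of the zone-pairs and class-maps configured on Pluto that predicts whether each probe above should succeed and compares the prediction with what Minnie, Mickey and Donald actually saw. It assumes ZPF defaults (traffic between zones with no zone-pair is dropped, traffic that falls to class-default is dropped, same-zone traffic is not policed), that "match protocol tcp" covers telnet/http/smtp, and the host-to-zone placement implied by the test sections (10.0.0.2 Outside, 10.0.1.2 Inside, 10.0.2.2 and 10.0.3.2 DMZ).

```python
# Added example, not from the lab notes: a model of the ZPF policy configured on
# Pluto that predicts each probe's outcome and compares it with what was observed.
# Transport each probed protocol rides on, so "match protocol tcp" also catches telnet/http.
TRANSPORT = {"telnet": "tcp", "http": "tcp", "smtp": "tcp", "icmp": "icmp"}

# A class-map is (match-any?, protocols from "match protocol", hosts from its "permit ip any host X" ACL).
def class_matches(cmap, proto, dst):
    match_any, protocols, dst_hosts = cmap
    checks = []
    if protocols:
        checks.append(proto in protocols or TRANSPORT[proto] in protocols)
    if dst_hosts:
        checks.append(dst in dst_hosts)
    return any(checks) if match_any else all(checks)

# Zone-pairs on Pluto and the class-maps their inspect policy applies. Traffic that
# falls to class-default, or crosses zones with no zone-pair, is dropped by ZPF.
ZONE_PAIRS = {
    ("Inside", "Outside"): [(True, {"http", "https", "icmp", "udp", "tcp"}, set())],
    ("Inside", "DMZ"): [(True, {"icmp", "telnet", "http", "https", "smtp", "imap", "pop3"}, set())],
    ("Outside", "DMZ"): [(False, {"http"}, {"10.0.2.2"}),   # class_out_dmz_http (ACL 101)
                         (False, {"smtp"}, {"10.0.3.2"})],  # class_out_dmz_smtp (ACL 102)
}

def allowed(src_zone, dst_zone, proto, dst):
    """True if ZPF should inspect (permit) a new session from src_zone to dst_zone."""
    if src_zone == dst_zone:          # same-zone traffic is not policed
        return True
    classes = ZONE_PAIRS.get((src_zone, dst_zone))
    return classes is not None and any(class_matches(c, proto, dst) for c in classes)

# Probe results recorded in the lab notes: (src zone, dst zone): {(proto, dst host): worked?}
OBSERVED = {
    ("Inside", "Outside"): {("icmp", "10.0.0.2"): True, ("telnet", "10.0.0.2"): True, ("http", "10.0.0.2"): True},
    ("Inside", "DMZ"): {("icmp", "10.0.2.2"): True, ("telnet", "10.0.2.2"): True,
                        ("http", "10.0.2.2"): True, ("smtp", "10.0.2.2"): True},
    ("Outside", "Inside"): {("icmp", "10.0.1.2"): False, ("telnet", "10.0.1.2"): False},
    ("Outside", "DMZ"): {("icmp", "10.0.2.2"): False, ("telnet", "10.0.2.2"): False,
                         ("smtp", "10.0.3.2"): True, ("smtp", "10.0.2.2"): False,
                         ("http", "10.0.2.2"): True, ("http", "10.0.3.2"): False},
    ("DMZ", "Inside"): {("icmp", "10.0.1.2"): False, ("telnet", "10.0.1.2"): False},
    ("DMZ", "Outside"): {("icmp", "10.0.0.2"): False, ("telnet", "10.0.0.2"): False},
}

def mismatches():  # probes whose observed outcome differs from the model's prediction
    return [(src, dst, proto, host) for (src, dst), probes in OBSERVED.items()
            for (proto, host), worked in probes.items() if allowed(src, dst, proto, host) != worked]

print("mismatches:", mismatches())  # -> mismatches: []
```

An empty mismatch list means every probe behaved as the configured policy predicts; a non-empty one points at the zone-pair and class-map to re-check on Pluto.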