Ben Shuman's Blog

From One Geek To Another

Cisco IOS zone based firewall

Dec 01 2016

This is my basic IOS zone-based firewall configuration.


!
! Class maps: tie each traffic class to the ACL that defines it
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!
! Policy maps: matched traffic is stateful-inspected, everything else falls to class-default and is dropped
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop
!
! Zones and zone pairs: one inspect policy per direction
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface GigabitEthernet0/0/0
 description outside-interface
 ip address 100.100.100.101 255.255.255.252
 zone-member security OUTSIDE
 speed 100
 no negotiation auto
 no cdp enable
!
interface GigabitEthernet0/0/1
 description dmz-interface
 ip address 10.10.30.254 255.255.255.0
 zone-member security INSIDE
 negotiation auto
!
! ACLs: inside may initiate anything; from outside, drop RFC 1918 source addresses first,
! then allow only HTTP and HTTPS to 10.10.30.200 (everything else hits the implicit deny)
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip any any
ip access-list extended OUTSIDE-TO-INSIDE
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 10.10.30.200 eq www
 permit tcp any host 10.10.30.200 eq 443
!
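To check what the two ACLs above actually let through each zone pair before pushing the config, here is an added Python model (my own example, not part of the original post or of Cisco IOS). It parses the ACL lines in IOS syntax, converts each wildcard mask into a prefix, evaluates a flow top-down with the implicit deny at the end, and then maps the result onto the policy-map: a permit hits the `inspect` class, anything else falls to `class-default` and is dropped. The ACL text is a constructed copy of the post's two lists; the sample flows and the `PORT_NAMES` table are my assumptions, and the model only handles contiguous wildcard masks, which is all the post uses.

```python
import ipaddress

# Constructed copy of the two ACLs from the post, in IOS syntax.
ACL_CONFIG = """\
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip any any
ip access-list extended OUTSIDE-TO-INSIDE
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit tcp any host 10.10.30.200 eq www
 permit tcp any host 10.10.30.200 eq 443
"""

# IOS port keywords (assumed subset); "www" is the one the post uses and means TCP 80.
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "domain": 53}


def _parse_address(tokens):
    """Consume one IOS address spec ('any', 'host A.B.C.D', or 'A.B.C.D WILDCARD').
    Returns (ip_network, remaining tokens). A wildcard mask is an inverted netmask:
    0 bits must match, 1 bits are don't-care. Only contiguous masks are supported."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_name: [entry, ...]}; each entry has action, proto, src, dst, dport."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
            continue
        if current is None or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = _parse_address(tokens[2:])
        dst, rest = _parse_address(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        acls[current].append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}
        )
    return acls


def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; no match means the implicit deny at the end of the ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


ACLS = parse_acls(ACL_CONFIG)


def zone_pair_verdict(acl_name, proto, src_ip, dst_ip, dport=None):
    """Map the ACL result onto the post's policy-map: a permit reaches the 'inspect'
    class, everything else falls through to class-default, which drops."""
    result = evaluate(ACLS[acl_name], proto, src_ip, dst_ip, dport)
    return "inspect" if result == "permit" else "drop"


if __name__ == "__main__":
    # Constructed sample flows: public client, spoofed RFC 1918 source, and a non-web port.
    for flow in [("tcp", "203.0.113.5", "10.10.30.200", 443),
                 ("tcp", "192.168.1.9", "10.10.30.200", 443),
                 ("tcp", "203.0.113.5", "10.10.30.200", 22)]:
        print(flow, "->", zone_pair_verdict("OUTSIDE-TO-INSIDE", *flow))
```

The model covers only the two configured zone pairs. Traffic to and from the router itself belongs to the built-in self zone, which this config does not pair with INSIDE or OUTSIDE, so those ACLs say nothing about it; that is worth checking separately with `show zone-pair security` and `show policy-map type inspect zone-pair` after the config is applied.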
