LAN TO WAN
Router>
Router>en
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone security LAN-ZONE
Router(config-sec-zone)#zone security WAN-ZONE
Router(config-sec-zone)#EXIT
Router(config)#class-map type inspect match-any LAN_TO_WAN_CLASS
Router(config-cmap)#description traffico da lan a<wan
Router(config-cmap)#match protocol icmp
Router(config-cmap)#match protocol dns
Router(config-cmap)#match protocol http
Router(config-cmap)#
Router(config-cmap)#match protocol ssh
//controllo quali sono i protocolli che vengono gestiti
Router(config-cmap)#match protocol ?
bgp Border Gateway Protocol
dns Domain Name Server lookup
eigrp Enhanced Interior Gateway Routing Protocol
ftp File Transfer Protocol
h323 H323 Protocol
http World Wide Web traffic
icmp ICMP
ipv6 IPV6
ntp Network Time Protocol
pop3 Post Office Protocol
rtp Real Time Protocol
skinny Skinny Call Control Protocol
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
ssh Secured Shell
syslog System Logging Utility
tcp TCP
telnet Telnet
tftp Trivial File Transfer Protocol
udp User Datagram Protocol
Router(config-cmap)#exit
Router(config)#policy-map type inspect LAN_TO_WAN_POLICY
Router(config-pmap)#class type inspect LAN_TO_WAN_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#int fa1/0
Router(config-if)#zone-member security LAN-ZONE
Router(config-if)#int fa 0/0
Router(config-if)#zone-member security WAN-ZONE
Router(config-if)#exit
Router(config)#zone-pair security LAN-WAN source LAN_ZONE destination WAN_ZONE
% Source security zone name LAN_ZONE not defined
Router(config)#zone-pair security LAN-WAN source LAN-ZONE destination WAN-ZONE
Router(config-sec-zone-pair)#service-policy type inspect LAN_TO_WAN_POLICY
Router(config-sec-zone-pair)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
LAN TO DMZ
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone security DMZ-ZONE
Router(config-sec-zone)#exit
Router(config)#class-map type inspect match-any LAN_TO_DMZ_CLASS
Router(config-cmap)#description traffico mail dalla lan verso la DMZ
Router(config-cmap)#match protocol smtp
Router(config-cmap)#match protocol imap
^
% Invalid input detected at '^' marker.
Router(config-cmap)#match protocol icmp
Router(config-cmap)#match protocol ftp
Router(config-cmap)#match protocol ssh
Router(config-cmap)#match protocol ?
bgp Border Gateway Protocol
dns Domain Name Server lookup
eigrp Enhanced Interior Gateway Routing Protocol
ftp File Transfer Protocol
h323 H323 Protocol
http World Wide Web traffic
icmp ICMP
ipv6 IPV6
ntp Network Time Protocol
pop3 Post Office Protocol
rtp Real Time Protocol
skinny Skinny Call Control Protocol
smtp Simple Mail Transfer Protocol
snmp Simple Network Management Protocol
ssh Secured Shell
syslog System Logging Utility
tcp TCP
telnet Telnet
tftp Trivial File Transfer Protocol
udp User Datagram Protocol
Router(config-cmap)#exit
Router(config)#policy-map type inspect LAN_TO_DMZ_POLICY
Router(config-pmap)#class type inspect LAN_TO_DMZ_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#int fa 0/1
Router(config-if)#zone-member security DMZ-ZONE
Router(config-if)#exit
Router(config)#zone-pair security LAN-DMZ source LAN-ZONE destination DMZ-ZONE
Router(config-sec-zone-pair)#service-policy type inspect LAN_TO_DMZ_POLICY
Router(config-sec-zone-pair)#exit
DMZ TO WAN
Router(config)#class-map type inspect match-any DMZ_TO_WAN_CLASS
Router(config-cmap)#description definisco il traffico dal server mail verso la WAN
Router(config-cmap)#match protocol smtp
Router(config-cmap)#match protocol dns
Router(config-cmap)#exit
Router(config)#policy-map type inspect DMZ_TO_WAN_POLICY
Router(config-pmap)#class type inspect DMZ_TO_WAN_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#
Router>en
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security DMZ-WAN source DMZ-ZONE destination WAN-ZONE
Router(config-sec-zone-pair)#service-policy type inspect DMZ_TO_WAN_POLICY
Router(config-sec-zone-pair)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I
Router>en
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security DMZ-WAN source DMZ-ZONE destination WAN-ZONE
Router(config-sec-zone-pair)#service-policy type inspect DMZ_TO_WAN_POLICY
Router(config-sec-zone-pair)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
WAN TO DMZ
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#ip access-list extended FTP_IN_ACL
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ftp
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ftp-data
^
% Invalid input detected at '^' marker.
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ?
<0-65535> Port number
domain Domain Name Service (DNS, 53)
ftp File Transfer Protocol (21)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
telnet Telnet (23)
www World Wide Web (HTTP, 80)
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq
% Incomplete command.
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#ip access-list extended SMTP_IN_ACL
Router(config-ext-nacl)#permit tcp any host 192.168.20.32 eq smtp
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#class-map inspect match-all WAN_TO_DMZ_CLASS_MAIL
^
% Invalid input detected at '^' marker.
Router(config)#class-map TYPE inspect match-all WAN_TO_DMZ_CLASS_MAIL
Router(config-cmap)#matchaccess-group name SMTP_IN_ACL
^
% Invalid input detected at '^' marker.
Router(config-cmap)#match access-group name SMTP_IN_ACL
Router(config-cmap)#MATCH PROTOCOL SMTP
Router(config-cmap)#exit
Router(config)#class-map TYPE inspect match-all WAN_TO_DMZ_CLASS_ftp
Router(config-cmap)#match access-group name fTP_IN_ACL
Router(config-cmap)#MATCH PROTOCOL ftp
Router(config-cmap)#exit
Router(config)#policy-map inspect WAN_TO_DMZ_POLICY
^
% Invalid input detected at '^' marker.
Router(config)#policy-map TYPE inspect WAN_TO_DMZ_POLICY
Router(config-pmap)#LASS TYPE INSPECT wan_to_dmz_class_ftp
^
% Invalid input detected at '^' marker.
Router(config-pmap)#cLASS TYPE INSPECT wan_to_dmz_class_ftp
% class map wan_to_dmz_class_ftp not configured
Router(config-pmap)#inspect
^
% Invalid input detected at '^' marker.
Router(config-pmap)#cLASS TYPE INSPECT wan_to_dmz_class_ftp
% class map wan_to_dmz_class_ftp not configured
Router(config-pmap)#class type inspect WAN_TO_DMZ_CLASS_FTP
% class map WAN_TO_DMZ_CLASS_FTP not configured
Router(config-pmap)#EXIT
Router(config)#class-map type inspect match-all WAN_TO_DMZ_CLASS_FTP
Router(config-cmap)#match access-group name FTP_IN_ACL
Router(config-cmap)#match protocol ftp
Router(config-cmap)#exit
Router(config)#class type inspect WAN_TO_DMZ_CLASS_FTP
Router(config-cmap)#inspect
^
% Invalid input detected at '^' marker.
Router(config-cmap)#class type inspect WAN_TO_DMZ_CLASS_MAIL
Router(config-cmap)#inspect
^
% Invalid input detected at '^' marker.
Router(config-cmap)#exit
Router(config)#policy-map type inspect WAN_TO_DMZ_POLICY
Router(config-pmap)#class type inspect WAN_TO_DMZ_CLASS_MAIL
Router(config-pmap-c)#inspect
Router(config-pmap-c)#class type inspect WAN_TO_DMZ_CLASS_FTP
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#zone-pair security WAN-DMZ source WAN-ZONE destination DMZ-ZONE
Router(config-sec-zone-pair)#service-policy type inspect WAN_TO_DMZ_POLICY
Router(config-sec-zone-pair)#
Router(config-sec-zone-pair)#DO WR
Router#sh policy-map type inspect zone-pair session
Zone-pair: LAN-WAN
Service-policy inspect : LAN_TO_WAN_POLICY
Class-map: LAN_TO_WAN_CLASS (match-any)
Match: protocol icmp
1 packets, 28 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: LAN-DMZ
Service-policy inspect : LAN_TO_DMZ_POLICY
Class-map: LAN_TO_DMZ_CLASS (match-any)
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
3 packets, 84 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: DMZ-WAN
Service-policy inspect : DMZ_TO_WAN_POLICY
Class-map: DMZ_TO_WAN_CLASS (match-any)
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Zone-pair: WAN-DMZ
Service-policy inspect : WAN_TO_DMZ_POLICY
Class-map: WAN_TO_DMZ_CLASS_MAIL (match-all)
Match: access-group name SMTP_IN_ACL
Match: protocol smtp
Inspect
Class-map: WAN_TO_DMZ_CLASS_FTP (match-all)
Match: access-group name FTP_IN_ACL
Match: protocol ftp
Inspect
Class-map: class-default (match-any)
Match: any
Drop (default action)
0 packets, 0 bytes
Router#