LAN TO WAN

Router>
Router>en
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone security LAN-ZONE
Router(config-sec-zone)#zone security WAN-ZONE
Router(config-sec-zone)#EXIT
Router(config)#class-map type inspect match-any LAN_TO_WAN_CLASS
Router(config-cmap)#description traffico da lan a<wan
Router(config-cmap)#match protocol icmp
Router(config-cmap)#match protocol dns
Router(config-cmap)#match protocol http
Router(config-cmap)#
Router(config-cmap)#match protocol ssh

// checking which protocols the inspect class-map can match

Router(config-cmap)#match protocol ?
  bgp     Border Gateway Protocol
  dns     Domain Name Server lookup
  eigrp   Enhanced Interior Gateway Routing Protocol
  ftp     File Transfer Protocol
  h323    H323 Protocol
  http    World Wide Web traffic
  icmp    ICMP
  ipv6    IPV6
  ntp     Network Time Protocol
  pop3    Post Office Protocol
  rtp     Real Time Protocol
  skinny  Skinny Call Control Protocol
  smtp    Simple Mail Transfer Protocol
  snmp    Simple Network Management Protocol
  ssh     Secured Shell
  syslog  System Logging Utility
  tcp     TCP
  telnet  Telnet
  tftp    Trivial File Transfer Protocol
  udp     User Datagram Protocol
Router(config-cmap)#exit
Router(config)#policy-map type inspect LAN_TO_WAN_POLICY
Router(config-pmap)#class type inspect LAN_TO_WAN_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#int fa1/0
Router(config-if)#zone-member security LAN-ZONE
Router(config-if)#int fa 0/0
Router(config-if)#zone-member security WAN-ZONE
Router(config-if)#exit
Router(config)#zone-pair security LAN-WAN source LAN_ZONE destination WAN_ZONE
% Source security zone name LAN_ZONE not defined
Router(config)#zone-pair security LAN-WAN source LAN-ZONE destination WAN-ZONE
Router(config-sec-zone-pair)#service-policy type inspect LAN_TO_WAN_POLICY
Router(config-sec-zone-pair)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console

LAN TO DMZ

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone security DMZ-ZONE
Router(config-sec-zone)#exit
Router(config)#class-map type inspect match-any LAN_TO_DMZ_CLASS
Router(config-cmap)#description traffico mail dalla lan verso la DMZ
Router(config-cmap)#match protocol smtp
Router(config-cmap)#match protocol imap
                                   ^
% Invalid input detected at '^' marker.
Router(config-cmap)#match protocol icmp
Router(config-cmap)#match protocol ftp
Router(config-cmap)#match protocol ssh
Router(config-cmap)#match protocol ?
  bgp     Border Gateway Protocol
  dns     Domain Name Server lookup
  eigrp   Enhanced Interior Gateway Routing Protocol
  ftp     File Transfer Protocol
  h323    H323 Protocol
  http    World Wide Web traffic
  icmp    ICMP
  ipv6    IPV6
  ntp     Network Time Protocol
  pop3    Post Office Protocol
  rtp     Real Time Protocol
  skinny  Skinny Call Control Protocol
  smtp    Simple Mail Transfer Protocol
  snmp    Simple Network Management Protocol
  ssh     Secured Shell
  syslog  System Logging Utility
  tcp     TCP
  telnet  Telnet
  tftp    Trivial File Transfer Protocol
  udp     User Datagram Protocol
Router(config-cmap)#exit
Router(config)#policy-map type inspect LAN_TO_DMZ_POLICY
Router(config-pmap)#class type inspect LAN_TO_DMZ_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#int fa 0/1
Router(config-if)#zone-member security DMZ-ZONE
Router(config-if)#exit
Router(config)#zone-pair security LAN-DMZ source LAN-ZONE destination DMZ-ZONE
Router(config-sec-zone-pair)#service-policy type inspect LAN_TO_DMZ_POLICY
Router(config-sec-zone-pair)#exit

DMZ TO WAN

Router(config)#class-map type inspect match-any DMZ_TO_WAN_CLASS
Router(config-cmap)#description definisco il traffico dal server mail verso la WAN
Router(config-cmap)#match protocol smtp
Router(config-cmap)#match protocol dns
Router(config-cmap)#exit
Router(config)#policy-map type inspect DMZ_TO_WAN_POLICY
Router(config-pmap)#class type inspect DMZ_TO_WAN_CLASS
Router(config-pmap-c)#inspect
Router(config-pmap-c)#
Router>en
Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#zone-pair security DMZ-WAN source DMZ-ZONE destination WAN-ZONE
Router(config-sec-zone-pair)#service-policy type inspect DMZ_TO_WAN_POLICY
Router(config-sec-zone-pair)#exit
Router(config)#exit
Router#
%SYS-5-CONFIG_I


WAN TO DMZ

Router#conf term
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Router(config)#ip access-list extended FTP_IN_ACL
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ftp
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ftp-data
                                                             ^
% Invalid input detected at '^' marker.
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq ?
  <0-65535>  Port number
  domain     Domain Name Service (DNS, 53)
  ftp        File Transfer Protocol (21)
  pop3       Post Office Protocol v3 (110)
  smtp       Simple Mail Transport Protocol (25)
  telnet     Telnet (23)
  www        World Wide Web (HTTP, 80)
Router(config-ext-nacl)#permit tcp any host 192.168.20.31 eq
% Incomplete command.
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#ip access-list extended SMTP_IN_ACL
Router(config-ext-nacl)#permit tcp any host 192.168.20.32 eq smtp
Router(config-ext-nacl)#deny ip any any
Router(config-ext-nacl)#exit
Router(config)#class-map inspect match-all WAN_TO_DMZ_CLASS_MAIL
                         ^
% Invalid input detected at '^' marker.
Router(config)#class-map TYPE inspect match-all WAN_TO_DMZ_CLASS_MAIL
Router(config-cmap)#matchaccess-group name SMTP_IN_ACL
                    ^
% Invalid input detected at '^' marker.
Router(config-cmap)#match access-group name SMTP_IN_ACL
Router(config-cmap)#MATCH PROTOCOL SMTP
Router(config-cmap)#exit
Router(config)#class-map TYPE inspect match-all WAN_TO_DMZ_CLASS_ftp
Router(config-cmap)#match access-group name fTP_IN_ACL
Router(config-cmap)#MATCH PROTOCOL ftp
Router(config-cmap)#exit
Router(config)#policy-map inspect WAN_TO_DMZ_POLICY
                          ^
% Invalid input detected at '^' marker.
Router(config)#policy-map TYPE inspect WAN_TO_DMZ_POLICY
Router(config-pmap)#LASS TYPE INSPECT wan_to_dmz_class_ftp
                    ^
% Invalid input detected at '^' marker.
Router(config-pmap)#cLASS TYPE INSPECT wan_to_dmz_class_ftp
% class map wan_to_dmz_class_ftp not configured
Router(config-pmap)#inspect
                    ^
% Invalid input detected at '^' marker.
Router(config-pmap)#cLASS TYPE INSPECT wan_to_dmz_class_ftp
% class map wan_to_dmz_class_ftp not configured
Router(config-pmap)#class type inspect WAN_TO_DMZ_CLASS_FTP
% class map WAN_TO_DMZ_CLASS_FTP not configured
Router(config-pmap)#EXIT
Router(config)#class-map type inspect match-all WAN_TO_DMZ_CLASS_FTP
Router(config-cmap)#match access-group name FTP_IN_ACL
Router(config-cmap)#match protocol ftp
Router(config-cmap)#exit
Router(config)#class type inspect WAN_TO_DMZ_CLASS_FTP
Router(config-cmap)#inspect
                    ^
% Invalid input detected at '^' marker.
Router(config-cmap)#class type inspect WAN_TO_DMZ_CLASS_MAIL
Router(config-cmap)#inspect
                    ^
% Invalid input detected at '^' marker.
Router(config-cmap)#exit
Router(config)#policy-map type inspect WAN_TO_DMZ_POLICY
Router(config-pmap)#class type inspect WAN_TO_DMZ_CLASS_MAIL
Router(config-pmap-c)#inspect
Router(config-pmap-c)#class type inspect WAN_TO_DMZ_CLASS_FTP
Router(config-pmap-c)#inspect
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Router(config)#zone-pair security WAN-DMZ source WAN-ZONE destination DMZ-ZONE
Router(config-sec-zone-pair)#service-policy type inspect WAN_TO_DMZ_POLICY
Router(config-sec-zone-pair)#
Router(config-sec-zone-pair)#DO WR
Router#sh policy-map type inspect zone-pair session
 Zone-pair: LAN-WAN
  Service-policy inspect : LAN_TO_WAN_POLICY
    Class-map: LAN_TO_WAN_CLASS (match-any)
      Match: protocol icmp
        1 packets, 28 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol http
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: LAN-DMZ
  Service-policy inspect : LAN_TO_DMZ_POLICY
    Class-map: LAN_TO_DMZ_CLASS (match-any)
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol icmp
        3 packets, 84 bytes
        30 second rate 0 bps
      Match: protocol ftp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol ssh
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: DMZ-WAN
  Service-policy inspect : DMZ_TO_WAN_POLICY
    Class-map: DMZ_TO_WAN_CLASS (match-any)
      Match: protocol smtp
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: protocol dns
        0 packets, 0 bytes
        30 second rate 0 bps
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: WAN-DMZ
  Service-policy inspect : WAN_TO_DMZ_POLICY
    Class-map: WAN_TO_DMZ_CLASS_MAIL (match-all)
      Match: access-group name SMTP_IN_ACL
      Match: protocol smtp
      Inspect
    Class-map: WAN_TO_DMZ_CLASS_FTP (match-all)
      Match: access-group name FTP_IN_ACL
      Match: protocol ftp
      Inspect
    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
Router#
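As an added check (not part of the transcript above), a small Python linter that catches the configuration slips this session ran into before they reach the router: a zone-pair naming a zone that was never defined (LAN_ZONE vs LAN-ZONE), a policy-map referencing a class-map in the wrong case (IOS names are case-sensitive, hence "class map wan_to_dmz_class_ftp not configured"), and a zone-pair left without a service-policy, which drops all traffic between its zones. The sample config and the lint_zbf helper are constructed for this example.

```python
import re

# Constructed sample modelled on the session above: one zone-pair uses the rejected
# underscore spelling, one policy names a class-map in the wrong case, one pair has no policy.
SAMPLE_CONFIG = """
zone security LAN-ZONE
zone security WAN-ZONE
zone security DMZ-ZONE
ip access-list extended SMTP_IN_ACL
class-map type inspect match-any LAN_TO_WAN_CLASS
class-map type inspect match-all WAN_TO_DMZ_CLASS_MAIL
 match access-group name SMTP_IN_ACL
policy-map type inspect LAN_TO_WAN_POLICY
 class type inspect LAN_TO_WAN_CLASS
policy-map type inspect WAN_TO_DMZ_POLICY
 class type inspect wan_to_dmz_class_mail
zone-pair security LAN-WAN source LAN_ZONE destination WAN-ZONE
 service-policy type inspect LAN_TO_WAN_POLICY
zone-pair security DMZ-WAN source DMZ-ZONE destination WAN-ZONE
"""


def lint_zbf(config: str) -> list:
    """Report dangling references in a ZBF config; IOS object names are case-sensitive."""
    defined = {"zone": set(), "acl": set(), "class-map": set(), "policy-map": set()}
    refs, pairs, with_policy, ctx = [], [], set(), None  # refs: (kind, name, context)
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"zone security (\S+)$", line):
            defined["zone"].add(m[1])
        elif m := re.match(r"ip access-list (?:extended|standard) (\S+)", line):
            defined["acl"].add(m[1])
        elif m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)", line):
            defined["class-map"].add(m[1]); ctx = f"class-map {m[1]}"
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            defined["policy-map"].add(m[1]); ctx = f"policy-map {m[1]}"
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            ctx = f"zone-pair {m[1]}"; pairs.append(ctx)
            refs += [("zone", m[2], ctx), ("zone", m[3], ctx)]
        elif m := re.match(r"match access-group name (\S+)", line):
            refs.append(("acl", m[1], ctx))
        elif m := re.match(r"class type inspect (\S+)", line):
            refs.append(("class-map", m[1], ctx))
        elif m := re.match(r"service-policy type inspect (\S+)", line):
            refs.append(("policy-map", m[1], ctx)); with_policy.add(ctx)
    # Exact-match lookup mirrors the router: wan_to_dmz_class_mail != WAN_TO_DMZ_CLASS_MAIL.
    findings = [f"{c}: {k} {n} not defined" for k, n, c in refs if n not in defined[k]]
    # A zone-pair without a service-policy silently drops everything between its zones.
    findings += [f"{p}: no service-policy attached" for p in pairs if p not in with_policy]
    return findings
```

Run it against the output of show running-config before pushing a change; an empty list means every referenced zone, ACL, class-map and policy-map resolves.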