Requirement: NAT based Port-Forwarding through configured Zone-Based Firewall
The most important thing:
Matching and allowing the specific traffic (e.g. from and to the "DMZ") for both flows (INTERNET->INSIDE and INSIDE->INTERNET) is a MUST! The INTERNET->INSIDE policy below uses "pass", which does not create a stateful session, so the reply flow has to be permitted explicitly in the INSIDE->INTERNET direction.
For a more readable config and for counting purposes I've used separate class-maps:
! Class-maps: one per direction, each matching its own ACL so hit counters stay separate
class-map type inspect match-all CM-INSIDE-INTERNET
 match access-group name ACL-INSIDE-INTERNET
class-map type inspect match-all CM-INTERNET-INSIDE
 match access-group name ACL-INTERNET-INSIDE
!
! Outbound policy: existing rules plus the reply flow of the forwarded service
policy-map type inspect PM-INSIDE-INTERNET
 class type inspect CM-OLD-RULES
  inspect
 class type inspect CM-INSIDE-INTERNET
  inspect
 class class-default
  drop
!
! Inbound policy: the forwarded service is passed, not inspected
policy-map type inspect PM-INTERNET-INSIDE
 class type inspect CM-OLD-RULES
  pass
 class type inspect CM-INTERNET-INSIDE
  pass
 class class-default
  drop
!
! Static port-forward: public port 80 -> inside host port 80
ip nat inside source static tcp PRI.VA.TE.IP 80 P.UB.LIC.IP 80 extendable
!
! ACLs match the inside (post-NAT) address in both directions
ip access-list extended ACL-INSIDE-INTERNET
 permit tcp host PRI.VA.TE.IP eq www any
ip access-list extended ACL-INTERNET-INSIDE
 permit tcp any host PRI.VA.TE.IP eq www