{{page>:menu}}

====== policy-map ======

  * example configuration from a C876 (ADSL)

===== LAN-WAN =====

<code>
! ----------------------------------------------------------------------------------------------------------------
!
! insp-traffic
class-map type inspect match-any cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
exit
class-map type inspect match-all insp-traffic
 match class-map cls-insp-traffic
exit
! ----------------------------------------------------------------------------------------------------------------
!
! protocol-p2p
class-map type inspect match-any cls-protocol-p2p
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
 match protocol fasttrack
exit
class-map type inspect match-all protocol-p2p
 match class-map cls-protocol-p2p
exit
! ----------------------------------------------------------------------------------------------------------------
!
! protocol-smtp
class-map type inspect match-all protocol-smtp
 match protocol smtp
exit
! ----------------------------------------------------------------------------------------------------------------
!
! protocol-http
!
class-map type inspect match-all protocol-http
 match protocol http
exit
! ----------------------------------------------------------------------------------------------------------------
!
! invalid-src
!
access-list 100 remark -- class invalid-src
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
class-map type inspect match-all invalid-src
 match access-group 100
exit
! ----------------------------------------------------------------------------------------------------------------
! ----------------------------------------------------------------------------------------------------------------
!
! policy-map INSPECT
!
policy-map type inspect inspect
 class type inspect invalid-src
  drop log
 exit
 class type inspect protocol-http
  no drop
  inspect
 exit
 class type inspect protocol-smtp
  no drop
  inspect
 exit
 class type inspect protocol-p2p
  no drop
  inspect
 exit
 class type inspect insp-traffic
  no drop
  inspect
 exit
 class class-default
  no drop
  pass
 exit
exit
zone security WAN
exit
zone security LAN
exit
interface Dialer0
 zone-member security WAN
exit
interface Vlan1
 zone-member security LAN
exit
zone-pair security zp-LAN-WAN source LAN destination WAN
 service-policy type inspect inspect
exit
</code>

===== WAN-LAN =====

<code>
policy-map type inspect WAN_LAN
 class type inspect cls_pptp
  no drop
  pass
 exit
 class type inspect protocol-smtp
  no drop
  pass
 exit
 class class-default
  drop log
 exit
exit
zone security WAN
exit
zone security LAN
exit
zone-pair security zp-WAN-To-LAN source WAN destination LAN
 service-policy type inspect WAN_LAN
exit
</code>

===== WAN-FW =====

<code>
ip access-list extended port_https
 permit tcp any any eq 443
exit
ip access-list extended port_ssh
 permit tcp any any eq 22
exit
ip access-list extended port_cmd
 permit tcp any any eq cmd
exit
access-list 110 remark ACL on Cisco - Datron
access-list 110 permit ip 212.158.133.128 0.0.0.31 any
class-map type inspect match-any self-cls-access
 match access-group name port_https
 match access-group name port_ssh
 match access-group name port_cmd
exit
class-map type inspect match-all self-access
 match class-map self-cls-access
 match access-group 110
exit
policy-map type inspect WAN_self
 class type inspect self-access
  no drop
  inspect
 exit
 class class-default
 exit
exit
zone security WAN
exit
zone security LAN
exit
zone-pair security zp-WAN-self source WAN destination self
 service-policy type inspect WAN_self
exit
</code>

===== FW-WAN =====

<code>
class-map type inspect match-any cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
exit
class-map type inspect match-all icmp-access
 match class-map cls-icmp-access
exit
policy-map type inspect self_WAN
 class type inspect icmp-access
  no drop
  inspect
 exit
 class class-default
  no drop
  pass
 exit
exit
zone-pair security zp-self-WAN source self destination WAN
 service-policy type inspect self_WAN
exit
</code>
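As an added check (not part of the original page or its router config), the Python script below parses a zone-based firewall config in the shape shown above and reports, per zone-pair, class-maps that a policy references but never defines (on this page `cls_pptp` is used by WAN_LAN without a class-map) and the effective class-default action. It assumes the IOS zone-based firewall behaviour that a class-default with no explicit action drops traffic, as in WAN_self; the embedded config is a constructed excerpt of the WAN-LAN and WAN-FW sections.

```python
# Constructed excerpt of the page's WAN->LAN and WAN->self policies (not the full page).
SAMPLE_CFG = """\
policy-map type inspect WAN_LAN
 class type inspect cls_pptp
  pass
 exit
 class class-default
  drop log
 exit
exit
policy-map type inspect WAN_self
 class class-default
 exit
exit
zone-pair security zp-WAN-To-LAN source WAN destination LAN
 service-policy type inspect WAN_LAN
zone-pair security zp-WAN-self source WAN destination self
 service-policy type inspect WAN_self
"""

def parse_zbf(cfg):
    """Return (class-maps defined, {policy: {class: action}}, {zone-pair: policy})."""
    classes, policies, pairs, pol, cls, pair = set(), {}, {}, None, None, None
    for w in (line.split() for line in cfg.splitlines()):
        if w[:3] == ["class-map", "type", "inspect"]:
            classes.add(w[4])                        # match-any/match-all <name>
        elif w[:3] == ["policy-map", "type", "inspect"]:
            pol, policies[w[3]] = w[3], {}
        elif w[:1] == ["class"]:
            cls, policies[pol][w[-1]] = w[-1], None  # no action seen yet
        elif cls and w[:1] and w[0] in ("inspect", "pass", "drop"):
            policies[pol][cls] = w[0]                # "drop log" -> "drop"
        elif w[:2] == ["zone-pair", "security"]:
            pair = w[2]
        elif w[:3] == ["service-policy", "type", "inspect"]:
            pairs[pair] = w[3]
    return classes, policies, pairs

def audit(cfg):
    """Per zone-pair: undefined class-map references and the effective class-default
    action (assumed IOS default: class-default without an action drops traffic)."""
    classes, policies, pairs = parse_zbf(cfg)
    report = {}
    for pair, pol in pairs.items():
        acts = policies.get(pol, {})
        report[pair] = {
            "undefined": [c for c in acts if c != "class-default" and c not in classes],
            "default": acts.get("class-default") or "drop (implicit)",
        }
    return report
```

Running `audit(SAMPLE_CFG)` flags `cls_pptp` under zp-WAN-To-LAN and shows zp-WAN-self falling through to an implicit drop; feed it the full page config to see all four zone-pairs.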