how to configure zbf to allow remote dmz admin

I have a DMZ configured that should normally only allow traffic to http, mail, etc. However, I would like to allow admin traffic like ssh from certain IPs as well. For example, my DMZs are behind one IP range from one ISP. My LAN is behind another IP range from another ISP. I'd like admin traffic from my LAN ISP range access to the DMZ.

DMZ configuration to allow access to the http servers, etc. is pretty straightforward. However, I can't figure out how to allow that traffic and only allow admin traffic from my LAN ISP IP address range.

Any suggestions?

Thanks,

Greg

Here's the basic DMZ zone configuration:

class-map type inspect match-any ccp-dmz-protocols
     match protocol http
     match protocol smtp
     match protocol https
     match protocol imap
class-map type inspect match-all ccp-dmz-traffic
     match access-group name dmz-traffic
     match class-map ccp-dmz-protocols
policy-map type inspect ccp-permit-dmzservice
     class type inspect ccp-dmz-traffic
       inspect
     class class-default
       drop log
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
     service-policy type inspect ccp-permit-dmzservice
! This is the NAT host address of my server
ip access-list extended dmz-traffic
     remark CCP_ACL Category=1
     permit ip any host 192.168.1.214
Here's a start at a set of protocols for admin support:
class-map type inspect match-any ccp-dmz-admin
     match protocol http
     match protocol https
     match protocol imap
     match protocol ssh
     match protocol smtp
     match protocol ftp
     match protocol icmp
And here is the access list for the outside IPs:
ip access-list extended dmz-admin-ranges
     remark CCP_ACL Category=1
     permit ip 70.xx.xx.xx 0.0.0.15 any
     deny   ip any any
Panos Kampanakis Mon, 07/12/2010 - 10:35

Here is what I would suggest

! Numbered extended ACL: SSH (TCP/22) only from the LAN-side admin range
! (70.xx.xx.xx 0.0.0.15 from the question) to the DMZ server's NAT address.
! Source, destination and the numeric port were missing in the posted line;
! "ssh" is not an accepted port keyword on all IOS releases, so use 22.
access-list 101 permit tcp 70.xx.xx.xx 0.0.0.15 host 192.168.1.214 eq 22

class-map type inspect match-any ccp-dmz-admin
     match access-group 101

class-map type inspect match-any ccp-dmz-protocols
     match protocol http
     match protocol smtp
     match protocol https
     match protocol imap

class-map type inspect match-all ccp-dmz-traffic
     match access-group name dmz-traffic
     match class-map ccp-dmz-protocols

policy-map type inspect ccp-permit-dmzservice
     class type inspect ccp-dmz-traffic
        inspect
     ! Inside a policy-map the class is referenced with "class type inspect",
     ! not "class-map type inspect".
     class type inspect ccp-dmz-admin
        inspect
     class class-default
        drop log

That will do it.

I hope it helps.

PK
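One way to write the admin class so that SSH is admitted only from the LAN-side range and only toward the DMZ host, while the public services keep their own class. This is an added example, not part of Greg's post or Panos's reply: it reuses the zone, class-map, policy-map and ACL names from the thread, takes the 70.xx.xx.xx 0.0.0.15 range and the 192.168.1.214 NAT address from the question, and assumes a new named ACL called dmz-admin-ssh.

```cisco
! Admin ACL (assumed name): SSH from the LAN ISP range (/28 wildcard 0.0.0.15)
! to the DMZ server only. Everything else falls through to the other classes.
ip access-list extended dmz-admin-ssh
 remark Admin SSH from LAN-side ISP range to DMZ host
 permit tcp 70.xx.xx.xx 0.0.0.15 host 192.168.1.214 eq 22
!
! match-all: a flow must hit the source/destination ACL AND be SSH.
! (match-any with the protocol list from the question would open every
! listed protocol to the admin range, which is wider than intended.)
class-map type inspect match-all ccp-dmz-admin
 match access-group name dmz-admin-ssh
 match protocol ssh
!
! Public services class from the question, unchanged.
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol smtp
 match protocol https
 match protocol imap
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
!
! Classes are evaluated top-down; anything not matched is dropped and logged.
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class type inspect ccp-dmz-admin
  inspect
 class class-default
  drop log
!
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
!
! Verification after applying:
!   show policy-map type inspect zone-pair ccp-zp-out-dmz sessions
!   show access-lists dmz-admin-ssh
```

After an SSH session from an address inside the admin range, the session should appear under the ccp-dmz-admin class in the zone-pair output and the ACL hit counter should increment; an SSH attempt from any other source never matches either class and shows up as a class-default drop in syslog, which is the record to watch for unexpected admin attempts.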
