I have a DMZ configured that should normally only allow traffic to http, mail, etc. However, I would like to allow admin traffic like ssh from certain IPs as well. For example, my DMZs are behind one IP range from one ISP. My LAN is behind another IP range from another ISP. I'd like admin traffic from my LAN ISP range access to the DMZ.
DMZ configuration to allow access to the http servers, etc. is pretty straightforward. However, I can't figure out how to allow that traffic and only allow admin traffic from my LAN ISP IP address range.
Any suggestions?
Thanks,
Greg
Here's the basic DMZ zone configuration:
class-map type inspect match-any ccp-dmz-protocols
 match protocol http
 match protocol smtp
 match protocol https
 match protocol imap
class-map type inspect match-all ccp-dmz-traffic
 match access-group name dmz-traffic
 match class-map ccp-dmz-protocols
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-traffic
  inspect
 class class-default
  drop log
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
 service-policy type inspect ccp-permit-dmzservice
! This is the NAT host address of my server
ip access-list extended dmz-traffic
 remark CCP_ACL Category=1
 permit ip any host 192.168.1.214
Here's a start at a set of protocols for admin support:
class-map type inspect match-any ccp-dmz-admin
 match protocol http
 match protocol https
 match protocol imap
 match protocol ssh
 match protocol smtp
 match protocol ftp
 match protocol icmp
And here is the access list for the outside IPs:
ip access-list extended dmz-admin-ranges
 remark CCP_ACL Category=1
 permit ip 70.xx.xx.xx 0.0.0.15 any
 deny ip any any
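One way to tie the two pieces together, added here as an example and not part of Greg's post: a match-all class that requires both the admin source range and the admin protocol set, placed ahead of the public class in the existing policy-map. The names dmz-admin-traffic and ccp-dmz-admin-traffic are assumed, and 70.xx.xx.xx is the same placeholder used in the post.

```cisco
! Added example, not from the original post. Reuses the post's names
! (ccp-dmz-admin, ccp-dmz-traffic, ccp-permit-dmzservice, 192.168.1.214)
! and its 70.xx.xx.xx placeholder; dmz-admin-traffic and
! ccp-dmz-admin-traffic are names assumed here.
!
! 1. Scope the admin ACL to the DMZ host, not "any", so the class only
!    matches admin sources talking to the server that is actually published.
ip access-list extended dmz-admin-traffic
 remark admin sources (LAN ISP range) to the DMZ host only
 permit ip 70.xx.xx.xx 0.0.0.15 host 192.168.1.214
!
! 2. match-all: source range AND admin protocol set must both be true.
!    ssh/ftp/icmp from outside the range never match, because the ACL fails.
class-map type inspect match-all ccp-dmz-admin-traffic
 match access-group name dmz-admin-traffic
 match class-map ccp-dmz-admin
!
! 3. Classes in the policy-map are evaluated top-down, first match wins,
!    so the narrow admin class goes before the broad public class.
!    Everything else still falls through to class-default and is dropped.
policy-map type inspect ccp-permit-dmzservice
 class type inspect ccp-dmz-admin-traffic
  inspect
 class type inspect ccp-dmz-traffic
  inspect
 class class-default
  drop log
```

After applying it, `show policy-map type inspect zone-pair ccp-zp-out-dmz` shows per-class session and drop counters, which is the quickest way to confirm ssh from the admin range lands in the admin class while ssh from elsewhere is counted under class-default.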