Configuring Zone-Based Policy Firewall (ZPF)

For IOS 12.4(6)T

First, create the security zones:

R3(config)#zone security IN-ZONE
R3(config-sec-zone)#exit
R3(config-sec-zone)#zone se OUT-ZONE

Then the access list that identifies the inside network:

R3(config)#ip access-list extended 101
R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any

Create a class map of type inspect and name it:

R3(config)#class-map ty ?
  inspect  Configure CBAC Class Map
R3(config)#class-map type ?
  inspect  Configure CBAC Class Map
R3(config)#class-map type inspect ?
  WORD       class-map name
  match-all  Logical-AND all matching statements under this classmap
  match-any  Logical-OR all matching statements under this classmap
R3(config)#class-map type inspect match-all
R3(config)#class-map type inspect match-all ?
  WORD  class-map name
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP

Apply the access list as the match criterion:

Router(config-cmap)#match ?
  access-group         Access group
  any                  Any packets
  class-map            Class map
  cos                  IEEE 802.1Q/ISL class of service/user priority values
  destination-address  Destination address
  discard-class        Discard behavior identifier
  dscp                 Match DSCP in IP(v4) and IPv6 packets
  fr-de                Match on Frame-relay DE bit
  fr-dlci              Match on fr-dlci
  input-interface      Select an input interface to match
  ip                   IP specific values
  mpls                 Multi Protocol Label Switching specific values
  not                  Negate this match result
  packet               Layer 3 Packet length
  precedence           Match Precedence in IP(v4) and IPv6 packets
  protocol             Protocol
  qos-group            Qos-group
  source-address       Source address
Router(config-cmap)#match acc
Router(config-cmap)#match access-group ?
  <1-2699>  Access list index
  name      Named Access List
Router(config-cmap)#match access-group 101

Create a policy map to determine what to do with matched traffic.

R3(config)#policy-map ?
  WORD  policy-map name
  type  type of the policy-map
R3(config)#policy-map type ?
  inspect  Configure CBAC Policy Map
R3(config)#policy-map type inspect ?
  WORD  policy-map name
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#


Specify a class of type inspect and reference the class map IN-NET-CLASS-MAP. The error shown here means the class map on this router was created as an ordinary (type default) class-map; an inspect policy map only accepts class maps created with class-map type inspect.

R3(config-pmap)#class type ?
  inspect  Configure CBAC Class Map
R3(config-pmap)#class type inspect ?
  WORD           class-map name
  class-default  System default class matching otherwise unclassified packets
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
% class IN-NET-CLASS-MAP of type default is not allowed in policy-map IN-2-OUT-PMAP of type inspect


The inspect action invokes Context-Based Access Control (stateful inspection) for the matched traffic:

R3(config-pmap-c)#inspect
R3(config-pmap-c)#?
  drop     Drop the packet
  exit     Exit from class action configuration mode
  inspect  Context-based Access Control Engine
  no       Negate or set default values of a command
  pass     Pass the packet
R3(config-pmap-c)#inspect
%No specific protocol configured in class IN-NET-CLASS-MAP for inspection. All protocols will be inspected


Create a zone pair and specify the source and destination zones:

R3(config)#zone
R3(config)#zone ?
  security  Security zone
R3(config)#zone-pair se
R3(config)#zone-pair security ?
  WORD  Name of zone-pair
R3(config)#zone-pair security IN-2-OUT-ZPAIR ?
  source  Source zone
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE ?
  destination  Destination zone
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#


Attach the policy map, and with it the actions it defines, to the zone pair:

R3(config-sec-zone-pair)#service-policy ?
  type  Service Policy type
R3(config-sec-zone-pair)#service-policy type ?
  inspect  Configure CBAC Service Policy type inspect
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP


Assign the interfaces to the appropriate security zones:

R3(config-sec-zone-pair)#int f0/1
R3(config-if)# zone-member security ?
  WORD  Name of zone defined
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#int s0/0/1
R3(config-if)#zone-member security OUT-ZONE


The complete sequence of commands, in order:

R3(config)#zone security IN-ZONE
R3(config-sec-zone)#zone se OUT-ZONE
R3(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
R3(config)#class-map type inspect match-all IN-NET-CLASS-MAP
Router(config-cmap)#match access-group 101
R3(config)#policy-map type inspect IN-2-OUT-PMAP
R3(config-pmap)#class type inspect IN-NET-CLASS-MAP
R3(config-pmap-c)#inspect
R3(config)#zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
R3(config-sec-zone-pair)#service-policy type inspect IN-2-OUT-PMAP
R3(config-if)#zone-member security IN-ZONE
R3(config-if)#zone-member security OUT-ZONE
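The ZPF objects above only work when they reference each other consistently: a zone pair must name defined zones and carry a policy-map type inspect, that policy map may only use class-map type inspect (the cause of the "type default is not allowed" error seen earlier), and a zone with no member interface carries no traffic. The following script is an added example, not the author's configuration or any Cisco tool; it parses a running-config fragment that I constructed to match the commands on this page (interface names FastEthernet0/1 and Serial0/0/1 are assumed from the abbreviations f0/1 and s0/0/1) and reports any of those mismatches, including a second constructed variant that reproduces the page's class-map mistake.

```python
import re
from typing import Dict, List

# Constructed running-config fragment equivalent to the commands on the page
# (not taken from the author's router).
GOOD_CONFIG = """\
class-map type inspect match-all IN-NET-CLASS-MAP
 match access-group 101
!
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
zone security IN-ZONE
zone security OUT-ZONE
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
interface FastEthernet0/1
 zone-member security IN-ZONE
!
interface Serial0/0/1
 zone-member security OUT-ZONE
"""

# Constructed variant reproducing the page's mistake: the class map was created
# without "type inspect", and the outside interface was never put in OUT-ZONE.
BAD_CONFIG = """\
class-map match-all IN-NET-CLASS-MAP
 match access-group 101
!
policy-map type inspect IN-2-OUT-PMAP
 class type inspect IN-NET-CLASS-MAP
  inspect
!
zone security IN-ZONE
zone security OUT-ZONE
zone-pair security IN-2-OUT-ZPAIR source IN-ZONE destination OUT-ZONE
 service-policy type inspect IN-2-OUT-PMAP
!
interface FastEthernet0/1
 zone-member security IN-ZONE
"""


def parse_zpf(config: str) -> Dict:
    """Collect the ZPF objects from a running-config and record who references whom."""
    cfg = {"zones": set(), "inspect_cmaps": set(), "default_cmaps": set(),
           "pmaps": {}, "zone_pairs": {}, "zone_members": {}}
    ctx = None  # (kind, name) of the open indented block, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level statement closes any open block
            ctx = None
            if m := re.fullmatch(r"zone security (\S+)", line):
                cfg["zones"].add(m[1])
            elif m := re.fullmatch(r"class-map type inspect (?:match-all|match-any) (\S+)", line):
                cfg["inspect_cmaps"].add(m[1])
            elif m := re.fullmatch(r"class-map (?:match-all |match-any )?(\S+)", line):
                cfg["default_cmaps"].add(m[1])  # ordinary QoS-style class map
            elif m := re.fullmatch(r"policy-map type inspect (\S+)", line):
                cfg["pmaps"][m[1]] = []
                ctx = ("pmap", m[1])
            elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
                cfg["zone_pairs"][m[1]] = {"source": m[2], "destination": m[3], "policy": None}
                ctx = ("zpair", m[1])
            elif m := re.fullmatch(r"interface (\S+)", line):
                ctx = ("intf", m[1])
            continue
        if ctx is None:
            continue
        kind, name = ctx
        stmt = line.strip()
        if kind == "pmap" and (m := re.fullmatch(r"class type inspect (\S+)", stmt)):
            cfg["pmaps"][name].append(m[1])
        elif kind == "zpair" and (m := re.fullmatch(r"service-policy type inspect (\S+)", stmt)):
            cfg["zone_pairs"][name]["policy"] = m[1]
        elif kind == "intf" and (m := re.fullmatch(r"zone-member security (\S+)", stmt)):
            cfg["zone_members"].setdefault(m[1], []).append(name)
    return cfg


def check_zpf(cfg: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the pieces fit together."""
    problems: List[str] = []
    for zp, info in cfg["zone_pairs"].items():
        for role in ("source", "destination"):
            if info[role] not in cfg["zones"]:
                problems.append(f"zone-pair {zp}: {role} zone {info[role]} is not defined")
        if info["policy"] is None:
            problems.append(f"zone-pair {zp}: no service-policy attached, so inter-zone traffic is dropped")
        elif info["policy"] not in cfg["pmaps"]:
            problems.append(f"zone-pair {zp}: {info['policy']} is not a policy-map type inspect")
    for pm, classes in cfg["pmaps"].items():
        for c in classes:
            if c not in cfg["inspect_cmaps"]:
                why = "is type default, not type inspect" if c in cfg["default_cmaps"] else "is not defined"
                problems.append(f"policy-map {pm}: class {c} {why}")
    for zone in sorted(cfg["zones"]):
        if zone not in cfg["zone_members"]:
            problems.append(f"zone {zone}: no interface is a member, so no traffic can reach it")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_zpf(parse_zpf(text)) or "OK")
```

Run against the output of show running-config on a real router the same way; the parser ignores every line it does not recognise, so unrelated configuration does not get in the way.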

Cisco IOS Classic Firewall (formerly Context-Based Access Control, CBAC)

First, block everything inbound with an ACL:

R3(config)#ip acc extended OUT-IN
R3(config-ext-nacl)#deny ip any any
R3(config-if)#ip access-group OUT-IN in


Then, create an inspection rule to inspect ICMP, Telnet, and HTTP traffic:

R3(config)#ip inspect name ?
  WORD  Name of inspection defined (16 characters max)
R3(config)#ip inspect name IN-OUT-IN ?
  http    HTTP Protocol
  icmp    ICMP Protocol
  tcp     Transmission Control Protocol
  telnet  Telnet
  udp     User Datagram Protocol
R3(config)#ip inspect name IN-OUT-IN http
R3(config)#ip inspect name IN-OUT-IN icmp
R3(config)#ip inspect name IN-OUT-IN telnet


Then, before applying this ip inspect rule to the interface, enable ip inspect audit-trail so that the inspected connections can be viewed locally and on the syslog server:

R3(config)#ip inspect audit-trail
R3(config)#logging 192.168.1.3
R3(config)#logging on


Apply the rule to the interface:

R3(config-if)#ip inspect IN-OUT-IN ?
  in   Inbound inspection
  out  Outbound inspection
R3(config-if)#ip inspect IN-OUT-IN out

The out direction inspects outgoing connections, so that their return traffic is allowed back in past the ACL.

The audit-trail messages look like this:

%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
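Once these messages reach the syslog server at 192.168.1.3 they are worth more than a session list: each START/STOP pair documents one inspected connection, and anything that does not fit the policy stands out. The script below is an added example, not part of the original post or of Cisco IOS. It parses the audit-trail format shown above, folds START and STOP lines into one record per session, and flags records that should not occur with the configuration on this page: an initiator outside the inside network 192.168.3.0/24 (from access list 101), a protocol other than the http, icmp and telnet that the IN-OUT-IN rule inspects, or a STOP with no matching START (a sign of lost log lines). The sample log is constructed: the first two lines are the page's, the other three were made up to exercise each check.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Matches the Classic Firewall audit-trail messages shown on the page. A syslog
# timestamp or sequence number in front of the message is tolerated because
# re.search() is used rather than re.match().
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL_(?P<event>START|STOP): (?:Start|Stop) (?P<proto>\S+) session: "
    r"initiator \((?P<src_ip>[\d.]+):(?P<src_port>\d+)\) -- "
    r"responder \((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)"
)

# Constructed sample log: the two lines quoted on the page plus three invented
# lines (a telnet session from 192.168.3.7, a tcp session from 10.9.9.9 and an
# orphan STOP) so that every check below fires at least once.
SAMPLE_LOG = """\
%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1048) -- responder (192.168.1.3:80)
%FW-6-SESS_AUDIT_TRAIL_START: Start telnet session: initiator (192.168.3.7:2001) -- responder (192.168.1.3:23)
%FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.9.9.9:4444) -- responder (192.168.3.3:22)
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1040) -- responder (192.168.1.3:80)
"""


def parse_audit_line(line: str) -> Optional[Dict]:
    """Return the fields of one audit-trail message, or None for any other line."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def pair_sessions(log: str) -> List[Dict]:
    """Fold START/STOP lines into one record per 5-tuple, in first-seen order."""
    sessions: Dict[tuple, Dict] = {}
    for line in log.splitlines():
        ev = parse_audit_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])
        fields = {k: v for k, v in ev.items() if k != "event"}
        rec = sessions.setdefault(key, {**fields, "started": False, "stopped": False})
        rec["started" if ev["event"] == "START" else "stopped"] = True
    return list(sessions.values())


def review_sessions(sessions: List[Dict], inside_net: str = "192.168.3.0/24",
                    inspected: tuple = ("http", "icmp", "telnet")) -> List[str]:
    """Flag sessions that the page's ACL and inspection rule should never produce."""
    net = ipaddress.ip_network(inside_net)
    findings: List[str] = []
    for s in sessions:
        who = f"{s['proto']} {s['src_ip']}:{s['src_port']} -> {s['dst_ip']}:{s['dst_port']}"
        if ipaddress.ip_address(s["src_ip"]) not in net:
            findings.append(f"{who}: initiator is not on the inside network")
        if s["proto"] not in inspected:
            findings.append(f"{who}: protocol is not in the inspection rule")
        if s["stopped"] and not s["started"]:
            findings.append(f"{who}: STOP without a matching START (log gap?)")
    return findings


if __name__ == "__main__":
    for finding in review_sessions(pair_sessions(SAMPLE_LOG)):
        print(finding)
```

Feed it the syslog file collected on 192.168.1.3 instead of SAMPLE_LOG; only %FW-6-SESS_AUDIT_TRAIL lines are considered, so the other messages the router logs are ignored.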


R3(config)#do show ip inspect sessions
Established Sessions
 Session 137553504 (192.168.3.3:1054)=>(192.168.1.3:http) SIS_OPEN


R3#debug ip inspect detailed
INSPECT Detailed Debug debugging is on
R3#
%FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.3.3:1055) -- responder (192.168.1.3:80)
CBAC: Finding pregen session for src_tableid:0, src_addr:192.168.3.3, src_port:1055, dst_tableid:0, dst_addr:192.168.1.3, dst_port:80
%FW-6-SESS_AUDIT_TRAIL_STOP: Stop http session: initiator (192.168.3.3:1055) -- responder (192.168.1.3:80)