! Generated by Network Security Policy Compiler, version 2.453

! [ BEGIN router:protect_web ]
! [ Model = IOS ]
! [ IP = 10.10.1.5 ]
! [ Routing ]
! Static routes for the two remote networks that the ACLs below match on.
! Each "route" comment names the policy object and the next-hop interface;
! the "ip route" line under it is the resulting prefix, netmask and next hop.
! NOTE(review): the ACLs filter on these same prefixes (10.1.11.0/24 and
! 10.1.2.0/24). This file is generated, so routes and ACLs should be changed
! together in the policy source, not edited by hand here.
! route network:management -> interface:mngt.service_lan
ip route 10.1.11.0 255.255.255.0 10.10.1.6
! route network:small_customer -> interface:small.service_lan
ip route 10.1.2.0 255.255.255.0 10.10.1.4
! [ ACL ]
! interface:protect_web.service_lan
! Inbound filter for packets arriving from service_lan; it is attached to
! FastEthernet0 at the end of this file. Entries are evaluated top-down and
! the first match wins, so the order below is significant.
ip access-list extended FastEthernet0_in
! ICMP type 8 is echo request: any source may ping the router's own
! service_lan address, and nothing behind it.
! permit src=network:0/0; dst=interface:protect_web.service_lan; srv=service:ping;
 permit icmp any host 10.10.1.5 8
! ICMP type 0 is echo reply, again only towards the router's own address.
! permit src=network:0/0; dst=interface:protect_web.service_lan; srv=service:pong;
 permit icmp any host 10.10.1.5 0
! Every IP protocol and port from 10.1.11.0/24 to the router address.
! NOTE(review): this trusts the source address alone. Confirm that nothing
! else on service_lan can source packets as 10.1.11.0/24, and that
! device-level access controls (VTY access-class, AAA) exist elsewhere;
! neither is visible in this file.
! permit src=network:management; dst=interface:protect_web.service_lan; srv=auto_srv:ip;
 permit ip 10.1.11.0 0.0.0.255 host 10.10.1.5
! The next three entries implement one policy rule. host:extranet is split
! into wildcard-aligned blocks: 10.20.1.12-15, 10.20.1.16-19 and
! 10.20.1.10-11, together 10.20.1.10 through 10.20.1.19.
! Only TCP destination port 80 is permitted; the source port is not restricted.
! permit src=network:small_customer; dst=host:extranet; srv=service:http;
 permit tcp 10.1.2.0 0.0.0.255 10.20.1.12 0.0.0.3 eq 80
! permit src=network:small_customer; dst=host:extranet; srv=service:http;
 permit tcp 10.1.2.0 0.0.0.255 10.20.1.16 0.0.0.3 eq 80
! permit src=network:small_customer; dst=host:extranet; srv=service:http;
 permit tcp 10.1.2.0 0.0.0.255 10.20.1.10 0.0.0.1 eq 80
! Explicit final deny, so the default-drop is visible in the listing.
! NOTE(review): there is no `log` keyword, so matches produce no syslog
! messages. If drop visibility is wanted for detection, request it in the
! policy source, since this file is generated.
! deny src=network:0/0; dst=network:0/0; srv=auto_srv:ip;
 deny ip any any

! interface:protect_web.web_servers
! Inbound filter for packets arriving from the web_servers side; it is
! attached to FastEthernet1 at the end of this file. Evaluation is top-down,
! first match wins. Apart from ICMP echo and echo reply to 10.20.1.1, the
! only traffic accepted from this side is TCP matching `established`.
ip access-list extended FastEthernet1_in
! ICMP type 8 is echo request: any source may ping the router's web_servers address.
! permit src=network:0/0; dst=interface:protect_web.web_servers; srv=service:ping;
 permit icmp any host 10.20.1.1 8
! ICMP type 0 is echo reply towards the router's web_servers address.
! permit src=network:0/0; dst=interface:protect_web.web_servers; srv=service:pong;
 permit icmp any host 10.20.1.1 0
! Return path for the HTTP rule in FastEthernet0_in, for the same three
! host:extranet blocks (10.20.1.12-15, 10.20.1.16-19, 10.20.1.10-11).
! `established` matches TCP segments with ACK or RST set. It is a flag test,
! not connection tracking, which is why the generator tags these "stateless".
! NOTE(review): neither port is constrained, so any host in 10.20.1.10-19 can
! get ACK/RST-flagged segments to any port in 10.1.2.0/24. The forward rule
! allows only destination port 80, so legitimate replies have source port 80.
! A tighter form, to be made in the policy source, would be for example:
!   permit tcp 10.20.1.12 0.0.0.3 eq 80 10.1.2.0 0.0.0.255 established
! permit src=host:extranet; dst=network:small_customer; srv=reverse:TCP_ANY; stateless
 permit tcp 10.20.1.12 0.0.0.3 10.1.2.0 0.0.0.255 established
! permit src=host:extranet; dst=network:small_customer; srv=reverse:TCP_ANY; stateless
 permit tcp 10.20.1.16 0.0.0.3 10.1.2.0 0.0.0.255 established
! permit src=host:extranet; dst=network:small_customer; srv=reverse:TCP_ANY; stateless
 permit tcp 10.20.1.10 0.0.0.1 10.1.2.0 0.0.0.255 established
! Explicit final deny.
! NOTE(review): there is no `log` keyword, so packets dropped here, including
! any connection attempt initiated from the web server side, produce no
! syslog messages. Consider requesting logging in the policy source if that
! signal is wanted for detection.
! deny src=network:0/0; dst=network:0/0; srv=auto_srv:ip;
 deny ip any any

! Attach each ACL to its interface in the inbound direction.
! No outbound access-group is configured in this file, so packets are
! filtered only as they enter the router. Packets the router itself
! originates are not checked by these inbound lists.
! NOTE(review): each ACL name must match its "ip access-list extended"
! definition above exactly. Confirm on the device that both bindings took
! effect after deployment.
interface FastEthernet0
 ip access-group FastEthernet0_in in
interface FastEthernet1
 ip access-group FastEthernet1_in in

! [ END router:protect_web ]

