The second task is to "Allow all outbound HTTP, ICMP, TCP and UDP traffic". The solutions guide shows the following class-map:
class-map type inspect match-any INSPECT->OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http

This technically allows the outbound protocols specified, but it may not behave the way many would expect. In ZFW, "match protocol" tells the inspection engine which protocol to use for inspection. A match-any class is evaluated top down and the first line that matches wins. Since HTTP rides on TCP, the HTTP traffic matches the first line in the class, so it is inspected as generic TCP rather than as HTTP, and the last line really does nothing. To get HTTP-specific inspection, the more specific "match protocol http" has to be listed before the generic "match protocol tcp". A really, REALLY good read on how ZFW determines protocol inspection can be found at the URL below.

Also worth noting: if you need to match a user-defined port, that port must be defined in PAM (port-to-application mapping, "ip port-map") for the protocol being matched. "match protocol" is more than a match in the usual sense. It really says: see if the traffic is on the PAM-defined port for protocol (x); if so, identify it as (x) and inspect it as (x). It is a match-and-identify as protocol (x), not just a match. This URL is a PDF that is a must read for ZFW.
http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
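The following is an added example, not the solutions guide's configuration, showing the same class-map with the ordering corrected and a PAM entry for a user-defined HTTP port. The policy-map, zone, zone-pair and interface names (INSIDE->OUTSIDE, INSIDE, OUTSIDE, IN->OUT, FastEthernet0/0 and 0/1) and the port 8080 are assumptions chosen for illustration.

```cisco
! Assumed: an inside web proxy talks to the outside on TCP 8080.
! Without this PAM entry, 8080 traffic only ever matches "match protocol tcp".
ip port-map http port tcp 8080
!
! Corrected ordering: the application-specific match comes first.
! match-any is first-match, so with "match protocol tcp" on top,
! port 80/8080 sessions would be classified and inspected as plain tcp.
class-map type inspect match-any INSPECT->OUT
 match protocol http
 match protocol icmp
 match protocol udp
 match protocol tcp
!
policy-map type inspect INSIDE->OUTSIDE
 class type inspect INSPECT->OUT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE
!
interface FastEthernet0/0
 zone-member security INSIDE
!
interface FastEthernet0/1
 zone-member security OUTSIDE
```

To confirm which protocol a flow was identified as, use "show policy-map type inspect zone-pair IN->OUT sessions" and read the protocol name listed beside each established session; with the original ordering, web sessions show up as tcp, with the corrected ordering they show up as http. "show ip port-map http" lists the ports PAM currently associates with HTTP, which is the quick check that the user-defined port was actually registered.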
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
