Paul,
You are correct that http should be first.
Regards,
Tyson Scott - CCIE #13513 R&S and Security

Technical Instructor - IPexpert, Inc.


Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities:
http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
Lab Certifications.
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Saturday, October 03, 2009 11:48 AM
To: [email protected]
Subject: [OSL | CCIE_Security] LAB 12 section 2.2
The second task is to "Allow all outbound HTTP, ICMP, TCP and UDP traffic".
The solutions guide shows the following class-map:

class-map type inspect match-any INSPECT->OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol http

This technically allows the outbound protocols specified.  However, it may
not work as many would think.  In ZFW, the match protocol instructs the
inspection engine as to which protocol to use for inspection purposes.
Since http is tcp, the http traffic would match the first line in the class.
Inspection on http traffic would happen as tcp, not http.  So the last line
really does nothing.  A really, REALLY good read on how ZFW determines
protocol inspection can be found at the URL below.  Also worth noting is
that if you need to match a user-defined port, the port needs to be defined
in PAM for the protocol being matched.  The match protocol is more than just
a match in the way that I normally think of it.  It really says: see if
the traffic matches the PAM-defined port for the protocol defined (x); if so,
inspect it for (s).  It is a match and identification as protocol (x), not just
a match.

This URL is a PDF that is a must read for ZFW.

http://www.cisco.com/en/US/prod/vpndevc/ps5708/ps5710/ps1018/prod_configuration_example0900aecd804f1776.pdf
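To make the ordering point concrete, here is an added configuration example (not from Tyson's or Paul's messages, and not from the solutions guide) showing the class-map with the application-layer match placed first, together with a minimal policy-map and zone-pair so the class is actually applied. The zone names, the policy-map name and the port-map line are assumptions chosen for illustration.

```text
! Added example: application-layer protocols listed before the generic
! tcp/udp matches, so HTTP sessions are identified and inspected as http
! rather than being swallowed by "match protocol tcp".
class-map type inspect match-any INSPECT->OUT
 match protocol http
 match protocol icmp
 match protocol tcp
 match protocol udp
!
! If HTTP also runs on a non-standard port (8080 is a constructed example),
! PAM must know about it or "match protocol http" will not see that traffic.
ip port-map http port tcp 8080
!
! Assumed policy-map and zone names; any other traffic is dropped.
policy-map type inspect POLICY-OUT
 class type inspect INSPECT->OUT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect POLICY-OUT
```

To check which inspection engine a live session was assigned to, "show policy-map type inspect zone-pair sessions" lists the sessions with the protocol they were classified as; with the ordering above, an outbound web session shows up as http rather than tcp.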



_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com