These are my questions :-) Sample configs are from CCIE docs.
With regards
Kings

On Mon, Apr 12, 2010 at 6:41 PM, Tyson Scott <[email protected]> wrote:
> Are these questions from Yusuf's labs because I can't think of where they
> are in our workbooks?
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Monday, April 12, 2010 4:11 AM
> To: [email protected]
> Subject: [OSL | CCIE_Security] ASA MPF's queries
>
> Hi all
>
> I have two queries with ASA's MPF.
>
> Query 1
>
> hostname(config)# class-map http_traffic
> hostname(config-cmap)# match port tcp eq 80
>
> hostname(config)# policy-map outside_policy
> hostname(config-pmap)# class inspection_default
> hostname(config-pmap-c)# inspect http http_map
> hostname(config-pmap-c)# inspect sip
> hostname(config-pmap)# class http_traffic
> hostname(config-pmap-c)# set connection timeout tcp 0:10:0
>
> In the above configuration, the class inspection_default is configured for
> http inspection. All the http traffic will match this rule. Below you can
> see "set connection" applied to class http_traffic, which matches port 80.
> Will this work?
>
> All the http traffic will match class inspection_default, so how will http
> traffic again match against class http_traffic?
>
> Query 2
>
> hostname(config)# class-map im_inspect_class_map
> hostname(config-cmap)# match default-inspection-traffic
>
> hostname(config)# policy-map type inspect im im_policy_all
> hostname(config-pmap)# class yahoo_file_block_list
> hostname(config-pmap-c)# match service file-transfer
> hostname(config-pmap)# class yahoo_im_policy
> hostname(config-pmap-c)# drop-connection
> hostname(config-pmap)# class yahoo_im_policy2
> hostname(config-pmap-c)# reset
>
> hostname(config)# policy-map global_policy_name
> hostname(config-pmap)# class im_inspect_class_map
> hostname(config-pmap-c)# inspect im im_policy_all
>
> match default-inspection-traffic: what does default-inspection-traffic
> match? Does it match any traffic, or only the ports that the ASA can
> inspect?
>
> If you check in the ASA, the default-inspection-traffic does not have a
> port defined for IM.
>
> asa/king(config-cmap)# match ?
> mpf-class-map mode commands/options:
>   access-list                 Match an Access List
>   any                         Match any packet
>   default-inspection-traffic  Match default inspection traffic:
>     ctiqbe----tcp--2748         dns-------udp--53
>     ftp-------tcp--21           gtp-------udp--2123,3386
>     h323-h225-tcp--1720         h323-ras--udp--1718-1719
>     http------tcp--80           icmp------icmp
>     ils-------tcp--389          mgcp------udp--2427,2727
>     netbios---udp--137-138      radius-acct---udp--1646
>     rpc-------udp--111          rsh-------tcp--514
>     rtsp------tcp--554          sip-------tcp--5060
>     sip-------udp--5060         skinny----tcp--2000
>     smtp------tcp--25           sqlnet----tcp--1521
>     tftp------udp--69           waas------tcp--1-65535
>     xdmcp-----udp--177
>
> If it doesn't have a port for IM, how will it be inspected?
>
> With regards
> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
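Both of Kingsley's questions come down to how the ASA's Modular Policy Framework decides which class maps a flow matches. The Python below is an added illustration, not code from this thread or from Cisco. It models the rule in Cisco's MPF documentation: within a policy map a flow matches at most one class map per feature type, taken in order, but class maps for different feature types all apply, so HTTP traffic is inspected under inspection_default and still picks up the set connection timeout from http_traffic. It also models match default-inspection-traffic as matching only the default port(s) of the inspection engine named under that class; that is my reading of the behaviour and should be treated as an assumption to verify on a box. Under that model inspect im in such a class sees nothing, because the port list quoted above has no IM entry. The tcp/5050 port used for Yahoo Messenger and the class names http_again and im_yahoo are assumptions of mine.

```python
"""Toy model of ASA MPF class matching (added illustration, not Cisco code).

Rule modelled: a flow matches at most one class map per feature type (first
match in policy-map order), but class maps for different feature types all
apply. `match default-inspection-traffic` is modelled as matching only the
default port(s) of the inspection engine named under the class (assumption).
"""
from dataclasses import dataclass

# (l4, low port, high port) per inspection engine, transcribed from the
# `match ?` help output quoted in the thread. Note there is no "im" entry.
DEFAULT_INSPECTION_PORTS = {
    "ctiqbe": [("tcp", 2748, 2748)], "dns": [("udp", 53, 53)],
    "ftp": [("tcp", 21, 21)], "gtp": [("udp", 2123, 2123), ("udp", 3386, 3386)],
    "h323-h225": [("tcp", 1720, 1720)], "h323-ras": [("udp", 1718, 1719)],
    "http": [("tcp", 80, 80)], "icmp": [("icmp", 0, 65535)],
    "ils": [("tcp", 389, 389)], "mgcp": [("udp", 2427, 2427), ("udp", 2727, 2727)],
    "netbios": [("udp", 137, 138)], "radius-acct": [("udp", 1646, 1646)],
    "rpc": [("udp", 111, 111)], "rsh": [("tcp", 514, 514)],
    "rtsp": [("tcp", 554, 554)], "sip": [("tcp", 5060, 5060), ("udp", 5060, 5060)],
    "skinny": [("tcp", 2000, 2000)], "smtp": [("tcp", 25, 25)],
    "sqlnet": [("tcp", 1521, 1521)], "tftp": [("udp", 69, 69)],
    "waas": [("tcp", 1, 65535)], "xdmcp": [("udp", 177, 177)],
}

@dataclass(frozen=True)
class Flow:
    l4: str      # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)

@dataclass(frozen=True)
class ClassMap:
    name: str
    kind: str         # "port", "default-inspection-traffic" or "any"
    l4: str = ""      # used when kind == "port"
    port: int = 0     # used when kind == "port"

@dataclass(frozen=True)
class Action:
    feature: str   # MPF feature type: "inspect" or "connection"
    detail: str    # engine name for inspect (e.g. "http"), else the setting

def _in_default_ports(engine, flow):
    return any(l4 == flow.l4 and lo <= flow.dport <= hi
               for l4, lo, hi in DEFAULT_INSPECTION_PORTS.get(engine, []))

def class_matches(cmap, flow, action):
    """Does the flow match this class map for this particular action?"""
    if cmap.kind == "any":
        return True
    if cmap.kind == "port":
        return cmap.l4 == flow.l4 and cmap.port == flow.dport
    if cmap.kind == "default-inspection-traffic":
        if action.feature == "inspect":
            return _in_default_ports(action.detail, flow)  # that engine's port only
        return any(_in_default_ports(e, flow) for e in DEFAULT_INSPECTION_PORTS)
    raise ValueError(f"unknown match type {cmap.kind}")

def apply_policy(policy, flow):
    """Walk the policy map in order; return {feature: (class, detail)} for the
    actions that fire. Each feature type fires for at most one class map."""
    fired = {}
    for cmap, actions in policy:
        for act in actions:
            if act.feature in fired:
                continue  # feature type already claimed by an earlier class map
            if class_matches(cmap, flow, act):
                fired[act.feature] = (cmap.name, act.detail)
    return fired

# Query 1: inspection in one class map, connection settings in another.
OUTSIDE_POLICY = [
    (ClassMap("inspection_default", "default-inspection-traffic"),
     [Action("inspect", "http"), Action("inspect", "sip")]),
    (ClassMap("http_traffic", "port", "tcp", 80),
     [Action("connection", "timeout tcp 0:10:0")]),
]
# A later class map (assumed name) that also inspects HTTP never fires.
DOUBLE_INSPECT_POLICY = OUTSIDE_POLICY + [
    (ClassMap("http_again", "port", "tcp", 80), [Action("inspect", "http")]),
]
# Query 2: `inspect im` under default-inspection-traffic versus an explicit
# port match; tcp/5050 is assumed here as Yahoo Messenger's port.
IM_DEFAULT_POLICY = [
    (ClassMap("im_inspect_class_map", "default-inspection-traffic"),
     [Action("inspect", "im")]),
]
IM_PORT_POLICY = [(ClassMap("im_yahoo", "port", "tcp", 5050),
                   [Action("inspect", "im")])]

if __name__ == "__main__":
    web, yim = Flow("tcp", 80), Flow("tcp", 5050)
    print(apply_policy(OUTSIDE_POLICY, web))         # inspect http AND the timeout
    print(apply_policy(DOUBLE_INSPECT_POLICY, web))  # same result; http_again ignored
    print(apply_policy(IM_DEFAULT_POLICY, yim))      # {} -> IM is never inspected
    print(apply_policy(IM_PORT_POLICY, yim))         # {'inspect': ('im_yahoo', 'im')}
```

The first two runs answer Query 1: the tcp/80 flow is claimed by inspection_default for the inspection feature type and by http_traffic for the connection-settings feature type, and a third class map that tries to inspect HTTP again is skipped because that feature type is already taken. The last two runs answer Query 2: with no IM entry in the default-inspection-traffic table the inspect im action never matches, and the fix is a class map with an explicit match port for the IM service.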
