Hello, I have a few questions about this task, it seems there are multiple ways of doing it.
1. IM INSPECTION

The solution has an ACL to match the IM client IP address, then creates a class matching that ACL. This is what I used; would this be okay, or is it not doing what I think it is?

ASA(config)# class-map type inspect im match-all IM-YAHOO
ASA(config-cmap)# match protocol yahoo-im
ASA(config-cmap)# match peer-ip-address 10.1.1.86 255.255.255.255

Also, the task said to not allow any services, so I threw in:

ASA(config-cmap)# match service chat conf file game voi web

Then I added the inspect policy to the default class, because the IP address was already defined in the "peer-ip-address" argument. Will this work as expected?

ASA(config)# policy-map type inspect im INSPECT-IM
ASA(config-pmap)# class IM-YAHOO
ASA(config-pmap-c)# reset

ASA(config)# policy-map INSIDE
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# inspect im INSPECT-IM

The INSIDE policy is then applied to the inside interface.

2. HTTP INSPECTION TO ACS

My solution was a bit different, as I didn't create a class-map to match the "POST" method. What is this part for? Here is what I have:

ASA(config)# access-list HTTP-ACS permit tcp any host 10.1.1.100 eq 80
ASA(config)# class-map HTTP-ACS
ASA(config-cmap)# match access-list HTTP-ACS

ASA(config)# policy-map type inspect http INSPECT-ACS
ASA(config-pmap)# parameters
ASA(config-pmap-p)# spoof-server "Apache 1.1"
ASA(config-pmap-p)# protocol-violation action reset

ASA(config)# policy-map INSIDE
ASA(config-pmap)# class HTTP-ACS
ASA(config-pmap-c)# inspect http INSPECT-ACS

Also, I applied the policy to the inside interface since that is where the ACS is located; the DSG has it on the outside. Why is it on the outside? Please comment.

Thanks!
-B
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
