Bryan,

The first solution looks good. You can always do internet connection
sharing on the ACS to test it out.

There is nothing in the question that leads to not allowing POST. This is
what POST is.

9.5 POST

The POST method is used to request that the origin server accept the entity
enclosed in the request as a new subordinate of the resource identified by
the Request-URI in the Request-Line. POST is designed to allow a uniform
method to cover the following functions:

      - Annotation of existing resources;

      - Posting a message to a bulletin board, newsgroup, mailing list,
        or similar group of articles;

      - Providing a block of data, such as the result of submitting a
        form, to a data-handling process;

      - Extending a database through an append operation.

The actual function performed by the POST method is determined by the server
and is usually dependent on the Request-URI. The posted entity is
subordinate to that URI in the same way that a file is subordinate to a
directory containing it, a news article is subordinate to a newsgroup to
which it is posted, or a record is subordinate to a database.

The action performed by the POST method might not result in a resource that
can be identified by a URI. In this case, either 200 (OK) or 204 (No
Content) is the appropriate response status, depending on whether or not the
response includes an entity that describes the result.

I will add a bullet to cover it as I don't want to remove that part of the
solution as it is a good test. I will probably add something like "block a
remote website from submitting forms to ACS."

When working with the Security exam, get used to testing your solution.
Results are more important than how you configure it.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP

Technical Instructor - IPexpert, Inc.

Mailto: [email protected]

Telephone: +1.810.326.1444, ext. 208

Live Assistance, Please visit: www.ipexpert.com/chat

eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

From: [email protected]
[mailto:[email protected]] On Behalf Of B
Sent: Saturday, May 22, 2010 1:54 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Volume 1 Task 1.15 Application-Aware Inspection

Hello,

I have a few questions about this task; it seems there are multiple ways of
doing it.


1. IM INSPECTION

The solution has an ACL to match the IM client ip address, then creates a
class matching that ACL. This is what I used, would this be okay or is it
not doing what I think it is?

ASA(config)# class-map type inspect im match-all IM-YAHOO
ASA(config-cmap)# match protocol yahoo-im
ASA(config-cmap)# match peer-ip-address 10.1.1.86 255.255.255.255

Also, the task said to not allow any services, so I threw in:

ASA(config-cmap)# match service chat conf file game voi web

Then I added the inspect policy to the default class, because the IP address
was already defined in the "peer-ip-address" argument - will this work as
expected?

ASA(config)# policy-map type inspect im INSPECT-IM
ASA(config-pmap)# class IM-YAHOO
ASA(config-pmap-c)# reset

ASA(config)# policy-map INSIDE
ASA(config-pmap)# class class-default
ASA(config-pmap-c)# inspect im INSPECT-IM

The INSIDE policy is then applied to the inside interface.


2. HTTP INSPECTION TO ACS

My solution was a bit different as I didn't create a class-map to match the
"POST" method - what is this part for?

Here is what I have:

ASA(config)# access-list HTTP-ACS permit tcp any host 10.1.1.100 eq 80
ASA(config)# class-map HTTP-ACS
ASA(config-cmap)# match access-list HTTP-ACS

ASA(config)# policy-map type inspect http INSPECT-ACS
ASA(config-pmap)# parameters
ASA(config-pmap-p)# spoof-server "Apache 1.1"
ASA(config-pmap-p)# protocol-violation action reset

ASA(config)# policy-map INSIDE
ASA(config-pmap)# class HTTP-ACS
ASA(config-pmap-c)# inspect http INSPECT-ACS

Also, I applied the policy to the inside interface since that is where the
ACS is located - the DSG has it on the outside. Why is it on the outside?

Please comment. Thanks!

-B

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com