Sounds good. Thanks.

On Sat, May 22, 2010 at 5:36 PM, Tyson Scott <[email protected]> wrote:
> Bryan,
>
> The first solution looks good. You can always do internet connection
> sharing on the ACS to test it out.
>
> There is nothing in the question that leads to not allowing POST. This is
> what POST is.
>
> *9.5 POST*
>
> The POST method is used to request that the origin server accept the entity
> enclosed in the request as a new subordinate of the resource identified by
> the Request-URI in the Request-Line. POST is designed to allow a uniform
> method to cover the following functions:
>
> - Annotation of existing resources;
> - Posting a message to a bulletin board, newsgroup, mailing list,
>   or similar group of articles;
> - Providing a block of data, such as the result of submitting a
>   form, to a data-handling process;
> - Extending a database through an append operation.
>
> The actual function performed by the POST method is determined by the
> server and is usually dependent on the Request-URI. The posted entity is
> subordinate to that URI in the same way that a file is subordinate to a
> directory containing it, a news article is subordinate to a newsgroup to
> which it is posted, or a record is subordinate to a database.
>
> The action performed by the POST method might not result in a resource that
> can be identified by a URI. In this case, either 200 (OK) or 204 (No
> Content) is the appropriate response status, depending on whether or not the
> response includes an entity that describes the result.
>
> I will add a bullet to cover it as I don't want to remove that part of the
> solution as it is a good test. I will probably add something like "block a
> remote website from submitting forms to ACS."
>
> When working with the Security exam, get used to testing your solution.
> Results are more important than how you configure it.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* B
> *Sent:* Saturday, May 22, 2010 1:54 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] Volume 1 Task 1.15 Application-Aware Inspection
>
> Hello,
>
> I have a few questions about this task; it seems there are multiple ways of
> doing it.
>
> 1. IM INSPECTION
>
> The solution has an ACL to match the IM client IP address, then creates a
> class matching that ACL. This is what I used; would this be okay, or is it
> not doing what I think it is?
>
> ASA(config)# class-map type inspect im match-all IM-YAHOO
> ASA(config-cmap)# match protocol im-yahoo
> ASA(config-cmap)# match peer-ip-address 10.1.1.86 255.255.255.255
>
> Also, the task said to not allow any services, so I threw in:
>
> ASA(config-cmap)# match service chat conf file game voi web
>
> Then I added the inspect policy to the default class, because the IP
> address was already defined in the "peer-ip-address" argument - will this
> work as expected?
>
> ASA(config)# policy-map type inspect im INSPECT-IM
> ASA(config-pmap)# class IM-YAHOO
> ASA(config-pmap-c)# reset
>
> ASA(config)# policy-map INSIDE
> ASA(config-pmap)# class class-default
> ASA(config-pmap-c)# inspect im INSPECT-IM
>
> The INSIDE policy is then applied to the inside interface.
>
> 2. HTTP INSPECTION TO ACS
>
> My solution was a bit different as I didn't create a class-map to match the
> "POST" method - what is this part for?
>
> Here is what I have:
>
> ASA(config)# access-list HTTP-ACS permit tcp any host 10.1.1.100 eq 80
> ASA(config)# class-map HTTP-ACS
> ASA(config-cmap)# match access-list HTTP-ACS
>
> ASA(config)# policy-map type inspect http INSPECT-ACS
> ASA(config-pmap)# parameters
> ASA(config-pmap-p)# spoof-server "Apache 1.1"
> ASA(config-pmap-p)# protocol-violation action reset
>
> ASA(config)# policy-map INSIDE
> ASA(config-pmap)# class HTTP-ACS
> ASA(config-pmap-c)# inspect http INSPECT-ACS
>
> Also, I applied the policy to the inside interface since that is where the
> ACS is located - the DSG has it on the outside. Why is it on the outside?
>
> Please comment. Thanks!
>
> -B
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
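As an added example, not part of the thread or of the IPexpert workbook solution, here is the piece B's HTTP configuration leaves out: a Layer 7 class that matches the POST method and resets it, nested inside the same inspect policy, with the Layer 3/4 policy applied on the outside interface. This is one way to satisfy a requirement phrased as "block a remote website from submitting forms to ACS" while still spoofing the server banner and resetting protocol violations. The ACS address 10.1.1.100 and the names HTTP-ACS / INSPECT-ACS are B's; the class name HTTP-POST and the policy name OUTSIDE are my own, and the lab topology (ACS reachable from the outside interface) is assumed.

```cisco
! Added example, not from the thread. 10.1.1.100, HTTP-ACS and INSPECT-ACS
! reuse B's lab values; HTTP-POST and OUTSIDE are assumed names.

! Layer 7 class: HTTP requests whose method is POST (form submissions).
class-map type inspect http match-all HTTP-POST
 match request method post

! Layer 7 policy: global parameters first, then the per-class action.
! Any POST matched by HTTP-POST is reset and logged; everything else passes.
policy-map type inspect http INSPECT-ACS
 parameters
  spoof-server "Apache 1.1"
  protocol-violation action reset
 class HTTP-POST
  reset log

! Layer 3/4 class: TCP/80 to the ACS from any source.
access-list HTTP-ACS extended permit tcp any host 10.1.1.100 eq 80
class-map HTTP-ACS
 match access-list HTTP-ACS

! Layer 3/4 policy: hand HTTP-to-ACS flows to the inspect policy.
policy-map OUTSIDE
 class HTTP-ACS
  inspect http INSPECT-ACS

! Apply on the outside interface. Only HTTP that crosses that interface
! (i.e. from the remote website) is inspected; a client on the same
! inside segment as the ACS never traverses it and is not affected.
service-policy OUTSIDE interface outside
```

To follow Tyson's advice and test the result rather than the syntax, submit a form to the ACS from a host beyond the outside interface, then check that the POST counter under `show service-policy interface outside` increments and that a plain GET to the same page still succeeds.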
