Is moving it to the top not the reason for not removing the default? In the solution from the WB the default ftp inspection was put back.
Your solution below removes the default ftp inspection; the order of the inspection is then not important. Which one will be the more correct solution?

From: wale ogunyemi [mailto:[email protected]]
Sent: 27 December 2010 02:48 PM
To: Johan Bornman; OSL Security
Subject: Re: [OSL | CCIE_Security] Lab 11 Task 1.7

Hi Johan,

don't forget that you have to remove the inspect ftp from the class inspection-default, i.e.

config t
policy-map global_policy
 class inspection_default
  no inspect ftp
!

Then,

class-map CUSTOM_FTP
 match port tcp eq 21021
policy-map global_policy
 class CUSTOM_FTP
  inspect ftp

It's as good as doing PAM with ASA...

_____

From: Johan Bornman <[email protected]>
To: OSL Security <[email protected]>
Sent: Mon, December 27, 2010 1:27:59 PM
Subject: [OSL | CCIE_Security] Lab 11 Task 1.7

Hi,

Custom inspection is done on ftp, port 21021. The solution from the WB:

class-map CUSTOM_FTP
 match port tcp eq 21021
policy-map global_policy
 class CUSTOM_FTP
  inspect ftp

My question is about the ftp keyword under the global_policy.

1. How does the ASA know that the new custom ftp port must also include 21021?
2. Will the ftp keyword also include port 21?

Thanks
Johan
