Most likely, but ask the proctor.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto:  <mailto:[email protected]> [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit:  <http://www.ipexpert.com/chat>
www.ipexpert.com/chat
eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
<http://www.ipexpert.com/communities> www.ipexpert.com/communities and our
public website at  <http://www.ipexpert.com/> www.ipexpert.com

 

From: Pemasiri Devanarayana [mailto:[email protected]] 
Sent: Wednesday, February 09, 2011 12:14 PM
To: Mark Senteza
Cc: [email protected]; Tyson Scott; Kingsley Charles
Subject: Re: [OSL | CCIE_Security] Zone Base Firewall and NAT on ASA

 

Hi,

 

Thanks for all your inputs/feedback.

 

My first question again: let's say the question only asks to allow
outside users to access the web server via www.xxxx.com and inside users to
access it via http://x.x.x.x:80. For that we use the following:

 static (inside,outside) Nated_IP real_ip netmask 255.255.255.255 dns

 

So do we also need an ACL on the firewall to allow HTTP/HTTPS?

 access-list outside extended permit tcp any host <nated-ip> eq 80
 access-list outside extended permit tcp any host <nated-ip> eq 443

 

thanks

Pemasiri
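As an added example (not part of the thread), here is the complete set of ASA lines the scenario above needs: the static translation with DNS rewrite, plus the interface ACL and access-group, because on the ASA a NAT entry by itself never permits a connection arriving on a lower-security interface. The addresses, the object and ACL names, and the choice to show both the pre-8.3 and the 8.3+ syntax are my assumptions; the 8.3+ form is included because there the ACL must match the real address rather than the translated one.

```cisco
! Added example; 10.1.1.10 (real, inside) and 203.0.113.10 (mapped,
! outside) are placeholder addresses.

! ---------- ASA 8.2 and earlier ----------
! Static NAT with the "dns" keyword: A records in DNS replies that cross
! the ASA and contain 203.0.113.10 are rewritten to 10.1.1.10 for inside
! clients, so the same hostname works from both sides (DNS doctoring).
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
!
! The translation only builds the address mapping. Connections from the
! lower-security outside interface still need an ACL, written against the
! MAPPED address in 8.2, and bound to the interface with access-group.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https
access-group OUTSIDE_IN in interface outside
!
! The rewrite is performed by DNS application inspection, which is part
! of the default global policy; it must stay enabled for "dns" to work.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! ---------- ASA 8.3 and later (object NAT) ----------
object network WEB_SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 dns
!
! From 8.3 interface ACLs are written against REAL addresses, so the
! rule references the object (10.1.1.10), not 203.0.113.10.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq www
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq https
access-group OUTSIDE_IN in interface outside
```

To confirm which phase drops a connection, run packet-tracer with the packet as it arrives on the wire, for example `packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 80`; it reports the ACL and NAT phases separately, and `show xlate` shows whether the static mapping exists at all.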

On Wed, Feb 9, 2011 at 3:46 AM, Mark Senteza <[email protected]>
wrote:

1) Are you talking about port redirection? The question isn't too clear.

2) I would ask the proctor to confirm that question. You'd save yourself
crucial time.

3) I haven't come across such a scenario, but essentially that would mean
your design is only allowing inbound traffic and not outbound. But then
again, if that was the case, and you happened to be told to pass IP
traffic from outside to inside, just like you mentioned in your second
question, then you can safely assume (maybe not; others can clarify) that
you'd need to pass the same traffic in the reverse direction. It wouldn't be
pass IP, though, because in that case, if you are passing IP inbound and
outbound, you'd be defeating the whole purpose of the ZFW.

Mark
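As an added example (not part of Mark's reply or the original post), here is an IOS Zone-Based Firewall configuration that puts the two actions side by side: "inspect" for ordinary client traffic, where the return flow is allowed by the state table, and "pass" for a protocol the inspection engine cannot track, which then needs its own pass class in each direction. It also shows why the inside-to-outside zone-pair has to exist at all: traffic between two different security zones with no zone-pair policy is dropped. Zone names, interfaces, and the use of GRE as the pass example are my assumptions.

```cisco
! Added example; zone names, interfaces and the GRE case are placeholders.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE

! "inspect" is stateful: sessions opened INSIDE->OUTSIDE are tracked and
! their return packets are allowed without any OUTSIDE->INSIDE rule.
class-map type inspect match-any CM_INSPECT_IN_OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! "pass" is stateless and one-directional: GRE (IP protocol 47) has no
! inspection engine, so it must be passed explicitly in BOTH directions.
ip access-list extended ACL_GRE
 permit gre any any
class-map type inspect match-all CM_GRE
 match access-group name ACL_GRE
!
policy-map type inspect PM_IN_OUT
 class type inspect CM_GRE
  pass
 class type inspect CM_INSPECT_IN_OUT
  inspect
 class class-default
  drop log
!
policy-map type inspect PM_OUT_IN
 class type inspect CM_GRE
  pass
 class class-default
  drop log
!
! Without a zone-pair, traffic between two different zones is dropped,
! so INSIDE->OUTSIDE needs its own pair even if a task only talks about
! OUTSIDE->INSIDE.
zone-pair security ZP_IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_OUT
zone-pair security ZP_OUT_IN source OUTSIDE destination INSIDE
 service-policy type inspect PM_OUT_IN
```

The difference is visible at runtime: `show policy-map type inspect zone-pair sessions` lists the TCP/UDP/ICMP sessions created by "inspect", while GRE handled by "pass" creates no session entries, which is exactly why it needs a rule in the reverse direction.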

On Tue, Feb 8, 2011 at 3:26 PM, Pemasiri Devanarayana <[email protected]>
wrote:

Hi All,

 

I have the following questions and would appreciate your correct solutions
for how we handle these in the real lab exam.

 

1) If a question asks you to configure NAT to allow FTP/HTTP, or DNS
doctoring, etc., do we need to configure the firewall outside interface to
allow that traffic (HTTP/FTP/DNS, etc.) in addition to the NAT configuration
the question states?

 

2) In ZBF, if the question says traffic (any IP traffic) from zone x to zone
y should be allowed, how do we know whether it's the class-map with pass or
the class-map with inspect?

We know that pass will not allow return traffic and has no state table,
but how do we understand whether it should be configured for pass or
inspect?

 

3) Again in ZBF, if the question does not ask anything about inside to
outside, should we still inspect the traffic from inside to outside?

 

thanks

Pemasiri
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com