More info about this: tried to create a PAM and that's the message I get:
%Unable to add port-map entry. TCP or UDP protocol must be specified for user-defined applications
On Tue, Mar 1, 2011 at 11:24 AM, Bruno <[email protected]> wrote:
> I don't think your suggestion would work King.
> I think when you go under policy-map to attach a class-map you must have configured at least 1 INSPECT. A class-map with no inspect statement, when attached under policy-map, generates this:
> %No specific protocol configured in class test for inspection. All protocols will be inspected
>
> I don't know the answer for the question but would shoot that is not possible as King said
>
>
> On Tue, Mar 1, 2011 at 9:43 AM, Kingsley Charles <[email protected]> wrote:
>
>> BGP and RIP, which use TCP and UDP, can be inspected. But not sure if OSPF and EIGRP, which are directly encapsulated in IP, can be inspected using their protocol numbers.
>>
>> You can configure an access-list for ospf/eigrp and associate it to the class map for testing it.
>>
>> With regards
>> Kings
>>
>> On Tue, Mar 1, 2011 at 10:42 AM, Richard Chan <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> What is the best practice for allowing IGP traffic when self zones are configured in both directions?
>>>
>>> 1. Say you have self-Outside zone and Outside-self zone configured.
>>>
>>> 2. For IGPs like OSPF/RIP/EIGRP would you add a PASS action class to both zone-pairs? Or do you "inspect" one of them? I don't think of IGP peerings as "sessions" in the UDP/TCP sense.
>>>
>>> !---
>>> policy-map type inspect XXX-out-self
>>>  class type inspect IGP
>>>   pass
>>> !--- apply to Outside-self zone-pair
>>> !---
>>> policy-map type inspect XXX-self-out
>>>  class type inspect IGP
>>>   pass
>>> !--- apply to self-Outside zone-pair
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
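A worked IOS Zone-Based Firewall configuration of the approach discussed in the thread: the IGP class is built on an access-list, as Kings suggests, and given a PASS action in both self-zone pairs, as in Richard's sketch. This is an added example, not configuration from any of the thread's authors; the zone name OUTSIDE, the interface, and the ACL and policy names are assumptions.

```cisco
! Added example, not from the thread. OUTSIDE, GigabitEthernet0/0, IGP-ACL,
! OUT-SELF and SELF-OUT are assumed names.
!
! IGPs that ride directly on IP are matched by IP protocol number
! (OSPF = 89, EIGRP = 88); RIPv2 is UDP/520 so it can be matched by port.
ip access-list extended IGP-ACL
 permit ospf any any
 permit eigrp any any
 permit udp any any eq rip
!
class-map type inspect match-any IGP
 match access-group name IGP-ACL
!
! PASS is stateless: no session is created, so the return direction is not
! opened automatically. The same class therefore needs PASS in both policies.
policy-map type inspect OUT-SELF
 class type inspect IGP
  pass
!
policy-map type inspect SELF-OUT
 class type inspect IGP
  pass
!
zone security OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! One zone-pair per direction between the router's own self zone and OUTSIDE.
zone-pair security OUT-SELF source OUTSIDE destination self
 service-policy type inspect OUT-SELF
!
zone-pair security SELF-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUT
```

Anything not matched by the IGP class falls to class-default in these policies, so management traffic to the router (SSH, SNMP, and so on) must get its own class; confirm the class-default behaviour on your release with `show policy-map type inspect zone-pair` before relying on it.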
