ESP cannot be inspected. What did I say in the solution guide?

Regards,

Tyson Scott CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]

----- Reply message -----
From: "Andrew Wurster" <[email protected]>
Date: Sun, May 8, 2011 12:41 am
Subject: [OSL | CCIE_Security] ZBFW ESP inspection
To: "OSL Security" <[email protected]>

hey team - in one of the solution guides (lab 17), I saw mention of the *ipsec-msft* inspection (*match protocol ipsec-msft*). I believe that doesn't apply in the case of normal site-to-site and VPN traffic over ESP, and we have to "pass" ESP regardless (and consequently plan for its return with a mirror policy). I first thought this was for UDP 1701, which is the encapsulation for L2TP/IPsec. Is it for L2TP/IPsec, or for standard NAT-T on UDP 4500, or what?

Am I also correct in my understanding that things like ESP (*match protocol ipsec*), while it may be possible to inspect them on high-end routers like a 7600, cannot be inspected on the ISRs in the lab blueprint? Looking here...: http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1057374

thanks!
andrew
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
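The "pass ESP and mirror it" arrangement the thread describes, written out as an added IOS zone-based firewall example. This is not the lab solution guide's configuration or IPexpert's material; the zone, interface, ACL, class-map and policy-map names and the peer addresses are all assumptions. The scenario is an IPsec tunnel between two peers that transits the router between an INSIDE and an OUTSIDE zone: ISAKMP (UDP 500) and NAT-T (UDP 4500) are plain UDP and can be inspected, while ESP (IP protocol 50) carries no ports and no Layer 4 state, so it is passed in one zone-pair and passed again by a mirrored policy in the reverse zone-pair.

```ios
! Added example (not from the lab solution guide). Names and addresses
! below are assumptions: 10.1.1.1 is the inside peer, 203.0.113.5 the
! remote peer.
!
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! ESP (IP protocol 50) matched by ACL, one ACL per direction
ip access-list extended ESP-IN-OUT
 permit esp host 10.1.1.1 host 203.0.113.5
ip access-list extended ESP-OUT-IN
 permit esp host 203.0.113.5 host 10.1.1.1
!
! IKE (UDP 500) and NAT-T (UDP 4500): ordinary UDP, inspectable
ip access-list extended IKE-IN-OUT
 permit udp host 10.1.1.1 host 203.0.113.5 eq 500
 permit udp host 10.1.1.1 host 203.0.113.5 eq 4500
!
class-map type inspect match-all CM-IKE
 match access-group name IKE-IN-OUT
 match protocol udp
class-map type inspect match-all CM-ESP-IN-OUT
 match access-group name ESP-IN-OUT
class-map type inspect match-all CM-ESP-OUT-IN
 match access-group name ESP-OUT-IN
!
! Inside -> outside: inspect IKE/NAT-T (state is built, return traffic
! is allowed automatically); pass ESP (no state is built)
policy-map type inspect PM-IN-OUT
 class type inspect CM-IKE
  inspect
 class type inspect CM-ESP-IN-OUT
  pass
 class class-default
  drop
!
! Outside -> inside: the mirror policy. Because "pass" created no
! session for ESP, the reply direction must be passed explicitly here.
! IKE/NAT-T replies need nothing: the inspect above already covers them.
policy-map type inspect PM-OUT-IN
 class type inspect CM-ESP-OUT-IN
  pass
 class class-default
  drop
!
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN
```

To check the behaviour, `show policy-map type inspect zone-pair sessions` lists only the UDP 500/4500 sessions created by the inspect action; ESP never appears as a session, and its packets show up only in the pass counters of `show policy-map type inspect zone-pair`. Forgetting the second zone-pair's pass class is the usual failure: IKE completes, but returning ESP is dropped by class-default and the tunnel carries traffic in one direction only.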
