thanks yuri for the confirmation.

and to tyson - i think after reading back through my notes it was for
section 2.1 - setting up R4 as a ZBFW with different types of IPsec and SSL
tunnels to pass through it in the future section 4.x.  it is discussed
briefly in the solution VOD as well as mentioned in the solution guide.

i do not think adding the command invalidates the solution, but it was
something i had not seen before and *should* not get any matches without an
L2TP/IPsec deployment.  really it just kicked off a bunch of questions in my
head that i had to go research, which did help.

so either way, we got the points for correctness and i learned something
too.

happy mother's day!

andrew

On Sun, May 8, 2011 at 7:03 AM, Tyson Scott <[email protected]> wrote:

> ESP cannot be inspected.  What did I say in the solution guide?
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> [email protected]
>
>
>
> ----- Reply message -----
> From: "Andrew Wurster" <[email protected]>
> Date: Sun, May 8, 2011 12:41 am
> Subject: [OSL | CCIE_Security] ZBFW ESP inspection
> To: "OSL Security" <[email protected]>
>
> hey team -
>
> in one of the solution guides (lab 17), i saw mention of the
> *ipsec-msft* inspection (*match protocol ipsec-msft*).  i believe that doesn't apply in the case of
> normal site to site and VPN traffic over ESP and we have to "pass" ESP
> regardless (and consequently plan for its return with a mirror policy).
>
> i first thought this is for UDP 1701 which is the encapsulation for
> L2TP/IPsec.  is it for L2TP/IPsec, or for standard NAT-T on UDP 4500, or
> what?
>
> am i also correct in my understanding that things like ESP (*match protocol
> ipsec*), while it may be possible to inspect them on high-end routers like a
> 7600, cannot be inspected on the ISRs in the lab blueprint?
>
> looking here...:
>
> http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1057374
>
> thanks!
>
> andrew
>
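As an added illustration of the "pass ESP regardless, and mirror it for the return traffic" point discussed in this thread: the configuration below is example ZBFW configuration written for this discussion, not taken from the IPexpert solution guide or lab, and the zone, interface, ACL and policy names are assumptions. It passes the ESP, AH, IKE and NAT-T traffic that the inspect engine cannot track on both zone-pairs, while still inspecting (or dropping) everything else in the inside-to-outside direction.

```text
! Constructed example: R4 as a ZBFW between INSIDE and OUTSIDE zones.
! ESP (IP protocol 50) carries no transport-layer state the inspect engine
! can track, so it is passed rather than inspected. pass is stateless and
! one-directional, which is why the same class is applied on the mirror zone-pair.
ip access-list extended ACL-IPSEC-PASS
 remark ESP and AH, plus IKE (UDP 500) and NAT-T (UDP 4500)
 permit esp any any
 permit ahp any any
 permit udp any any eq 500
 permit udp any any eq 4500

class-map type inspect match-all CM-IPSEC-PASS
 match access-group name ACL-IPSEC-PASS

! Inspectable inside-to-outside traffic; adjust to the lab requirements.
class-map type inspect match-any CM-INSIDE-INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect PM-IN-OUT
 class type inspect CM-IPSEC-PASS
  pass
 class type inspect CM-INSIDE-INSPECT
  inspect
 class class-default
  drop log

! Mirror policy: returning ESP/IKE must also be passed explicitly, because
! pass creates no session entry covering the reverse direction.
policy-map type inspect PM-OUT-IN
 class type inspect CM-IPSEC-PASS
  pass
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN

interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

The `drop log` on class-default is what makes a missing mirror entry visible: dropped return ESP shows up in the log rather than as a silently dead tunnel.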