Hi guys, I'd like to clear my doubts on ZBF.

A practice question like: configure a zone policy coming in from the Internet to the DMZ as follows:
1) allow web access to a server 192.1.1.100 located in the DMZ zone
2) allow SMTP access to a server 192.1.1.200 located in the DMZ zone

Will the config be (a) or (b)?

(a)
    access-list 124 permit tcp any host 192.1.1.100 eq 80
    access-list 124 permit tcp any host 192.1.1.200 eq 25
    class-map type inspect C-I-D
     match access-group 124
    policy-map type inspect P-I-D
     class type inspect C-I-D
      inspect

OR

(b)
    access-list 121 permit tcp any host 192.1.1.100 eq 80
    access-list 122 permit tcp any host 192.1.1.200 eq 25
    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
     match protocol smtp        ------> why do we still need to mention SMTP?
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121
     match protocol http        ------> why do we still need to mention http?
    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

My main doubt for (b) is why we need "match protocol smtp", since the question never mentioned layer 7 inspection. I would expect the access-list to be sufficient to define the traffic as HTTP traffic already? Or do we need both the ACL and the protocol to make it complete? Appreciate your effort to enlighten me. Thanks in advance.

Regards
KY
