Option A is simple and will work.
Option B can be configured in either of two ways:

    access-list 121 permit ip any host 192.1.1.100
    access-list 122 permit ip any host 192.1.1.200

    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
     match protocol smtp
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121
     match protocol http

    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

or

    access-list 121 permit tcp any host 192.1.1.100 eq 80
    access-list 122 permit tcp any host 192.1.1.200 eq 25

    class-map type inspect match-all CM-I-D-SMTP
     match access-group 122
    class-map type inspect match-all CM-I-D-WEB
     match access-group 121

    policy-map type inspect PM-I-D
     class type inspect CM-I-D-WEB
      inspect
     class type inspect CM-I-D-SMTP
      inspect

With regards,
Kings

On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
> Hi guys,
>
> I'd like to clear my doubts on ZBF.
>
> A practice question like: configure a zone policy coming in from the internet to
> the DMZ as follows:
> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
> 2) allow SMTP access to server 192.1.1.200 located in the DMZ zone
>
> Will the config be (a) or (b)?
>
> (a)
> access-list 124 permit tcp any host 192.1.1.100 eq 80
> access-list 124 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect C-I-D
>  match access-group 124
>
> policy-map type inspect P-I-D
>  class type inspect C-I-D
>   inspect
>
> OR
>
> ----------------------------------------------------------------------------------------------------------
>
> (b)
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp ------> why do we still need to mention SMTP?
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http ------> why do we still need to mention HTTP?
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> ----------------------------------------------------------------------------------------------------------
>
> My main doubt for (b) is why we need "match protocol smtp", since it
> never mentioned layer 7 inspection. I would expect the access-list is
> sufficient to define the traffic as HTTP traffic already? Or do we need both
> the ACL and the protocol to make it complete?
>
> Appreciate your effort to enlighten me. Thanks in advance.
>
> Regards,
> KY
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
