Hi, thanks for your input. For the example of SMTP, based on your explanation, there isn't a need to "match protocol smtp" then? Since the access-list already mentions port 25, which also means matching the SMTP protocol from the access-list?

My main doubt was whether I need to specify "match protocol xxx" since I've already kind of mentioned it in the ACL with "access-list 122 permit tcp any host 192.1.1.200 eq 25".

Thanks in advance.
Regards,
KY

On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <[email protected]> wrote:

> Option A is simple and will work.
>
> Option B can be configured as follows in either of two ways:
>
> access-list 121 permit ip any host 192.1.1.100
> access-list 122 permit ip any host 192.1.1.200
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> or
>
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
>
>> Hi guys,
>>
>> I'd like to clear my doubts on ZBF.
>>
>> A practice question like: configure zone policy coming in from internet to
>> DMZ as follows:
>> 1) allow web access to a server 192.1.1.100 located on the DMZ zone
>> 2) allow smtp access to server 192.1.1.200 located in the DMZ zone
>>
>> Will the config be (a) or (b):
>>
>> (a)
>> access-list 124 permit tcp any host 192.1.1.100 eq 80
>> access-list 124 permit tcp any host 192.1.1.200 eq 25
>>
>> class-map type inspect C-I-D
>>  match access-group 124
>>
>> policy-map type inspect P-I-D
>>  class type inspect C-I-D
>>   inspect
>>
>> OR
>>
>> ----------------------------------------------------------------------------------------------------------
>>
>> (b)
>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>
>> class-map type inspect match-all CM-I-D-SMTP
>>  match access-group 122
>>  match protocol smtp ------> why do we still need to mention SMTP?
>> class-map type inspect match-all CM-I-D-WEB
>>  match access-group 121
>>  match protocol http ------> why do we still need to mention http?
>>
>> policy-map type inspect PM-I-D
>>  class type inspect CM-I-D-WEB
>>   inspect
>>  class type inspect CM-I-D-SMTP
>>   inspect
>>
>> ----------------------------------------------------------------------------------------------------------
>>
>> My main doubt for (b) is why we need "match protocol smtp", since it
>> never mentioned layer 7 inspection. I would expect the access-list is
>> sufficient to define the traffic as http traffic already? Or do we need both
>> the ACL and the protocol to make it complete?
>>
>> Appreciate your effort to enlighten me. Thanks in advance.
>>
>> Regards,
>> KY
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
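As an added illustration, not part of the thread and not either poster's configuration, here are the two forms Kingsley describes written out as one complete zone-based firewall configuration, including the zone, interface and zone-pair binding that the thread never shows (a class-map and policy-map do nothing until a zone-pair applies them) and the show commands used to verify it. The zone names INTERNET and DMZ, the interface names, and the "-L7" class-map names are assumptions; the ACL numbers, server addresses and the other class-map and policy-map names are the thread's own. The comments state what changes when "match protocol" is added to a match-all class: the ACL alone selects the traffic at layer 3/4 and gives generic TCP stateful inspection, while adding "match protocol smtp" or "match protocol http" also selects the application-aware inspection engine for that protocol.

```cisco
! Added example (not from the thread). Zone names, interface names and
! the "-L7" class-map names are assumed.
zone security INTERNET
zone security DMZ
!
interface GigabitEthernet0/0
 description Outside (assumed interface)
 zone-member security INTERNET
!
interface GigabitEthernet0/1
 description DMZ (assumed interface)
 zone-member security DMZ
!
! Layer 3/4 selection: which source may reach which server on which port.
access-list 121 permit tcp any host 192.1.1.100 eq 80
access-list 122 permit tcp any host 192.1.1.200 eq 25
!
! Form 1 (ACL only, Kingsley's second variant): generic TCP stateful
! inspection of whatever the ACL permits. The firewall tracks the TCP
! session state but does not parse HTTP or SMTP itself.
class-map type inspect match-all CM-I-D-WEB
 match access-group 121
class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
!
! Form 2 (ACL + protocol, Kingsley's first variant): match-all means
! BOTH lines must match. "match protocol" classifies the flow by the
! protocol's port map (port 25 / 80 by default) and applies the
! protocol-specific inspection engine, which understands SMTP commands
! and HTTP messages, instead of generic TCP session tracking.
class-map type inspect match-all CM-I-D-WEB-L7
 match access-group 121
 match protocol http
class-map type inspect match-all CM-I-D-SMTP-L7
 match access-group 122
 match protocol smtp
!
! One policy-map; use whichever class-maps you chose above.
! Traffic that matches no class hits class-default, which drops.
policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB-L7
  inspect
 class type inspect CM-I-D-SMTP-L7
  inspect
 class class-default
  drop log
!
! Nothing above takes effect until the policy is bound to a zone-pair.
zone-pair security INTERNET-TO-DMZ source INTERNET destination DMZ
 service-policy type inspect PM-I-D
!
! Verification (privileged EXEC):
! show class-map type inspect
! show policy-map type inspect zone-pair INTERNET-TO-DMZ sessions
```

Either form answers the practice question; the practical difference is what the "inspect" action does with the session once it is allowed. With the ACL-only class it is a generic TCP session entry; with "match protocol" the SMTP or HTTP inspection engine is applied to that session, which is also what a later layer 7 policy (a "class-map type inspect http" or "smtp") would hook into. Whichever you pick, the show commands above confirm that the class-map is being hit and that sessions are actually being created on the zone-pair.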
