If you are matching the protocol in the access-list, then you need not specify "match protocol xxx".
With regards
Kings

On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:
> Hi, thanks for your input.
>
> For the example of SMTP, based on your explanation, there is no need for
> "match protocol smtp" then? Since the access-list already mentions port 25,
> which also means matching the SMTP protocol from the access-list?
>
> My main doubt was whether I need to specify "match protocol xxx" since I've
> already kind of mentioned it in the ACL with "access-list 122 permit tcp any
> host 192.1.1.200 eq 25".
>
> Thanks in advance.
>
> Regards,
> KY
>
> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <[email protected]> wrote:
>
>> Option A is simple and will work.
>>
>> Option B can be configured in either of two ways:
>>
>> access-list 121 permit ip any host 192.1.1.100
>> access-list 122 permit ip any host 192.1.1.200
>>
>> class-map type inspect match-all CM-I-D-SMTP
>>  match access-group 122
>>  match protocol smtp
>>
>> class-map type inspect match-all CM-I-D-WEB
>>  match access-group 121
>>  match protocol http
>>
>> policy-map type inspect PM-I-D
>>  class type inspect CM-I-D-WEB
>>   inspect
>>  class type inspect CM-I-D-SMTP
>>   inspect
>>
>> or
>>
>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>
>> class-map type inspect match-all CM-I-D-SMTP
>>  match access-group 122
>> class-map type inspect match-all CM-I-D-WEB
>>  match access-group 121
>>
>> policy-map type inspect PM-I-D
>>  class type inspect CM-I-D-WEB
>>   inspect
>>  class type inspect CM-I-D-SMTP
>>   inspect
>>
>> With regards
>> Kings
>>
>> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
>>
>>> Hi guys,
>>>
>>> I'd like to clear my doubts on ZBF.
>>>
>>> A practice question like: configure a zone policy coming in from the Internet
>>> to the DMZ as follows:
>>> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
>>> 2) allow SMTP access to server 192.1.1.200 located in the DMZ zone
>>>
>>> Will the config be (a) or (b)?
>>>
>>> (a)
>>> access-list 124 permit tcp any host 192.1.1.100 eq 80
>>> access-list 124 permit tcp any host 192.1.1.200 eq 25
>>>
>>> class-map type inspect C-I-D
>>>  match access-group 124
>>>
>>> policy-map type inspect P-I-D
>>>  class type inspect C-I-D
>>>   inspect
>>>
>>> OR
>>>
>>> ----------------------------------------------------------------------------------------------------------
>>>
>>> (b)
>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>
>>> class-map type inspect match-all CM-I-D-SMTP
>>>  match access-group 122
>>>  match protocol smtp ------> why do we still need to mention SMTP?
>>> class-map type inspect match-all CM-I-D-WEB
>>>  match access-group 121
>>>  match protocol http ------> why do we still need to mention HTTP?
>>>
>>> policy-map type inspect PM-I-D
>>>  class type inspect CM-I-D-WEB
>>>   inspect
>>>  class type inspect CM-I-D-SMTP
>>>   inspect
>>>
>>> ----------------------------------------------------------------------------------------------------------
>>>
>>> My main doubt for (b) is why we need "match protocol smtp", since it never
>>> mentioned layer 7 inspection. I would expect the access-list to be
>>> sufficient to define the traffic as HTTP traffic already? Or do we need both
>>> the ACL and the protocol to make it complete?
>>>
>>> Appreciate your effort to enlighten me. Thanks in advance.
>>>
>>> Regards,
>>> KY
>>>
>>
>>
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
