If you are matching the protocol in the access-list, then you need not
specify "match protocol xxx".


With regards
Kings

On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:

> hi, thanks for your input,
>
> For example, with smtp, based on your explanation, there is no need for "match
> protocol smtp" then? Since the access-list already mentions port 25,
> which also means matching the smtp protocol from the access-list?
>
> My main doubt was: do I need to specify "match protocol xxx" since I've
> already kind of mentioned it in the ACL with "access-list 122 permit tcp any
> host 192.1.1.200 eq 25"?
>
>
> thanks in advance
>
> regards
> KY
>
> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> Option A is simple and will work.
>>
>>
>> Option B can be configured as following in either of two ways:
>>
>> access-list 121 permit ip any host 192.1.1.100
>> access-list 122 permit ip any host 192.1.1.200
>>
>>
>> class-map type inspect match-all CM-I-D-SMTP
>>  match access-group 122
>>  match protocol smtp
>>
>> class-map type inspect match-all CM-I-D-WEB
>>  match access-group 121
>>  match protocol http
>>
>> policy-map type inspect PM-I-D
>>  class type inspect CM-I-D-WEB
>>   inspect
>>  class type inspect CM-I-D-SMTP
>>   inspect
>>
>> or
>>
>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>
>> class-map type inspect match-all CM-I-D-SMTP
>>  match access-group 122
>> class-map type inspect match-all CM-I-D-WEB
>>  match access-group 121
>>
>>
>> policy-map type inspect PM-I-D
>>  class type inspect CM-I-D-WEB
>>   inspect
>>  class type inspect CM-I-D-SMTP
>>   inspect
>>
>>
>> With regards
>> Kings
>>
>> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
>>
>>> hi Guys
>>>
>>> I'd like to clear my doubts on ZBF.
>>>
>>> A practice question like: configure a zone policy coming in from the internet
>>> to the DMZ as follows:
>>> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
>>> 2) allow smtp access to a server 192.1.1.200 located in the DMZ zone
>>>
>>> will the config be (a) or (b) :
>>> (a) access-list 124 permit tcp any host 192.1.1.100 eq 80
>>> access-list 124 permit tcp any host 192.1.1.200 eq 25
>>>
>>> class-map type inspect C-I-D
>>>  match access-group 124
>>>
>>> policy-map type inspect P-I-D
>>>  class type inspect C-I-D
>>>   inspect
>>>
>>>
>>> OR
>>>
>>>
>>> ----------------------------------------------------------------------------------------------------------
>>>
>>> (b)
>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>
>>>
>>> class-map type inspect match-all CM-I-D-SMTP
>>>  match access-group 122
>>>  match protocol smtp ------>  why do we still need to mention SMTP ?
>>> class-map type inspect match-all CM-I-D-WEB
>>>  match access-group 121
>>>  match protocol http ------>  why do we still need to mention http ?
>>>
>>> policy-map type inspect PM-I-D
>>>  class type inspect CM-I-D-WEB
>>>   inspect
>>>  class type inspect CM-I-D-SMTP
>>>   inspect
>>>
>>>
>>> ----------------------------------------------------------------------------------------------------------
>>>
>>> My main doubt for (b) is why we need "match protocol smtp", since it
>>> never mentioned layer 7 inspection. I would expect the access-list to be
>>> sufficient to define the traffic as http traffic already? Or do we need both
>>> the acl and the protocol to make it complete?
>>>
>>> I appreciate your effort to enlighten me. Thanks in advance.
>>>
>>> regards
>>> KY
>>>
>>>
>>
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
