Keep in mind that ZBF requires at least one match protocol statement on class-maps. With that said, some of the options you mentioned will not work.
On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles <[email protected]> wrote:

> If you are matching the protocol in the access-list, then you need not
> specify "match protocol xxx".
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:
>
>> Hi, thanks for your input.
>>
>> For example, with SMTP, based on your explanation there is no need to
>> "match protocol smtp" then? Since the access-list already mentions port 25,
>> which also means matching the SMTP protocol from the access-list?
>>
>> My main doubt was whether I need to specify "match protocol xxx" since
>> I've already kind of mentioned it in the ACL with "access-list 122 permit tcp
>> any host 192.1.1.200 eq 25".
>>
>> Thanks in advance
>>
>> Regards
>> KY
>>
>> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Option A is simple and will work.
>>>
>>> Option B can be configured in either of two ways:
>>>
>>> access-list 121 permit ip any host 192.1.1.100
>>> access-list 122 permit ip any host 192.1.1.200
>>>
>>> class-map type inspect match-all CM-I-D-SMTP
>>>  match access-group 122
>>>  match protocol smtp
>>>
>>> class-map type inspect match-all CM-I-D-WEB
>>>  match access-group 121
>>>  match protocol http
>>>
>>> policy-map type inspect PM-I-D
>>>  class type inspect CM-I-D-WEB
>>>   inspect
>>>  class type inspect CM-I-D-SMTP
>>>   inspect
>>>
>>> or
>>>
>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>
>>> class-map type inspect match-all CM-I-D-SMTP
>>>  match access-group 122
>>> class-map type inspect match-all CM-I-D-WEB
>>>  match access-group 121
>>>
>>> policy-map type inspect PM-I-D
>>>  class type inspect CM-I-D-WEB
>>>   inspect
>>>  class type inspect CM-I-D-SMTP
>>>   inspect
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
>>>
>>>> Hi Guys,
>>>>
>>>> I'd like to clear up my doubts on ZBF.
>>>>
>>>> A practice question like: configure zone policy coming in from the Internet
>>>> to the DMZ as follows:
>>>> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
>>>> 2) allow SMTP access to server 192.1.1.200 located in the DMZ zone
>>>>
>>>> Will the config be (a) or (b)?
>>>>
>>>> (a)
>>>> access-list 124 permit tcp any host 192.1.1.100 eq 80
>>>> access-list 124 permit tcp any host 192.1.1.200 eq 25
>>>>
>>>> class-map type inspect C-I-D
>>>>  match access-group 124
>>>>
>>>> policy-map type inspect P-I-D
>>>>  class type inspect C-I-D
>>>>   inspect
>>>>
>>>> OR
>>>>
>>>> ----------------------------------------------------------------------------------------------------------
>>>>
>>>> (b)
>>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>>
>>>> class-map type inspect match-all CM-I-D-SMTP
>>>>  match access-group 122
>>>>  match protocol smtp ------> why do we still need to mention SMTP?
>>>> class-map type inspect match-all CM-I-D-WEB
>>>>  match access-group 121
>>>>  match protocol http ------> why do we still need to mention HTTP?
>>>>
>>>> policy-map type inspect PM-I-D
>>>>  class type inspect CM-I-D-WEB
>>>>   inspect
>>>>  class type inspect CM-I-D-SMTP
>>>>   inspect
>>>>
>>>> ----------------------------------------------------------------------------------------------------------
>>>>
>>>> My main doubt for (b) is why we need "match protocol smtp", since it
>>>> never mentioned layer 7 inspection. I would expect the access-list to be
>>>> sufficient to define the traffic as HTTP traffic already? Or do we need both
>>>> the ACL and the protocol to make it complete?
>>>>
>>>> Appreciate your effort to enlighten me.
>>>>
>>>> Thanks in advance
>>>>
>>>> Regards
>>>> KY
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
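None of the snippets in the thread show the parts of a ZBF deployment that actually make the policy take effect: the zones, the interface membership, and the zone-pair that binds the inspect policy to a direction. The following is an added example for the practice question, not a configuration posted by anyone in the thread. It uses Kingsley's first variant (a host-only ACL ANDed with `match protocol` in a match-all class). The server addresses and the class-map and policy-map names are taken from the thread; the interface names, zone names, named ACLs and zone-pair name are assumptions chosen for the example.

```ios
! ---- Zones and interface membership (interface names are assumed) ----
zone security INTERNET
zone security DMZ
!
interface GigabitEthernet0/0
 description to Internet (assumed)
 zone-member security INTERNET
!
interface GigabitEthernet0/1
 description to DMZ (assumed)
 zone-member security DMZ
!
! ---- Traffic selectors: which hosts (ACL) and which application (match protocol) ----
! Named ACLs are an assumption; numbered ACLs 121/122 from the thread work the same way.
ip access-list extended ACL-WEB-SERVER
 permit ip any host 192.1.1.100
ip access-list extended ACL-SMTP-SERVER
 permit ip any host 192.1.1.200
!
! match-all: a packet must hit the ACL AND be classified as the protocol.
class-map type inspect match-all CM-I-D-WEB
 match access-group name ACL-WEB-SERVER
 match protocol http
class-map type inspect match-all CM-I-D-SMTP
 match access-group name ACL-SMTP-SERVER
 match protocol smtp
!
! ---- Policy: inspect the two permitted flows, drop and log everything else ----
policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
 class type inspect CM-I-D-SMTP
  inspect
 class class-default
  drop log
!
! ---- Zone-pair: the policy only applies in this direction ----
zone-pair security INTERNET-TO-DMZ source INTERNET destination DMZ
 service-policy type inspect PM-I-D
```

Two points worth checking on a lab box. First, the zone-pair is one-directional: `inspect` creates state so that return traffic for sessions opened from INTERNET is allowed back, but DMZ-initiated traffic toward INTERNET needs its own zone-pair, and traffic between a zone member and an interface that is in no zone is dropped. Second, because the classes are `match-all`, a packet to 192.1.1.100 on a port other than 80 matches the ACL but not `match protocol http`, falls into `class-default` and is dropped; `show policy-map type inspect zone-pair INTERNET-TO-DMZ sessions` shows which class each live session landed in, and `show zone-pair security` confirms the policy is bound.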
