hi Bruno

you are saying ZBF requires:
1) at least "1 match statement" in class-map type inspect? OR
2) at least "1 match *protocol* statement" in class-map type inspect?

if it's (2), that means if I only have "match access-group 122" on a
class-map type inspect command, this will not work? and I need to have both
"match access-group 122" AND "match protocol smtp" on a class-map type
inspect command for it to work?

appreciate any response to clear my doubt.

thanks
KY



On Tue, May 17, 2011 at 6:00 PM, Bruno <[email protected]> wrote:

> Keep in mind that ZBF requires at least one match protocol statement on
> class-maps.
> With that said, some of the options you mentioned will not work.
>
>
> On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles <
> [email protected]> wrote:
>
>> If you are matching the protocol in the access-list, then you need not
>> specify "match protocol xxx".
>>
>>
>> With regards
>> Kings
>>
>>
>> On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:
>>
>>> hi, thanks for your input,
>>>
>>> for the example of smtp, based on your explanation, there isn't a need to
>>> "match protocol smtp" then? since the access-list already mentions
>>> port 25, which also means matching the smtp protocol from the access-list?
>>>
>>> my main doubt was whether I need to specify "match protocol xxx" since
>>> I've already kind of mentioned it in the ACL with "access-list 122 permit tcp
>>> any host 192.1.1.200 eq 25"
>>>
>>>
>>> thanks in advance
>>>
>>> regards
>>> KY
>>>
>>> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <
>>> [email protected]> wrote:
>>>
>>>> Option A is simple and will work.
>>>>
>>>>
>>>> Option B can be configured as following in either of two ways:
>>>>
>>>> access-list 121 permit ip any host 192.1.1.100
>>>> access-list 122 permit ip any host 192.1.1.200
>>>>
>>>>
>>>> class-map type inspect match-all CM-I-D-SMTP
>>>>  match access-group 122
>>>>  match protocol smtp
>>>>
>>>> class-map type inspect match-all CM-I-D-WEB
>>>>  match access-group 121
>>>>  match protocol http
>>>>
>>>> policy-map type inspect PM-I-D
>>>>  class type inspect CM-I-D-WEB
>>>>   inspect
>>>>  class type inspect CM-I-D-SMTP
>>>>   inspect
>>>>
>>>> or
>>>>
>>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>>
>>>> class-map type inspect match-all CM-I-D-SMTP
>>>>  match access-group 122
>>>> class-map type inspect match-all CM-I-D-WEB
>>>>  match access-group 121
>>>>
>>>>
>>>> policy-map type inspect PM-I-D
>>>>  class type inspect CM-I-D-WEB
>>>>   inspect
>>>>  class type inspect CM-I-D-SMTP
>>>>   inspect
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG
>>>> <[email protected]> wrote:
>>>>
>>>>> hi Guys
>>>>>
>>>>> I'd like to clear my doubts on ZBF.
>>>>>
>>>>> a practice question like: configure a zone policy coming in from the internet
>>>>> to the DMZ as follows:
>>>>> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
>>>>> 2) allow smtp access to server 192.1.1.200 located in the DMZ zone
>>>>>
>>>>> will the config be (a) or (b) :
>>>>> (a) access-list 124 permit tcp any host 192.1.1.100 eq 80
>>>>> access-list 124 permit tcp any host 192.1.1.200 eq 25
>>>>>
>>>>> class-map type inspect C-I-D
>>>>> match access-group 124
>>>>>
>>>>> policy-map type inspect P-I-D
>>>>> class type C-I-D
>>>>> inspect
>>>>>
>>>>>
>>>>> OR
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>>
>>>>> (b)
>>>>> access-list 121 permit tcp any host 192.1.1.100 eq 80
>>>>> access-list 122 permit tcp any host 192.1.1.200 eq 25
>>>>>
>>>>>
>>>>> class-map type inspect match-all CM-I-D-SMTP
>>>>>  match access-group 122
>>>>>  match protocol smtp ------>  why do we still need to mention SMTP ?
>>>>> class-map type inspect match-all CM-I-D-WEB
>>>>>  match access-group 121
>>>>>  match protocol http ------>  why do we still need to mention http ?
>>>>>
>>>>> policy-map type inspect PM-I-D
>>>>>  class type inspect CM-I-D-WEB
>>>>>   inspect
>>>>>  class type inspect CM-I-D-SMTP
>>>>>   inspect
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------------------------------------------
>>>>>
>>>>> my main doubt for (b) is why we need "match protocol smtp", since it
>>>>> never mentioned layer 7 inspection.  I would expect the access-list is
>>>>> sufficient to define the traffic as http traffic already?  or do we need
>>>>> both the acl and the protocol to make it complete?
>>>>>
>>>>> appreciate your effort to enlighten me..  thanks in advance
>>>>>
>>>>> regards
>>>>> KY
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
>>>>>
>>>>
>>>>
>>>
>>
>>
>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>

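An added example, not part of the thread: a small audit script that applies the rule Bruno states (every inspect class-map should carry at least one "match protocol", not only "match access-group") to an IOS-style config and reports the ACL-only class-maps together with the ACL entries they reference. The sample config is constructed from option (b) above with CM-I-D-WEB left ACL-only; whether IOS actually enforces the rule is the thread's open question, so the script only reports it.

```python
# Added example (not from the thread): flag 'class-map type inspect' blocks
# that match only on an access-group and carry no 'match protocol' line.
import re

# Constructed sample: option (b) from the thread, CM-I-D-WEB left ACL-only.
SAMPLE_CONFIG = """\
access-list 121 permit tcp any host 192.1.1.100 eq 80
access-list 122 permit tcp any host 192.1.1.200 eq 25
class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
 match protocol smtp
class-map type inspect match-all CM-I-D-WEB
 match access-group 121
policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
"""

CLASS_RE = re.compile(r"^class-map type inspect(?: (match-all|match-any))? (\S+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) \S+ host (\S+)(?: eq (\S+))?$")

def parse_inspect_classes(config):
    """Return {name: {'mode': ..., 'acls': [...], 'protocols': [...]}}."""
    classes, current = {}, None
    for line in config.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"mode": m.group(1) or "match-all", "acls": [], "protocols": []}
            classes[m.group(2)] = current
        elif not line.startswith(" "):   # another top-level command ends the block
            current = None
        elif current is not None:
            words = line.split()
            if words[:2] == ["match", "access-group"]:
                current["acls"].append(words[2])
            elif words[:2] == ["match", "protocol"]:
                current["protocols"].append(words[2])
    return classes

def parse_acls(config):
    """Map ACL number -> list of (ip-proto, dest-host, dest-port or None)."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    return acls

def acl_only_classes(config):
    """Names of inspect class-maps that reference an ACL but have no 'match protocol'."""
    classes = parse_inspect_classes(config)
    return sorted(n for n, c in classes.items() if c["acls"] and not c["protocols"])
```

Running `acl_only_classes(SAMPLE_CONFIG)` reports CM-I-D-WEB, and `parse_acls(SAMPLE_CONFIG)["121"]` shows the tcp/80 entry that class relies on for its protocol match.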