My understanding is that a "match protocol" statement is not required; however, 
if you do not match any traffic using NBAR and you only match it in your ACL, 
it will still work as expected but it will throw a warning when configured (and 
at boot) that "no protocol was specified, so all protocols will be inspected".

From: [email protected] 
[mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, May 17, 2011 7:11 AM
To: Bruno
Cc: Kok Yong CHEONG; [email protected]
Subject: Re: [OSL | CCIE_Security] Doubts on Zone based firewall

I don't think so. All the above given config should work. "match protocol" is 
not mandatory for a class-map.

With regards
Kings
On Tue, May 17, 2011 at 3:30 PM, Bruno 
<[email protected]> wrote:
Keep in mind that ZBF requires at least one match protocol statement on 
class-maps.
With that said, some options you said will not work

On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles 
<[email protected]> wrote:
If you are matching the protocol in the access-list, then you need not specify 
"match protocol xxx".


With regards
Kings

On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG 
<[email protected]> wrote:
Hi, thanks for your input.

For the example of SMTP, based on your explanation, there isn't a need for "match 
protocol smtp" then? Since the access-list already mentions port 25, which also 
means matching the SMTP protocol from the access-list?

My main doubt was whether I need to specify "match protocol xxx" since I've 
already kind of mentioned it in the ACL with "access-list 122 permit tcp any host 
192.1.1.200 eq 25".


thanks in advance

regards
KY
On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles 
<[email protected]> wrote:
Option A is simple and will work.


Option B can be configured in either of the following two ways:

access-list 121 permit ip any host 192.1.1.100
access-list 122 permit ip any host 192.1.1.200


class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
 match protocol smtp
class-map type inspect match-all CM-I-D-WEB
 match access-group 121
 match protocol http
policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
 class type inspect CM-I-D-SMTP
  inspect
or

access-list 121 permit tcp any host 192.1.1.100 eq 80
access-list 122 permit tcp any host 192.1.1.200 eq 25

class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
class-map type inspect match-all CM-I-D-WEB
 match access-group 121

policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
 class type inspect CM-I-D-SMTP
  inspect

With regards
Kings
On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG 
<[email protected]> wrote:
Hi guys,

I'd like to clear my doubts on ZBF.

A practice question like: configure the zone policy coming in from the Internet to 
the DMZ as follows:
1) allow web access to server 192.1.1.100 located in the DMZ zone
2) allow SMTP access to server 192.1.1.200 located in the DMZ zone

Will the config be (a) or (b)?
(a) access-list 124 permit tcp any host 192.1.1.100 eq 80
access-list 124 permit tcp any host 192.1.1.200 eq 25

class-map type inspect C-I-D
match access-group 124

policy-map type inspect P-I-D
class type inspect C-I-D
inspect


OR

----------------------------------------------------------------------------------------------------------

(b)
access-list 121 permit tcp any host 192.1.1.100 eq 80
access-list 122 permit tcp any host 192.1.1.200 eq 25


class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
 match protocol smtp ------>  why do we still need to mention SMTP ?
class-map type inspect match-all CM-I-D-WEB
 match access-group 121
 match protocol http ------>  why do we still need to mention http ?

policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
 class type inspect CM-I-D-SMTP
  inspect

----------------------------------------------------------------------------------------------------------

My main doubt for (b) is why we need "match protocol smtp", since the question 
never mentioned layer 7 inspection. I would expect the access-list to be sufficient 
to define the traffic as HTTP traffic already? Or do we need both the ACL and the 
protocol to make it complete?

I appreciate your effort to enlighten me. Thanks in advance.

regards
KY
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com


--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
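As an added, worked example (constructed for this page, not config posted by anyone in the thread), here is the complete zone-based firewall policy for the practice question, using Kingsley's option B with the zones, zone-pair and interface membership the thread leaves out. The interface names, the zone names OUTSIDE and DMZ, the named ACLs and the zone-pair name are assumptions; the server addresses and ports are the ones from the question.

```cisco
! Security zones (names are assumptions for this example)
zone security OUTSIDE
zone security DMZ
!
! Interface-to-zone membership (interface names are assumptions)
interface GigabitEthernet0/0
 description Internet-facing
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description DMZ segment
 zone-member security DMZ
!
! Named ACLs scope each class to one server and one destination port
ip access-list extended ACL-WEB
 permit tcp any host 192.1.1.100 eq 80
ip access-list extended ACL-SMTP
 permit tcp any host 192.1.1.200 eq 25
!
! match-all: a flow is classified only if it hits the ACL AND NBAR
! identifies it as that protocol; "match protocol" also selects the
! protocol-specific inspection engine rather than generic TCP tracking
class-map type inspect match-all CM-I-D-WEB
 match access-group name ACL-WEB
 match protocol http
class-map type inspect match-all CM-I-D-SMTP
 match access-group name ACL-SMTP
 match protocol smtp
!
policy-map type inspect PM-I-D
 class type inspect CM-I-D-WEB
  inspect
 class type inspect CM-I-D-SMTP
  inspect
 ! unmatched Internet-to-DMZ traffic is dropped by default anyway;
 ! making it explicit with "log" gives visibility into what was blocked
 class class-default
  drop log
!
! Apply the policy in the Internet -> DMZ direction only
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-I-D
!
! Verification (exec mode):
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-DMZ
```

If the two "match protocol" lines are removed, the classes still match on the ACLs alone and the policy still works, as the thread says, but IOS prints the warning that no protocol was specified and all protocols will be inspected; in that case the sessions get generic stateful TCP tracking instead of the HTTP and SMTP inspection engines. The second "show" command above lists per-class session counters and is the quickest way to confirm that web and SMTP flows are landing in the intended class rather than in class-default.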



