Well, if I read "all protocols will be inspected" when I only want something like telnet specifically, I would say that it is for sure something I do not want.
I would still go with match protocol xxxx as required.

On Tue, May 17, 2011 at 8:38 AM, Nick Montante <[email protected]> wrote:
> My understanding is that a "match protocol" statement is not required;
> however, if you do not match any traffic using NBAR and you only match it in
> your ACL, it will still work as expected but it will throw a warning when
> configured (and at boot) that "no protocol was specified, so all protocols
> will be inspected".
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
> Sent: Tuesday, May 17, 2011 7:11 AM
> To: Bruno
> Cc: Kok Yong CHEONG; [email protected]
> Subject: Re: [OSL | CCIE_Security] Doubts on Zone based firewall
>
> I don't think so. All the above given config should work. "match protocol"
> is not mandatory for a class-map.
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 3:30 PM, Bruno <[email protected]> wrote:
>
> Keep in mind that ZBF requires at least one match protocol statement on
> class-maps.
> With that said, some options you mentioned will not work.
>
> On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles <[email protected]> wrote:
>
> If you are matching the protocol in the access-list, then you need not
> specify "match protocol xxx".
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]> wrote:
>
> Hi, thanks for your input.
>
> For example with smtp, based on your explanation, there is no need to "match
> protocol smtp" then, since the access-list already mentions port 25,
> which also means matching the smtp protocol from the access-list?
>
> My main doubt was whether I need to specify "match protocol xxx" since I've
> already kind of mentioned it in the ACL with "access-list 122 permit tcp any
> host 192.1.1.200 eq 25".
>
> Thanks in advance
>
> Regards
> KY
>
> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <[email protected]> wrote:
>
> Option A is simple and will work.
>
> Option B can be configured as follows, in either of two ways:
>
> access-list 121 permit ip any host 192.1.1.100
> access-list 122 permit ip any host 192.1.1.200
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> or
>
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]> wrote:
>
> Hi Guys,
>
> I'd like to clear my doubts on ZBF.
>
> A practice question like: configure a zone policy coming in from the internet to
> the DMZ as follows:
> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
> 2) allow smtp access to server 192.1.1.200 located in the DMZ zone
>
> Will the config be (a) or (b)?
>
> (a)
> access-list 124 permit tcp any host 192.1.1.100 eq 80
> access-list 124 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect C-I-D
>  match access-group 124
>
> policy-map type inspect P-I-D
>  class type inspect C-I-D
>   inspect
>
> OR
>
> ----------------------------------------------------------------------------------------------------------
>
> (b)
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp ------> why do we still need to mention SMTP?
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http ------> why do we still need to mention http?
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> ----------------------------------------------------------------------------------------------------------
>
> My main doubt for (b) is why we need "match protocol smtp", since the question
> never mentioned layer 7 inspection. I would expect the access-list to be
> sufficient to define the traffic as http traffic already? Or do we need both
> the ACL and the protocol to make it complete?
>
> Appreciate your effort to enlighten me. Thanks in advance.
>
> Regards
> KY
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
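As an added example (not code from anyone in this thread), a small Python audit that parses IOS-style numbered ACLs and `class-map type inspect` blocks and reports which inspect class-maps select traffic by ACL alone, the condition behind the "no protocol was specified, so all protocols will be inspected" warning Nick quotes above. The sample config is constructed from the thread's option (b) and Kings' first form of option B; the parser only understands the `access-list`, `match access-group` and `match protocol` syntax shown in the thread, and the "port-limited"/"unbounded" labels are this example's own.

```python
import re

# Constructed sample: option (b) with "match protocol http" left off the web
# class-map, plus the ip-only ACL form from option B reused without a protocol.
SAMPLE_CONFIG = """\
access-list 121 permit tcp any host 192.1.1.100 eq 80
access-list 122 permit ip any host 192.1.1.200
class-map type inspect match-all CM-I-D-SMTP
 match access-group 122
 match protocol smtp
class-map type inspect match-all CM-I-D-WEB
 match access-group 121
class-map type inspect match-all CM-I-D-ANY
 match access-group 122
"""

def parse_acls(config):
    """Numbered access-list -> list of ACE strings (text after the number)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.+)", line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls

def parse_inspect_class_maps(config):
    """Inspect class-map name -> {'acl': [...], 'protocol': [...]}."""
    cmaps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"class-map type inspect (?:match-(?:all|any) )?(\S+)", line)
        if m:
            current = cmaps.setdefault(m.group(1), {"acl": [], "protocol": []})
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+match (access-group|protocol) (\S+)", line)
            if m:  # only the two match lines used in the thread are recognised
                current["acl" if m.group(1) == "access-group" else "protocol"].append(m.group(2))
        else:
            current = None  # a non-indented line ends the class-map block
    return cmaps

def audit(config):
    """Class-maps with no "match protocol": "port-limited" if every referenced
    ACE pins a port with "eq", else "unbounded" (the case where the router warns
    that all protocols will be inspected). Protocol-pinned class-maps are omitted."""
    acls = parse_acls(config)
    def verdict(cm):
        aces = [ace for acl in cm["acl"] for ace in acls.get(acl, [])]
        bounded = bool(aces) and all(re.search(r"\beq \S+", a) for a in aces)
        return "port-limited" if bounded else "unbounded"
    return {name: verdict(cm) for name, cm in parse_inspect_class_maps(config).items()
            if not cm["protocol"]}
```

Running `audit(SAMPLE_CONFIG)` reports CM-I-D-WEB as port-limited and CM-I-D-ANY as unbounded, while CM-I-D-SMTP is skipped because its protocol is pinned.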
