Hi guys,

Some additional basic doubts...

When it's being asked to inspect HTTP traffic, for example, will we need:

- only "match protocol http"?
- or both "match protocol http" and "match protocol tcp"?

I'm confused about whether tcp or udp always needs to be there or not when
an application-layer protocol is required to be inspected.

Thanks in advance

Regards
KY
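As an added example (not from the thread, and not Cisco's documentation), here is one way to lay out the two halves of an inspect class-map so the division of labour is visible: the ACL restricts which hosts and ports the policy applies to, while the "match protocol" lines name the applications the inspect engine should track. The ACL name, class-map, policy-map and zone names are made up.

```text
! Added example, not from the thread. ACL and object names are made up.
! The ACL narrows the traffic to the two DMZ servers and their ports.
ip access-list extended ACL-IN-DMZ
 permit tcp any host 192.1.1.100 eq 80
 permit tcp any host 192.1.1.200 eq 25
!
! The application-layer protocols to inspect. "match protocol http" already
! selects HTTP (TCP/80) traffic; a separate "match protocol tcp" is not
! needed for the application match.
class-map type inspect match-any CM-PROTOS
 match protocol http
 match protocol smtp
!
! match-all: traffic must match the ACL AND one of the listed protocols.
! Nesting the match-any class keeps a single class with several protocols.
class-map type inspect match-all CM-I-D
 match access-group name ACL-IN-DMZ
 match class-map CM-PROTOS
!
policy-map type inspect PM-I-D
 class type inspect CM-I-D
  inspect
 class class-default
  drop
!
zone security INTERNET
zone security DMZ
zone-pair security ZP-IN-DMZ source INTERNET destination DMZ
 service-policy type inspect PM-I-D
```

If the class-map carried only the "match access-group" line, IOS would still accept it but would emit the "all protocols will be inspected" warning mentioned in the thread below; the "match protocol" lines are what remove that warning and give the inspect engine a specific application to track.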


On Tue, May 17, 2011 at 7:50 PM, Nick Montante
<[email protected]> wrote:

>  I understand your point, Bruno, but the inspection only occurs on the
> traffic matched in your ACL. If you have an ACL matching telnet, and your
> class-map matches this ACL, inspection will only occur for TCP/23. I believe
> that ZFW will identify that traffic as telnet (since it is coming across
> TCP/23) and will inspect it as such.
>
>
>
> *From:* Bruno [mailto:[email protected]]
> *Sent:* Tuesday, May 17, 2011 7:47 AM
> *To:* Nick Montante
> *Cc:* Kingsley Charles; Kok Yong CHEONG; [email protected]
>
> *Subject:* Re: [OSL | CCIE_Security] Doubts on Zone based firewall
>
>
>
> Well, if I read "all protocols will be inspected" while only wanting to have something like
> telnet specifically, I would say that it is for sure something I do not want.
>
> I would still go with match protocol xxxx as required.
>
> On Tue, May 17, 2011 at 8:38 AM, Nick Montante <[email protected]>
> wrote:
>
> My understanding is that a “match protocol” statement is not required;
> however, if you do not match any traffic using NBAR and you only match it in
> your ACL, it will still work as expected but it will throw a warning when
> configured (and at boot) that “no protocol was specified, so all protocols
> will be inspected”.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Tuesday, May 17, 2011 7:11 AM
> *To:* Bruno
> *Cc:* Kok Yong CHEONG; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Doubts on Zone based firewall
>
>
>
> I don't think so. All the above given config should work. "match protocol"
> is not mandatory for a class-map.
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 3:30 PM, Bruno <[email protected]> wrote:
>
> Keep in mind that ZBF requires at least one match protocol statement on
> class-maps.
> With that said, some of the options you mentioned will not work.
>
>
>
> On Tue, May 17, 2011 at 4:40 AM, Kingsley Charles <
> [email protected]> wrote:
>
> If you are matching the protocol in the access-list, then you need not
> specify "match protocol xxx".
>
>
> With regards
> Kings
>
>
>
> On Tue, May 17, 2011 at 1:02 PM, Kok Yong CHEONG <[email protected]>
> wrote:
>
> Hi, thanks for your input,
>
> For the example of smtp, based on your explanation, there isn't a need for "match
> protocol smtp" then? Since the access-list already mentions port 25,
> which also means matching the smtp protocol from the access-list?
>
> My main doubt was whether I need to specify "match protocol xxx", since I've
> already kind of mentioned it in the ACL with "access-list 122 permit tcp any
> host 192.1.1.200 eq 25".
>
>
>
> Thanks in advance
>
> regards
> KY
>
> On Tue, May 17, 2011 at 2:35 PM, Kingsley Charles <
> [email protected]> wrote:
>
> Option A is simple and will work.
>
>
> Option B can be configured in either of the following two ways:
>
> access-list 121 permit ip any host 192.1.1.100
> access-list 122 permit ip any host 192.1.1.200
>
>
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> or
>
>
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
> With regards
> Kings
>
> On Tue, May 17, 2011 at 11:33 AM, Kok Yong CHEONG <[email protected]>
> wrote:
>
> Hi guys,
>
> I'd like to clear up my doubts on ZBF.
>
> A practice question like: configure a zone policy coming in from the internet to
> the DMZ as follows:
> 1) allow web access to a server 192.1.1.100 located in the DMZ zone
> 2) allow smtp access to server 192.1.1.200 located in the DMZ zone
>
> Will the config be (a) or (b)?
> (a) access-list 124 permit tcp any host 192.1.1.100 eq 80
> access-list 124 permit tcp any host 192.1.1.200 eq 25
>
> class-map type inspect C-I-D
>  match access-group 124
>
> policy-map type inspect P-I-D
>  class type inspect C-I-D
>   inspect
>
>
> OR
>
>
> ----------------------------------------------------------------------------------------------------------
>
> (b)
> access-list 121 permit tcp any host 192.1.1.100 eq 80
> access-list 122 permit tcp any host 192.1.1.200 eq 25
>
>
> class-map type inspect match-all CM-I-D-SMTP
>  match access-group 122
>  match protocol smtp ------>  why do we still need to mention SMTP ?
> class-map type inspect match-all CM-I-D-WEB
>  match access-group 121
>  match protocol http ------>  why do we still need to mention http ?
>
> policy-map type inspect PM-I-D
>  class type inspect CM-I-D-WEB
>   inspect
>  class type inspect CM-I-D-SMTP
>   inspect
>
>
> ----------------------------------------------------------------------------------------------------------
>
> My main doubt for (b) is why we need "match protocol smtp", since it
> never mentioned layer 7 inspection. I would expect the access-list to be
> sufficient to define the traffic as http traffic already? Or do we need both
> the ACL and the protocol to make it complete?
>
> I appreciate your effort to enlighten me. Thanks in advance
>
> regards
> KY
>
>   --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
